the art of being legal

Would you sell a copy of your iris for cryptocurrency?


It might seem like a quote from a science-fiction movie, but sometimes facts are stranger than fiction.


Have you heard of Worldcoin?


In case you haven’t met before, let me introduce you to World ID 2.0, the brainchild of Worldcoin.  Worldcoin’s goal is to “provide universal access to the global economy no matter your country or background, establishing a place for all of us to benefit in the age of AI”.  It boasts privacy, democracy and inclusivity as three of the core foundations of the company.  


Essentially, Worldcoin is a platform on which digital money or “tokens” can be sent and received.  In order to gain access to this platform, and, in theory, to protect the security of transactions, users must provide “proof of their personhood” by means of a scan of their iris (World ID).  


Worldcoin came to my attention last month, in February 2024, when, on my way home from work, I saw a long queue of people, mostly young adults, waiting outside a popular technology shop.  It turned out that they were waiting to scan their iris for Worldcoin.  


What was the incentive?  Well, Ricardo Maceira, European manager of Tools For Humanity, developer of the technology for the Worldcoin protocol, said to the newspaper La Voz de Galicia that, “We are not paying for biometric data. Anyone who wants to sign up can use their biometric data to do the verification and sign up for the application. What we are giving is ownership of the network and we give welcome tokens. Then the person decides what to do with that. We don't give money away; we give ownership in the project to the people who sign up.”  Make of that what you will.  


Currently, various data protection authorities across Europe are investigating whether or not Worldcoin is complying with relevant data protection laws, particularly the European Union’s General Data Protection Regulation (GDPR).  


Additionally, just this week, the Spanish Agency for Data Protection has even ordered an injunction against Tools for Humanity Corporation to cease the collection and processing of personal data that it is carrying out in Spain in the framework of its Worldcoin project, and to block the data already collected.  


This move has been carried out within the framework of the GDPR, which establishes that, in exceptional circumstances, when a supervisory authority concerned believes there to be an urgent need to intervene to protect the rights and freedoms of individuals, it may adopt provisional measures with legal effects in its territory and with a period of validity that may not exceed three months.


But, why all of the concern over our eyes? 


A scan of your iris amounts to what we call “biometric data” and the GDPR categorises such data as particularly sensitive given that it is information which allows for the unequivocal identification of a particular individual (the data subject).  And unlike your email address or password, or even your name, your biometric data isn’t something you can just decide to change for security purposes.  As such, the processing of such data results in a high risk to the rights and freedoms of said data subject.  


Obligations of the Data Controller


Generally, in order for a company to be able to process such high-risk data, it must have (and be able to demonstrate that it has) the explicit consent of the data subject.  The consent must be freely given, informed, specific and represent an unambiguous indication of the data subject’s agreement to the corresponding processing of personal data.  In Spain, children under 14 will require the consent of their parents or legal guardians.


The entity planning to process the data must provide certain information to the data subject at the time of obtaining the data and the consent, for example:

  • The identity and contact details of the entity which will process the data
  • The purpose of said processing
  • The period for which the data will be stored
  • The existence of the right to withdraw consent, the right to lodge a complaint with a supervisory authority, the right to request from the processing entity access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing as well as the right to data portability
  • Information about the use of the data for automated decision-making, if applicable
  • The recipients or categories of recipients of the personal data, if any
  • The existence of transfers of the data to third countries or international organisations, if applicable, and any potential risks of such transfer.

This information must be expressed in an intelligible and easily accessible form, using clear and plain language, adapting the language to the public to which the information is aimed. It cannot be full of technical jargon or hidden as a clause within a contract which focusses on other issues.  


And with that, the data is collected, processed, and, if the entity is complying with the GDPR, protected by way of the implementation of appropriate technical and organisational measures to ensure a level of security appropriate to the risk.


However, while the obligation to implement such measures exists, so too does the obligation to notify the data protection supervisory authority of certain data breaches, that is to say, in the event that a security breach allows personal data to be destroyed, lost, altered or accessed by an unauthorised person.  Because even with the best will in the world, data breaches can happen.  


At the time of writing, Worldcoin states in its whitepaper online that, “It should be very difficult to use by a fraudulent actor who stole or acquired World ID credentials. Further, it should always be possible for an individual to regain possession of a lost or stolen World ID.”  Note the use of the word “should”.  


Nowadays, we can’t avoid sharing our data.  


Our employers have access to our bank details, the restaurant we ordered food from has access to our address, the transport company we bought a ticket with has access to our identification number, etc.  


Controlled data sharing has huge benefits for individuals and society, and regulations like the GDPR facilitate such sharing by fostering trust between the data subject and the processing entity.


However, uncontrolled data sharing can lead to identity theft, cybercrime, cyberbullying and cyberstalking, etc.  Whether Worldcoin looks like a worthwhile place to invest your data or not is up to you.  But the controversy stirred up as a result of their data drive serves as a reminder to take a moment to consider who is asking for our personal data and why, before entrusting them with it.  

Publication date: 7 March 2024

Last updated: 13 March 2024