The Spanish Data Protection Agency (APED) ordered a precautionary measure on Wednesday against a global technology company, known as Tools for Humanity Corporation, to cease the collection and processing of personal data that it is carrying out in Spain under its Worldcoin project. Additionally, the company was ordered to keep hold of all personal data already collected.
Worldcoin is an iris biometric cryptocurrency project that aims to provide a method to authenticate people’s identity online through World ID, which is created by scanning their irises. Furthermore, people who sign up have the opportunity to receive cryptocurrency in exchange.
The processing of biometric data is considered to require special protection under Article 9 of the General Data Protection Regulation (GDPR), given the sensitivity posing a high risk to people’s rights. According to the APED’s statement, the decision to implement a precautionary measure is grounded on exceptional circumstances, in which it is necessary and proportional to enact provisional measures aimed at the immediate cessation of the processing of personal data. The APED aims to prevent possible transfer to third parties and safeguard the fundamental right to the protection of personal data. According to Article 66.1 of GDPR, in exceptional circumstances, when an interested control authority considers it urgent to intervene to protect the rights of people, it may adopt provisional measures with legal effects in their territory and with a period of validity that may not exceed three months.
The APED is an independent agency of the Spanish government dedicated to overseeing the protection of Spaniards’ personal data. The agency’s aim is to educate people of their rights and ensure that those operating within the data privacy space comply with the proper laws and norms.
Worldcoin claimed that World ID is a secure and permissionless identity protocol. The goal of the project is to prove users’ “humanness” online while simultaneously preserving their privacy. Worldcoin claimed that APED circumvented the procedures under GDPR.