On 2 April 2024, the Italian Data Protection Authority (Garante) announced that on 21 March 2024, it issued a warning to Worldcoin Foundation regarding its intention to collect biometric data (via iris scanning) for digital identification, claiming that such data processing would violate the Regulation (EU) 2016/679 (GDPR).

Worldcoin Foundation supports the Worldcoin project, launched in 2019 by Sam Altman, the CEO of OpenAI LLC (OpenAI). The project is based on iris scanning to verify the identity of users and on linking such processing to the “financial instrument” market, specifically the cryptocurrency called WLD. The iris is scanned by a biometric device named Orb, which scans the face and iris of users to create a unique identification code (the so-called “World ID”) worldwide for each user. The Orb is not yet available in many countries (and is not offered in the EU).

Following an investigation and based on the information received from Worldcoin Foundation, the Garante stated that should iris scanning to verify the identity of users be introduced in Italy, it would be likely in violation of the GDPR. Particularly, the Garante claimed that:

  • Biometric data processing based on the consent of project members, issued upon an insufficient privacy notice, cannot be considered a valid legal basis according to the requirements under the GDPR. In particular, the Garante stated that users do not appear to be provided with sufficient information within the privacy notice to ensure that they are fully aware of the high risks related to the processing of biometric data.
  • The promise to receive free WLD tokens from Worldcoin once the user gives its consent to the processing of biometric data via Orb negatively affects the ability to give free and unconditional consent.
  • There is no mechanism to verify the age of users during iris scanning.

Please find here the relevant decision of the Garante, issued on 21 March 2024, and here the press release dated 1 April 2024, both available only in Italian language.

This decision is not the first fight from the Garante against tech. In recent months, the Italian DPA has focused enforcement efforts on the interaction between new tech tools and the rights and protections of data subjects under the GDPR – by way of example, in March 2023, the Garante temporarily banned OpenAI, provider of the generative AI service ChatGPT (another Sam Altman company), from processing personal data of individuals residing in Italy.

The Garante is not only keen to pioneer the fight against what it considers improper personal data collection, but also positioning itself to claim jurisdiction on non-EEA players (such as Worldcoin Foundation) in the early stage of deployment, and in burgeoning, disruptive areas of technology.

Is the Worldcoin initiative “just” another (a more tech-savy) way to think to digital identities or is it creating unique issues that need to be tackled rather sooner (i.e., even prior deployment) than later (when it is there). What is for sure is that Worldcoin proposes a very disruptive digital identify compared to where the EU currently stands; the revision of the eIDAS framework promotes a digital identity wallet, but the outcome of what was recently adopted in March 2024 is far less ambitious than even the initial proposals that could have helped, among others, to protect the online safety of minors. Worldcoin is another dimension, close to science fiction; the potential of harm to those who have their iris scanned and their data later compromised is infinite. A digital identity based on iris scanning, when compromised, stays as such forever.

It is encouraging to see the active role of the Garante in key societal topics, noting that the Italian DPA is committed to promoting innovation and developing new technologies that are aligned to EU values. In doing so, it is helping to shape GDPR data protection standards to new tech challenges, while preserving the fundamental rights of data subjects.

Disclaimer: While every effort has been made to ensure that the information contained in this article is accurate, neither its authors nor Squire Patton Boggs accepts responsibility for any errors or omissions. The content of this article is for general information only, and is not intended to constitute or be relied upon as legal advice.