German regulator orders Worldcoin to enhance privacy measures after biometric data probe
Worldcoin must delete unlawfully collected data within one month, says Bavarian regulator after concluding investigation.
The Bavarian State Office for Data Protection Supervision (BayLDA) has ordered Worldcoin to implement stricter privacy measures after concluding its investigation into the company’s biometric data practices.
Worldcoin (WLD) has been instructed to provide a GDPR-compliant data deletion process within one month. The BayLDA also required the company to obtain explicit user consent for certain data processing activities and to delete data previously collected without a sufficient legal basis.
Investigation concluded
The investigation, initiated in April 2023, scrutinized Worldcoin’s collection and use of iris-derived biometric data, which the company uses to create unique digital identities through its World ID system.
The system aims to authenticate individuals and prevent duplicate registrations. While Worldcoin voluntarily paused its activities in certain EU countries during the investigation, the BayLDA identified additional compliance issues.
Michael Will, President of BayLDA, said:
“With today’s decision, we are enforcing European fundamental rights standards in favor of the data subjects. All users who provided Worldcoin with their iris data will now have the unrestricted right to demand the erasure of their data.”
The BayLDA’s ruling requires Worldcoin to introduce a GDPR-compliant data deletion process within one month of the decision’s implementation.
The authority also mandated explicit consent for specific data processing activities and ordered the deletion of data collected without a sufficient legal basis. Additionally, issues such as the protection of minors and potential administrative offenses remain under separate examination.
The investigation was conducted in coordination with European data protection authorities under the General Data Protection Regulation (GDPR) framework.
Regulatory challenges
Worldcoin operates across Europe and beyond, which makes enforcing uniform data protection standards complex. The project has faced scrutiny globally over its biometric data practices and compliance with local laws. However, not all investigations have progressed.
In Kenya, authorities initially suspended Worldcoin’s operations over privacy, security, and financial concerns. After further review, the investigation was closed without further action, provided the company complies with local regulations.
Despite this, scrutiny continues in other regions, such as Hong Kong and Singapore, over data collection practices and potential financial misconduct, highlighting persistent global concerns about the project’s operations.