The Bavarian data protection authority (Germany) has adopted a resolution that will require Worldcoin to delete all data related to the irises it scanned for months in exchange for cryptocurrencies.
In this way, the Bavarian State Office for Data Protection Supervision (BayLDA) has upheld the Spanish Data Protection Agency (AEPD), which provisionally ordered Worldcoin to cease all its operations in Spain 'in light of indications of serious breaches, to prevent potentially irreparable harm and protect citizens' rights.'
The Bavarian authority, where the company maintains its base of operations in Europe, has ordered the deletion of all stored irises, given that the necessary security measures for the processing of biometric data have not been adopted.
In this regard, it has been urged that future handling of irises be conducted on the basis of the explicit consent of the data subject. Furthermore, the right to data deletion must be included.
The resolution of the BayLDA has also found that the company did not implement the relevant protocols to address the processing of data from minors, which will be subject to a separate new investigation.
The German regulator has provided for a series of fines in case Worldcoin fails to comply with the decreed measures, without prejudice to the administrative sanctions corresponding to past breaches of personal data protection.
The ruling of the BayLDA is binding at the European level as it has been adopted in coordination with all the national data protection agencies involved.
For its part, Worldcoin's owner, Tools For Humanity (TFH), has announced through its legal and privacy director, Damien Kiera, that it will appeal the decision to 'seek judicial clarity on whether the processes and, in particular, the privacy-enhancing technologies implemented globally comply with the EU's global definition of anonymization.'