Data protection at a crossroads: WorldCoin's iris scan

Technological innovation has always been a driving force in the evolution of society. From the invention of the wheel to the digital age, Humanity has constantly embraced new advances to improve efficiency and comfort in our lives.

However, Every progress brings with it risks and challenges, especially when it comes to safeguarding privacy and data protection.

In this article, we examine the nearest future (with dystopian overtones) of the social impact, risks and purpose of WorldCoin, cryptocurrency company of Sam Altman (co-founder of OpenAI and creator of ChatGPT) that offers interested people Cryptocurrencies in exchange for iris scanning causing long lines of people in shopping malls interested in providing their biometric data without knowing what the purpose of the data will be.

How does WorldCoin work?

The international company WorldCoin has made a strong entrance into the national and international market since its inception, offering a new market model through its universal vision; creating a digital passport for all real people without using our personal data. In other words, Prevent identity theft fraud by Artificial Intelligence or any robot; which would allow us to be identified anywhere using only our physical appearance: in this case, with the iris of our eyes. At the moment, more than 100,000,000 million people have “sold” their biometric personal data without taking into account the real purpose of this transaction and its consequences.

How does WorldCoin work?

The way to "buy" the iris is very simple. Users who visit the stand usually set up in shopping malls approach a silver orb and, at the same time, look inside. An infrared beam analyzes your iris in detail, and in exchange for the biometric data they enter about 10 WorldCoin tokens*.

Depending on the speculative value of the cryptocurrency at the time, it can be achieved between 30 and 200 euros for the scan.

Data protection at a crossroads: Worldcoin's iris scan and the future of privacy

What are the risks?

If we analyze the risks involved in this type of practice, we must take into account several aspects:

Like fingerprint, voice or DNA, Our iris is a unique biometric data, and as such, is included within the special categories of data protected by Article 9 of the General Data Protection Regulation. *** To process this type of data on a large scale, an Impact Assessment is mandatory. *** Currently, there is no evidence that one has been carried out in our country.
HE violate The principles relating to processing in Article 5 of the GDPR: specifically, the principles of transparency, data minimization, integrity, and confidentiality, since it is not known exactly what information is actually extracted and whether it is irreversibly anonymized.
There is also a defect in the collection of consent***** as a basis for legitimacy; this must be free, informed, specific, and unambiguous. This requires that the person providing it be fully aware of all the consequences arising from the processing of their personal data, since not only iris biometrics are captured, but images of the eyes and face are also scanned.
There is also no information about the servers they use. and the means to keep these records.
One must also take into account the long-term risksUnlike voice or fingerprints, the morphology of the iris (which differs in each eye) tends to remain the same throughout our lives, and the margin of error when identifying us is very limited compared to other biometric data. For example, if your cell phone, email, or bank account is hacked, the password can be changed and security restored; but if your iris is stolen as biometric data, the situation cannot be reversed. What's more, you could be subject to identity theft.

Where are we going?

Although WorldCoin presents itself as a project based on blockchain technology, apparently safe and with a good purpose, are still disruptive control technologies that hide other masked purposes following new business models that see biometric and health data as invaluable assets with which to market new products.

Countries such as France, Germany, Great Britain, and Kenya have shown interest, some issuing directives to stop user registration. In Spain, the Spanish Data Protection Agency is investigating several cases. and just finished As a precautionary measure, prohibit WorldCoin from continuing to process personal data in our country..

Furthermore, it urges the blocking of personal data already collected and bases its decision on the exceptional circumstances of Article 66.1 of the GDPR. "When an interested supervisory authority—in this case the AEPD—deems it urgent to intervene to protect the rights and freedoms of individuals, it may adopt provisional measures with legal effect in its territory and with a validity period that may not exceed three months."****** having as its objective and priority the protection and safeguarding of the rights of the holders of these biometric data who may suffer potentially irreparable damage and be left helpless.

Therefore, from this moment on, any activity of this company aimed at collecting personal data in Spain It would be illegal and could lead to penalties. which could reach €20 million if it continues collecting data. Therefore, it is very important to raise awareness among citizens (especially younger people) about this type of sales and the emerging technologies that could shape our immediate future, to the detriment of our freedom and most important fundamental rights.

Don't miss all the latest news on Data Protection & Regulatory Compliance from the best professionals in the sector in our Professional Master in Compliance & Data Protection Management.

* Token: “A unit of value that an organization creates to govern its business model and empower its users to interact with its products, while facilitating the distribution and sharing of benefits among all its shareholders.” – 'The Business Blockchain', William Mougayar.

** https://noticias.juridicas.com/base_datos/Privado/574082-regl-2016-679-ue-de-27-abr-proteccion-de-las-personas-fisicas-en-lo-que.html#a19 (Last visited March 5, 2024)

*** Hereinafter GDPR.

**** Basque Data Protection Authority https://www.avpd.euskadi.eus/webavpd00-content/es/contenidos/noticia/20240124_komunikatua/es_def/index.shtml (Last visited March 5, 2024)

***** Report from the Catalan Data Protection Authority https://web.gencat.cat/es/actualitat/detall/Proteccio-de-dades-avisa-de-lescaneig-de-liris (Last visited March 6, 2024)

****** https://www.aepd.es/prensa-y-comunicacion/notas-de-prensa/la-agencia-ordena-medida-cautelar-que-impide-a-worldcoin-seguir-tratando-datos-personales-en-espana AEPD, (Last visit March 6, 2024)
******* Art. 83 and 58 of the General Data Protection Regulation

Subscribe to our newsletter to stay up to date with all the news

Name and surname *

Email *

I give my express consent and accept the Privacy Policy.

EIP International Business School informs you that the data in this form will be processed by Mainjobs Internacional Educativa y Tecnológica, SAU as the party responsible for this website. The purpose of collecting and processing personal data is to manage your subscription to the newsletter as well as to send commercial information about the services of the data controller. The legitimacy is the explicit consent of the interested party. Data will not be transferred to third parties, except under legal obligation. You may exercise your rights of access, rectification, limitation and deletion of data at compliance@grupomainjobs.com, as well as the right to lodge a complaint with the supervisory authority. You can consult additional and detailed information on Data Protection in the Privacy Policy that you will find on our website.