On March 6th , the Spanish Data Protection Agency (AEPD) imposed a provisional precautionary measure that dictated the suspension of Worldcoin´ activity in Spain for a period of three months.
In its statement, the AEPD[1] “demands the termination of the collection and processing of special categories of personal data, as well as the blocking of data already collected. The AEPD has received several complaints alleging insufficient information, collection of data from minors, and hindrance of consent withdrawal, among other infractions.”
The AEPD’s decision is based on exceptional circumstances, considering it of utmost importance to adopt precautionary measures aimed at the immediate termination of processing activities to avoid the potential transfer of data to third parties and safeguard the fundamental right to the protection of personal data, with said decision being made within the framework of the regulation contained in the General Data Protection Regulation (GDPR).
Worldcoin, which is also already present in Portugal, scans its users’ irises for a cryptocurrency reward. In Portugal, these famous spheres can be found in strategic locations, such as the Oriente station in Lisbon, through which thousands of people commute daily.
Exactly two days after the AEPD decided to impose the aforementioned precautionary measure, the Portuguese National Data Protection Commission (CNPD)[2] issued a statement whose heading is as follows: “CNPD advises citizens to carefully consider the surrender of their biometric data.“
In referred statement, the CNPD informs that it has received multiple complaints from citizens about the conditions under which biometric data is being collected by the Worldcoin Project, and similar to our neighbor Spain, expresses its particular concern about the collection of data from minors without parental authorization, as well as the manner in which this data may be used by the aforementioned company. The CNPD confirms that an investigation process into the processing of personal data by the Worldcoin Project is underway, which is in the decision-making phase.
However, with the issuance of said statement, the CNPD aims to raise awareness among citizens about the sensitivity of the data they intend to provide, emphasizing that they are unique and part of their identity, with all the risks that entails, and to effectively consider the significance of providing their biometric data involving, in return, a payment.
Without prejudice to the enormous utility that Artificial Intelligence has brought to all of our lives, simplifying procedures, and reducing the execution time of many tasks, which is highly recognized, its use entails, on the one hand, an informed and above all, a thoughtful utilization. Otherwise, are we selling our identity in exchange for what?
The European Union is also aware of this concern. Yesterday, March 13th, 2023, the European Parliament formally adopted the AI Act, the European legal framework intended to regulate the use of artificial intelligence in the European Union. The AI Act still needs to be formally adopted by the EU Council and will enter into force within 20 days of its publication in the Official Journal of the European Union.
GDPR Department
Marta Valadas Coriel | Sofia Batista Linguiça
[1] AEPD Statement of March 6th , 2024.
[2] CNPD Statement of March 8th, 2024.
