Bavaria's data watchdog had not finished its privacy and security assessment of Worldcoin when the project launched, the head of the agency said.
Michael Will, president of Bavaria's Data Protection Authority, the lead agency supervising the OpenAI-tied project in Europe, told CoinDesk on Monday that it was still reviewing the project when it went live on July 24, though he noted that the company is not legally obliged to notify the authorities and get their approval prior to the launch. Bavaria is a German state where Worldcoin has set up an entity to manage the data for its European users, so the local authority is leading the investigation.
At the same time, Worldcoin's financial aspect is also under investigation. Germany's Federal Financial Supervisory Authority, known as BaFin, is monitoring the project. It is unclear at the moment whether it needs a permit from BaFin, as other crypto firms do, a spokeswoman from the authority told local newspaper Tagesspiegel.
Worldcoin is co-founded by Sam Altman, the entrepreneur behind popular chatbot ChatGPT, and aims to promulgate a new way to verify that a user is human and unique on the internet using iris scans, artificial intelligence and zero-knowledge proofs. Verified users can receive grants of the Worldcoin token. Developers can build applications on top of this identification protocol, including a wallet where the Worldcoin token is distributed.
"[Worldcoin] complies with all laws and regulations governing the processing of personal data in the markets where Worldcoin is available, including the General Data Protection Regulation (“GDPR”)," the company said in a statement to CoinDesk. "In the European Union, Tools for Humanity [the company behind Worldcoin] is under the supervision of the Bavarian State Office for Data Protection Supervision (Bayerisches Landesamt für Datenschutz). The project will continue to cooperate with governing bodies on requests for more information about its privacy and data protection practices."
Even before the project's full launch, it was the subject of controversy. Criticism has centered around potential privacy issues, the reported manipulation of people in developing countries, as well as the fact that a private company is building global identification infrastructure, which is normally the work of government entities.
The Bavarian DPA's journey with Worldcoin started last November, when its French counterpart asked it for information on whether the project had a Bavarian entity that was acting as the data controller, an entity that decides how and why data is processed under GDPR and is ultimately liable for the data processing. At the time, Worldcoin was doing testing in France, said Will.
It took a few months, but in March, Worldcoin responded to the information request from the DPA and also submitted a privacy impact assessment, which is required under GDPR for companies processing sensitive data such as biometric information. Based on that information, the Bavarian DPA concluded that the local Worldcoin entity fulfilled the requirements of GDPR, but had some additional questions, said Will.
More recently, about two weeks ago, a journalist from German newspaper Handelsblatt contacted the DPA to confirm whether they were in contact with Worldcoin co-founders, one of whom resided in Bavaria, said Will. The journalist received this information from one of the co-founders, he said. Worldcoin's co-founders include Altman and Alex Blania, who is reportedly of German origin.
This was a "strange" event and perhaps a "miscommunication," said Will, as the authority was in his reading not in regular contact with Worldcoin. Perhaps "there was a little bit of confusion, maybe not understanding properly what it means when you have notified" the authorities, said the Bavarian DPA President.
The company is now in contact and cooperating with the regulators, said Will.
The Bavarian DPA, along with French and U.K. regulators, have said they are investigating the project. Authorities in Kenya have suspended Worldcoin operations in the country – citing privacy, security and financial regulation concerns – and reportedly raided its warehouses and seized hardware. Prior to the reported raid, Worldcoin said it suspended operations due to "crowd control" issues.
At the moment, the European data authorities are investigating Worldcoin's data flows, the pseudonymization of personal data, such as the biometric iris scans, as well as the transparency and fairness around users' consent, said Will. Worldcoin is expected to respond to the authorities' latest information request by September, at which point the investigation might delve deeper into its specific technology.
On data flows, Will explained that "everyone talks about iris scans," but in Worldcoin's documentation there is a clear distinction between the iris scan and the identification code created based on the biometric data that is stored in the database. So the authority will look into whether the iris scan data is indeed deleted, as Worldcoin claims, he said.
Worldcoin's technologies are not altogether new, but the way they combine them is, said Will. The complexity of the project is a challenge, but he is confident in the regulators' ability to conduct an assessment.
UPDATE: (Aug. 8, 21:43 UTC): Added statement from Worldcoin.