CNPD (Portugal) - Deliberação 2024/137: Difference between revisions

From GDPRhub
mNo edit summary
mNo edit summary
Line 71: Line 71:
}}
}}


The DPA imposed a three month ban on a controller's processing of biometric data, finding that the controller provided insufficient information for data subjects to consent, made it impossible to erase collected data or revoke consent, and collected large amounts of minors' sensitive data.
The DPA imposed a three month ban on the Worldcoin Foundation's processing of biometric data, finding that it provided insufficient information for data subjects to consent, made it impossible to erase collected data or revoke consent, and collected large amounts of minors' sensitive data.


== English Summary ==
== English Summary ==

Revision as of 13:44, 3 April 2024

CNPD - Deliberaçao 2024/137
LogoPT.png
Authority: CNPD (Portugal)
Jurisdiction: Portugal
Relevant Law: Article 5(1)(a) GDPR
Article 7(3) GDPR
Article 9(1) GDPR
Article 13(2)(c) GDPR
Article 17(1) GDPR
Article 58(2)(f) GDPR
Type: Investigation
Outcome: Violation Found
Started: 10.08.2023
Decided: 25.03.2024
Published:
Fine: n/a
Parties: Worldcoin Foundation
National Case Number/Name: Deliberaçao 2024/137
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Portuguese
Original Source: CNPD (in PT)
Initial Contributor: lm

The DPA imposed a three month ban on the Worldcoin Foundation's processing of biometric data, finding that it provided insufficient information for data subjects to consent, made it impossible to erase collected data or revoke consent, and collected large amounts of minors' sensitive data.

English Summary

Facts

The Worldcoin Foundation (the controller) used a phone application and in-person sites to engage in large-scale processing of biometric data, particularly irises, eyes and faces. The data was subsequently processed for various purposes including the creation of a digital identity profile (World ID).

On 10 August 2023, the Portuguese DPA (CNPD) initiated an investigation. The CNPD found that the controller had collected the biometric data of over 300,000 data subjects within Portugal. It noted in particular that the controller (1) collected biometric data of minors, (2) made it impossible to exercise the right to erasure of the collected data, (3) made it impossible to revoke consent, and (4) provided deficient information to data subjects.

The controller collected data initially through a phone application through which data subjects could create a World ID in order to use Worldcoin cryptocurrency. In order to ‘verify’ the World ID, data subjects were encouraged to visit the controller’s in-person stores so that a device called an ‘Orb’ could capture high-resolution images of their irises, eyes, and faces. The controller alleged that this ‘verification process’ was necessary to establish ‘proof of personhood’ and prevent duplication of World IDs. Orb operators were taught to encourage data subjects to consent to the storage and use of the biometric data. The controller offered tokens to encourage data subjects to provide their biometric data via the Orb, and offered financial rewards for them to invite others to have their biometric data collected.

In February and March 2024, the CNPD received reports from data subjects concerning mass collection of minors’ biometric information, the impossibility of exercising rights to erasure, and inadequate disclosure concerning risks of processing at the time of collection. The CNPD observed that there were no measures in place to verify data subjects’ ages. It noted that the controller’s consent forms expressly mentioned the impossibility of erasure and of revoking consent. Finally, it also considered that the declaration of consent was partially provided only in English.

Holding

The CNPD concluded that the controller violated Articles 5(1)(a), 7(3), 9(1), and 13(2)(c), and 17(1) GDPR. It imposed a temporary ban on processing for three months pursuant to Article 58(2)(f) GDPR.

The CNPD found that the only possible basis for lawful processing under Article 9(2) GDPR in this case was consent. Given the nature of the data, the CNDP emphasized that consent must be ensured with greater care to guarantee that it is freely given, informed, unequivocal, and explicit. It concluded that this standard was not met in this case. The controller violated Articles 5(1)(a) and 15 GDPR by only making reference to documents without providing direct information on biometric data processing and by providing some information only in English. The CNDP thus concluded that there was insufficient information provided for the data subjects to freely consent to the processing of their biometric data. The CNPD further noted that transparency and consent concerns were exacerbated in the case of minors, who lack capacity to give consent.

The controller also violated Articles 7(3) and 17(1) GDPR because it made it impossible to exercise the right to erasure or to revoke consent.

Given the high risk to the fundamental right of data protection, the CNPD concluded that urgent intervention was justified. In particular, the known collection and processing of minors’ biometric data under nontransparent conditions, in exchange for currency, and without the possibility to erase the data or revoke consent increased the need for urgent action to prevent further violations. Further, these violations, the CNPD noted, would be difficult or impossible to remedy, and could not be prevented by less restrictive measures. The CNPD thus invoked its power to temporarily restrict processing pursuant to Article 58(2)(f) GDPR.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Portuguese original. Please refer to the Portuguese original for more details.