CNPD (Portugal) - Deliberaçao 2024/137
From GDPRhub
| CNPD - Deliberaçao 2024/137 | |
|---|---|
 | |
| Authority: | CNPD (Portugal) |
| Jurisdiction: | Portugal |
| Relevant Law: | Article 5(1)(a) GDPR Article 7(3) GDPR Article 9(1) GDPR Article 13(2)(c) GDPR Article 17(1) GDPR Article 58(2)(f) GDPR |
| Type: | Investigation |
| Outcome: | Violation Found |
| Started: | 10.08.2023 |
| Decided: | 25.03.2024 |
| Published: | |
| Fine: | n/a |
| Parties: | Worldcoin Foundation |
| National Case Number/Name: | Deliberaçao 2024/137 |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | Portuguese |
| Original Source: | CNPD (in PT) |
| Initial Contributor: | lm |
The DPA imposed a temporary ban on the Worldcoin Foundation's processing of biometric data, finding that it provided insufficient information for data subjects to consent, made it impossible to erase collected data or revoke consent, and collected large amounts of minors' sensitive data.
English Summary
Facts
The Worldcoin Foundation (the controller) used a phone application and in-person sites to engage in large-scale processing of biometric data, particularly irises, eyes and faces. The data was subsequently processed for various purposes including the creation of a digital identity profile (World ID).
On 10 August 2023, the Portuguese DPA (CNPD) initiated an investigation. The CNPD found that the controller had collected the biometric data of over 300,000 data subjects within Portugal. It noted in particular that the controller (1) collected biometric data of minors, (2) made it impossible to exercise the right to erasure of the collected data, (3) made it impossible to revoke consent, and (4) provided deficient information to data subjects.
The controller collected data initially through a phone application through which data subjects could create a World ID in order to use Worldcoin cryptocurrency. In order to ‘verify’ the World ID, data subjects were encouraged to visit the controller’s in-person stores so that a device called an ‘Orb’ could capture high-resolution images of their irises, eyes, and faces. The controller alleged that this ‘verification process’ was necessary to establish ‘proof of personhood’ and prevent duplication of World IDs. Orb operators were taught to encourage data subjects to consent to the storage and use of the biometric data. The controller offered tokens to encourage data subjects to provide their biometric data via the Orb, and offered financial rewards for them to invite others to have their biometric data collected.
In February and March 2024, the CNPD received reports from data subjects concerning mass collection of minors’ biometric information, the impossibility of exercising rights to erasure, and inadequate disclosure concerning risks of processing at the time of collection. The CNPD observed that there were no measures in place to verify data subjects’ ages. It noted that the controller’s consent forms expressly mentioned the impossibility of erasure and of revoking consent. Finally, it also considered that the declaration of consent was partially provided only in English.
Holding
The CNPD noted its competence to decide the case due to processing in the national territory pursuant to Article 56 GDPR. It concluded that the controller violated Articles 5(1)(a), 7(3), 9(1), and 13(2)(c), and 17(1) GDPR. It imposed a temporary ban on processing for three months pursuant to Article 58(2)(f) GDPR.
The CNPD found that the only possible basis for lawful processing under Article 9(2) GDPR in this case was consent. Given the nature of the data, the CNDP emphasized that consent must be ensured with greater care to guarantee that it is freely given, informed, unequivocal, and explicit. It concluded that this standard was not met in this case. The controller violated Articles 5(1)(a)and 13 GDPR by only making reference to documents without providing direct information on biometric data processing and by providing some information only in English. The CNDP thus concluded that there was insufficient information provided for the data subjects to freely consent to the processing of their biometric data. The CNPD further noted that transparency and consent concerns were exacerbated in the case of minors, who lack capacity to give consent.
The controller also violated Articles 7(3) and 17(1) GDPR because it made it impossible to exercise the right to erasure or to revoke consent.
Given the high risk to the fundamental right of data protection, the CNPD concluded that urgent intervention was justified. In particular, the known collection and processing of minors’ biometric data under nontransparent conditions, in exchange for currency, and without the possibility to erase the data or revoke consent increased the need for urgent action to prevent further violations. Further, these violations, the CNPD noted, would be difficult or impossible to remedy, and could not be prevented by less restrictive measures. The CNPD thus invoked its power to temporarily restrict processing pursuant to Article 58(2)(f) GDPR.
Comment
The CNPD is the second DPA to issue a temporary ban on the Worldcoin Foundation's processing within national territory, with the Spanish DPA being the first to do so on 26 February 2024. On 21 March 2024, the Italian DPA also issued a warning that the controller's processing likely violated the GDPR, though it did not impose a temporary ban.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Portuguese original. Please refer to the Portuguese original for more details.
DELIBERATION/2024/137
I. Report
1. The National Data Protection Commission (CNPD) has learnt that a large-scale processing of biometric data is taking place, consisting in particular of the collection of images of people's irises, eyes and face and their further processing for various purposes, including the creation of a digital proof of identity, known as World ID. The provision of this biometric data by citizens is a prerequisite for them to be able to receive a certain amount of cryptocurrency, known as Worldcoin (WLD).
2. Accordingly, in pursuance of the powers laid down in Article 57(1)(a), (h) and (i) and Article 58(1)(b) of Regulation (EU) 2016/679 of 27 April 20\6 - the General Data Protection Regulation (GDPR) - in conjunction with Article 3, Article 4(2) and Article 8(1)(b) of Law No. 58/2019, all of which implement the GDPR in the internal legal order.Article 4(2) and Article 8(1)(b), all of Law No. 58/2019 of 8 August 2019, which implements the GDPR in the domestic legal order (GDPR Implementing Law), the CNPD opened the relevant investigation procedure, which has been running since 10 August 2023, to assess the compliance of these personal data processes with the GDPR.
3. The following facts relate to conduct attributable to the Worldcoin Foundation.
4. In this decision, the facts that came to the attention of the CNPD between mid-February and early March 2024 are taken into account, namely the reports received by this Authority concerning
(i) the collection of biometric data from minors (capturing images of the iris, eyes and face), (ii) the impossibility of exercising the right to erasure of data, (iii) the impossibility of exercising the right to revoke consent, and (iv) the deficient information provided to data subjects.
5. It is also worth mentioning, as it seems very significant, the announcement to the public, through the media, of the large increase in the collection of these biometric data, which has already covered more than 300,000 (three hundred thousand) people in the national territory and the visible trend of growth in this collection of biometric data, which led the company to adopt the methodology of prior appointment for the collection of data
' See the article in the newspaper 'Expresso', in its edition of 1 March 2024, quoting a source from the Worldcoin project.
biometrics, given the huge queues of people, including minors, waiting for their data to be collected in order to obtain cryptocurrency, as has been widely reported this month*.
6. Below, we will detail the facts that justify the CNPD, as the national supervisory authority for data protection, taking an urgent corrective measure under the provisional powers of correction provided for in Article 58(2) of the GDPR, until the ongoing investigation is concluded and a final decision is issued.
II. Analysis
i. The Facts
7. The Worldcoin Foundation 'is a foundation company, exempt from limited liability, a non-profit organisation incorporated in the Cayman Islands-*, with its registered office at Suite 3119, 9 Forum Lane, Camana Bay, P0 Box 144, George Town, Grand Cayman KY1-9006, and with no establishment in the European Union4 .
8. Since 24 July 2023, the launch date of Worldcoin, the Worldcoin Foundation "has assumed the role of data controller for the Worldcoin Project and related data processing activities (...) and now independently determines the purposes and means of the processing activities carried out in relation to World ID'*.
9. The company Tools for Humanity Corporation ("TFH"), headquartered in San Francisco in the United States of America and with a subsidiary established in Germany called Tools for Humanity GmbH, located at Allee am Rothelheimpark 41, 91052 Erlangen in the state of Bavaria, currently only carries out the relevant data processing activities of W0fld ID on behalf of the Worldcoin Foundation and as its processor and under its direction6 . TFH has no discretionary power to determine the means and the
In the various reports in the press and on television, there are several testimonies from people to this effect.
Cf. Response to the CNPD, dated 9/8/2023, attached to the case file, following a set of questions addressed by the CNPD on 23/8/2023 to the Worldcoin Foundation and Tools for Humanity Corporation (hereinafter, "Response to the CNPD"), and as stated in the clarification to question 5, in the Annex to the Response, with regard to the questions addressed to the Worldcoin Foundation.
^ Cf. information on the company's website, and in the documents "worIdcoin-privacy-notice-3-2-en.pdf' and https://.auIt.pactsafe io/s/8a18d792-fd76-44db-9b92-b0bb7981c248JIeaaI htmI#contract-s1ytru6kk. attached to the case file).
Cf. Reply to the CNPD, set out in points 2 and 3 of Part III and in the clarification to question 2 of the Annex to the Reply.
Cf. Reply to the CNPD, set out in point 3 of Part III and in the clarification to question 2 of the Annex to the Reply, as well as in Annexes II and III of the Reply.
AVG/2023/J2052
C'xr-ss00 Nmóul
purposes of processing within the framework of World ID and processes data relating to Word iD in accordance with the detailed instructions of the Worldcoin Foundation'.
10. TFH, whose co-founders initially contributed to the development of Pr0t0C0I0 W0rldcoin, is now only responsible for processing data from the World App, a mobile application that must be downloaded before biometric data can be collected.
11. The Worldcoin Foundation has been collecting biometric data for identification purposes in Portugal, by capturing images of people's irises, eyes and faces, which in itself constitutes the processing of personal data. The data collected is subsequently subject to other processing operations.
12. WOrlJcoin FounJatlOO carries out this treatment on personal sides in various locations throughout Portugal, namely Algés, Almada, Amadora, Braga, Cascais, Guimatâes, Lisboa, Loures, Maia, Matosinhos, Porto, Portimão, Rio de Mouro, Setúbal, Sintra, and Viana do tastelo°.
13. The company Needasterisk, Unipessoal, Lda. and the company Eaglebrands Trade Marketing, Lda. have been appointed as service providers in the implementation of the Worldcoin project in Portugal10.
14. The company Needasterisk, Unipessoal, Lda. acts as the "Orb" operator in the biometric data collection process, as it declared to the CNPD1
15. Orb operators earn income depending on the number of people who join and register with Worldcoin. The Orb Operator Code of Conduct refers to earnings from registering end users in its rule #6, stating that the Orb operator should focus on the rewards generated by registering end users and not those from sub¬operators12.
16. Eaglebrand Trade Marketing, Lda, acts as a consultant for the project, providing a variety of services, including space and location search services and rental management.
Cf. Reply to the CNPD, contained in the clarification to question 5 of the Annex to the Reply to the
CNPD. Cf. ibid.
"Cf. information available on Elias /'Vor/dão r Ora/find-or4 and attached to the case file as Document "worldcoin - Data collection sites portugal.pdf'
'° ** Cf. See Reply the to response the CNPD, from the contained company in the clarification to question 26 of the Annex to the Reply to the CNPD.
i CNPD, dated 4/9/2023, attached to the
case file. '* See the document attached to the case file, called the "Orb Operator Code of Conduct".
in the locations where the Worldcoin operators are allocated, not operating the 'Orb', as also stated'°.
A) The processing of biometric data, in particular its collection
17. Personal data is collected face-to-face using a device called an "Orb", which captures high-resolution, multispectral images of each iris, an image of the eyes and an image of the face. These images are processed locally in the "Orb", using artificial intelligence models to ascertain that this is a human person and that they are alive4.
18. Based on the images collected, an alphanumeric code is generated in the "Orb" using an algorithm, which is a unique and personal identifier that corresponds to the biometric data collected, called the "Iris Code"1 '.
19. The Iris Code is then compared in real time with the Iris Code database to check whether that code already exists, i.e. whether the person in question has already registered with World ID, had their biometric data collected and, consequently, received the corresponding cryptocurrency. If the Iris Code is new, it is stored in that database ^.1
20. Once the iris code has been generated and entered into the database, the images captured by the "Orb" can be destroyed locally on the device, or kept there temporarily until they are sent to the Worldc0in Foundation's systems to be subjected to further processing operations for other purposes, depending on whether or not the data subjects have consented to their subsequent use17.
21. 0"Orb" has the capacity to carry out all these processing operations, including storing the data, and send them to the Worldcoin Foundation's systems, hosted on Amazon Web Services18 (AWS).
22. 0rb" operators and suboperators are taught to encourage people to consent to the storage and use of their biometric images by Worldcoin, telling them that this is a benefit for the company.
'^ See Eaglebrand's reply to the CNPD, dated 4/9/2023, attached to the case file. '4 Cf.
Reply to the CNPD, in point 8 of Part I.
*Cf. Data Protection Impact Assessment, version updated on 2/8/2023, pp. 22-23, contained in Annex I of the Reply to the CNPD, and points 3 and 4 of Part I of the Reply to the CNPD.
16 Cf. Response to the CNPD, set out in point 8 of Part I, and Data Protection Impact Assessment, set out in Annex I of Part I. Response to the CNPD, pp.22-23.
'7 Cf. Reply to the CNPD, contained in the clarification to question 8 of the Annex to the Reply to the CNPD.
Cf. Data Protection Impact Assessment in Annex I of the Reply to the CNPD, pp.22-23.
users, as they won't need to return to the 'Orb* every time Worldcoin updates the algorithm that generates the Iris Code, which happens about three times a year, and affirming that most people activate this functionality, consenting to this data processing'*.
23. Also when providing information to people to obtain their consent for the processing of biometric data, in particular with regard to the storage of the data and its use for training Worldcoin's algorithms, it is explained that if the data subjects choose not to give their consent for the storage and subsequent use of the images (by not activating this possibility), they will have full functionality, but potentially some inconvenience, as they will have to go back through the "Orb" to recheck the Iris Code when the algorithms are updated *.2
24. bl0metric0data They identify the uniqueness of each human being and are intrinsic to each one. person.
25. It is claimed that this data is intended to form the basis of a digital identity/passport (World ID), with a universal vocation, with a view to being used as a ptoya of identity and the human condition, i.e. establishing whether an individual is both human and unique*1 .
26. Thus, World ID is presented by Worldcoin as a global digital passport that guarantees people a privacy-preserving way to authenticate themselves as humans online in a world where intelligence is no longer a discriminator between people and AI**.
27.The Worldcoin Foundation believes that the possibility for an individual to confirm that they are a unique natural person in the network of World ID holders, without having to provide additional proof of their identity, is a potentially useful feature for a number of online services23 . The value for users comes from the fact that applications based on World ID will soon be developed, so that those who already have a World ID will be able to confirm their identity*.4
'^ Cf. Contents of the training of the operator of Y/oildcoin, slides 129-131, contained in Annex 4 of the Reply to the CNPD. ** Cf. Worldcoin Foundation Sensitive Biometric Data Consent Form, version 1.4, available on 1/8/2023,
on the website of the Norldcoin Foundation, attached to the case file.
*! Cf. reply to the CNPD in Part 1, point 2.
2* See h11DS.//D\-D(. w0rldG0ln 0ra/lao.S, '0 which is 0 d0fldlD),
*Cf. Reply to the CNPD, in points 1 and 2 of Part 1.
Cf. Contents of the training of the Worldcoin operator, slides 20-22 in Annex 4 of the Reply to the CNPD.
28. In order for biometric data to be processed, including the collection operation, potential members must first install an application (World App) on their electronic device, which also constitutes a cryptocurrency wallet*'
29. 0 development, distribution and maintenance of this application is the responsibility of the TFH company, as described above in point 10 of this resolution.
30. With the application installed and the assistance of the "Orb" operator, the data subject/adherent must go through the steps of the "sign-up procedure", which begins with creating an account, indicating their mobile phone number, declaring that they are over 18, declaring their agreement with the privacy policy and the terms and conditions of the service (by reference to online connections).
31. The sign-up process ends with the reading of a two-dimensional code (ÇRcode), received on the data subject's mobile phone, and 'read' by the "Orb" which puts the device into capture mode, collecting images of the iris, face and eye contour**.
32.These images are processed in the "Orb" and the code generated is sent directly via the Internet to the Worldcoin Foundation's systems. The process ends with the World ID being downloaded to the user's mobile device27.
33. In return for handing over their personal data, each citizen receives tokens that correspond to cryptocurrencies, and there is news of the possibility of converting them into physical money, an essential element for increasing adherence to this project.
B) Recent reports received by the CNPD: the collection of data from minors, insufficient information, the impossibility of deleting data and revoking consent, and the economic weakness of citizens.
34.From 18 February 2024 until 15 March 2024, the CNPD has received several reports from citizens that, inter alia, data is being collected and subsequently processed.
*Cf. CNPD Inspection Report, following the inspection carried out on 11/8/2023 at one of the data collection sites, page 2, attached to the case file.
*^ Ibidem, page 3.
*Cf. Data Protection Impact Assessment, in Annex 1 of the Reply to the CNPD, pp.8-9, jUf\tâ 60S üUtOS. Cf. page extracted from the social network Facebook attached to the case file.
biometric data of minors. It is claimed that the biometric data of minors was processed without the authorisation of their legal representatives (cf. joint participations ü0S aUtos)2
35.It should be emphasised that when signing up to the biometric data collection procedure there is no mechanism for verifying the age of the subscriber, and the operator does not take the necessary care to confirm age, namely by showing identification documents.
36.The CNPD has carried out a number of investigative steps in the context of reports of the processing of minors' biometric data, with a view to better ascertaining the facts, which are attached to the case file.
37. Since 2 March 2024, this Commission has also received reports stating that data subjects have wanted to exercise their right to erasure of their data, but have not been granted this right (cf. reports attached to the case file) *.3
38. Finally, by the same token, it has come to the attention of the CNPD that several data subjects only became aware of the risks involved in the processing of their data due to the recent media coverage of the phenomenon, and that these risks were never properly explained to them (cf. reports attached to the case file)
*1 .
2 Better identified in the files with the codes: FORM-P.20240225105023.BIK931; FORM-P.20240225190230.1SWX8E;
VVDBIO.20240226162944.ÇTMX48; FORM P.20240306211753.LSARCU; FORM-D.20240306221241.NUMP8U; F0RM-
P.20240307115907.C8KIJY; FORM-P.2024D307214745.7IIÇCC; FORM-P.2024030B115619.XX14HK; F0RM-
D.20240309141134.23H951; FORM-D.20240310191712.1RED4B;VVDBI0.20240310195102.BL5KHK;
VVDBIO.20240311131051.UB79XD; VVDBIO.20240311141406.TSJWIA; FORM-P.2024D311124123.TKTBLF: F0RM-
P.20240312185854.KJRVDA; FORM-D.20240313J03517.9E79E7; FORM-D.20240313182234.WMDIWX; F0RM-
D.20240313223602.YYWDFK. FORM-P.20240314101948.C7DL18; VVDBIO.20240314124732.HTMF3E; F0RM-
D.20240314180027.KFHXDI.
39. Furthermore, they were not provided with information on the processing carried out, namely the data that was actually being collected and the purposes for which it was intended, as well as the form and manner of exercising the rights provided for in the legislation on the protection of personal data (cf. reports attached to the case file).
40. It has also been reported by the media that there are a number of citizens who authorise these collections and treatments because they are economically weak and/or are not fully aware of the purposes and implications of their participation in the Worldcoin project (cf. news and television reports broadcast between the end of February 2024 and the present date, attached to the case file).
41. 0 text presented for signing up to the World App ("I agree to the Biometric Data Consent Form and to the Foundation's User Terms and Conditions") did not provide any direct information regarding the processing of biometric data, but merely included links to the "Privacy Notice" and to the TFH3* company's User Terms, and it was not even compulsory to open these links to ensure that the potential user had the essential information to agree to their personal data being processed It'.
42. The information contained in that privacy notice also says nothing about the collection and other processing of biometric data, but merely presents the World App's terms and services, which in turn refer to a new link in the body of that text, where the consent form for the processing of biometric data by the Worldcoin Foundation finally appears.
43. This whole complex process, which requires successive steps, does not constitute a right to information easily accessible, neither transparent nor intelligible.
44. In addition, the declaration of consent is presented partly in English (I agree with the Biometric Data Consent Form and the Foundation's User Terms and Conditions).
** The addresses of the links (httos //worldsoin.paCtSafe.io/legal h\mI#con1rac1-üx3iz24-o and httos://worIrlcoin pactSafe.io/legal.htmI#contract-91r7n2jt refer to pages that present information from TFH, and not from the Woildcoin Foundation, which is responsible for processing biometric data. Although the versions of the documents have already undergone more than one change in the last week, it is confirmed that this is information about the processing of data by TFH, within the scope of the World App, and not about the processing of biometric data by the Worldcoin Foundation.
ItIt Cf. CNPD Inspection Report, following the inspection action, of 11/8/2023, at one of the data collection sites, attached to the case file.
45. In version 1.4 of the Worldcoin Foundation's 'Sensitive Biometric Data Consent Form'*4, it is further stated that '(If you decide to sign up for an Orb we will create a unique Iris Code...] which can no longer be deleted (if we deleted it, the proof of exclusivity would not work)'. This was reiterated publicly on television by the Regional Director of TFH on 3/3/2024, which acts as a subcontractor for Worldcoin FoUndation, that 'this data will be deleted. The iris code will not, because this, once again, the iris code is what proves humanity'3 *
46. Furthermore, although point 2.5 of the "Worldcoin Foundation's Sensitive Biometric Data Consent Form" states that consent can be revoked, the truth is that this information was not and is not made available to the holder when the World App account is created. In fact, the links Biometric Data Consent Form and User Terms and Conditions of the TFH company do not contain this information (see Annex V of the CNPD Inspection Report mentioned above).
C) The collection of biometric data by appointment due to increased demand
47. At the beginning of March 2024, the CNPD also became aware, through various news and media reports, that the collection of biometric data for identification, by capturing images of people's irises, eyes and face, was now being carried out by appointment only, due to the high increase in demand, with queues of people waiting their turn for collection, including minors.
48. At the beginning of this month, it was estimated that in Portugal more t h a n 300,000 (three hundred thousand) people had already had their biometric data collected, including minors*6 .
49.In fact, at the beginning of September 2023, Warldcoin FoundatlDn had nine (9) sites, all located in large shopping centres, to collect biometric data through the "Orb" and declared that it had already achieved more than 180,000 (one hundred and eighty thousand) users in Portugal^'.
*Cf. Worldcoin Foundation Sensitive Biometric Data Consent Form, version 1.4, available on 10/8/2023, on the Worldcoin Foundation website, attached to the case file.
** According to statements made to TVI's Jornal Nacional.
36See the newspaper 'Expresso', quoting a source from the Worldcoin project, in its edition of 1 March 2024, page 16, attached to the case file.
37See the reply to the CNPD, set out in point 3 of part IV, attached to the case file.
50. At the beginning of March 2024, six months later, the number of users had increased significantly by around 67 per cent, while the number of data collection sites had almost doubled to a total of 17.
51.The CNPD also learnt from the media that there would be a financial reward for those who had already provided their biometric data if they took another person to have that data collected, which may have contributed to an increase in demand.
ii. The conviction of the facts proven
52. The CNPD establishes the facts set out above, based on the elements found and the evidence gathered by the CNPD's Inspection Unit, both in the face-to-face inspection of one of the biometric data collection sites through "Orb", on 11/8/2023, and in the remote verification actions carried out; in the statements made by the Worldcoin Foundation, TFH, Needasterisk, Unipessoal, Lda. and Eaglebrands Trade Marketing, Lda, in response to questions posed by the CNPD (rf. Documents attached to the case file); in the consultations and checks of the websites and documents made available there by the Worldcoin Foundation and TFH, and other indicative evidence attached to the case file.
53. Also contributing to this conviction is the content of the dozens of reports received by the Commission, especially those on the collection of minors' personal data, and the investigative actions carried out or underway in this regard, as well as the information provided by data subjects in statements to and publicised by the media.
54. The CNPD continues to receive enquiries on an almost daily basis about the facts covered by this decision, including the collection of biometric data o n minors.
III. bif9it0
55. The GDPR applies to the processing of personal data of data subjects who are in Portugal, carried out by a controller who is not established in the European Union, when the processing activities are related to the provision of services, as is the case with the processing of personal data carried out by Worldcoin Foundation, by virtue of Article 3(2)(a) of the GDPR.
56. The CNPD is the national supervisory authority for the purposes of the GDPR, pursuant to the combined provisions of Article 3o , Article 4(2) and Article 6(1)(b), all of the GDPR Implementing Law.
57. Under the terms of Article 55(1) of the GDPR, supervisory authorities are competent to carry out the tasks and exercise the powers conferred on them by the GDPR in the territory of their own Member State, so the CNPD is competent in this case, since some of the data processing operations carried out by the Worldcoin Foundation, namely the face-to-face collection of biometric data, are carried out in national territory, 0â0 Article 56 of the GDPR being applicable here.
58. The CNPD monitors and enforces the application of the GDPR, and investigates the processing of personal data, under the powers laid down in Article 57(1)(a) and (h) and with the investigative powers conferred by Article 58(1)(b) of the GDPR.
i. The enhanced protection of biometric data
59. Personal data resulting from specific technical processing relating to the physical or physiological or behavioural characteristics of a natural person which enable or confirm his or her unique identification are considered biometric data within the meaning of Article 4(14) of the GDPR.
60. The Worldcoin Foundation is responsible for the processing of personal data relating to World ID, including the processing of iris, eye and facial biometric data within the meaning of Article 4.0(7) of the GDPR.
61. Biometric data are classified as special data under the terms of Article 9(\) of the GDPR, given their sensitivity from the point of view of fundamental rights and freedoms, their susceptibility to unambiguous identification of a person and their potential for discrimination. The context of their processing could entail significant risks for the rights and freedoms of data subjects* .
62. In fact, it is a very personal element, in that it is an unrepeatable identifying element in each human being, hence its special protection (cf. Article 9(1) of the GDPR). The use of biornetry makes it possible to measure innate physical characteristics of each human being, such as the iris, face, fingerprint, hand contour or voice. And although the characteristics of physical data are immutable, as technology develops there are more and more reports of biometric identifiers being spoofed.
63. There is no question here that biometric authentication and identification is, as a rule, more robust than other methods, such as the use of authentication credentials with username and password combinations.
See Recital 51 of the GDPR.
64.If, on the one hand, these credentials are more susceptible to attack because they don't require a great deal of technological knowledge, and social engineering methods are often enough, on the other hand, the damage they cause is limited in time, and it's enough, for example, to change the username and password.
65. Attacks carried out with the aim of seizing biometric data, on the other hand, have irreversible consequences, as the data subject cannot change the physical characteristic that gave rise to the biometric template, and there is a real and high risk of identity theft, as they will be a constant threat to the citizen's identity if they are stolen.
66.As a result, any act of appropriating biometric data, compromising the security of a person's identity, becomes attractive to the world of cybercrime.
67. However, the processing of biometric data is subject to a particularly restrictive regime, and its processing is prohibited as a rule (cf. Article 9(1) of the GDPR), although, exceptionally, such processing is permitted only on the basis of one of the grounds for lawfulness set out in Article 9(2) of the GDPR.
O8. Going through this list, only consent is, in the abstract, the basis for lawfulness that can be included in the treatment analysed here.
69. However, given the nature of the data in question, this consent must also be ensured with greater care, endeavouring to guarantee that it is free, informed, unequivocal and explicit, always in the light of the specific purposes that may justify it, as is clear from the combined provisions of Article 4(11), Article 7 and Article 9(2)(a) of the GDPR.
70. The mere reference to documents or information, which are essential to the formation of the holder's identity, to successive layers of information, plus the fact that some of the information provided is in |The information provided to data subjects under Article 12(0) of the GDPR does not fulfil the requirements of accessibility of the information provided to data subjects. The information provided to data subjects under Article 13 o f the GDPR is therefore deemed to be deficient.
71. Thus, in the case under analysis, the consequence of insufficient information on the processing of biometric data is, from the outset, a serious breach of the legal duties incumbent on the controller, which directly affects the principle of transparency set out in Article 5(1)(a) of the GDPR, jeopardising the validity of the consent obtained, as it does not constitute informed consent.
72.What's more, there is no reference to or information about the specific purposes that would justify this processing of data in view of the creation of World ID, which is truly undefined in its object - referring to a set of supposed abstract advantages of verifying human identity in a world dominated by artificial intelligence (AI), which would always genetically jeopardise any free and informed consent that could authorise the transfer of especially sensitive data, because it does not represent any e!ement that would make it possible to issue a conscious declaration of will, to be gauged in relation to the present and future, and controllable/d0lTli0aVable uses of the personal data in question, which are unambiguous and permanent.
73. Added to this is the fact that, at the time of collection, no information was given to the data subject about the right to revoke their consent, as a result of the legal obligation laid down in Article 13(2)(c) of the GDPR, when the data processing is based on Article 9(2)(a) of the GDPR, as in this case.
74. Therefore, the information provided is not sufficient to freely and consciously determine the decision to dispose of personal data by its owner, particularly when particularly sensitive and specially protected data is involved.
ii. From the treatment of sensitive data to semen
75. These reasons are even more obvious when sensitive personal data of minors is involved.
76. In fact, as mentioned above in point 35, when signing up to the biometric data collection procedure there is no mechanism for verifying the age of the subscriber, and the Orb operator does not take the care required to confirm age, namely by showing an identification document.
77. It must be said from the outset that minors, lacking the legal capacity to do so (cf. Article 123 of the Civil Code), do not even have the autonomy to give their consent, even if the data processing is signalled as having been consented to by them.
78. In fact, minors, as particularly vulnerable people, are the object of special protection by national and European legislators, and there are no exceptions to this principle, unless there is a legal provision.
79. All this is aggravated by the fact that, as mentioned above, the deletion of some data is not allowed and processing continues after consent has been revoked, making the damage resulting from the illegality irreparable.
80. It should also be emphasised that the impossibility of exercising the right to erasure is expressly mentioned in the Woridcoin Foundation's "Sensitive Biometric Data Consent Form", which reads: "[I]f you decide to sign up for an Orb we will create a unique iris code [...] that can no longer be deleted (if we deleted it, the proof of exclusivity would not work)"**.
81. This impossibility of exercising the right to erasure was also reiterated to the general public via television by the Regional Director of TFH, which acts as a subcontractor for the Worldcoin Foundation, who declared "(...) this data will be erased. Not the 'iris code', because this, again, the iris code, is what proves humanity40 i.e. the 'iris code' is personal data that can never be erased, in violation of the right to erasure provided for in Article 17 of the GDPR.
82. This denial of the guarantee of the right to erasure, assumed by the data controller, is also reflected in the impossibility of guaranteeing the right to revoke consent, insofar as if the data subject were to exercise this right, the consequence would be the erasure of the data, pursuant to point b) of Article 17(1) of the GDPR. Therefore, there would also appear to be a violation of Article 7(3) of the GDPR. It should be noted that the holders of personal data concentrate in themselves a set of fundamental, inalienable rights which are enshrined, since Iogo, in Article 8 of the Charter of Fundamental Rights of the European Union (CDF\EJE) and in Article 35 of the Constitution of the Portuguese Republic (CRP), as well as being recognised in Article 16 of the Treaty on the Functioning of t h e European Union.
83. The right to the protection of personal data must also be combined with other related fundamental rights, such as the right to privacy, personal identity, genetic identity of the human being, personality development, good name, reputation and image (Article 26 of the CRP), as well as the principle of equality (Article 13 of the CRP) and the right to freedom (Article 27 of the CRP) - constitutional rights, freedoms and guarantees that take on particular relevance both in physical reality and in a digital environment.
84. In short, as recital 38 of the GDPR states, "children deserve special protection with regard to their personal data, since they may be less aware of the risks, consequences and guarantees involved and of their rights in relation to the processing of personal data".
39 Cf. Document "Worldcoin.consent form.pdf", attached to the case file.
4* According to Ricardo Macieira's statements broadcast by TVI's Jornal Nacional on 13/3/2024.
iii. The necessity and urgency of temporarily limiting treatment
85. The dozens of reports received by the CNPD between 18 February 2024 and 15 March 2024,6 0 C00tinuous fIUx0 of reports submitted in recent days, indicate that the processing of biometric data has not complied with all the legal requirements of the GDPR.
8b. The fact that biometric data of minors is currently being collected as part of the Worldcoin project, without the consent of their legal representatives, would in itself justify a g0f action by the CNPD to protect the rights, freedoms and guarantees of this category of data subjects, who deserve special protection, given the obvious illegality.
87 However, the CNPD's knowledge that the biometric data of minors has been collected and is being processed, under the conditions and for the purposes described above, in exchange for the receipt of virtual currency, and without the possibility of deleting some of the data, undoubtedly imposes, the increased need for urgent action by the CNPD to prevent violations of the fundamental right to the protection of personal data, which would otherwise be impossible or difficult to remedy, or would allow the perpetuation of biometric data collection without the necessary guarantee of compliance with all legal requirements.
88. In view of the overall phenomenon, the CNPD is also aware that similar reports and alleged illegalities are widespread and common in other European Union countries, where the Worldcoin Project is taking place and biometric data is being collected.
89. In recent weeks, there has been a proliferation of news and statements in the media from various citizens who have signed up to the service, confirming the verisimilitude of the facts reported to the CNPD and generating significant social alarm.
90. The obvious upward trend in the number of people willing to provide their biometric data in order to receive cryptocurrency, demonstrated by the Worldcoin Foundation's own statistics, combined with the increase in the number of data collection sites, boosting the number of minors who may give up their personal data, reinforces the need for the CNPD to act swiftly, before the investigation process is concluded and the final decision issued.
91. The CNPD's duty to act is supported by the case law of the Court of Justice of the European Union (CJEU), which emphasises that when the data subject does not benefit from an adequate level of protection, the supervisory authority is obliged, under EU law, to react appropriately in order to remedy the shortcoming, regardless of the origin or nature of the shortcoming. In this respect, Article 58(2)(d) of the Treaty on the Functioning of the European Union provides In this regard, Article 58(2) of the GDPR lists the different powers of correction that the supervisory authority may exercise. It is up to this supervisory authority to choose the appropriate means to fulfil its role of ensuring full compliance with this regulation with all the diligence required. This is clear from the recent CJEU ruling of 14 March 2024 and the case law cited therein*1
92. All things considered, the risk to the fundamental right to the protection of the personal data of its holders, in an extremely sensitive dimension, is extremely high, justifying its prevalence over others and the interest that underlies it, namely economic, and justifies the urgent intervention of the CNPD, insofar as the potential unlawfulness of this processing will produce damage that is difficult to repair to the rights and freedoms of the data subjects, particularly when they are minors.
93. In order to determine the urgency of precautionary measures, it must be taken into account that the purpose of Interim relief is to guarantee the effectiveness of the future final decision. Urgency must therefore be assessed in the light of the need to adopt such measures in order to prevent serious or irreparable damage, as is clear from the case law of the CJEU4 2.
94. In the present case, given the complexity of the ongoing investigation, due to the technological issues inherent in the Worldcoin Project, the need for additional diligence, as well as the participations that have recently been added to it, in the impossibility of adopting a final decision in a timely manner, the urgency and need for the CNPD to adopt a provisional measure, under its powers of correction, is fully justified.
95. In view of these circumstances, under the powers of correction conferred on it by Article 58(2) of the GDPR, it is deemed appropriate, necessary and proportionate to order the Worldcoin Foundation, as the data controller in question, to temporarily restrict the processing of biometric data, with regard to the processing operation for the collection of iris, eye and face data, under the terms of Article 58(2)(f) of the GDPR.
96.This measure is appropriate, as it is capable of achieving the desired end, since it interrupts the collection and subsequent processing of personal data, revealing the effectiveness of the protection of the essential contents of the fundamental right to data protection, especially the data of minors.
97. The measure is necessary because the damage to the rights affected cannot be prevented by least restrictive measure, among those set out in Article 58(2) of the GDPR.
98. Finally, the temporary limitation of data processing is also a measure that respects the principle of proportionality in the strict sense, since the damage that could result from adopting this measure does not outweigh the damage that it is intended to prevent. In fact, such a measure represents an indispensable interference in the activity of the person responsible for the treatment, justifying the limitation of their right to freedom of private economic initiative, in order to achieve the useful effect of defending the public interest in safeguarding fundamental rights.
99. In fact, as explained above, there is a well-founded fear that if this measure is not adopted, it could lead to a situation of fait accompli - it should be emphasised that once the biometric data has been provided, the processing of some data is maintained and it is not possible to delete some data - or, at the very least, causing damage that would be difficult to repair for a very large number of particularly vulnerable data subjects, such as minors and people in economic difficulty, whose biometric data is being processed without their consent being given in appropriate terms.
100. However, considering what is described in points 61, 62 and 65 of this deliberation, regarding the sensitivity of biometric data, as an unrepeatable identifying element in each human being, and the real risks of identity theft, it seems that the serious or irreparable damage resulting from this is clearly greater than the damage that the measure of temporary limitation of data processing embodied in the biometric data collection operation may bring to the Worldcoin Foundation.
IV.Decision
101. In view of the above, taking into account the established facts, the indicative evidence, and the clear urgency of the CNPD's action, in order to guarantee the immediate safeguarding of the right to the protection of personal data, a fundamental right enshrined in Article 8o of the CDFUE and Article 35 of the CRP, the CNPD resolves, under the corrective power set out in Article 58(2)(#) of the GDPR, in conjunction with Article 58(1)(b) of the GDPR, that the right to the protection of personal data shall be protected.
6 of Law No 58/2019 of 8 August 2019, and also in conjunction with Article 89(1) of the Code of Civil Procedure. Administrative Procedure:
To order the Worldcoin Foundation, within a maximum period of 24 (twenty-four) hours, to temporarily limit the processing of biometric data, as regards the processing operation for the collection of Iris, eye and face data, in the national territory (Mainland Portugal, Madeira Autonomous Region and Azores Autonomous Region), for a period of 90 (ninety) days.
102. Due to the aforementioned and sustained urgency of the temporary limitation of the processing of personal data in Portugal, the prior hearing of interested parties is waived, under the terms of Article 2(2) of the GDPR and 89 of the Code of Administrative Procedure.
103. Notify the Worldcoin Foundation of the content of this Decision:
a. In the person of its legal representative;
b. Through its data protection officer, to the e-mail address on file, under the combined provisions of Article 39(1)(e) of the GDPR and Article 112(1)(c) and (2)(a) of the Code of Administrative Procedure.
104.The contents of this decision are hereby notified to Tools for Humanity Corporation, as subcontractor of the Worldcoin Foundation, and to its German subsidiary Tools for Humanity GmbH.
1ã5. The contents of this decision should be brought to the attention of the company Needasterisk, Unipessoal, Lda, which provides the service of "Orb" Operator.
The November meeting of 25 March 2024
Paula Meira Lourenço
