Garante per la protezione dei dati personali (Italy) - 9998877
Garante per la protezione dei dati personali - 9998877 | |
---|---|
Authority: | Garante per la protezione dei dati personali (Italy) |
Jurisdiction: | Italy |
Relevant Law: | Article 4(14) GDPR Article 7 GDPR Article 9(1) GDPR Article 9(2) GDPR Article 58(2)(a) GDPR |
Type: | Investigation |
Outcome: | Other Outcome |
Started: | |
Decided: | 21.03.2024 |
Published: | |
Fine: | n/a |
Parties: | Worldcoin Foundation |
National Case Number/Name: | 9998877 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Italian |
Original Source: | Garante per la protezione dei dati personali (in IT) |
Initial Contributor: | lm |
The DPA issued a warning against the Worldcoin Foundation, finding that its processing of biometric data probably lacked a legal basis under the GDPR and would likely fail to meet standards of consent, due in part to the promise of free tokens in exchange for consent.
English Summary
Facts
The Italian DPA (Garante) initiated an investigation concerning the Worldcoin Foundation’s (the controller) cryptocurrency project. The controller offers a phone application (World App) where data subjects create a digital identity profile (World ID). An in-person device called the ‘Orb,’ which scans data subjects’ irises and faces, can be used to establish a ‘verified’ World ID. In exchange for the biometric data, data subjects are offered ‘free’ Worldcoin tokens via the phone application.
During the investigation, the Garante observed that Italian citizens could download the World App, wherein they could provide personal data and claim ‘free’ tokens. The Garante noted that Orbs were not present in Italy at the time of the investigation. However, it considered that the World App’s availability anticipated the future installation of Orbs in Italy. The Garante also considered that the controller lacked age verification mechanisms for installation of World App or processing of biometric data via the Orb.
The Garante made a request for information, which the controller responded to with documentation as well as a data protection impact assessment. It asserted that its legal basis for processing biometric data was consent.
Holding
The Garante issued a warning against the controller pursuant to Article 58(2)(a) GDPR, finding that the processing of biometric data that may be carried out in Italy would likely lack legal justification under Article 9(2) GDPR and violates Article 7 GDPR consent obligations.
The Garante categorised the imaging of data subjects’ irises and faces as ‘biometric data’ pursuant to Article 4(14) GDPR. Processing of such data is generally prohibited under Article 9(1) GDPR, and the Garante cautioned that in this case consent was unlikely to suffice as a justifying legal basis pursuant to Article 9(2) GDPR. It noted that the controller provided insufficient information about risks related to processing for data subjects to form adequate consent pursuant to Article 7 GDPR. In addition, the Garante considered that the promise of free tokens adversely affected conditions for consent. It thus concluded that consent is probably an insufficient legal basis.
In addition, the Garante considered that the high risks of processing were exacerbated by the absence of filters preventing children under the age of 18 from accessing Orbs or World App.
Comment
The Garante is the third DPA to issue a decision concerning the Worldcoin Foundation after initiating an investigation. The Spanish DPA and Portuguese DPA both issued a temporary ban on the Worldcoin Foundation's processing within national territory. Unlike in Italy, the Worldcoin Foundation had already begun conducting in-person biometric processing with the Orb in both Spain and Portugal.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.
SEE ALSO Press release of 2 April 2024 [doc. web no. 9998877] Provision of 21 March 2024 (Publishing in the Official Journal) Register of measures n. 179 of 21 March 2024 THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA IN today's meeting, which was attended by prof. Pasquale Stanzione, president, Prof. Ginevra Cerrina Feroni, vice-president, Dr. Agostino Ghiglia and the lawyer. Guido Scorza, members, and the councilor. Fabio Mattei, general secretary; HAVING REGARD to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, relating to the protection of natural persons with regard to the processing of personal data, as well as the free movement of such data (hereinafter, “Regulation”); HAVING REGARD to the Code regarding the protection of personal data, containing provisions for the adaptation of national legislation to Regulation (EU) 2016/679 (Legislative Decree 30 June 2003, no. 196, as amended by Legislative Decree 10 August 2018, no. 101, hereinafter “Code”); HAVING REGARD to Guidelines 3/2019 on the processing of personal data through video devices (Version 2.0) and Guidelines 05/2022 on the use of facial recognition technologies for police tasks (Version 2.0), adopted by the European Committee for Protection of the data (hereinafter “EDPB”); NOTED that, as of July 2023, national news agencies have reported the launch of the Worldcoin project by the Worldcoin Foundation, a project based on iris scanning to verify the identity of users and linking such processing to the tools market financial, in this specific case the cryptocurrency called “WLD”. In this context, in response to the request for information formulated as part of the investigation launched by this Authority, the Company provided feedback by producing related supporting documentation, including the Data Protection Impact Assessment; HAVING NOTED, in particular, the fact that the iris scan takes place through an instrument called "Orb" which uses the face and ocular structure of an individual to create a unique identification code, the so-called “IrisCode”; once the iris has been scanned and the aforementioned IrisCode has been saved, the Orb creates an ID for each user worldwide (World ID), eliminating the collected image; Furthermore, NOTED that the Worldcoin ecosystem also consists of the World App which allows user verification by exchanging the public identification key with the Orb via a QR code generated by the App itself and making the World ID available to each user and WLDs redeemed or purchased; NOTING, again, that the consent required for the processing of biometric data is also extended to the automated decision-making process underlying the authentication of individuals and that the same consent is necessary to redeem the free WLD tokens offered in exchange by the data controller; HAVING NOTED that, currently, the Orbs are not present in Italy but that Italian citizens can already download the World App from the app stores, provide the relevant personal data and reserve their free WLD tokens and that the availability of the App from the territory Italian could bring forward the installation of ORBs in Italy; Furthermore, NOTED that there is no mechanism for verifying the age of users during iris acquisition or installation of the App; this, despite the fact that the Worldcoin ecosystem and the World App are not intended for children under 18; CONSIDERING that the art. 4 point 14) of the Regulation defines «biometric data» as “personal data obtained from a specific technical processing relating to the physical, physiological or behavioral characteristics of a natural person which allow or confirm univocal identification, such as facial image or data dactyloscopic". From the information available regarding the Orbs and the creation of the IrisCode, it appears that the data processed in this way falls within the definition of biometric data; CONSIDERING that the art. 9 of the Regulation imposes a general prohibition on the processing, among others, of "biometric data intended to uniquely identify a natural person", except for the exceptions provided for in the following paragraph. 2 and, in particular, to letter. a) which refers to the explicit consent of the interested party. Furthermore, the following par. 4 provides that “Member States may maintain or introduce further conditions, including limitations, with regard to the processing of genetic data, biometric data or data relating to health”; CONSIDERING that, in implementation of this last provision, the Code has expressly provided for a hypothesis of biometric data processing, with reference to the obligations of the art. 32 of the Regulation, which allows its use with regard exclusively to the procedures for physical and logical access to data by authorized parties (art. 2-septies, paragraph 7). CONSIDERING furthermore that according to recital 51 of the Regulation "Such personal data [biometric data] should not be subject to processing, unless processing is permitted in the specific cases referred to in this Regulation [...]" and that "In addition to the requirements specific to such processing, the general principles and other rules of this Regulation should apply, in particular as regards the conditions for lawful processing”; CONSIDERING that according to recital 39 of the Regulation "It is appropriate that natural persons are made aware of the risks, rules, guarantees and rights relating to the processing of personal data" and that, in the present case, this need appears more pressing for the presence of high risks linked to the processing of biometric data of interested parties, potentially even minor ones; CONSIDERING that “The use of biometric data, in particular facial recognition, entails greater risks for the rights of interested parties. It is essential that the use of these technologies occurs in due respect of the principles of lawfulness, necessity, proportionality and data minimization enshrined in the GDPR. Although the use of these technologies may be perceived as particularly effective, data controllers should first assess the impact on fundamental rights and freedoms and consider less intrusive means of achieving the legitimate purpose of the respective processing” (para. 73 , Guidelines 3/2019) and that "the processing of biometric data, in all circumstances, constitutes in itself a serious interference" (Guidelines 05/2022); CONSIDERING that, from the information sent by the company - following the request made by the Authority - and from that available on the website https://worldcoin.org/, the processing of biometric data is based on the legal basis of the consent of the interested parties which is requested in the face of information which, at present, does not appear to provide information regarding the risks associated with the processing of this type of data; CONSIDERING, therefore, that, in the specific case, users do not appear to have sufficient information available to guarantee them full awareness of the high risks associated with the processing of their biometric data; CONSIDERING that, in this context of lack of transparency, the consent for the processing of the biometric data of the interested parties could not satisfy the requirements required by the Regulation and that, therefore, it could not constitute an adequate legal basis for the processing; Furthermore, CONSIDERING that the promise of free WLD tokens by the data controller negatively impacts the existence of the conditions for consent prescribed by the Regulation (art. 7); CONSIDERING, furthermore, that the high risks of the processing indicated above are further amplified by the absence of filters to prevent access to the Orbs and the World App to minors under the age of 18; HAVING RECOGNIZED, therefore, the need to address, pursuant to art. 58, par. 2, letter. a), of the Regulation and of the art. 154, paragraph 1, letter. f), of the Code, a warning towards Worldcoin Foundation, as data controller, on the fact that the processing of biometric data that should be carried out in Italy, through the ORBs and with the methods described above, can probably violate the provisions of the Regulation, with all the consequences, including sanctions, provided therein; CONSIDERED appropriate, for the same reasons explained above, to provide, pursuant to art. 154-bis, paragraph 3, of the Code, the publication of this provision in the Official Journal of the Italian Republic; HAVING SEEN the documentation in the documents; GIVEN the observations made by the general secretary pursuant to art. 15 of regulation no. 1/2000; SPEAKER prof. Pasquale Stanzione; ALL THIS CONSIDERING THE GUARANTOR: pursuant to art. 58, par. 2, letter. a), of the Regulation and of the art. 154, paragraph 1, letter. f), of the Code, warns Worldcoin Foundation, with headquarters in Suite 3119, 9 Forum Lane, Camana Bay, PO Box 144, George Town, Grand Cayman KY1-9006, Cayman Islands, as data controller of personal data, that the processing of biometric data that may be carried out in Italy, through the ORBs and with the methods described above, may likely violate the provisions of the Regulation; pursuant to art. 154-bis, paragraph 3, of the Code provides for the publication of this provision in the Official Journal of the Italian Republic. Rome, 21 March 2024 PRESIDENT Stantion THE SPEAKER Stantion THE GENERAL SECRETARY Mattei SEE ALSO Press release of 2 April 2024 [doc. web no. 9998877] Provision of 21 March 2024 (Publishing in the Official Journal) Register of measures n. 179 of 21 March 2024 THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA IN today's meeting, which was attended by prof. Pasquale Stanzione, president, Prof. Ginevra Cerrina Feroni, vice-president, Dr. Agostino Ghiglia and the lawyer. Guido Scorza, members, and the councilor. Fabio Mattei, general secretary; HAVING REGARD to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, relating to the protection of natural persons with regard to the processing of personal data, as well as the free movement of such data (hereinafter, “Regulation”); HAVING REGARD to the Code regarding the protection of personal data, containing provisions for the adaptation of national legislation to Regulation (EU) 2016/679 (Legislative Decree 30 June 2003, no. 196, as amended by Legislative Decree 10 August 2018, no. 101, hereinafter “Code”); HAVING REGARD to Guidelines 3/2019 on the processing of personal data through video devices (Version 2.0) and Guidelines 05/2022 on the use of facial recognition technologies for police tasks (Version 2.0), adopted by the European Committee for Protection of the data (hereinafter “EDPB”); NOTED that, as of July 2023, national news agencies have reported the launch of the Worldcoin project by the Worldcoin Foundation, a project based on iris scanning to verify the identity of users and linking such processing to the tools market financial, in this specific case the cryptocurrency called “WLD”. In this context, in response to the request for information formulated as part of the investigation launched by this Authority, the Company provided feedback by producing related supporting documentation, including the Data Protection Impact Assessment; HAVING NOTED, in particular, the fact that the iris scan takes place through an instrument called "Orb" which uses the face and ocular structure of an individual to create a unique identification code, the so-called “IrisCode”; once the iris has been scanned and the aforementioned IrisCode has been saved, the Orb creates an ID for each user worldwide (World ID), eliminating the collected image; Furthermore, NOTED that the Worldcoin ecosystem also consists of the World App which allows user verification by exchanging the public identification key with the Orb via a QR code generated by the App itself and making the World ID available to each user and WLDs redeemed or purchased; NOTING, again, that the consent required for the processing of biometric data is also extended to the automated decision-making process underlying the authentication of individuals and that the same consent is necessary to redeem the free WLD tokens offered in exchange by the data controller; HAVING NOTED that, currently, the Orbs are not present in Italy but that Italian citizens can already download the World App from the app stores, provide the relevant personal data and reserve their free WLD tokens and that the availability of the App from the territory Italian could bring forward the installation of ORBs in Italy; Furthermore, NOTED that there is no mechanism for verifying the age of users during iris acquisition or installation of the App; this, despite the fact that the Worldcoin ecosystem and the World App are not intended for children under 18; CONSIDERING that the art. 4 point 14) of the Regulation defines «biometric data» as “personal data obtained from a specific technical processing relating to the physical, physiological or behavioral characteristics of a natural person which allow or confirm univocal identification, such as facial image or data dactyloscopic". From the information available regarding the Orbs and the creation of the IrisCode, it appears that the data processed in this way falls within the definition of biometric data; CONSIDERING that the art. 9 of the Regulation imposes a general prohibition on the processing, among others, of "biometric data intended to uniquely identify a natural person", except for the exceptions provided for in the following paragraph. 2 and, in particular, to letter. a) which refers to the explicit consent of the interested party. Furthermore, the following par. 4 provides that “Member States may maintain or introduce further conditions, including limitations, with regard to the processing of genetic data, biometric data or data relating to health”; CONSIDERING that, in implementation of this last provision, the Code has expressly provided for a hypothesis of biometric data processing, with reference to the obligations of the art. 32 of the Regulation, which allows its use with regard exclusively to the procedures for physical and logical access to data by authorized parties (art. 2-septies, paragraph 7). CONSIDERING furthermore that according to recital 51 of the Regulation "Such personal data [biometric data] should not be subject to processing, unless processing is permitted in the specific cases referred to in this Regulation [...]" and that "In addition to the requirements specific to such processing, the general principles and other rules of this Regulation should apply, in particular as regards the conditions for lawful processing”; CONSIDERING that according to recital 39 of the Regulation "It is appropriate that natural persons are made aware of the risks, rules, guarantees and rights relating to the processing of personal data" and that, in the present case, this need appears more pressing for the presence of high risks linked to the processing of biometric data of interested parties, potentially even minor ones; CONSIDERING that “The use of biometric data, in particular facial recognition, entails greater risks for the rights of interested parties. It is essential that the use of these technologies occurs in due respect of the principles of lawfulness, necessity, proportionality and data minimization enshrined in the GDPR. Although the use of these technologies may be perceived as particularly effective, data controllers should first assess the impact on fundamental rights and freedoms and consider less intrusive means of achieving the legitimate purpose of the respective processing” (para. 73 , Guidelines 3/2019) and that "the processing of biometric data, in all circumstances, constitutes in itself a serious interference" (Guidelines 05/2022); CONSIDERING that, from the information sent by the company - following the request made by the Authority - and from that available on the website https://worldcoin.org/, the processing of biometric data is based on the legal basis of the consent of the interested parties which is requested in the face of information which, at present, does not appear to provide information regarding the risks associated with the processing of this type of data; CONSIDERING, therefore, that, in the specific case, users do not appear to have sufficient information available to guarantee them full awareness of the high risks associated with the processing of their biometric data; CONSIDERING that, in this context of lack of transparency, the consent for the processing of the biometric data of the interested parties could not satisfy the requirements required by the Regulation and that, therefore, it could not constitute an adequate legal basis for the processing; Furthermore, CONSIDERING that the promise of free WLD tokens by the data controller negatively impacts the existence of the conditions for consent prescribed by the Regulation (art. 7); CONSIDERING, furthermore, that the high risks of the processing indicated above are further amplified by the absence of filters to prevent access to the Orbs and the World App to minors under the age of 18; RECOGNIZED, therefore, the need to address, pursuant to art. 58, par. 2, letter. a), of the Regulation and of the art. 154, paragraph 1, letter. f), of the Code, a warning towards Worldcoin Foundation, as data controller, on the fact that the processing of biometric data that should be carried out in Italy, through the ORBs and with the methods described above, can probably violate the provisions of the Regulation, with all the consequences, including sanctions, provided therein; CONSIDERED appropriate, for the same reasons explained above, to provide, pursuant to art. 154-bis, paragraph 3, of the Code, the publication of this provision in the Official Journal of the Italian Republic; HAVING SEEN the documentation in the documents; GIVEN the observations made by the general secretary pursuant to art. 15 of regulation no. 1/2000; SPEAKER prof. Pasquale Stanzione; ALL THIS CONSIDERING THE GUARANTOR: pursuant to art. 58, par. 2, letter. a), of the Regulation and of the art. 154, paragraph 1, letter. f), of the Code, warns Worldcoin Foundation, with headquarters in Suite 3119, 9 Forum Lane, Camana Bay, PO Box 144, George Town, Grand Cayman KY1-9006, Cayman Islands, as data controller of personal data, that the processing of biometric data that may be carried out in Italy, through the ORBs and with the methods described above, may likely violate the provisions of the Regulation; pursuant to art. 154-bis, paragraph 3, of the Code provides for the publication of this provision in the Official Journal of the Italian Republic. Rome, 21 March 2024 PRESIDENT Stantion THE SPEAKER Stantion THE GENERAL SECRETARY Mattei