Continue reading on DataGuidance with:
Free Member
Limited ArticlesCreate an account to continue accessing select articles, resources, and guidance notes.
Already have an account? Log in
Create an account
Join our community for free to access exclusive whitepapers, reports, and regulatory information.
Portugal: CNPD temporarily bans Worldcoin from collecting biometric data for 90 days
The Portuguese data protection authority (CNPD) published, on March 26, 2024, its decision No. 2024/137, in which it imposed a temporary ban on the Worldcoin Foundation's collection of biometric data for 90 days for violation of the General Data Protection Regulation (GDPR), following an ongoing investigation.
Background to the decision
The CNPD noted that it became aware of Worldcoin's practices of collecting, on a large scale, biometric data by scanning images of people's irises, in exchange for the payment of a certain quantity in cryptocurrency. On August 10, 2023, the CNPD initiated its investigation into Worldcoin's operations to evaluate its compliance with the GDPR.
Additionally, the CNPD noted that Worldcoin collected biometric data from iris scans in several cities in Portugal and subjected the personal data collected to further processing. The biometric data was used to generate a unique identifier, the World ID, which, according to Worldcoin, will serve as a universal digital identification/passport, as both proof of a person's identity and of the fact that they are human.
Findings of the CNPD
In its preliminary evaluation, the CNPD highlighted the following failings in Worldcoin's operations:
- the collection of biometrics of minors without their legal representatives' consent;
- the lack of an age verification mechanism;
- the impossibility of exercising the right to erasure;
- the impossibility of exercising the right to withdraw consent; and
- the lack of information provided to data subjects.
The CNPD further found that Worldcoin failed to collect informed consent for processing biometric data and to provide a means for withdrawing consent, in violation of Articles 5(1)(a) and 13(2)(c) of the GDPR.
Moreover, regarding the impossibility of exercising the right to erasure, the CNPD found that Worldcoin acted in violation of Article 17 of the GDPR, and consequently, Article 7(3) of the GDPR.
Outcomes
In light of the above, and given the risk to the data subject's rights, the CNPD decided to prohibit Worldcoin from collecting biometric data for a period of 90 days.
The decision, however, is not finalized and the CNPD noted that it will conclude its investigation and issue a final decision.
You can download the decision here and read CNPD's press releases here and here.
Send us your Feedback!
Please let us know what you think of DataGuidance! It will only take 60 seconds and help us make the site better for you.
