Sam Altman, the founder of OpenAI, knows how to get the attention of regulators. His Worldcoin project is in the crosshairs of many personal data protection authorities. Its operation is enough to trigger some alarms.
Worldcoin offers tamper-proof digital IDs. And to achieve this, it operates an Orb, a device whose function is to scan, therefore record, a copy of the iris of users. It thus collects biometric data, which is very sensitive under the GDPR.
Impromptu visit to the Parisian site
At the end of July, the Cnil joined several of its counterparts in opening an investigation. And according to Politico, a delegation from the Commission made a surprise visit to the Paris premises of Worldcoin located in the 3rd arrondissement last week.
Users can go there to have their eyeball scanned. The orb center of the American startup, installed in a coworking space, therefore received a visit from representatives of the CNIL. On this occasion, they wanted to interview a senior executive.
The members of the Cnil were able to meet the head of Worldcoin’s operations in France – which have similar centers in other European cities, and in particular in Germany, Portugal, Spain and the United Kingdom.
The Cnil has not expressed itself publicly on this impromptu meeting on the Parisian site of Worldcoin nor on the lessons learned from its exchanges with the framework of the startup. This initiative is a continuation of the investigation opened a few weeks earlier.
The legality of the collection qualified as questionable
For the hexagonal regulator, “the legality of data collection seems questionable, as do the conditions for storing biometric data.” The investigation is carried out in collaboration with the Bavarian protection authority, leader in this file, in accordance with the GDPR.
Several aspects of Worldcoin justify the vigilance of European regulators. Given its nature and the data processed, the project should have been the subject of an impact study. With its headquarters in the Cayman Islands, the Worldcoin Foundation seems to evade this obligation.
The collection of biometric data also requires compliance with strict conditions. The survey will demonstrate whether Worldcoin complies with the rules imposed by European regulations, the GDPR.
But regulators will also seek to shed full light on the use made of biometric data and their possible transfer outside of Europe. The startup must also guarantee the rights of users to their data, including their deletion.