Gov’t orders Worldcoin to halt operations over data privacy violation

Authorities said the collection of face and iris images were excessive.

The Worldcoin Project, which was set up by OpenAI chief Sam Altman, was ordered to stop its operations after the Office of the Privacy Commissioner for Personal Data (PCPD) concluded that it had breached the country’s Personal Data (Privacy) Ordinance.

An enforcement notice has been served to Worldcoin Foundation, “directing it to cease all operations of the Worldcoin project in Hong Kong in scanning and collecting iris and face images of members of the public using iris scanning devices,” PCPD said. 

Launched last July in Hong Kong, the cryptocurrency project generates a private digital identity for its users called the World ID after collecting their iris images. However, some countries have expressed concern over the use of an individual’s personal data.

Worldcoin said it has collected information from 8,302 Hong Kongers during its operation in the country. 

According to PCPD, it conducted 10 covert visits from December 2023 to January 2024 at six premises involved in the operation of the project. These were in Yau Ma Tei, Kwun Tong, Wan Chai, Cyberport, Central, and Causeway Bay. 

Following its investigation, the PCPD said Worldcoin’s collection of face and iris images was “unnecessary and excessive.”

Authorities also found the collection of personal data unfair. 

PCPD note the “Privacy Notice” and “Biometric Data Consent Form” were not available in  Chinese, and the iris scanning device operators at the operating locations did not offer any explanation or confirmed the participants’ understanding of the aforesaid documents. Participants were also not informed about the possible risks pertaining to their disclosure of biometric data, nor answered their questions, it added.

The government said Worldcoin also lacked in informing participants about the purpose of collection, whether the supplying of data  was obligatory or voluntary, the classes of possible transferees, and the right and means to request access to and correction of their personal data.

PCPD said Worldcoin retaining personal data for 10 years for the purpose of training AI models for user verification was too long.

Furthermore, the PCPD said there was insufficient transparency of the personal data policy and practices, and that participants did not have the means to exercise their rights of data access and correction. 

ALSO READ: Ripple to issue US-backed stablecoin to bring more liquidity to XRP Ledger

Privacy Commissioner Ada Chung Lai-ling urged the public to report to authorities if Worldcoin defies the government’s order. 

In a statement, Worldcoin Foundation maintained it "operates lawfully and is designed to be fully compliant with all laws and regulations governing data collection and use, including the Personal Data (Privacy) Ordinance of Hong Kong, among many other similar statutes across other markets."

The company said it has been implementing efforts to enhance data security through data minimization, user control over data, and advanced technology such as personal custody, iris code deletion, and secure multi-party computation.

"Unfortunately, the authorities in Hong Kong overlooked these aspects in their evaluation of the humanness verification process," it said.