Submit your iris print to “the Orb” and receive a nominal amount of digital currency, plus your very own biometrically-derived unique identifier.
This is not the plot of the latest dystopian sci-fi blockbuster, but an exchange devised by OpenAI CEO Sam Altman’s new project, Worldcoin—which aims to become the world’s leading digital identity provider.
Worldcoin says it obtains “explicit consent” to collect biometric information under the General Data Protection Regulation (GDPR). But does this arrangement meet the law’s strict definition of “consent”?
What is worldcoin?
Worldcoin has several projects, including:
- World ID (a digital identity).
- WLD (a cryptocurrency).
- World App (a consumer mobile app that provides access to the World ID and a wallet for storing WLD).
Worldcoin ultimately aims to provide “proof or personhood”: A World ID confirms that a digital actor is linked to a human being. The intention is to allow organisations to know whether a real person is using an online service, rather than a bot or a duplicate user.
Developers can integrate World ID authentication into their products using the World ID software development kit (SDK). This will allow users to log into a service using their World ID.
According to Worldcoin’s website, a user can confirm they are a real person by providing a phone number or providing their biometric information.
What are Orbs?
Worldcoin also operates “Orbs”: Cameras designed to scan people’s eyes, derive biometric information (iris prints), and transmit the information to Worldcoin.
Orbs are operated by third-party vendors (“Worldcoin Operators”) and have been established in cities across at least five European countries—France, Germany, Spain, Portugal, and the UK—together with countries in other continents, such as Japan, Mexico, and the US.
After submitting their iris scan to an Orb, a person gets a nominal amount of WLD (in the UK, £50’s worth) “simply for being a unique human”.
“The majority of humans who are alive today will receive WLD tokens, making WLD the most widely distributed digital currency,” proclaims WorldCoin’s Tokenomics blog post.
Worldcoin and the GDPR
Worldcoin faces scrutiny from several European data protection authorities (DPAs).
So what are some of the potential GDPR issues with the Worldcoin project?
Biometric Information is Special Category Data
Under the GDPR, biometric information used to identify a unique individual is one of the “special categories of personal data”.
You always need a legal basis for processing personal data. These come from Article 6 of the GDPR.
And on top of that requirement, you need an additional lawful basis under Article 9 of the GDPR before you can process special category data.
Worldcoin’s privacy notice states: “When it comes to your biometric data, we ask for your explicit and informed consent”.
This suggests that the company is relying on Article 9 (2) (a): “the data subject has given explicit consent to the processing of those personal data for one or more specified purposes”.
But is “explicit consent” the right legal basis for submitting your iris print to an Orb?
Consent under the GDPR
Article 9’s requirement that consent is “explicit” comes on top of the GDPR’s usual consent requirements, set out at Article 4 (11) and Article 7.
In summary, these provisions require that a person’s consent must be:
- Freely given
- Given via a clear, affirmative action
- Easy to withdraw
Worldcoin should be able to clear most of these GDPR compliance hurdles by:
- Ensuring people understand what they are consenting to.
- Asking people to clearly signify their agreement to the processing.
- Not “bundling” the request for consent to collect biometric information with requests for consent for other purposes.
But one consent condition in particular could be a problem for Worldcoin.
Freely given consent
Consent must be “freely given”: The person must be making a free choice to consent.
Worldcoin’s Biometric Data Consent Form says that if a person does not provide their iris print, they will not get their WLD and will not be able to establish a “unique, portable identity”.
Article 7 (4) of the GDPR states that when assessing whether a person’s consent is “freely given”, one factor is whether “the provision of a service.. is conditional on consent”.
Recital 42 of the GDPR says: “Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment”.
The questions for Worldcoin are:
- Is my consent “freely given” if I receive £50 (of cryptocurrency) and a digital identity in exchange for consenting?
- If I refuse to consent and do not get the £50 or the digital identity, is this a detriment?
In Worldcoin’s defence, it might be argued that the choice is simple: Don’t consent unless you want to. Do you really need £50 of an obscure cryptocurrency, and an as-yet unrecognised digital identity?
But consider whether this defence will apply if Worldcoin becomes, as is its aim, “the largest privacy-preserving identity and financial network”.
If WLD becomes a widely-accepted currency, and a World ID is required to access essential services, will Worldcoin’s consent for collecting biometric information remain “freely given”?
Similar questions arise for any organisation relying on consent.
Ensure you can demonstrate that every person’s consent meets all the GDPR’s requirements—particularly in sensitive areas such as biometric identity.