Worldcoin directed by HK data privacy regulator to cease operations

Worldcoin

An important component of Worldcoin’s business is its “World ID”, which is a registered digital identity created by collecting participants’ face and iris images through iris scanning by an “Orb” (a physical imaging device). After creating a World ID at physical Orb Operators (six of which were in Hong Kong), participants gain access to the Worldcoin cryptocurrency token (called “Worldcoin” or “WLD”), which is tradeable like other cryptocurrencies.

Contravention of PDPO – PCPD’s findings

After investigations, the PCPD found that Worldcoin had contravened the DPPs of the PDPO below for the following reasons:

DPP 1(1): Purpose of collecting personal data

Given that iris scanning already fulfilled the purpose of verifying the “humanness” of the participants, the PCPD’s view was that scanning and collection of face images was not required. In any event, both the collection of face and iris images were not necessary and were excessive, because there were less privacy-intrusive means to verify a participant’s identity.

DPP 1(2): Manner of personal data collection

PCPD concluded that Worldcoin failed to provide adequate information to participants to enable them to make an informed choice or give a real consent, because (a) Worldcoin’s “Privacy Notice” and “Biometric Data Consent Form” (“Worldcoin’s Documents”) were not made available in Chinese, (b) the Orb Operators did not offer any explanation and did not confirm the participants’ understanding of Worldcoin’s Documents, (c) Worldcoin’s Documents did not inform the participants of the possible risks regarding the disclosure of biometric data, and (d) no age verification was conducted at the Orb Operators before the collection of biometric data from the participants.

DPP 1(3): Data users’ right to be informed

PCPD concluded that Worldcoin failed to inform participants (a) of the purpose for which their personal data was to be used, (b) whether it was obligatory to supply the personal data, (c) of the classes of persons to whom their personal data may be transferred, and (d) of the right and means to request access to and to correct their personal data.

DPP 2(2): Retention of personal data

PCPD concluded that Worldcoin’s policy was to retain participants’ biometric data for ten years to train its AI models for its user verification process. The retention of personal data of participants for such a prolonged period was not justified.

DPP 5: Insufficient transparency of personal data policy and practices

At the material time, Worldcoin’s Privacy Notice was not available in Chinese.

DPP 6: Rights of data access and correction

PCPD concluded that the “Biometric Data Consent Form” did not provide the means for the participants to access and correct its personal data.

Takeaway points

This case shows PCPD’s proactive attitude in investigating potential contraventions of requirements under the PDPO, as well as the PCPD’s wide investigation and enforcement powers under the PDPO.

As consumers are becoming more careful and aware about their data privacy rights, and regulators are more proactive in policing potential data privacy breaches, companies which handle or collect personal data, especially sensitive or biometric data, should make sure that their practices and polices comply with the requirements under the PDPO, including the DPPs. The PCPD’s “Guidance on Collection and Use of Biometric Data” should be referred to before a company decides to collect biometric data, e.g. DNA samples, fingerprints, palm veins, hand geometry, iris, retina and facial images.

As this case also demonstrates, compliance with data privacy laws is so important that it can affect whether or not a company’s operations remain viable.

While there is no legal requirement under Hong Kong law for companies to appoint a data protection officer, it would be good practice^[1] for a senior executive (for a major corporation) or the owner/operator (for a small organisation) to act as the data protection officer to oversee the company’s compliance with the PDPO and implementation of personal data policies. 

[1] According to the “Privacy Management Programme: A Best Practice Guide” published by the PCPD.