Sam Altman, the founder of OpenAI, knows how to do this to attract the attention of regulators. His Worldcoin project is in the crosshairs of many personal data protection authorities. Its operation is enough to trigger a few alarms.
Worldcoin offers tamper-proof digital identifiers. And to achieve this, he uses an Orb, a device whose function is to scan, therefore record, a copy of the users’ iris. He thus proceeds to the collection of biometric data, which are very sensitive with regard to the GDPR.
Impromptu visit to the Parisian site
At the end of July, the Cnil joined several of its counterparts in opening an investigation. And according to Politico, a delegation from the Commission made a surprise visit last week to the Parisian premises of Worldcoin located in the 3rd arrondissement.
Users can go there to have their eyeball scanned. The orb center of the American startup, installed in a coworking space, was therefore visited by representatives of the Cnil. On this occasion, they wished to interview a senior executive.
The members of the Cnil were able to meet the head of Worldcoin’s operations in France – which have similar centers in other European cities, and in particular in Germany, Portugal, Spain and the United Kingdom.
The Cnil has not publicly expressed itself on this impromptu meeting on the Parisian website of Worldcoin nor on the lessons learned from its exchanges with the startup executive. This initiative is a continuation of the investigation launched a few weeks earlier.
The legality of the collection qualified as doubtful
For the French regulator, “the legality of the data collection seems doubtful, as do the conditions for storing biometric data.”The investigation is being carried out in collaboration with the Bavarian data protection authority, the leader in this file, in accordance with the GDPR.
Several aspects of Worldcoin justify the vigilance of European regulators. Given its nature and the data processed, the project should have been the subject of an impact study. With its headquarters in the Cayman Islands, the Worldcoin Foundation seems to be evading this obligation.
The collection of biometric data also requires compliance with strict conditions. The investigation will demonstrate whether Worldcoin complies with the rules imposed by European regulations, the GDPR.
But the regulators will also seek to shed light on the use made of biometric data and on their possible transfer outside Europe. The startup must also guarantee users’ rights over their data, including their deletion.