> As a result, despite the improvements already introduced, adjustments are still required to bring the company's data processing in line with the applicable provisions Among other things, the company will be obliged to provide a deletion procedure that complies with the provisions of the GDPR within one month of the decision taking effect. In addition, “Worldcoin” will be obliged to provide explicit consent for certain processing steps in the future. Moreover, the deletion of certain data records previously collected without a sufficient legal basis was ordered ex officio. The company has already received the decision and has informed us that it is going to appeal it.
The allusion to "improvements already introduced" would seem to refer (though I'm uncertain of this) to https://world.org/blog/announcements/worldcoin-foundation-un... - which was described there as "reinforced after conversations with data protection authorities focused around further biometric template protection, particularly the Bavarian Data Protection Authority (“BayLDA”), the Worldcoin Foundation’s Lead Supervisory Authority in the EU."
Cryptographic systems that ensure no single party can access data at rest, even if that party were to be compromised, corrupted, or forced to reveal secrets by law enforcement, are absolutely incredible technical achievements - but it seems that, at least in this case, they are insufficient solutions in the eyes of EU regulators. (Not a lawyer, this is not legal advice.)
I hope the stance towards cryptographic erasure evolves thoughtfully over time in general, but World's approach here, beginning to collect data for seemingly unlimited purposes before having a completed system for SMPC, was never going to be one that would lend itself towards establishing positive regulatory precedent.
https://www.lda.bayern.de/media/pm/pm2024_08_en.pdf (EN)
https://www.lda.bayern.de/media/pm/pm2024_08.pdf (DE)
Quote from the officlal English version:
> As a result, despite the improvements already introduced, adjustments are still required to bring the company's data processing in line with the applicable provisions Among other things, the company will be obliged to provide a deletion procedure that complies with the provisions of the GDPR within one month of the decision taking effect. In addition, “Worldcoin” will be obliged to provide explicit consent for certain processing steps in the future. Moreover, the deletion of certain data records previously collected without a sufficient legal basis was ordered ex officio. The company has already received the decision and has informed us that it is going to appeal it.
The allusion to "improvements already introduced" would seem to refer (though I'm uncertain of this) to https://world.org/blog/announcements/worldcoin-foundation-un... - which was described there as "reinforced after conversations with data protection authorities focused around further biometric template protection, particularly the Bavarian Data Protection Authority (“BayLDA”), the Worldcoin Foundation’s Lead Supervisory Authority in the EU."
Cryptographic systems that ensure no single party can access data at rest, even if that party were to be compromised, corrupted, or forced to reveal secrets by law enforcement, are absolutely incredible technical achievements - but it seems that, at least in this case, they are insufficient solutions in the eyes of EU regulators. (Not a lawyer, this is not legal advice.)
I hope the stance towards cryptographic erasure evolves thoughtfully over time in general, but World's approach here, beginning to collect data for seemingly unlimited purposes before having a completed system for SMPC, was never going to be one that would lend itself towards establishing positive regulatory precedent.