The Office of the Privacy Commissioner for Personal Data (PCPD) in Hong Kong recently concluded an extensive investigation into the Worldcoin project. Initiated in January 2024, this inquiry scrutinized the project’s identity verification methods, particularly the use of iris scanning technology, which raised significant concerns regarding the protection of personal data under the city’s Personal Data (Privacy) Ordinance (PDPO).
Findings and Actions Taken
Privacy Commissioner Ada Chung Lai-ling, on May 22, issued an enforcement notice to Worldcoin, mandating an immediate cessation of all operations in Hong Kong that involve scanning and collecting iris and facial images of the public. The decision came after the PCPD identified several critical issues with how Worldcoin managed the personal data of participants, violating multiple principles set forth in the PDPO.
Methodology of Investigation
The investigation included 10 covert visits to six different premises linked to the Worldcoin project between December 2023 and January 2024. These visits aimed to evaluate the necessity and legality of the data collection practices employed by Worldcoin, particularly the collection of facial images alongside iris scans.
The PCPD found that the collection of facial images was redundant, as the operators at these locations could verify the humanness of participants without needing to scan their faces. Additionally, the investigation highlighted significant lapses in informing participants about the privacy implications of the data collection:
- Inadequate Information Provision: Worldcoin failed to adequately inform participants about the data collection processes, hindering their ability to make informed decisions.
- Language Barrier Issues: The privacy notice provided by Worldcoin was not available in Chinese, leaving non-English speaking participants without a clear understanding of the project’s terms and conditions.
- Lack of Informed Consent: Operators did not sufficiently explain the documents related to data collection or address potential risks associated with biometric data disclosure.
As a result of these findings, the PCPD declared the collection of face and iris images by Worldcoin to be both unfair and unlawful, constituting a violation of Hong Kong’s data protection laws. The ruling also criticized Worldcoin’s practice of retaining sensitive biometric data for up to 10 years solely for AI model training, deeming it unjustified.
Worldcoin has faced scrutiny from regulators worldwide due to its data handling practices. The project, which was announced in 2021 and officially launched in July 2023, has already seen regulatory actions in other countries, including service suspensions in Kenya and pauses on iris scans in India due to privacy concerns.
During its operation in Hong Kong, Worldcoin scanned the faces and irises of 8,302 individuals for verification purposes. This extensive collection of sensitive personal data without adequate safeguards or clear consent has contributed to the heightened regulatory responses.
The enforcement action against Worldcoin by Hong Kong’s PCPD underscores the increasing global emphasis on protecting personal data, especially biometric data, within the framework of advancing technologies. The case serves as a pivotal example of the need for transparency, proper consent, and legal compliance in data collection practices, particularly in sectors involving sensitive personal information.
Featured image credit: Neerav Bhatt via Flickr