Data Breach in Hong Kong: Worldcoin Had to Stop Its Operations
Hong Kong's Personal Data Privacy Commissioner (PCPD) has concluded its investigation, stating that cryptocurrency project Worldcoin's activities violate the city's personal data protection laws. In a notice dated May 22, PCPD Commissioner Ada Chung Lai-ling issued a mandatory enforcement notice to Worldcoin, ordering the iris scanning devices used as part of the project to immediately stop collecting iris and facial images of the public.
PCPD launched an investigation in January 2024 to investigate whether Worldcoin’s authentication methods pose serious risks to the privacy of citizens’ personal data and breach the requirements of the Personal Data (Privacy) Regulation (PDPO). As part of the investigation, secret visits were made to six different workplaces where the Worldcoin project was carried out from December 2023 to January 2024.
According to the findings of the investigation, iris scanning device operators were already able to verify on-site whether participants were real people. In this case, collecting facial images was considered an unnecessary step. PCPD found that Worldcoin’s data collection practices violated PDPO’s data minimization policy. This principle requires collecting only the minimum amount of personal data necessary.
Aside from issues with data collection practices, PCPD also criticized Worldcoin for its lack of informing participants. The investigation revealed that Worldcoin’s privacy notice was not available in Chinese. This meant that participants who did not speak English were not informed about what data was collected from them and how this data was used and stored during their participation in the project. PCPD also found that iris scanning device operators did not tell participants about the risks associated with giving their biometric data or answer questions. These deficiencies prevented participants from making informed decisions and meant that true consent was not obtained.
PCPD stated that Worldcoin’s retention of sensitive biometric data, such as iris and facial images, for up to 10 years for AI model training also violates PDPO’s data retention policies. This principle requires that personal data be stored only for as long as necessary. Worldcoin confirmed that the faces and irises of 8,302 people were scanned during its operations in Hong Kong. This indicates a potentially serious risk of data breach.
The Worldcoin project has faced privacy concerns since it was announced in 2021. The project managed to attract more than two million people before its official launch in July 2023. However, a lack of privacy transparency led to the suspension of services in Kenya and the discontinuation of iris scans in India. Finally, the investigation launched by the Hong Kong Personal Data Privacy Commissioner highlights Worldcoin’s problems in complying with global data protection regulations. This situation may set an important precedent for the future of the project and similar cryptocurrency projects to fulfill their obligations regarding the protection of personal data.
