Spain’s Data Authority Orders Immediate Block of Worldcoin Over Iris-Scan Controversy
Spain’s Agencia Española de Protección de Datos (AEPD) has mandated the urgent suspension of Worldcoin, the high-profile project known for offering cryptocurrency in exchange for iris scans. For the first time, the privacy watchdog has activated an emergency procedure that requires Tools for Humanity, the company behind the initiative, to instantly cease data processing and to block all data captured on Spanish soil. This move signals a strong stance on biometric data collection and user consent in Europe.
In a recent decision, the AEPD invoked Article 66.1 of the General Data Protection Regulation to impose a temporary six-month block that could be extended. The regulator determined that Worldcoin is not obtaining valid consent because users are not given enough information nor are they able to exercise their rights, including withdrawing consent or requesting deletion of data already collected. The ruling underscores the emphasis on informed consent and data subject rights in biometric schemes that rely on highly sensitive personal data.
Worldcoin, a startup founded in 2019 by Sam Altman, the chief executive of OpenAI, aims to build “the largest financial and identity network in the world” by identifying users online. The project uses ocular scans—the iris—as a unique, personal, and non-transferable biometric marker that is transformed into a digital identity code. Worldcoin asserts that iris-derived data are later discarded to prevent privacy issues, turning biometric data into a masked, anonymous identifier that can function like a digital ID.
AEPD’s assessment highlights that the company’s operations carry notable risks. As reported by local outlets, the Spanish data protection authority had previously received several complaints, including from Catalonia, which were being analyzed as part of ongoing investigations into Worldcoin’s practices. These concerns reflect a wider scrutiny of biometric data collection methods across jurisdictions that have strict consent and transparency requirements for processing such sensitive information.
Although Worldcoin has operated in Spain since mid-2023, the controversy reignited earlier this year when crowds queued at shopping centers across the country to join the program. Many participants were drawn not by a desire to advance the project’s stated mission but by the incentive of roughly 30 euros in cryptocurrency offered for iris scans. The Worldcoin app functions as a digital wallet, enabling payments or transfers with digital assets. The company has claimed to have enrolled nearly 3.5 million people globally and around 300,000 in Spain, figures that have been contested amid the regulatory scrutiny.
The Catalan Data Protection Authority (APDCAT) warned that handling biometric data such as the iris “poses a high risk to the rights and freedoms of individuals.” It also stressed that any such processing must rely on informed consent. In this evolving regulatory landscape, authorities stress that biometric systems cannot be rolled out without robust transparency, explicit consent, and channels for users to exercise rights quickly and effectively. The broader implication is clear: biometric identity schemes must align with rigorous privacy safeguards and user rights regimes across diverse jurisdictions. (Source attribution: AEPD communications and APDCAT guidance, 2024)