German watchdog orders Worldcoin to delete illegally collected biometric data

German data protection authority (BayLDA) has issued a directive to Worldcoin, the digital identity project founded by OpenAI CEO Sam Altman, to delete biometric data collected in violation of European Union privacy laws.
The order follows an investigation into Worldcoin’s compliance with the EU’s General Data Protection Regulation (GDPR), according to Cointelegraph.
The BayLDA’s decision, announced on December 19, mandates that Worldcoin establish a GDPR-compliant data deletion procedure within one month. The ruling affects iris scans collected during the project's early rollout in the summer of 2023, when Worldcoin allegedly lacked a sufficient legal basis for gathering the data.
Strengthening User Privacy and Data Rights
Michael Will, president of BayLDA, emphasized the importance of the decision in upholding the privacy rights of Worldcoin users. "With today’s decision, we are enforcing European fundamental rights standards in favor of the data subjects," Will stated. Users will now have the "unrestricted opportunity to enforce their right to erasure" of personal biometric data.
In addition to the data deletion requirement, Worldcoin must revise its consent procedures for certain data processing activities and delete specific datasets collected during its initial launch phase. The BayLDA’s investigation also highlighted ongoing complaints regarding data protection for minors, which may prompt further regulatory scrutiny.
Worldcoin’s parent organization, the World Foundation, has appealed the ruling, seeking judicial clarification on the EU’s definition of "data anonymization."
In a blog post, the foundation argued that clearer standards for anonymization are critical to safeguarding privacy in the era of artificial intelligence. Damien Kieran, Chief Legal and Privacy Officer at Tools for Humanity (TFH), which contributed to the Worldcoin project, stated that "data anonymization, not just deletion, is essential" to protect user privacy.
As the appeal progresses, the outcome could set a precedent for how biometric data and privacy-enhancing technologies are governed across the European Union.
Byte Federal, a leading U.S. Bitcoin ATM operator, recently disclosed a data breach affecting 58,000 customers. The company reported to Maine’s attorney general that sensitive personal information may have been exposed.