ICO turns its attention to Worldcoin crypto project launched by ChatGPT creator

Worldcoin was launched on 24 July 2023 by OpenAI (ChatGPT creator) boss Sam Altman. It is a crypto-based project that offers participants a share of a crypto token (WLD) in exchange for their biometric data.

The underlying mission of the project is said to be “creating a globally-inclusive identity and financial network, owned by the majority of humanity”. More specifically, it states within its white paper that it aims to “increase economic opportunity, scale a reliable solution for distinguishing humans from AI online while …[creating] a potential path to AI-funded UBI [universal basic income]”.

How does it work?

It utilises an iris-scanning technology that is capable of distinguishing between human and artificial intelligence. It then issues a digital form of identification through which human participants will, in theory, receive a share of the economic dividends that are said to be produced by an AI driven economy. 

Implications from a privacy perspective

With over 2 million participants signing up to the project prior to its launch, this represents a gargantuan exercise of the processing of biometric data - this being ‘special category’, under the UK and EU data protection regulatory regimes. Special category data warrants more protection due to its sensitive nature.

Worldcoin has stated that all biometric data will be saved on a decentralised blockchain. However, the project has given rise to a number of data privacy related criticisms, including the suggestion that they may be gathering more data than is made clear (and thereby are failing to obtain valid consent).

Regulatory implications in the UK 

Whilst Worldcoin claims that it intends to comply with all regulatory regimes within the jurisdictions that it operates in, regulators are beginning to express caution.

On 31 July 2023, the ICO released a statement making the following three points:

• “Organisations must conduct a Data Protection Impact Assessment (DPIA) before starting any processing that is likely to result in high risk, such as processing special category biometric data…”
• “Organisations also need to have a clear lawful basis to process personal data. Where they are relying on consent, this needs to be freely given and capable of being withdrawn without detriment”.
• “We note the launch of WorldCoin in the UK and will be making enquiries”.

Clyde & Co comment

The brief but broad nature of the ICO’s statement has been taken by some to be indication of the fact that significant investigation is required before the implications of this crypto project are properly understood by the regulator. A similar position has also been adopted by other regulators, including in Europe. The French regulator has also commented on the legality of such data collection by Worldcoin, with the CNIL describing such activities as “questionable”. The German data protection regulator in Bavaria is also understood to have commenced investigations arising from privacy concerns. 

Whilst this new technology will invariably be met with some level of regulatory resistance, both the UK and EU have made it clear that they are ‘open for business’ in the crypto sector. Notwithstanding obvious concerns (including meeting the standard of informed consent for Worldcoin participants), when taken at face value, this could become a project of genuine social utility. Accordingly, it may find some traction in more crypto-friendly jurisdictions.