Portugal’s Worldcoin ban leaves one European iris-scan market

Portugal’s data protection authority ordered a three-month halt to Worldcoin’s local biometric data collection after complaints including scans of children’s eyeballs. The move leaves Germany as the only European country where Worldcoin can currently book iris scans, while privacy authorities continue to scrutinize the project under GDPR.

WTF Index TERMINATOR
◄ Terminator 4 Idiocracy 1 ►

Mass iris-scan biometric collection, including alleged scans of children and unclear consent/deletion rights, strongly raises surveillance and control risks.

Portugal’s Worldcoin ban leaves one European iris-scan market

Worldcoin’s European footprint has narrowed again after Portugal’s data protection authority ordered a three-month suspension of the project’s local biometric data collection. The decision follows complaints about children being scanned, limited information for users, and questions over whether people can delete their data or withdraw consent.

The order puts fresh pressure on a project built around proprietary eyeball-scanning Orbs and a promise to verify “humanness” in exchange for Worldcoin, a cryptocurrency devised by the company. After Spain’s similar three-month stop-processing order earlier this month, Portugal had been one of just two European countries where Worldcoin was still operating its iris-scanning system.

What Portugal ordered

Portugal’s authority, the CNPD, said it issued the three-month ban on Worldcoin’s local operations Tuesday. The authority said the suspension was issued Monday and gave Worldcoin 24 hours to comply with the stop-processing order.

The CNPD said it acted after receiving “dozens” of complaints about Worldcoin last month. Among the concerns were claims that Worldcoin had scanned children’s eyeballs. The authority also pointed to complaints that users were not given enough information about the processing of sensitive biometric data, and that users could not delete their data or revoke consent to processing.

The child data issue is central to the regulator’s urgency. The CNPD said Worldcoin’s orb operators had no age verification in place, suggesting the company was not taking robust steps to prevent children from accessing the scanning technology.

The regulator estimated that more than 300,000 people in Portugal had submitted to iris scans through Worldcoin’s Orbs in exchange for some Worldcoin. It also said the number of locations offering eyeball scans almost doubled in six months, and that heavy demand for cryptocurrency in exchange for a scan led Worldcoin to introduce a pre-booking system in the market.

Why biometric data raises the stakes

The case turns on more than a single national ban. Worldcoin’s model depends on collecting biometric data, and the source article describes a direct tension between that model and European data protection rights.

Worldcoin uses blockchain technology to store tokens derived from scanned biometrics. According to the source, that means the system is designed to retain personal data permanently, without a route for people to erase their information later.

EU data protection law gives people in the region rights over their personal data, including the ability to have data corrected, amended, or deleted. That creates an inherent legal conflict with Worldcoin’s approach, before regulators even reach other concerns such as incentives for people to get scanned, the sensitivity of biometric data, and the project’s goal of building an identity layer for “humanness.”

The CNPD described biometric data as special data under GDPR, with increased protection and high risks in treatment. It also emphasized that minors are especially vulnerable because they may be less aware of the risks and consequences of personal data processing, as well as their rights.

Europe’s shrinking map for Worldcoin

Before Portugal’s order, Spain had already imposed a similar three-month stop-processing order earlier this month. Worldcoin failed to get an injunction against the Spanish order, although its appeal continues.

After Spain’s ban, Portugal was one of just two European countries where Worldcoin’s Orbs were still operating. With Portugal now under a temporary suspension, Germany is the only European country where Worldcoin is currently able to harvest biometrics.

The Worldcoin.org website no longer includes Portugal among the countries where eyeball scans can be booked. The remaining list cited in the source includes Germany, Argentina, Chile, Japan, Singapore and the U.S.

Germany has a particular role in the broader regulatory picture. Worldcoin developer Tools for Humanity has a regional base there, and co-founder Alex Blania is German. Bavaria’s data protection authority leads on data protection oversight of the company in some cases and has been investigating Worldcoin since last year.

A spokesperson for the Bavarian authority told TechCrunch that its probe remains ongoing. The authority said it is examining more than 20 complaints from data subjects in Spain that touch on the processing of minors’ data.

The company’s response

Tools for Humanity was contacted for comment on the latest EU ban order. Spokeswoman Rebecca Hahn sent a statement attributed to Jannick Preiwisch, data protection officer at the Worldcoin Foundation.

In that statement, the Worldcoin Foundation said it is “fully compliant with all laws and regulations governing the collection and transfer of biometric data, including Europe’s General Data Protection Regulation”. It also said it has respect for the role and responsibilities of data protection authorities, including the CNPD in Portugal.

The statement said the CNPD report was the first time Worldcoin had heard from the authority about many of the issues, including reports of underage sign-ups in Portugal. It said the project has zero tolerance for underage sign-ups and is working to address them in all instances.

It is not clear from the source whether Worldcoin intends to appeal Portugal’s order.

What happens next

The CNPD said it will continue investigating Worldcoin’s local activity. The authority also clarified that it is not relying on GDPR’s Article 66 powers for the Portuguese stop-processing order.

Instead, Portugal’s authority said it began its own enquiry into the Worldcoin project back in August 2023, when it was not clear which involved entity was legally responsible for the data processing. Based on declarations provided by both companies, the CNPD said the Cayman Island-based Worldcoin Foundation presents itself as data controller of the biometric data and other related data processing with the World ID, while the US-based Tools for Humanity Corporation is the processor for that data processing and controller for the World App data processing.

Because of that structure, the Portuguese authority said it did not refer complaints to Germany under the one-stop-shop mechanism. In its view, the one-stop-shop does not apply to this specific data processing.

The broader signal is clear: privacy authorities in Southern Europe are willing to use urgent local action while wider investigations continue. For Worldcoin, the practical result is immediate and visible. Its European iris-scan operations have been reduced to one remaining market, and regulators are still asking whether its biometric identity system can fit within the rights and protections required under GDPR.