Global: EU Cracks Down on Biometric Data Misuse Under GDPR Regulations

In the European Union, the hammer is coming down on the misuse of biometric data, as national privacy regulators take stringent enforcement action over breaches of EU data protection laws.

Italian Authority Flags Worldcoin for Iris Scan Concerns

Italy’s privacy watchdog, Garante per la protezione dei dati personali, has issued a stern warning to Worldcoin about its iris scanning technology. The biometric identity company offers cryptocurrency in exchange for iris scans using a device called the Orb. Despite the Orb not being operational in Italy, Italian citizens can still download the World App, submit personal data, and reserve cryptocurrency tokens.

The Italian authority stressed that consent obtained under these circumstances, influenced by financial incentive and without sufficient information, does not meet the stringent consent requirements of the GDPR. The agency also highlighted concerns regarding the inadequate measures in place to verify the age of participants.

Legal expert Charles-Albert Helleputte from Squire Patton Boggs views the warning as justified, given the EU’s current regulatory stance on digital identity. He describes Worldcoin’s approach as a significant deviation from existing standards, particularly risky for minors and with potentially irreversible consequences if the biometric data were compromised.

Following similar concerns, Portugal mandated a halt to Worldcoin’s iris-scanning operations earlier in the year, leading to the implementation of new age verification processes by the company.

Significant Fines in Greece and Spain Demonstrate GDPR’s Reach

The effectiveness of GDPR as an enforcement mechanism is evident in recent hefty fines in Greece and Spain. The Hellenic Data Protection Authority fined Greece’s Ministry of Migration and Asylum €175,000 for inadequate cooperation and insufficient impact assessments related to biometric entry and exit systems on the Aegean islands. The systems, named Centaur and Hyperion, involve managing electronic security and biometric data processing. The ministry has been ordered to align with GDPR requirements within three months.

In Spain, the data protection authority (AEPD) imposed a larger fine of €365,000 on CTC Externalización S.L. for multiple GDPR infringements. The company, which operates in logistics and industrial services, was investigated after a complaint about its handling of employees’ biometric fingerprint data. The AEPD found that CTC failed to adequately inform employees about the use and storage of their biometric data, lacked verifiable security measures, and did not treat biometric data according to the GDPR’s special categories, violating several aspects of the regulation.

CTC has been given six months to implement corrective actions to comply with GDPR standards, highlighting the strict oversight and regulatory demands placed on organizations handling sensitive personal data within the EU.
