Collection and Use of 'Sensitive Information' Iris Codes
Violation of Data Subject Consent and Notification Obligations
Chairman Koh Hak-su of the Personal Information Protection Commission is striking the gavel at the 16th plenary meeting of the Personal Information Protection Commission for 2024, held on the morning of September 25 at the Government Seoul Office in Jongno-gu, Seoul. [Photo by Personal Information Protection Commission]
A Worldcoin affiliate, co-founded by OpenAI CEO Sam Altman, has been fined a total of 1.1 billion KRW for violating domestic personal information protection laws.
The Personal Information Protection Commission (PIPC) held its 16th plenary session on the 25th and decided to impose a total fine of 1.104 billion KRW, along with corrective orders and improvement recommendations, on the Worldcoin Foundation and Tools for Humanity (hereinafter TFH) for violating personal information protection regulations.
The PIPC launched an investigation in February this year following media reports that "Worldcoin is collecting biometric information without consent in exchange for the virtual asset 'Worldcoin'." In South Korea, 93,463 people installed the 'World App' that allows them to receive Worldcoin, and among them, 29,991 participated in iris authentication.
Personal Information Processing Flow of Worldcoin Foundation and TFH [Image=Personal Information Protection Commission]
The investigation revealed that the Worldcoin Foundation, after capturing the data subjects' irises through the 'Orb' (iris recognition device) and generating iris codes using this data, failed to properly notify domestic data subjects of the required information under the Personal Information Protection Act, such as the 'purpose of collection and use' and 'retention and use period.'
The iris code itself is sensitive biometric information that uniquely identifies an individual and cannot be changed. Under the Personal Information Protection Act, processing such data requires separate consent and the implementation of safety measures; these requirements were not met in this case.
Furthermore, the Worldcoin Foundation and TFH transferred personal information, including iris codes, overseas to countries such as Germany without informing data subjects of the legally required information, including the 'country to which personal information is transferred' and the 'name (corporate name) and contact information of the recipient.'
The Worldcoin Foundation did not establish methods or procedures for requesting deletion or suspension of processing of iris codes. TFH was found to have inadequate age verification procedures for children under 14 years old when signing up for the World App.
Accordingly, the PIPC decided to impose fines of 725 million KRW on the Worldcoin Foundation and 379 million KRW on TFH, along with corrective orders and improvement recommendations. The Worldcoin Foundation was ordered to: ▲faithfully obtain separate consent when processing sensitive information ▲ensure that iris information and other personal data are not used beyond the initially collected purpose ▲effectively provide deletion functions upon data subject requests. TFH was ordered to: ▲implement age verification procedures within the World App. Both were ordered to: ▲adequately notify data subjects of statutory information when transferring personal information overseas.
Worldcoin argued that iris codes correspond to anonymous information since they cannot identify specific individuals. They explained that various advanced technologies are applied during the iris code processing to enhance security.
On the other hand, the PIPC judged that iris codes constitute sensitive biometric information under the Personal Information Protection Act. This judgment considered ▲Worldcoin capturing iris images directly from data subjects and generating iris codes from them ▲the iris-related information being unique, non-transferable, and unchangeable, making each iris code unique ▲and that the iris codes are linked internally to World ID, functioning as identifiers attributable to specific individuals.
Damian Kieran, Chief Privacy Officer (CPO) of TFH, stated, "We respect the results of the PIPC investigation," and added, "We will continue open and transparent communication with regulatory agencies worldwide while further developing technologies to strengthen personal information protection."

