Skip to content

Media Statements

Privacy Commissioner Urges the Public to Stay Vigilant about the Worldcoin Project and Not to Disclose Biometric Data Arbitrarily (

Date: 31 January 2024 

Privacy Commissioner Urges the Public to Stay Vigilant about
the Worldcoin Project
and Not to Disclose Biometric Data Arbitrarily

The Office of the Privacy Commissioner for Personal Data (PCPD) executed court warrants this afternoon and entered six premises of the Worldcoin project located at Yau Ma Tei, Kwun Tong, Wan Chai, Cyperport, Central and Causeway Bay to carry out investigations.
 
The PCPD is concerned that the operation of Worldcoin in Hong Kong involves serious risks to personal data privacy, and believes that the collection and processing of sensitive personal data by the relevant organisation may be in contravention of the requirements of the Personal Data (Privacy) Ordinance (PDPO). With a view to protecting the personal data privacy of members of the public, the PCPD has proactively commenced an investigation against Worldcoin in accordance with established procedures.
 
According to the intelligence collected earlier, participants of the Worldcoin project need to let the relevant organisation collect their iris information through iris scanning in order to obtain a registered identity (i.e. World ID; Worldcoin called it a human passport for the Internet), after which the participants would receive free cryptocurrency Worldcoin tokens.
 
The PCPD has exercised its powers under the PDPO in today’s operation to enter six premises with court warrants for the purposes of investigation. The PCPD requested the relevant parties to furnish required documents and information.
 
The Privacy Commissioner for Personal Data, Ms Ada CHUNG Lai-ling, appeals to members of the public to stay vigilant about the Worldcoin project.  She said, “Members of the public should carefully protect their sensitive personal data and avoid participating in any activities that collect sensitive personal data, such as iris scanning, arbitrarily”.  Before providing any biometric data, citizens should consider the following issues in relation to the relevant organisation:
  • The legitimacy for collecting biometric data;
  • The extent and purpose of collection of the biometric data;
  • The intended use of those data and the classes of persons or organisations to whom the data will be disclosed or transferred;
  • The retention period of the biometric data; and
  • The safety precautions taken for the protection of the biometric data.
The Privacy Commissioner, Ms Ada CHUNG Lai-ling, pointed out that “Iris information is a kind of biometric data. Generally speaking, biometric data is unique and cannot be altered, and can be regarded as sensitive personal data. Any person or organisation as a data user in Hong Kong that controls the collection, holding, processing or use of personal data must comply with the requirements under the PDPO and the relevant Data Protection Principles (DPPs)”.
 
With regard to the collection of personal data, DPP 1 requires that personal data must be collected for a lawful purpose directly related to a function or activity of the data user; the collection of the data must be necessary, adequate but not excessive in relation to that purpose, and the means of collection must be lawful and fair. Organisations must take all practicable steps to notify the data subjects on or before the collection of the data the purpose of data collection, the classes of persons to whom the data may be transferred, whether it is obligatory or voluntary for the data subjects to supply the data and the consequences for the data subjects if the data subjects fail to supply the data.
 
As regards data retention, DPP 2 requires data users to take all practicable steps to ensure that personal data is not kept longer than is necessary for the fulfillment of the purpose for which the data is used.
 
In respect of the use of personal data, DPP 3 requires that unless with the data subject’s express and voluntary consent, personal data must not be used for any “new purpose”, that is, a purpose other than the purpose for which the data was to be used at the time of the collection of the data.
 
With regard to the security of personal data, DPP 4 requires that all practicable steps shall be taken by data users to ensure that any personal data held by them is protected against unauthorised or accidental access, processing, erasure, loss or use.
 
Members of the public who wish to lodge any complaint against Worldcoin in relation to the collection, holding, processing or use of personal data, or wish to provide any information of the Worldcoin project, please contact PCPD (telephone: 2827 2827; email: complaints@pcpd.org.hk) as soon as possible.
 
For further information about the collection of biometric data, please refer to the “Guidance on Collection and Use of Biometric Data” available at:
https://www.pcpd.org.hk//english/resources_centre/publications/files/GN_biometric_e.pdf

 The PCPD executed court warrants and entered six premises of the Worldcoin project to carry out investigations.


The PCPD entered six premises with court warrants for the purposes of investigation and requested the relevant parties to furnish required documents and information.


The PCPD entered six premises with court warrants for the purposes of investigation and requested the relevant parties to furnish required documents and information.
 
-End-