On completion of its investigation into the Worldcoin project, the Office of the Privacy Commissioner for Personal Data (PCPD) publishes its findings today. The matter arose from the PCPD’s concern that the operation of Worldcoin in Hong Kong involved serious risks to personal data privacy. As such, the PCPD proactively commenced an investigation into the Worldcoin project in January 2024 to determine whether the operation of Worldcoin in Hong Kong had contravened the requirements of the Personal Data (Privacy) Ordinance (PDPO), Chapter 486 of the Laws of Hong Kong.
The PCPD carried out 10 covert visits during the period from December 2023 to January 2024 at six premises involved in the operation of the Worldcoin project. On 31 January 2024, the PCPD entered the aforesaid six premises with court warrants to carry out investigations. The premises were respectively located at Yau Ma Tei, Kwun Tong, Wan Chai, Cyberport, Central and Causeway Bay. Thereafter, two rounds of inquiries were carried out and the investigation is now completed.
The investigation findings revealed that participants of the Worldcoin project needed to allow the relevant organisation to collect their face and iris images through iris scanning to verify their humanness and generate iris codes, thereby obtaining a registered identity (namely, World ID; Worldcoin called it a digital passport), after which the participants would be able to receive Worldcoin tokens, a cryptocurrency, at regular intervals for free. Worldcoin confirmed that there were 8,302 individuals who had their faces and irises scanned for verification during its operation in Hong Kong.
Having considered the circumstances of the case and the information obtained from the investigation, the Privacy Commissioner for Personal Data (the Privacy Commissioner), Ms Ada CHUNG Lai-ling, found that the operation of Worldcoin in Hong Kong had contravened the Data Protection Principles (DPPs) in Schedule 1 to the PDPO relating to the collection, retention, transparency, data access and correction rights, which included (please refer to Annex 1 for the details of contraventions):-
- DPP 1(1) - the PCPD considered that the face and iris images collected by the Worldcoin project were unnecessary and excessive, contravening the requirements of DPP 1(1).
- DPP 1(2) - Worldcoin collected personal data unfairly. In particular, the relevant “Privacy Notice” and “Biometric Data Consent Form” were not available in Chinese, and the iris scanning device operators at the operating locations did not offer any explanation or confirm the participants’ understanding of the aforesaid documents. They also did not inform the participants of the possible risks pertaining to their disclosure of biometric data, nor answer their questions.
- DPP 1(3) - On or before the collection of personal data, participants were not clearly informed of the information as specified under the PDPO, including the purpose(s) of collection, whether it was obligatory or voluntary for them to supply their personal data, the classes of possible transferees, and the right and means to request access to and correction of their personal data.
- DPP 2(2) - Worldcoin would retain personal data for a maximum of 10 years for the purpose of training AI models for the user verification process. The PCPD considered that the retention period was too long and amounted to prolonged retention of personal data.
- DPP 5 - Insufficient transparency of the personal data policy and practices. The Privacy Notice at the material time was not available in Chinese. The PCPD was of the view that participants using Chinese as their native language would not be able to clearly understand the relevant policies and practices, terms and conditions of the Worldcoin project, and hence there was a lack of transparency.
- DPP 6 - Participants did not have the means to exercise their rights of data access and correction.
The Privacy Commissioner has served an enforcement notice on Worldcoin Foundation, directing it to cease all operations of the Worldcoin project in Hong Kong in scanning and collecting iris and face images of members of the public using iris scanning devices.
The Privacy Commissioner, Ms Ada CHUNG Lai-ling, pointed out that “If members of the public notice that Worldcoin is still operating at any premises with the iris scanning devices in Hong Kong, please report the matter immediately to the PCPD (telephone: 2827 2827 or email: complaints@pcpd.org.hk) for our enforcement actions. In addition, if members of the public have any queries about the handling of their registered World ID, they can inquire with the relevant organisation and the PCPD (telephone: 2827 2827 or email: communications@pcpd.org.hk).”
Download the Investigation Findings “The Operation of the Worldcoin Project in Hong Kong Contravenes the Personal Data (Privacy) Ordinance”:
https://www.pcpd.org.hk/english/enforcement/commissioners_findings/files/r24_01335_e.pdf
On 31 January 2024, the PCPD entered six premises involved in the operation of the Worldcoin project with court warrants to carry out investigations.
-End-
Annex 1
Details of the Contraventions of the Personal Data (Privacy) Ordinance by the Worldcoin Project
- Purposes of collecting personal data
DPP 1(1) of the PDPO provides that personal data shall only be collected for a lawful purpose directly related to a function or activity of the data user; the data collected is adequate but not excessive in relation to that purpose.
The PCPD considered that scanning or collection of face images was not required for the purpose of verifying the humanness of the participants, as the iris scanning device operators were already in a position to carry out such verification at the operating locations. Taking into account that biometric data is sensitive personal data, any wrongful disclosure or leakage of such data could lead to grave consequences.
The PCPD was of the view that, given that there were less privacy-intrusive means available as alternative options to verify the identity of the participants, the collection of face and iris images for such purpose was unnecessary and excessive, thereby contravening the requirements of DPP 1(1).
- Manner of personal data collection
DPP 1(2) provides that the means of personal data collection shall be lawful and fair in the circumstances of the case.
The investigation findings revealed that participants of Worldcoin had to register their identities and had their biometric data collected before they could receive Worldcoin tokens with monetary value.
The PCPD considered that Worldcoin had unfairly collected the personal data. Although Worldcoin had its “Privacy Notice” and “Biometric Data Consent Form” in place, they were not available in Chinese at the material time. Moreover, the iris scanning device operators at the operating locations did not offer any explanation or confirm the participants’ understanding of the “Privacy Notice” and the “Biometric Data Consent Form”. They also did not inform the participants of the possible risks pertaining to the disclosure of biometric data, nor answer their questions. Furthermore, according to information obtained in the investigation, no age verification was conducted by the iris scanning device operators before the scanning to confirm whether the participants had reached the age of 18. Overall, Worldcoin failed to provide adequate information to participants to enable them to make an informed choice or give real consent. The PCPD considered that the collection of face and iris images under the above circumstances constituted an unfair collection which contravened DPP 1(2).
DPP 1(3) requires a data user to inform the data subjects, on or before collecting the personal data, the purpose for which their personal data is to be used, the classes of persons to whom their data may be transferred and whether it is obligatory or voluntary to supply the personal data.
The PCPD considered that Worldcoin failed to inform participants, on or before collecting their personal data, of the purpose for which their personal data was to be used, whether it was obligatory or voluntary to supply the personal data, the classes of persons to whom their data might be transferred, and the right and means to request access to and correction of their personal data. In addition, the “Privacy Notice” and “Biometric Data Consent Form” of Worldcoin were not available in Chinese at the material time. The PCPD was of the view that Worldcoin failed to provide the information as specified under the PDPO to participants who primarily communicated in Chinese, hence contravening DPP 1(3).
- Retention of personal data
DPP 2(2) requires data users to take all practicable steps to ensure that personal data is not kept longer than is necessary for the fulfillment of the purpose for which the data is or is to be used.
The PCPD found that it was not justified for Worldcoin to retain highly sensitive biometric data such as face and iris images for a maximum of 10 years merely for the purpose of training AI models for the user verification process. The PCPD was therefore of the view that Worldcoin retained the personal data of participants for a prolonged period and contravened DPP 2(2).
- Insufficient transparency of the personal data policy and practices
DPP 5 obliges data users to take all practicable steps to ensure openness of their personal data policies and practices, the kind of personal data held and the main purposes for holding it.
According to the investigation, the Privacy Notice of Worldcoin was not available in Chinese at the material time. The PCPD was of the view that non-English speaking participants would not be able to understand the policies, practices, terms and conditions of the Worldcoin project, and hence the Worldcoin project lacked transparency, thereby contravening DPP 5.
Although the Worldcoin project recently provided a Chinese version of the Privacy Notice, there is no evidence up to the present to prove the adequacy and effectiveness of the relevant measure and its compliance with the requirements of DPP 5.
- Rights of data access and correction
DPP 6 provides that a data subject shall be entitled to request access to and the correction of his personal data. If a data user refuses the data subject’s data access or correction request, the reasons for the refusal shall be provided.
The “Biometric Data Consent Form” of Worldcoin stated that the Worldcoin project might mistakenly conclude that someone had already signed up before. However, Worldcoin did not have means for users to report suspected errors.
The PCPD therefore considered that participants did not have the means to exercise their data access and correction rights, which constituted a contravention of DPP 6.