In a significant move towards enforcing data privacy regulations, South Korea’s Personal Information Protection Commission (PIPC) has imposed a hefty fine on Tools for Humanity, the developer behind the Worldcoin project. The company has been penalized over 1.1 billion Korean won (roughly $830,000) for violations related to the mishandling of personal data and breaches in overseas data transfer protocols.
Details of the Violations
The PIPC’s press release, dated September 26, shed light on the specifics of the violations. It was revealed that Worldcoin failed to properly inform users about the purpose of collecting their iris data and the duration for which this sensitive information would be stored. Further complicating matters, up until March 22, the project did not offer a Korean translation of its consent form for biometric data collection, creating a significant barrier for South Korean users to understand what they were consenting to.
As a result, the project’s Foundation was fined 725 million won (approximately $545,000) for improper handling of sensitive biometric information and the subsequent transfer of this data to foreign entities. Additionally, Tools for Humanity (TFH) incurred a 379 million won (approximately $285,133) penalty for non-compliance with local regulations governing international data transfers.
Insufficient User Notifications
Another critical issue highlighted by the PIPC was the lack of transparency regarding where users’ personal information was being transferred. Worldcoin and TFH did not sufficiently disclose the recipients of this data, including their names and contact details, as required by South Korean law. This lack of transparency raised significant concerns among users and regulators alike.
Data Deletion and Age Verification Concerns
The investigation also uncovered that Worldcoin lacked an established procedure for users to request the deletion of their iris data. Furthermore, until April 2024, Tools for Humanity did not adequately verify the ages of signees under 14, posing additional privacy risks. These oversights contributed to the severity of the penalties imposed.
Worldcoin’s Response and Future Outlook
Despite these significant shortcomings, the PIPC has not imposed a complete ban on the collection of sensitive biometric data by Worldcoin in South Korea. The commission indicated that the project could resume its data collection activities provided that it addresses the identified issues.
The investigation into Worldcoin and TFH by the PIPC commenced earlier this year following complaints and media reports suggesting that “Worldcoin is collecting biometric information without permission in exchange for virtual assets (‘Worldcoin’).”
In response to the ruling, Tools for Humanity expressed its willingness to comply with the regulations and highlighted that they have since rectified the issues identified by the regulators. In a press release, the company stated that they “welcome” the PIPC’s decision and emphasized that the weaknesses identified were related to initial disclosures provided when Worldcoin first launched in South Korea.
According to the company, the PIPC’s investigation concluded that Worldcoin’s operations, including the use of their “Orb” device for verifying user identity, are now in compliance with the country’s data protection laws.
Conclusion
As the digital landscape evolves, the enforcement of data privacy regulations becomes increasingly critical. The PIPC’s actions against Tools for Humanity and the Worldcoin project underscore the importance of transparency, user consent, and stringent adherence to local data protection laws. Moving forward, it will be crucial for companies operating in South Korea and globally to prioritize and safeguard user data to avoid similar penalties and ensure trust in their digital services.
