Significant Financial Penalty for Worldcoin and Tools for Humanity
The Personal Information Protection Commission (PIPC) of South Korea has sanctioned Worldcoin and its partner Tools for Humanity (TFH) with a substantial fine totaling KRW 1.14 billion (approximately $861,408) due to violations regarding data disclosure requirements.
Violations of Personal Information Protection Act
According to the PIPC, both companies breached the Personal Information Protection Act (PIPA) by failing to adequately disclose the intentions behind their collection of iris data.
Breakdown of Penalties
- Worldcoin: Fined about $550,000 (KRW 725 million)
- Tools for Humanity: Fined approximately $287,000 (KRW 379 million)
Both entities are also subject to corrective actions and improvement directives from the regulatory authority.
Background of the Investigation
The PIPC launched an investigation into Worldcoin and TFH in February, prompted by complaints and media reports claiming that Worldcoin was collecting biometric data in exchange for virtual assets without proper authorization.
Nature of Violations
The investigation unveiled multiple infringements of the PIPA, revealing that both companies collected sensitive personal data without establishing a legal foundation.
Required Consent and Safety Measures
Given the sensitive nature of biometric information, both firms were obligated to acquire explicit consent from users and enforce stringent safeguards in data processing. However, they failed to adhere to these legal stipulations.
Lack of Transparency
Additionally, the PIPC found that Worldcoin and TFH did not adequately inform users about the purposes for which their data was collected or the duration for which it would be retained.
International Data Transfers
The companies also transferred biometric data abroad, including to Germany, without complying with the necessary transparency requirements mandated by the law, such as informing users about the destination of their data and the identity of the receiving parties.
Mandatory Corrective Measures
In light of these violations, both companies must now seek separate consent for processing iris data and ensure it is strictly used for its intended purpose. Furthermore, they are required to disclose important information to users when transferring iris data internationally.
User Rights and Deletion Options
The inquiry found that Worldcoin had not provided users with the ability to delete or suspend their iris code processing. Following this revelation, Worldcoin implemented a deletion feature in April.
Age Verification Procedures
Furthermore, WorldApp lacked adequate age verification measures for individuals under the age of 14, resulting in a directive for TFH to implement suitable procedures as part of the corrective orders.
Regulatory Commentary
“To ensure the safe protection and utilization of personal information, there is now an even greater necessity for processors (business operators) to understand and comply with their obligations under data protection laws.”