South Korea’s Personal Information Protection Commission (PIPC) imposed a collective fine of KRW 1.14 billion ($861,408) on Worldcoin and its affiliate Tools for Humanity (TFH) for failures related to disclosure requirements, according to a Sept. 25 press release.
The regulator said the companies violated the country’s Personal Information Protection Act (PIPA) by not disclosing the purpose of collecting iris data.
According to the decision, Worldcoin is required to pay a fine of around $550,000 (KRW 725 million), while TFH owes around $287,000 (KRW 379 million). The PIPC also issued corrective orders and improvement recommendations to the two firms.
Worldcoin Foundation was found guilty of violating PIPA provisions related to handling of sensitive information and overseas transfers. Meanwhile, TFH violated its obligations related to overseas transfers of biometric information.
Multiple violations
In February, the PIPC started probing Worldcoin and TFH based on information from complaints and media reports, which alleged that Worldcoin was “collecting biometric information without permission in exchange for virtual assets (‘Worldcoin’).”
The investigations revealed that the two firms had violated several aspects of the PIPA by collecting personal information, like iris data, “without a legal basis.”
Under PIPA, given the sensitivity of biometric information, the two firms were required to obtain separate consent and implement safety measures for processing such data. However, the firms did not comply with these provisions.
Additionally, the regulator said the firms did not inform users of the “purpose of collection and use” and were not transparent about the data’s “retention and use period,” as stipulated by PIPA.
Furthermore, the firms transferred this biometric data to countries like Germany without fulfilling the transparency obligations imposed by the law, which include disclosing where the data is being sent and details of the receiving company.
The regulator has imposed new requirements on the companies, both of which are now required to obtain separate consent when processing iris information and ensure that such information is only used for the purpose of collection and nothing further. They are also required to notify users of relevant information when transferring iris data overseas.
The investigation also revealed that Worldcoin had not provided an option for users to delete or suspend the processing of their iris codes, which is required by law. Worldcoin later remedied this by adding a delete function in April.
Additionally, WorldApp did not have proper age verification procedures in place for children under 14, and TFH has been ordered to implement the appropriate measures as part of the corrective orders.
The PIPC noted:
“…in order for personal information to be safely protected and utilized, awareness and compliance with the obligations and responsibilities of processors (business operators) under the protection laws are more strongly required than ever.”