Worldcoin, OpenAI CEO Sam Altman’s bid to sew up the market for verifying humanness by convincing enough mobile meatsacks to have their eyeballs scanned in exchanged for crypto tokens (yes, really), only started its official global rollout this week but it’s already landed on the radar of European data protection authorities.

Why should anyone feel the need to prove their humanness on the Internet? Well one reason is that by unleashing free power tools like ChatGPT Altman’s generative AI company is leading the charge to make it harder to distinguish between bot-generated and human digital activity. But don’t worry, he’s got an eyeball-scanning orb-plus-crypto-token to sell humanity on for that!

Pop-up locations where willing guinea pigs (i.e. humans) can get some Worldcoin “digital tokens” in exchange for feeding their biometric data into its proprietary Half Life-esque orbs have sprung up in four markets in Europe so far: The U.K., France, Germany and Spain. And, surprising precisely no-one, privacy regulators in at least three of those markets are already expressing concerns and/or actively investigating WTF Worldcoin is doing with European’s sensitive personal data.Earlier this week the U.K.’s Information Commission Office (ICO) was asked about Worldcoin launching in the U.K. and said publicly it would be “making enquiries”, before issuing some boilerplate warning that: “Organisations must conduct a Data Protection Impact Assessment (DPIA) before starting any processing that is likely to result in high risk, such as processing special category biometric data. Where they identify high risks that they cannot mitigate, they must consult the ICO.”

The ICO’s remarks also emphasized the need for “a clear lawful basis to process personal data”, adding: “Where they are relying on consent, this needs to be freely given and capable of being withdrawn without detriment”.

One privacy compliance question to consider, then, is can consent be freely given if people are being encouraged to hand over their biometrics in exchange for a token which is being presented as a form of virtual currency?

Fast forward a few days and France’s data protection authority, the CNIL, has followed the ICO’s remarks with even more specific expressions of concern, as first reported by Reuters — out-and-out questioning the legality of what Worldcoin is doing. The French authority also revealed it’s already been actively investigating Worldcoin.“The legality of [Worldcoin’s data] collection seems questionable, as do the conditions for storing biometric data,” a CNIL spokesperson confirmed by email, adding: “Worldcoin collected data in France, and the CNIL initiated investigations.”

Per the CNIL, the investigation it started has been passed to Bavaria’s DPA — after it found the German state authority was Worldcoin’s lead data supervisor in the EU (owing, presumably, to Worldcoin having a subsidiary in the German state). It added that it is providing support to Bavaria’s probe “under the mutual assistance procedure” in EU law.

The bloc’s General Data Protection Regulation (GDPR) — a pan-EU law which is still baked into legacy U.K. data protection rules (hence the ICO sharing the same sort of concerns as EU peers) — contains a mechanism called the One-Stop-Shop that’s intended to streamline regulatory oversight in instances where concerns cut across Member State borders, as here. Or at least when the data processor in question has a main establishment in the EU, as Worldcoin apparently does.

In this scenario the data controller only needs to liaise with a single lead DPA. And in Worldcoin’s case that’s apparently the state of Bavaria’s DPA.We contacted the Bavarian authority with questions about the investigation. But a spokesperson told us that because it’s an ongoing procedure it’s unable to go into details. (They did confirm one of the first aspects it will look at, out of a range of “many” questions, is the obligation to carry out a data protection impact assessment — which they said “should provide a clear analysis of the impact of the envisaged processing operations on the protection of personal data and the safeguards in place to address these risks”.)

We’ve also reached out to Spain’s DPA to ask if it shares its peers concerns about Worldcoin’s data processing in that EU market and will update this report with any response.

On the legality point, the GDPR classes biometric data that’s used for the purpose of identification — which is exactly what the Worldcoin project intends — as so-called “special category data”. This type of (very sensitive) data has the strictest rules for legal processing.A spokeswoman for Tools For Humanity, the for-profit technology company that led the development of Worldcoin and operates the World App, confirmed to TechCrunch that consent is the lawful basis being claimed for processing Europeans biometrics data. “Under GDPR, the project relies on the users’ consent for creating the proof of personhood and for opting into data custody,” she told us.

She also pointed us to Worldcoin’s biometric data consent form and privacy notice — documents that run to almost 3,800 words and almost 3,400 words, respectively.

Since Worldcoin is relying on people’s consent to process their special category data, under EU law it must meet an even higher bar — of explicit consent — in order for this processing to be lawful. This means the description shown to, er, eyeball providers before their biometrics are harvested must be extremely clear and specific about what the processing is for. And let’s just say that achieving the highest bar for clarity when you’re presenting individuals with circa 7,000 words of legalese while simultaneously telling them they’ll get a bunch of crypto if they do the scan looks challenging to say the least. (NB: Consent under EU law must also be freely given.)