South Korea’s Personal Information Protection Commission (PIPC) has imposed a collective fine of KRW 1.14 billion ($861,408) on Worldcoin and its subsidiary Tools for Humanity (TFH) for errors related to disclosure requirements, according to a September 25 press release.
The regulator said the companies violated the country’s Personal Information Protection Act (PIPA) by failing to disclose the purpose of collecting iris data.
According to the decision, Worldcoin must pay a fine of approximately $550,000 (KRW 725 million), while TFH owes approximately $287,000 (KRW 379 million). The PIPC also issued corrective orders and recommendations for improvement to the two companies.
Worldcoin Foundation was found guilty of violating PIPA provisions regarding the handling of sensitive information and transfers abroad. Meanwhile, TFH has breached its obligations regarding the transfer of biometric information abroad.
Multiple violations
In February, the PIPC began investigating Worldcoin and TFH based on information from complaints and media reports, which alleged that Worldcoin “collected biometric information without consent in exchange for virtual assets (“Worldcoin”).”
The investigation found that the two companies had violated several aspects of PIPA by collecting personal information, such as iris data, ‘without legal basis’.
Under PIPA, given the sensitivity of the biometric information, the two companies had to separately obtain consent and implement security measures for the processing of such data. However, the companies have violated the provisions of the law.
In addition, the regulator said the companies did not inform users about the “purpose of collection and use” and were not transparent about the “retention and use period” of the data, as determined by PIPA.
Furthermore, the companies have transferred this biometric data to countries such as Germany without complying with transparency obligations imposed by law, including disclosing where the data is sent and details of the receiving company.
The regulator has imposed new requirements on the companies, both of which are now required to obtain separate consent when processing iris information and ensure that such information is only used for the purpose of collection and nothing further. They are also required to inform users of relevant information when transferring iris data abroad.
The investigation also found that Worldcoin had not provided users with an option to delete or suspend the processing of their iris codes, which is required by law. Worldcoin later corrected this by adding a delete function in April.
Additionally, WorldApp did not have proper age verification procedures in place for children under the age of 14, and TFH has been ordered to implement appropriate measures as part of the corrective orders.
The PIPC noted:
“…to protect and use personal information securely, awareness and compliance with the obligations and responsibilities of processors (business operators) under the protection laws are more required than ever.”
