European data and privacy regulators have already started investigating the collection of biometric data by crypto project Worldcoin, which scans people’s irises to verify they are human.

Worldcoin had its official launch last week as people queued up around the world to have their eyeballs scanned by big silver orbs so they could get a unique World ID and start receiving the WLD cryptocurrency.

Co-founder Sam Altman, who is also CEO of ChatGPT creator OpenAI, said the project is “a reliable solution for distinguishing humans from AI online while preserving privacy”.

But European privacy watchdogs already have their hackles up.

France’s Commission Nationale de l’Informatique et des Libertés (CNIL) told Reuters the legality of Worldcoin’s data collection regime “seems questionable, as do the conditions for storing biometric data”.

Meanwhile, the Bavarian State Office for Data Protection Supervision – which is reportedly tasked with supervising Worldcoin’s operation in the EU – started looking into Worldcoin back in November because of concerns it was collecting “sensitive data at a very large scale”.

Worldcoin claims its proprietary device, the Orb, permanently deletes iris pattern images it collects unless a user opts into its “data custody” regime.

If a user does choose to give Worldcoin custody of their biometric data, it is “processed locally” before being sent to “distributed secure data stores, where it is encrypted at rest” and then deleted from the Orb.

If you don’t choose to give Worldcoin custody of your eye and face scans, they get processed locally “and then permanently deleted”, leaving an IrisCode: “a set of numbers generated by the Orb” – which stops a person from signing up multiple times.

That IrisCode can’t be deleted, according to the project’s biometric data consent form, which TechCrunch points out could be a point of contention with European regulators.

Under the General Data Protection Regulation (GDPR), people have a right to demand organisations delete their personal data – something Worldcoin points out in a section of its consent form about GDPR rights – yet the company designed its protocol such that an IrisCode, which reflects a person’s unique biometric data, can’t be deleted or else “the proof of uniqueness would not work”.

When Worldcoin was announced in 2021, whistleblower Edward Snowden tweeted that it looked like the company was producing a “database of people’s iris scans”, and that deleting the scans is meaningless when Worldcoin is still saving “the hashes [IrisCodes] produced by the scans. Hashes that match future scans”.

Under the GDPR, biometric data is classed as “special category data” which carries stricter requirements for processing and storage than other forms of data.

Biometric data can only be gathered with the “explicit consent” of the user, which in the case of Worldcoin requires people to read through and comprehend the full 3,800-word consent form while they consider the promise of free money.

Australian law likewise considers biometric data as “sensitive”, limiting the contexts in which it can be legally collected.

Worldcoin does not currently have any Orb locations for iris scanning in Australia.

Around 2.1 million people have signed up to Worldcoin, according to the company’s website, with the first two million sign-ups happening during its controversial beta period that saw Orbs appear in developing countries.

A detailed MIT Technology Review investigation from last year described how its data collection regime was fraught with secrecy, confusion, technical glitches, and allegations that Orb operators bribed public officials, all in an effort to teach Worldcoin’s neural networks how to identify humans.