German Watchdog Orders Worldcoin to Delete Non-Compliant Data

German Regulator Enforces GDPR Standards The Bavarian State Office for Data Protection Supervision, BayLDA, has ordered Worldcoin, now rebranded as World, to erase biometric data in violation of GDPR. The announcement , which came on Dec. 19, was the culmination of an in-depth probe into whether the project was in compliance with EU data protection laws. For failing to meet the set privacy standards, the regulator has particularly homed in on World’s iris-based digital identity verification system. Data Deletion and Compliance Deadlines BayLDA ordered World to create a GDPR-compliant data deletion process within a month to give all users the full right to request data erasure. It also includes records gathered in the early phase of operation of Worldcoin due to a lack of legitimate legal basis for acquiring such data. Improving Privacy Rights for Users Michael Will, president of BayLDA, said the ruling ensures EU fundamental privacy rights are upheld in a legally and technologically highly complex case. “Users who entrusted Worldcoin with their iris data will now be completely free to avail themselves of their right to erasure,” Will observed. The ruling bolsters the ambitions of the GDPR, which sets the course for individual data sovereignty. Anonymization Clarification Sought by Worldcoin In response, World Foundation filed an appeal to shed light from the judiciary on whether its PETs meet EU standards for truly anonymizing data. World argues that there is no consistent definition of anonymization-a critical privacy protection tool within AI-driven innovation-under the GDPR. Data anonymization is key to being able to validate that someone is human without compromising privacy”, said Damien Kieran, chief legal officer at World. He added that ambiguous definitions weaken the EU’s regime to protect privacy effectively. Ongoing Compliance Challenges Despite halting operations in several EU countries to improve GDPR adherence, BayLDA found multiple compliance gaps. The authority called for stricter protocols, including explicit user consent for certain data-processing steps. It also reserved the option to investigate potential administrative violations further. Commitment to Privacy and Innovation The World Foundation reiterated commitments to regulatory collaboration, promising that it would address privacy concerns while continuing to drive innovation. It said that “clear GDPR standards are necessary to move technology forward in the privacy-first world”. World appeals a ruling to shape regulatory frameworks in a manner that protects human rights while supporting AI-driven advancements in verified digital identity.