Worldcoin, OpenAI CEO Sam Altman's bid to sew up the market for verifying humanness, only started its official global rollout this week, but it's already landed on the radar of European data protection authorities.
"Given Worldcoin is still in Beta, Orb availability is mostly limited to Argentina, Chile, India, Kenya, Portugal and Spain, as well as demos at blockchain and identity conferences."
Not how it works. GDPR gives DPAs the power to, for example, order deletion of all of the iris data for not having been collected with proper consent, and at that point the operator bleating "but it breaks our system" doesn't cut it. If it breaks the system, then it breaks their system. They should have thought about that before starting to collect data without proper consent.
Plus, on top of fines, GDPR gives DPAs some investigative powers and the power to ask for police assistance to enforce their orders. They might come and confiscate servers or shut them down personally if the organization refuses to comply on its own.
The only business they can make is the little they do before the hammer falls and, as said, after that they can't claim and keep PII or any derivative data they have collected. The data has been poisoned with non-compliance. It will be ordered to be deleted, since the processor has no right to possess it, let alone process it. Any money they make will probably end up spent on paying fines.
It is a non-starter, especially their "you can't ask us to delete it". The most severe category of infractions of GDPR are exactly data subject rights violations. Those are deemed more serious than, say, failures of data breach and security, since those infractions violate the cornerstone data subject rights, which again are an extension or specific application of the fundamental human right, the right to privacy.
The DPA will just say "if your organization/business/operation model is based on carte blanche refusal to offer the right of deletion while operating on the legal basis of consent, your operations model is fundamentally incompatible with the laws of the EU. More simply put, it is fundamentally illegal for you to operate in the EU. Shut down your operation immediately and permanently."
Also, there is no free consent if it cannot be withdrawn. Again, part of which is "I withdraw my consent for you to possess and process my information, I want nothing to do with you anymore. Delete everything". There is no free consent without the possibility to have one's data deleted. You can't claim the legal basis of consent and then say that consent includes consenting to have one's data never deleted. In fact, a judge would invalidate such consent even from the data subject's side. You can't consent to relinquish core data subject rights. Those are mandatory minimal terms, a legal right. You have them, whether you want them or not, and cannot relinquish them. One can choose to never apply those rights one has, but that doesn't stop them from existing or mean one has given them up.
This will get banned, since their operating model is fundamentally incompatible. That, or they have to change their model to a compatible one, which would mean re-engineering their whole operating concept and technology.