South Korea’s Personal Information Protection Commission (PIPC) has imposed a hefty collective fine of KRW 1.14 billion ($861,408) on Worldcoin and its affiliate Tools for Humanity (TFH) for failing to comply with disclosure requirements. The fine was issued for violations related to the country’s Personal Information Protection Act (PIPA), specifically for not disclosing the purpose of collecting iris data.
The regulator ordered Worldcoin to pay approximately $550,000 (KRW 725 million) in fines, while TFH was fined around $287,000 (KRW 379 million). In addition to the fines, corrective orders and improvement recommendations were also issued to the two companies.
Worldcoin Foundation was found to have breached PIPA provisions concerning the handling of sensitive information and overseas transfers, while TFH failed to meet its obligations regarding the overseas transfer of biometric information.
The investigation into Worldcoin and TFH began in February, following complaints and media reports alleging that Worldcoin was collecting biometric information without proper consent in exchange for virtual assets. The probe revealed that the companies had violated various aspects of the PIPA by collecting personal information, including iris data, without a legal basis.
Under PIPA, sensitive biometric information requires separate consent and strict safety measures for processing. However, Worldcoin and TFH failed to obtain proper consent and were not transparent about the purpose, retention, and use period of the data. Additionally, the companies transferred this data to countries like Germany without fulfilling transparency obligations.
As part of the corrective measures, Worldcoin and TFH are now required to obtain separate consent for processing iris information, ensure data is only used for its intended purpose, and inform users of relevant information when transferring data overseas. Worldcoin has also added a delete function for users to manage their iris codes.
Furthermore, Worldcoin lacked proper age verification procedures for children under 14, leading to TFH being ordered to implement appropriate measures. The PIPC emphasized the importance of processors complying with protection laws to safely protect and utilize personal information.
In conclusion, the fines and corrective measures imposed on Worldcoin and TFH highlight the significance of adhering to data protection regulations and the need for increased awareness and compliance among business operators in handling sensitive information.