rounded

Written by: Liu Honglin, founder and director of Shanghai Mankiw LLP;

Huang Wenying, paralegal at Mankiw LLP in Shanghai;

Zhang Zihao, paralegal intern at Shanghai Mankiw LLP

 

Worldcoin, the crypto project founded by OpenAI founder Sam Altman, recently announced that it will open 50 business outlets in more than a dozen cities in Argentina, including two experience stores. However, in fact, a month ago, Worldcoin was also controversial for its operations in Argentina. At that time, many parties in Argentina accused or accused Worldcoin of seriously violating user privacy and Argentina's data privacy laws, which also put Worldcoin on the cusp of the storm.

 

* Source: Screenshot of Worldcoin official social media

 

Unlike other crypto projects, the operation of the Worldcoin project itself is extremely dependent on the operation of offline outlets. Of course, it is precisely because of this difference that Worldcoin's operations around the world have been hindered. Coincidentally, Worldcoin's operations have previously encountered obstacles in many countries and regions around the world, such as Kenya, France, Germany, Spain and Hong Kong, China, all of which have encountered regulatory challenges.

 

So, in just one month, Worldcoin suddenly turned the tide. Does this mean that Worldcoin has solved the regulatory problem in Argentina? Can the model of Worldcoin in Argentina be replicated in other countries? Has the controversial Worldcoin really found its own development path this time? First, attorney Mankiw will take you to review the regulation encountered by the Worldcoin project in Argentina and analyze the reasons why it has been criticized.

 

Worldcoin criticized in Argentina

 

Worldcoin is a crypto company co-founded by OpenAI CEO Sam Altman. The company's vision is to "build a comprehensive global financial and identity network." In Web2, when we authenticate our identity, we usually use fingerprints or facial recognition. Worldcoin uses irises as a medium to try to bring digital identity authentication into the world of Web3. To achieve this goal, Worldcoin uses a unique Orb device: Orb is a proprietary iris scanning and imaging device developed by Worldcoin. The Worldcoin project uses this device to set up offline scanning points around the world to scan users' irises and complete identity binding. Users who complete the binding will receive their own unique WorldID and WLD tokens worth $50.

 

However, Worldcoin's operations have not been smooth sailing from the beginning. As for operations in Argentina, Worldcoin had already settled in Argentina last year. However, an Argentine lawyer then complained that Worldcoin violated data privacy laws, and the Worldcoin project party also stopped its operations in Mendoza Province, Argentina. Until March 2024, officials in Buenos Aires Province, Argentina, were still accusing Worldcoin of failing to answer specific questions about the "abuse of terms" in its user terms and conditions. At the same time, Worldcoin could face a fine of up to 1 billion Argentine pesos (about 1.075 million US dollars) at the time. In addition, Worldcoin's scanning of minors' iris and facial data in Argentina has also caused the project party to suffer a lot of criticism and accusations.

 

At that time, the Worldcoin project said it would "seek opportunities to interact with government agencies, regulators, and third parties and answer any questions they may have."

 

Worldcoin faces global regulation

 

Similar to the situation in Argentina, Worldcoin has encountered varying degrees of regulatory obstacles in many countries due to privacy issues related to iris data collection. Even in some countries that embrace crypto assets, Worldcoin has not been spared. The following is a summary of the regulatory storms related to Worldcoin by attorney Mankiw:

 

  • Kenya was one of the first countries to launch Worldcoin registration and certification, but the Kenyan government later issued a ban, suspending Worldcoin registration and certification. The Kenyan Ministry of the Interior said in a statement that "Worldcoin activities are suspended immediately until relevant government agencies prove that there is no public risk."

  • In France, the French National Commission for Information Technology and Freedoms (CNIL) has raised questions about Worldcoin’s biometric data collection practices and has launched an investigation to ensure that its activities comply with French and European data protection regulations.

  • In Germany, the Bavarian State Data Protection Supervisory Office has raised concerns about Worldcoin’s large-scale processing of biometric information, arguing that the technologies are “neither mature nor adequately analyzed for the specific core purpose of processing financial information.”

  • In Spain, the Spanish Data Protection Agency (AEPD) ordered Worldcoin to stop collecting and processing data in Spain and issued a three-month temporary injunction, claiming to be investigating complaints that Spanish users were unable to withdraw their consent and that Worldcoin was allegedly collecting data on minors.

  • In Hong Kong, the Privacy Commissioner for Personal Data, Ms. Chung Lai-ling, issued an enforcement notice to Worldcoin, ordering it to immediately cease all operations in Hong Kong involving the use of iris scanning devices to scan and collect iris and facial images of the public. The PCPD began investigating the Worldcoin project in January 2024 to determine whether the identity verification method posed a serious risk to the privacy of citizens’ personal data and violated the requirements of the Personal Data Protection Ordinance.

 

How should Worldcoin deal with various regulatory challenges? Lawyer Mankiw believes that its strategy of actively resuming business in Argentina is worth learning from.

 

Worldcoin’s proactive approach

 

Under Argentina’s unique favorable conditions and context, Worldcoin demonstrated its ability to adapt flexibly and successfully resolved the crisis through a series of strategies.

 

Favorable premise: Mile's "chainsaw reform"

 

At the end of 2023, Argentina welcomed a new president known for his boldness, Javier Milley. Just six months after taking office, this ambitious leader passed a series of regulations known as "chainsaw reforms," ​​including the inclusion of cryptocurrency as an important part of the reform.

 

At the end of last year, Argentine Foreign Minister Diana Mondino pointed out that the Argentine government is preparing a decree to allow the country to use Bitcoin and other tokens for legal payments under certain conditions. This trend has been particularly noticeable in the past few years. The continued depreciation of the peso, the sharp fluctuations in the exchange rate, and the government's strict restrictions on the market have made cryptocurrencies gradually become an alternative choice for Argentines to save and invest. Such a policy environment provides Worldcoin with unique conditions for conducting business locally.

 

Positive Reform: Efforts Made by the Worldcoin Project

 

How did Worldcoin's operations come back to life in Argentina? To understand this question, we first need to understand the controversial points that Worldcoin was accused of in Argentina:

 

  • Privacy data protection, pursuant to Argentina’s Law No. 25326, the Personal Data Protection Law (“PDPL”) and related provisions, data processing controllers are obliged to register their databases with the AAIP, provide information on their processing policies, indicate the purposes for which and for how long they will process sensitive data, and protect the same, as well as detail the security and confidentiality measures used to protect personal information;

  • General consumer protection: The Buenos Aires provincial government accused Worldcoin of adding unfair terms to its user agreement that may have violated consumer rights. These terms included allowing service to be disconnected without compensation, requiring users to waive class action rights, and placing arbitration in California;

  • Worldcoin was also accused of failing to prevent minors from registering, processing iris data of users in Brazil, and storing private data of Argentine users. These actions were considered to violate the regulations on the use, protection and storage of user data.

 

After Worldcoin was pushed to the forefront in Argentina, the project team responded quickly, actively cooperated with Argentina's regulatory policies, and made corresponding rectifications:

 

  • First, Worldcoin pledged to continue working with regulators to ensure that its project meets all regulatory requirements and provides users with a secure and transparent service. The company emphasized its commitment to privacy and data protection and said it would cooperate with governments and regulators to provide more information about its privacy and data protection practices.

  • Worldcoin said it has been making technical improvements, especially in data processing and user privacy protection. This includes improving data protection measures in its identity verification process and ensuring that sensitive biometric data (such as iris scan data) is deleted after use to avoid storing such highly sensitive personal information.

 

Specific technical solutions include:

 

  • Revised privacy terms to allow users to de-verify their World ID by permanently deleting their iris code;

  • Add a new supplement to the privacy protection policy and set up a special agency in Argentina to handle complaints and claims from Argentine users;

  • Update the terms and conditions to disclaim the provision of services to persons under the age of 18. For registered minors, a data deletion channel is also available, through which both the minor and the guardian can delete the relevant data stored by Worldcoin.

  • In accordance with the requirements of the Argentine regulatory authorities, an Argentinian version of the privacy policy is provided on the official website, and some of its terms have been adjusted accordingly.

 

Through the above series of reforms, Worldcoin was able to make a comeback in Argentina, gain recognition from the Argentine government, and successfully set up 50 operating points in more than a dozen cities. In fact, such situations are common in the crypto and Web3 industries. For example, Lawyer Mankiw previously talked about one of the TON ecosystem games, "Hamster Fight", which has aroused widespread attention and controversy in Iran. So, for Web3 projects and entrepreneurs, how should crypto projects prevent and adjust compliance in the face of government supervision?

 

The revelation of Worldcoin’s counterattack

 

Attorney Mankiw believes that the experience brought by Worldcoin has played an extremely important role in reference for many project parties in the Web3 field, especially entrepreneurs in the two tracks of DID and DePIN. We believe that the following two types of risks are issues that entrepreneurs and project parties in these two fields should pay attention to:

 

  • Privacy protection issues. One of the main issues that Worldcoin faces in Argentina and other countries is privacy data protection. Privacy protection is also a crucial challenge for decentralized identity (DID) and decentralized Internet of Things (DePIN) projects in the Web3 field.

  • Cross-border data transmission issues. For Web3 projects, especially in the fields of DID and DePIN, the problem of cross-border data transmission is particularly prominent. Different countries have different regulatory requirements for cross-border data transmission, and project parties need to fully understand and comply with relevant laws.

 

Regarding the above two issues, Mankiw suggested that project parties should make adequate compliance preparations and emergency measures both before and after the event to protect business development:

 

Processing and storage of sensitive data

 

The DID project involves legal issues in the field of digital identity authentication. The project party will inevitably come into contact with highly sensitive information of users, such as personal identity, address, bank account, and even fingerprint, iris and other identity data. The collection, storage and processing of these data require extremely high security and transparency. The project party must ensure that the data will not be abused during the collection and use process, and must clarify the user's right to know and consent. Similarly, in the DePIN project, some DePIN devices may collect more sensitive processing sensor data or user behavior data, etc. When the above situation exists, strict privacy protection standards must also be followed. Regarding the processing and storage of sensitive data, Mankiw believes that compliance risks can be reduced through the following business arrangements:

 

  • Transparency in data collection. Project owners need to clearly explain to users the purpose, storage time, and processing methods of data. This not only helps to enhance user trust, but also complies with the requirements of data protection regulations in various countries.

  • Data minimization principle. Collect only the minimum data required to complete the service and avoid excessive collection of user information. The DePIN project needs to pay special attention to collect only data directly related to the IoT service.

  • Security measures. The latest encryption technology and data protection measures are used to ensure the security of sensitive data during transmission and storage. For the DePIN project, this includes ensuring that sensor data cannot be stolen or tampered with during the collection and transmission process.

  • User consent mechanism. Before data is collected, users are clearly informed of the purpose of their data and their explicit consent is obtained. For DID and DePIN projects, this means that before collecting and using user data, it is necessary to ensure that users fully understand the purpose of their data.

  • Data access and deletion. Provide users with access to their data and allow them to delete their data if they wish, ensuring that users have control over the data collected by their devices.

 

Cross-border data transfer compliance

 

Project parties need to ensure that data complies with the laws and regulations of various countries during cross-border transmission. For example, the EU's General Data Protection Regulation (GDPR) has strict requirements for data outbound transfer. my country has also promulgated the "Cybersecurity Law of the People's Republic of China", "Data Security Law of the People's Republic of China", "Personal Information Protection Law of the People's Republic of China", "Measures for Data Outbound Security Assessment" and related laws and regulations to form a legal framework for cross-border data transmission. For DID and DePIN projects, which involve highly sensitive identity data and sensor data, cross-border transmission requires more caution and strict compliance with local laws and regulations. Attorney Mankiw made the following suggestions:

 

  • Localized data storage. Where possible, consider setting up localized data storage facilities in the user’s country to reduce the complexity and risk of cross-border data transmission. For DID projects, this can effectively reduce the compliance risks brought about by cross-border data transmission.

  • Transparent user agreements. Clearly specify the relevant terms of cross-border data transfer in the user agreement to ensure that users understand and agree that their data may be transferred to other countries. The DePIN project can detail the cross-border data transfer and processing process in the agreement.

 

Continuous compliance and post-event response

 

As an emerging industry, Web3 has attracted many entrepreneurs with ideals, ideas and enthusiasm to make a lot of innovations and bold attempts in the past decade. However, due to the rapid development of the industry, laws and regulations often lag behind, leading to many conflicts. When many project parties start operations, the laws in related fields may not be perfect or even blank, and they often face regulatory difficulties after operating for a period of time. So in this case, how should the project party respond? Lawyer Mankiw suggested:

 

  • Actively maintain communication with local regulators. After Worldcoin encountered regulatory risks in Argentina, the project team communicated with regulators many times, tried to maintain dialogue, made adjustments to the privacy policy and user agreement, and banned minors from performing iris scanning at the operation point. In addition, the Argentine government's positive attitude towards the crypto world allowed the project team to resume operations. It is worth noting that before the deadline of this article, the Kenyan government also relaxed its supervision of Worldcoin.

  • Conduct compliance reviews regularly. During business operations, conduct compliance reviews regularly to ensure continued compliance with the latest legal requirements. In the face of a changing regulatory environment, maintaining flexibility and foresight and adjusting operational strategies in a timely manner are important strategies for Web3 projects.

  • Promptly respond to regulatory requirements and prepare remedial measures. When faced with new regulatory requirements or unexpected compliance issues, project owners should take prompt action to make adjustments. For example, modify the terms of the user agreement, enhance data protection measures, or suspend certain operations to comply with new regulations. When user rights are damaged due to compliance issues, project owners should take timely remedial measures and provide appropriate compensation to maintain user trust and the company's reputation.

  • Seek professional legal advice and compliance guidance. The legal opinions given by professional lawyers can help project parties make correct decisions in terms of law and regulation and reduce risks. Attorney Mankiw reminds that when Web3 entrepreneurial teams encounter compliance issues during operations, they should consult professional lawyers in a timely manner to seek legal advice and compliance guidance.

 

References

1.https://whitepaper.Worldcoin.org/#a-new-identity-and-financial-network

2.https://finance.eastmoney.com/a/202405283089356552.html

3.https://medium.com/@shixiangyyds/%E4%B8%96%E7%95%8C%E5%B8%81-wld-

%E5%8A%A0%E5%AF%86%E8%B4%A7%E5%B8%81-f9a47625d937

4.https://www.coinlive.com/zh/news-flash/490891

5.https://restofworld.org/2024/Worldcoin-argentina/zh/

6.https://www.thepaper.cn/newsDetail_forward_26730945

7. ttps://www.voachinese.com/a/7593022.html

8.https://www.bbc.com/zhongwen/simp/science-66298854

9.https://cnad.gob.sv/the-national-commission-of-digital-assets-cnad-of-el-salvador-and-the-national-securities-commission-cnv-of-argentina-strengthen-collaboration-in-digital-assets-2/https://cn.cryptonews.com/news/argentina-lawmaker-unveils-draft-Worldcoin-regulation-bill.htm

10.https://www.panewslab.com/zh/sqarticledetails/fi9ku5qw.html

11.https://vault.pactsafe.io/s/8a18d792-fd76-44db-9b92-b0bb7981c248/legal.html#contract-byutjvtyt