How OpenAI founder's Worldcoin copes with Argentina's legal regulation

Author: Mankiw Blockchain Law

Worldcoin, the crypto project founded by OpenAI founder Sam Altman, recently announced that it will open 50 business outlets in more than a dozen cities in Argentina, including two experience stores. However, in fact, a month ago, Worldcoin was also controversial for its operations in Argentina. At that time, many parties in Argentina accused or accused Worldcoin's operating model of seriously violating user privacy and Argentina's data privacy laws, which also put Worldcoin on the cusp.

*Source: Screenshot of Worldcoin's official social media

Unlike other crypto projects, the operation of the Worldcoin project itself is extremely dependent on the operation of offline outlets. Of course, it is precisely because of this difference that Worldcoin's operations around the world have been hindered. Coincidentally, Worldcoin's operations have hit a wall in many countries and regions around the world, such as Kenya, France, Germany, Spain and Hong Kong, China, all of which have encountered regulatory challenges.

So, in just one month, Worldcoin suddenly turned the tide. Does this mean that Worldcoin has solved Argentina's regulatory problems? Can Worldcoin's model in Argentina be replicated in other countries? Has the controversial Worldcoin really found its own development path this time? First, lawyer Mankiw will take you to review the supervision encountered by the Worldcoin project in Argentina and analyze the reasons why it has been criticized.

Worldcoin was criticized in Argentina

Worldcoin is a crypto company co-founded by OpenAI CEO Sam Altman. The company's vision is to "build a comprehensive global financial and identity network." In Web2, when we authenticate our identity, we usually use fingerprints or facial recognition, while Worldcoin uses irises as a medium to try to bring digital identity authentication into the world of Web3. To achieve this goal, Worldcoin uses a unique Orb device: Orb is a proprietary iris scanning and imaging device developed by Worldcoin. The Worldcoin project uses this device to set up offline scanning points around the world to scan the user's iris and complete identity binding. Users who complete the binding will obtain their own unique WorldID and WLD tokens worth $50.

However, Worldcoin's operations have not been smooth sailing from the beginning. For operations in Argentina, Worldcoin has already settled in Argentina last year. However, an Argentine lawyer subsequently filed a complaint against Worldcoin for violating data privacy laws, and the Worldcoin project also stopped its business in Mendoza Province, Argentina. Until March 2024, officials in Buenos Aires Province, Argentina, were still accusing Worldcoin of failing to answer specific questions about the "abuse of terms" in its user terms and conditions. At the same time, Worldcoin could face a fine of up to 1 billion Argentine pesos (about 1.075 million U.S. dollars) at the time. In addition, Worldcoin's scanning of minors' iris and facial data in Argentina also caused the project to suffer a lot of criticism and accusations.

At that time, the Worldcoin project said it would "seek opportunities to interact with government agencies, regulators and third parties and answer any questions they may have."

Worldcoin encounters global regulation

Similar to the situation in Argentina, Worldcoin has encountered varying degrees of regulatory obstacles in many countries due to privacy issues involved in iris data collection. Even in some countries that embrace crypto assets, Worldcoin has not been spared. The following is a summary of the regulatory storms related to Worldcoin by lawyer Mankiw:

• Kenya, Kenya was one of the first countries to launch Worldcoin registration and certification, but later the Kenyan government issued a ban to suspend Worldcoin's registration and certification. Kenya's Ministry of Interior said in a statement that it was "immediately suspending Worldcoin activities until the relevant government agencies prove that there is no public risk".

• France, the French National Commission for Information and Freedoms (CNIL) questioned Worldcoin's biometric data collection methods and launched an investigation to ensure that its activities comply with French and European data protection regulations.

• Germany, the German Bavarian State Data Protection Supervisory Office raised concerns about Worldcoin's large-scale biometric information processing, believing that these technologies are "neither mature nor fully analyzed for the specific core purpose of processing financial information."

• Spain, the Spanish Data Protection Agency (AEPD) ordered Worldcoin to stop collecting and processing data in Spain and issued a three-month temporary injunction, claiming to be investigating complaints that Spanish users could not withdraw consent and that Worldcoin allegedly collected data on minors.

• In Hong Kong, the Privacy Commissioner for Personal Data, Ms. Chung Lai-ling, issued an enforcement notice to Worldcoin, ordering it to immediately cease all operations in Hong Kong involving the use of iris scanning devices to scan and collect iris and facial images of the public. The PCPD began investigating the Worldcoin project in January 2024 to determine whether the identity verification method posed a serious risk to the privacy of citizens' personal data and violated the requirements of the Personal Data Protection Ordinance.

Faced with various regulatory challenges, how should Worldcoin solve them? Lawyer Mankiw believes that its strategy of actively resuming business in Argentina is worth learning from.

Worldcoin's Positive Countermeasures

Under Argentina's unique favorable premise and background, Worldcoin demonstrated its ability to adapt flexibly and successfully resolved the crisis through a series of strategies.

Favorable Precondition: Mile's "Chainsaw Reform"

At the end of 2023, Argentina ushered in a new president known for his boldness, Javier Mile. Just six months after taking office, this ambitious leader passed a series of regulations known as "Chainsaw Reforms", including the inclusion of cryptocurrencies as an important part of the reform.

At the end of last year, Argentine Foreign Minister Diana Mondino pointed out that the Argentine government was preparing a decree that would allow the country to use Bitcoin and other tokens for legal payments under certain conditions. This trend has been particularly noticeable in the past few years. The continued depreciation of the peso, the sharp fluctuations in the exchange rate, and the government's strict restrictions on the market have made cryptocurrencies gradually become an alternative choice for Argentine people to save and invest. Such a policy environment provides Worldcoin with unique conditions for conducting business locally.

Positive Reform: Efforts made by the Worldcoin Project

How did Worldcoin's operations "come back to life" in Argentina? To figure this out, we must first understand the controversial points that Worldcoin has been accused of in Argentina:

• Privacy data protection, according to Argentina's Law No. 25326, the Personal Data Protection Law ("PDPL") and related provisions, the person in charge of data processing is obliged to register its database with the AAIP, provide information about its processing policy, explain the purpose and processing time of sensitive data they need to protect the same information, and detail the security and confidentiality measures used to protect personal information;

• General consumer protection, the Buenos Aires Provincial Government accused Worldcoin of adding unfair terms to the user agreement, which may violate consumer rights. These terms include allowing service interruption without compensation, requiring users to waive class action rights, and setting the arbitration venue in California;

• User data infringement, Worldcoin was also accused of failing to prevent minors from registering, processing users' iris data in Brazil, and storing private data involving Argentine users. These actions are considered to violate the regulations on the use, protection and storage of user data.

After Worldcoin was pushed to the forefront in Argentina, the project party responded quickly, actively cooperated with Argentina's regulatory policies, and made corresponding rectifications:

• First, Worldcoin promised to continue to work with regulators to ensure that its project meets all regulatory requirements and provides users with safe and transparent services. The company emphasized its commitment to privacy and data protection and said it would cooperate with governments and regulators to provide more information about its privacy and data protection practices.

• Worldcoin said it has been making technical improvements, especially in data processing and user privacy protection. This includes improving data protection measures in its identity verification process and ensuring that sensitive biometric data (such as iris scan data) is deleted after use to avoid storing such highly sensitive personal information.

Specific technical solutions include:

• The revised privacy terms allow users to cancel the verification of their World ID by permanently deleting the iris code;

• A new appendix is ​​added to the privacy protection policy, and a special agency is established in Argentina to handle complaints and claims from Argentine users;

• The statement of refusing to provide services to persons under the age of 18 is updated in the terms, and a data deletion channel is also opened for registered minors, through which the person involved and the guardian can delete the relevant data saved by Worldcoin;

• According to the requirements of the Argentine regulatory authorities, an Argentinian version of the privacy policy is provided on the official website, and some of the terms have been adjusted in a targeted manner.

Through the above series of reforms, Worldcoin was able to make a comeback in Argentina, gain recognition from the Argentine government, and successfully set up 50 operating points in more than a dozen cities. In fact, such situations are common in the encryption and Web3 industries. For example, Lawyer Mankiw previously talked about one of the TON ecological games, "Hamster Fighting", which has aroused widespread attention and controversy in Iran. So, for Web3 projects and entrepreneurs, how should encryption projects prevent and adjust compliance in the face of government supervision?

The enlightenment brought by Worldcoin's Jedi counterattack

Lawyer Mankiw believes that the experience brought by Worldcoin has played an extremely important reference role for many project parties in the Web3 field, especially entrepreneurs in the two tracks of DID and DePIN. We believe that the following two types of risks are issues that entrepreneurs and project parties in these two fields should pay attention to:

• Privacy protection issues. One of the main issues that Worldcoin faces in Argentina and other countries is privacy data protection. Privacy protection is also a critical challenge for decentralized identity (DID) and decentralized Internet of Things (DePIN) projects in the Web3 field.

• Cross-border data issues. For Web3 projects, especially DID and DePIN, the problem of cross-border data transmission is particularly prominent. Different countries have different regulatory requirements for cross-border data transmission, and project parties need to fully understand and comply with relevant laws.

For the above two issues, Mankiw lawyers suggest that project parties should make adequate compliance preparations and emergency measures both before and after the event to protect business development:

Processing and storage of sensitive data

DID projects involve legal issues in the field of digital identity authentication. Project parties will inevitably come into contact with highly sensitive information of users, such as personal identity, address, bank account, and even fingerprint, iris and other identity data. The collection, storage and processing of these data require extremely high security and transparency. Project parties must ensure that data will not be abused during collection and use, and clarify the user's right to know and consent. Similarly, in the DePIN project, some DePIN devices may collect more sensitive processing sensor data or user behavior data, etc. When the above situation occurs, strict privacy protection standards must also be followed. Regarding the processing and storage of sensitive data, Mankiw believes that compliance risks can be reduced through the following business arrangements:

• Data collection transparency. The project party needs to clearly explain to users the purpose, storage time and processing method of the data. This not only helps to enhance user trust, but also complies with the requirements of data protection regulations in various countries.

• Data minimization principle. Only collect the minimum data required to complete the service and avoid excessive collection of user information. The DePIN project needs to pay special attention to only collect data directly related to the IoT service.

• Security measures. Use the latest encryption technology and data protection measures to ensure the security of sensitive data during transmission and storage. For the DePIN project, this includes ensuring that sensor data is not stolen or tampered with during collection and transmission.

• User consent mechanism. Explicitly inform users of the purpose of their data before data is collected and obtain their explicit consent. For DID and DePIN projects, this means that before collecting and using user data, it is necessary to ensure that users fully understand the purpose of their data.

• Data access and deletion. Provide users with access to their data and allow users to delete their data when necessary, ensuring that users can control the data collected by their devices.

Compliance of cross-border data transmission

Project parties need to ensure that data complies with the laws and regulations of various countries during cross-border transmission. For example, the EU's General Data Protection Regulation (GDPR) has strict requirements for data outbound transfer. my country has also promulgated the "Cybersecurity Law of the People's Republic of China", "Data Security Law of the People's Republic of China", "Personal Information Protection Law of the People's Republic of China", "Measures for Data Outbound Security Assessment" and related laws and regulations to form a legal framework for cross-border data transmission. For DID and DePIN projects, which involve highly sensitive identity data and sensor data, cross-border transmission requires more caution and strict compliance with local laws and regulations. Mankiw made the following suggestions:

• Localized data storage.Where possible, consider setting up localized data storage facilities in the user's country to reduce the complexity and risk of cross-border data transmission. For DID projects, this can effectively reduce the compliance risks brought about by cross-border data transmission.

• Transparent user agreement.Specify the relevant terms of cross-border data transmission in the user agreement to ensure that users understand and agree that their data may be transferred to other countries. The DePIN project can detail the cross-border transmission and processing process of data in the agreement.

Continuous compliance and post-event response

As an emerging industry, Web3 has attracted many entrepreneurs with ideals, ideas and enthusiasm to make a lot of innovations and bold attempts in the past decade. However, due to the rapid development of the industry, laws and regulations often lag behind, leading to many conflicts. When many project parties start operations, the laws in related fields may not be perfect or even blank, and they often face regulatory difficulties after operating for a period of time. So how should the project party respond in this case? Lawyer Mankiw suggested:

• Actively maintain communication with local regulatory authorities.After Worldcoin encountered regulatory risks in Argentina, the project party communicated with the regulatory authorities many times, tried to maintain dialogue, made adjustments to the privacy policy and user agreement, and prohibited minors from performing iris scanning at the operation point. In addition, the Argentine government’s relatively positive attitude towards the crypto world allowed the project party to resume operations. It is worth noting that before the deadline of this article, the Kenyan government also relaxed its regulation of Worldcoin.

• Perform compliance reviews regularly. In the process of business operations, regular compliance reviews are conducted to ensure continuous compliance with the latest legal requirements. In the face of a changing regulatory environment, it is an important strategy for Web3 project parties to maintain flexibility and foresight and adjust operational strategies in a timely manner.

• Respond to regulatory requirements quickly and prepare remedial measures. When faced with new regulatory requirements or sudden compliance issues, project parties should take prompt action to make adjustments. For example, modify the terms of the user agreement, enhance data protection measures, or suspend certain operations to comply with new regulations. When user rights are damaged due to compliance issues, project parties should take timely remedial measures and provide appropriate compensation to maintain user trust and the company's reputation.

• Seek professional legal advice and compliance guidance. Legal opinions given by professional lawyers can help project owners make correct decisions in terms of law and regulation and reduce risks. Attorney Mankiw reminds that when Web3 startup teams encounter compliance issues during operations, they should consult professional lawyers in a timely manner to seek legal advice and compliance guidance.