In a move sure to raise eyebrows across crypto and privacy advocacy communities, the National Privacy Commission (NPC) clarified on October 13, 2025, what “registration” actually means—and spoiler alert, it’s not a stamp of approval. As the iris-scanning saga involving World/Tools For Humanity continues to unfold in the Philippines, this distinction could be the difference between regulatory clarity and continued confusion.

The 66-Page Cease and Desist Order

On October 8, 2025, the NPC issued a cease and desist order (CDO) against Tools for Humanity (TFH), the entity behind Sam Altman’s Worldcoin project (now rebranded as “World”). The 66-page order, dated September 23, concluded a multi-month investigation finding the company’s iris-scanning practices violated the Data Privacy Act of 2012 (DPA).

The immediately executory order commands TFH to:

  • Stop all Orb iris-scanning operations
  • Remove the World App from Apple App Store, Google Play, and all platforms accessible in the Philippines
  • Cease any further collection, transfer, or disclosure of biometric data already gathered
  • Halt all personal data processing activities related to World App and Orb verification

The Four Major Violations

1. Invalid Consent Due to Undue Influence

“The integrity of a Filipino citizen’s biometric data is non-negotiable, as it is a unique and permanent identifier,” said Deputy Privacy Commissioner Jose Amelito S. Belarmino II. “When consent is compromised by the lure of compensation, it ceases to be a genuine expression of choice.”

The NPC found that offering crypto tokens worth thousands of pesos in exchange for iris scans exploited socioeconomic vulnerabilities, invalidating the concept of freely given consent required under the DPA.

2. Lack of Transparency and Information

Despite TFH’s claims of compliance, the NPC determined the company failed to provide adequate transparency about how biometric data would be processed, stored, and protected—a fundamental requirement under data privacy law.

3. Excessive Collection of Biometric Data

“The collection of biometric data, specifically iris scans, was deemed excessive and disproportionate for the stated purpose of ‘proof of humanity’ or mere authentication,” the NPC stated. The commission emphasized that iris scans represent immutable identifiers that expose data subjects to significant risks including identity fraud, theft, and reputational damage persisting for their lifetime.

4. Risk of Grave and Irreparable Injury

The NPC invoked its authority under NPC Circular No. 2020-02, which allows ex parte cease-and-desist orders when continued operations may cause “grave or irreparable harm” or are deemed “detrimental to public interest.”

The DICT Policy Rift

Conflicting Government Positions

On the very same day NPC Deputy Commissioner Belarmino announced the order (October 7), Department of Information and Communications Technology (DICT) Secretary Henry Aguda publicly endorsed cooperation with Worldcoin’s iris-scanning technology, calling it a “unique solution” for identity verification in banking and government programs.

Aguda stated, as quoted by ABS-CBN: “Maganda ‘yan kapag ‘yung beneficiaries na-scan mo na, alam mo na na sila talaga ‘yung tatanggap ng ayuda” (“It’s good when beneficiaries are scanned, you know for sure they’re the ones receiving the aid”).

This created an awkward policy rift within government itself, as the NPC is technically an attached agency of the DICT—yet the DICT secretary was endorsing technology the NPC had just banned.

NPC’s October 13 Clarification: Registration ≠ Approval

Exclusive Jurisdiction Reasserted

The NPC reasserted its exclusive jurisdiction as the country’s independent data protection body under the DPA. When it comes to determining the legality of personal data processing activities, the NPC is the final authority—not other government agencies, not industry players, and definitely not companies claiming their technology is innovative enough to bypass regulations.

The statement emphasized: “Registration is only one of several compliance obligations under the Data Privacy Act of 2012 and its Implementing Rules and Regulations. The process serves to enhance transparency and oversight but does not relieve entities of their duty to ensure lawful and fair data processing.”

What Registration Actually Means

The NPC’s clarification serves as a crucial reminder that regulatory registration is a baseline requirement, not a destination. Companies operating in the Philippines need to understand that getting on the registry is just the beginning of compliance, not the end.

While the NPC collaborates with other agencies on matters of shared concern, it stressed that its authority over data privacy matters remains exclusive and independent. This is the NPC essentially saying: “We appreciate the conversation, but when it comes to data privacy, we make the final call.”

Tools for Humanity’s Defense and Appeal

Company Response

Ryuji Wolf, the local operator representing World in the Philippines, described the NPC’s order as a “surprising reversal” and a “setback for responsible digital innovation.” The company confirmed it will file a motion for reconsideration within the 10-day window provided.

Wolf argued: “This sudden change in interpretation undermines the certainty that legitimate investors rely on when working with the Philippines. The order comes as a surprise given we worked closely with regulators to ensure that our technology not only meets but exceeds the country’s data protection requirements.”

World’s Technical Claims

The company maintains that its “proof of human” system:

  • Verifies humanness without collecting personal information like names, addresses, birthdays, or phone numbers
  • Doesn’t store, sell, or purchase biometric data
  • Processes biometric images anonymously and locally, deleting them within seconds
  • Creates only biometric hashes, not raw iris images
  • Simply verifies unique humans, not bots or AI accounts

The Compliance Claims

World asserts it “complied with all applicable laws in the Philippines, worked with regulators and formally registered with the National Privacy Commission.” The company highlighted:

  • Year-long transparent compliance process
  • NPC registration completed
  • DICT Sandbox participation
  • Consultations with data privacy experts and government bodies
  • Over 1,000 Filipino employees across operations
  • Millions of Filipinos enrolled since February 2025 launch

International Context: Global Regulatory Challenges

Pattern of Regulatory Pushback

Tools for Humanity has faced similar regulatory challenges worldwide:

  • Kenya: High Court ordered halt to biometric data collection and processing
  • Germany: Data regulators paused operations pending privacy updates
  • Hong Kong: Operations halted for privacy-related concerns
  • Spain: €3.9 million fine imposed by data protection authority

The NPC noted: “It is also public knowledge that TFH’s operations in various jurisdictions have been halted for several privacy-related concerns. TFH, despite the challenges faced in various jurisdictions, failed to exercise due diligence in complying with the DPA, its IRR, and its related issuances before launching its operations in the Philippines.”

Industry and Expert Response

IT Groups Support NPC Action

The National Association of Data Protection Officers of the Philippines (NADPOP) and the Philippine Computer Emergency Response Team (PH-CERT) expressed support for the NPC’s move on October 9, 2025.

The Function Creep Concern

Privacy officials remain wary of “function creep”—the gradual expansion of technology use beyond its original purpose. The concern is that biometric data collected for “proof of humanness” could eventually be used for identification, tracking, or surveillance purposes without additional consent.

What This Means for Filipinos

Your Biometric Data Rights

The NPC’s action actively defends your right to control your own biometric data and personal information. It establishes several important principles:

  • Innovative technology doesn’t automatically trump privacy rights
  • Financial incentives can invalidate consent if they exploit vulnerabilities
  • Biometric data requires the highest level of protection
  • Registration with regulators doesn’t equal permission to violate privacy laws
  • Data protection experts, not tech companies or other agencies, determine privacy compliance

Reporting Violations

The NPC urged the public to report any continuing processing or use of data by TFH or World App to:

The Broader Implications

Precedent for Emerging Technologies

This case sets important precedents for how emerging technologies—particularly those involving biometric data—will be regulated in the Philippines:

  • Registration is necessary but not sufficient for compliance
  • Working with some government agencies doesn’t override data protection authority
  • International regulatory challenges signal red flags for local regulators
  • Socioeconomic context matters when evaluating consent
  • Innovation must be balanced with fundamental rights protection

The Crypto-Privacy Intersection

The dispute highlights tensions at the intersection of cryptocurrency innovation and privacy protection. Offering crypto tokens as compensation for biometric data creates unique regulatory challenges around:

  • Whether financial incentives invalidate consent
  • How to prevent exploitation of vulnerable populations
  • Balancing innovation with fundamental rights
  • Determining appropriate regulatory frameworks for novel technologies

What’s Next: Timeline and Expectations

Immediate Steps

  • October 2025: TFH files motion for reconsideration (10-day deadline)
  • Short-term: NPC reviews motion and decides whether to modify, lift, or maintain CDO
  • Ongoing: Potential legal challenges through Philippine courts

Possible Outcomes

  1. CDO Upheld: World operations remain banned in Philippines
  2. Modified Requirements: Operations allowed with additional safeguards
  3. Court Battle: Extended legal proceedings if TFH appeals beyond NPC
  4. Regulatory Compromise: Negotiated solution with enhanced protections

Key Takeaways

  • October 8, 2025: NPC issued 66-page cease and desist order against Tools for Humanity
  • Four major violations: Invalid consent, lack of transparency, excessive collection, irreparable harm risk
  • Registration ≠ approval: NPC clarified compliance extends far beyond registration
  • Policy rift: DICT endorsed technology same day NPC announced ban
  • Global pattern: Similar regulatory challenges in Kenya, Germany, Hong Kong, Spain
  • Over 1,000 jobs affected: Filipino employees working across World operations
  • Millions enrolled: World claims millions of Filipinos signed up since February 2025

Take Action: Stay Informed on Data Privacy

If you’re concerned about your data privacy rights or want to understand how regulatory decisions affect the crypto ecosystem in the Philippines, this is the moment to engage. The NPC’s stance demonstrates that privacy protection is an active, ongoing process—not a one-time checkbox.

For comprehensive coverage of how this dispute unfolded and its implications for the broader crypto and privacy landscape in Southeast Asia, the BitPinas newsletter provides detailed timeline and analysis.

The key takeaway? Registration matters, but it’s not everything. Real data protection requires vigilance, clear authority, and willingness to push back against practices that compromise individual privacy—even when they come wrapped in the language of innovation and progress.

LEAVE A REPLY

Please enter your comment!
Please enter your name here