UK regulators have warned about Worldcoin, amid concerns over the biometric data collected by the controversial cryptocurrency project.

The Office of the Information Commissioner (ICO), which defends individual privacy, has informed Decrypt that organizations are required to conduct a Data Protection Impact Assessment before starting to process “high risk” data, which is a key component of Worldcoin’s operations.

Founded by AI expert Sam Altman, the cryptocurrency project aims to offer digital passports to millions of people by scanning their irises, and on Monday, the co-founder ethereumVitalik Buterin, expressed his concern that this could reveal a person’s gender, ethnicity, and even certain medical conditions.

The ICO further warns that Worldcoin activity must be done on a consensual and voluntary basis, and that those who submit scans must also be able to withdraw from the project without incurring a loss.

“We have noted the launch of Worldcoin in the UK and will be inquiring about it,” said an ICO spokesperson in a statement emailed to Decryption.

It should be noted that ICOs have powers in the event of a serious data breach. Regulators can fine up to £17.5 million ($22.5 million) or 4% of a company’s global revenue, whichever is higher. And in April, they imposed a £12.7 million ($16.3 million) fine on TikTok amid allegations that the social network misused children’s data.

Despite ongoing investigations by the watchdog, Worldcoin continues to implement it in the UK.

The Orbs hardware, which scans a user’s eyes in exchange for a global ID, has now been installed at three locations in London. With a UK population of 67.3 million people, 58 million of whom are outside the capital, implementation is unlikely anytime soon.

Worldcoin has not responded to requests for comment from Decryptionhowever on its website, the project confirms that it is in full compliance with all laws and regulations governing the collection and transfer of biometric data, including the European General Data Protection Regulation (GDPR).

Complicating matters even more, the GDPR is technically no longer valid in the UK after Brexit.

However, most of these frameworks remain within national legislation, meaning the country has the independence to continue to review them.