Maybe they can only ban the coins, or if they want to give punishment, they could work together to track and put the owner in jail. For example, they can work together and ask the US to jail the owner if the project also collects data illegally from US citizens. They can also try to destroy any backup of the blockchain data, although that is meaningless if there is sufficient decentralization in the data distribution. I do hope they manage to stop any private data from being exposed even further, although no one should willingly give their biometrics data to some random projects.
On the other hand, do they judge the data collection as being too intrusive because of the iris scan only, or is there something else? What makes this different from apps requesting KYC from their users? Simply because the government has no monitor about it, hence why think it is dangerous?