On 1 Aug., thousands of Kenyans lined up in front of the Kenyatta International Conference Centre. This would be a normal occurrence during national elections which, coincidentally, were held exactly one year earlier in August 2022. This time, however, the lines were full of Kenyans eager to exchange their iris scans for approximately USD50 in tokens from the cryptocurrency project Worldcoin.
For perspective, the majority of Kenyans live on USD2.15 per day, so getting USD50 is no less than a miracle.
The offer ended less than 48 hours later when the Kenyan government ordered Worldcoin to stop signing up new users due to concerns about how the iris scans would be used, and the Ministry of Interior and National Administration launched an investigation into potential public safety risks.
The Office of the Data Protection Commissioner of Kenya stated Worldcoin's project is not safe for Kenyans, noting it is conducting investigations, while Kenya's Parliament formed a joint ad hoc committee to investigate the company's activities. The committee has 42 days to undertake the task and report back to the House.
Pending a lawsuit before the High Court of Kenya, a restraining order was issued against Worldcoin's parent company Tools For Humanity, Worldcoin Foundation, World Assets Limited and Platinum De Plus Limited, prohibiting them from collecting, processing or transferring personal biometric data collected in Kenya. The order was issued on an urgent application by one party, certified as urgent by the High Court, pending the filing of a substantive judicial review application.
Additionally, the data protection commissioner, the Cabinet Secretary for Ministry of Information, Communications and the Digital Economy, Communications Authority of Kenya, and the Central Bank of Kenya are also joined as respondents in the lawsuit.
Here are some of the key issues raised in the lawsuit before the High Court and the possible consequences:
Consent
In the application it is argued that Worldcoin and Tools For Humanity unlawfully obtained consent, if any consent was obtained at all, by inducement with a cryptocurrency, Worldcoin. Under Regulation 4(3) of the Data Protection General Regulations 2021 (DPGR), a data subject must have the capacity to give consent; consent must be voluntary, specific, unambiguous and freely withdrawable, and specific consent must be sought for each purpose. Crucially, consent is not valid if presented as a nonnegotiable part of the terms and conditions for processing.
It is likely the promised USD50 formed a nonnegotiable part of the terms and conditions for processing, therefore vitiating any consent obtained from the data subjects who provided their iris scans.
The capacity of those data subjects to whom USD50 was paid by Worldcoin and Tools for Humanity to give informed consent is also contestable: English is the primary language of less than 4% of Kenyans, yet Worldcoin's Privacy Notice is available only in English, not in Kiswahili or any other indigenous language of Kenya.
Data protection impact assessment (DPIA)
Regulation 49 of the DPGR requires a DPIA to be conducted under Section 31 of the Data Protection Act 2019 (DPA) for "processing operations considered to result in high risks to the rights and freedoms of a data subject." This includes processing biometric or genetic data.
In accordance with the DPA, where a controller is required to consult the Data Commissioner on the DPIA, they must do so within 60 days.
Whether a DPIA was conducted and submitted to the Data Commissioner, whether any identified risks were mitigated prior to the processing of biometric data by Worldcoin, or whether the exercise was merely cosmetic, is likely to come under close scrutiny by the courts.
Registration with the Office of the Data Protection Commissioner
Under Section 18 of the Act, no person shall act as a data controller or data processor unless registered with the Data Commissioner.
It is alleged that Tools for Humanity obtained the registration certificate as a data controller through misrepresentation or material nondisclosure contrary to section 19(2) of the Act and Regulations 5 and 16 of the DPGR. Worldcoin and World Assets, the main beneficiaries with whom Tools For Humanity shares personal data, are not registered with the ODPC as data controllers or data processors or registered as a corporate entity in Kenya. Recently, the Tools for Humanity registration as a data processor was revoked by the Office of the Data Protection Commissioner and all Worldcoin activities have been banned in Kenya for one year.
Failure to register, or deliberately providing misleading information to the commissioner's office, is an offense punishable by a fine not to exceed KES3 million, approximately USD20,000, or an imprisonment term not to exceed 10 years, or both. Additionally, Kenya's courts have the discretion to order the forfeiture of any equipment used in or connected in any way with an offense, or to prohibit any act in order to stop a continuing contravention.
Transfer of personal data outside of Kenya
This area has been one of the most contentious issues globally, and one which has attracted the highest fine under the EU General Data Protection Regulation. Facebook's parent company Meta was recently fined 1.2 billion euros by Ireland's Data Protection Commission for unlawful personal data transfers from the EU to the United States.
In the current case, since one or more of the first four respondents are likely to be based in the U.S., the question will certainly arise as to the lawful basis and appropriate safeguards for transfer of sensitive personal data outside of Kenya.
Under Sections 48 and 49 of the DPA and Regulation 40 of the DPGR, two of the available conditions for transfer, consent and necessity, are burdensome procedures with very high standards for demonstrating compliance. In any event, for bulk transfers, it is highly unlikely that consent or necessity will satisfy the test for international data transfers from Kenya. There is currently no adequacy agreement between Kenya and the U.S., or any other country, for personal data transfers and, unlike under the GDPR, standard contractual clauses have not been provided under the DPA or approved by the ODPC.
Crucially, under Regulation 41(1) of the DPGR, the appropriate-safeguards basis allows transfers where there is a legal instrument, binding on the intended recipient, containing safeguards that are "essentially equivalent" to the protection afforded under the DPA. This is a very high bar: the recipient must be bound to protections comparable in substance to those the DPA itself provides.
Alternatively, a data controller must have conducted a robust assessment of all the circumstances surrounding the transfer and concluded that appropriate safeguards exist. Applying the reasoning of the recent DPC decision in the Meta case to the Kenyan lawsuit, it is unlikely that data transfers by Worldcoin from Kenya to the U.S. meet these mandatory conditions.
This case is a watershed moment for Kenyan data protection. Whatever the outcome, it is likely to have far-reaching consequences for data protection across the wider East African region, where most data protection laws are only just taking effect.