Kenya High Court’s Worldcoin Determination: Upholding Consent, Accountability and Data Sovereignty in Biometric Data Processing
Irene Makau | September 11, 2025 | Data Governance, Data Protection
On 05 May 2025, the High Court of Kenya declared Worldcoin’s biometric data collection in Kenya unlawful and in violation of the Data Protection Act (DPA) and the Constitution.1 Worldcoin, a global digital identity cryptocurrency initiative, commenced data collection in Kenya as early as 31 May 2021, as elaborated in the case commentary on Worldcoin in Kenya. Kenyans enrolled through incentivised sign-ups, receiving tokens worth approximately KES. 7,000.2 Within a week of its launch in Kenya, over 350,000 Kenyans had been registered, amounting to 25% of Worldcoin’s global customer market, drawing data concerns due to the lack of a Data Protection Impact Assessment (DPIA) and the transfer of sensitive data outside Kenya.3
The Communication Authority of Kenya jointly with the Office of the Data Protection Commissioner (ODPC) issued a warning to Kenyans to be cautious when giving out their personal data and ordered Worldcoin to cease the collection of sensitive personal data.4 The Kenyan Parliament in response established an ad hoc committee to investigate Worldcoin’s operations. Its main findings, as outlined in its report, related to the collection of sensitive personal data by Worldcoin, specifically biometric data.5 It highlighted that most Kenyans were not informed about the data collection and that consent was induced by the monetary payment in the form of cryptocurrency upon registration. Furthermore, Worldcoin did not disclose how it secured and stored the collected data, which was stored outside Kenya on Amazon Web Services in South Africa.6 The ODPC on 06 September 2023 issued a determination finding Tools For Humanity (TFH) Corporation and TFH GmbH, the data processors collecting and processing biometric data on behalf of Worldcoin, liable for breach of the right to privacy. This breach was ignored by the data controller, Worldcoin.7 The Parliament’s findings and ODPC determination set the stage for a legal battle that culminated in the High Court decision of 05 May 2025 by R.E Aburili J.
The High Court Determination
The key allegations against Worldcoin and the key determinations are:
- Collection of biometric data without a Data Protection Impact Assessment (DPIA)
The DPA requires data processors and controllers to conduct a DPIA where processing is likely to result in high risk to data subject rights and to include measures envisaged to address such risks.8 Biometric data is sensitive data and by its nature is likely to pose high risks to data subject rights, warranting a DPIA.9 The High Court held that Worldcoin defaulted in conducting a DPIA contrary to the DPA.10 Furthermore, the use of its biometric device, the Orb, without the required type approval was contrary to Regulation 3(1) of The Kenya Information and Communications Regulations, which requires that all communication equipment used for processing or receiving information have type approval and acceptance by the commission prior to its use.11 Type approval involves checking the compatibility of communication equipment with any operating communication network and its conformity to national standards, and the issuance of a type approval certificate to show that conformity.12
- Induced consent
Additionally, Worldcoin violated key consent requirements as per section 2 of the DPA13 and Regulation 4 of the Data Protection (General) Regulations, which mandate consent to be free and informed.14 Consent was induced by offering approximately KES. 7,000/= to data subjects, who could not withdraw their consent without losing the Worldcoin. The High Court held that the consent was not free, specific and informed as per section 2 of the DPA.15 It emphasized that consent should be informed and free from coercion as per the Data Protection (General) Regulations.16
The Court noted that processing was based on insufficient disclosures and incentives and was carried out through Orb operators like Platinum De Plus, which installed apps and accepted the terms and conditions on behalf of the users.17 The cryptocurrency offer created pressure on data subjects to consent, especially on vulnerable people who were unaware of their privacy rights and lacked understanding of the implications of trading personal data for tokens. The High Court held that luring poor Kenyans with cryptocurrency bypasses the essence of informed consent.18 Consent, as per Regulation 4(3)(c) of the General Regulations, must be specific for each separate processing, meaning a single consent cannot be transferred to multiple processing activities.19
- Cross-border data transfer
The High Court scrutinised Worldcoin’s cross-border transfer of biometric data which violated Sections 48 and 49 of the DPA20 and Regulation 46(1) of the Data Protection (General) Regulations.21 These provisions require the transfer to be based on consent as well as proof and confirmation of adequate safeguards for the protection of personal data. Worldcoin failed to demonstrate compliance with these requirements despite transferring sensitive personal data outside Kenya. Its privacy policies subjected data subjects to arbitration outside Kenya, denying them enforceable rights within Kenya.22 The High Court held that Worldcoin violated the DPA provisions aimed at protecting the transfer of sensitive personal data outside Kenya.23
- Registration of data controllers and data processors
Entities processing personal data ought to comply with Section 18 of the DPA24 and the Data Protection (Registration of Data Controllers and Data Processors) Regulations by registering as either data controllers, data processors or both.25 The High Court found that Worldcoin provided misleading information, which is an offence contrary to the Data Protection (Registration of Data Controllers and Data Processors) Regulations, specifically regarding registration as a data controller.26 Notably, it did not provide details on the data processors, Worldcoin Foundation and World Assets Limited, despite their active role in the processing of personal data. This warranted cancellation of the licence issued by the ODPC as per Regulation 16(b) and (c) as the applicants had sought via a complaint to the ODPC.27 TFH GmbH (Germany) and TFH Corporation (US) were only registered as controllers and not processors. Additionally, Platinum De Plus Ltd, the Kenyan agent responsible for data collection on behalf of Worldcoin, failed to register with the ODPC or conduct a DPIA before the collection of sensitive biometric data contrary to the DPA provisions.28
- Transparency and accountability principles
The DPA provides for principles of data protection such as transparency and accountability, which each data controller and processor must adhere to.29 The High Court established that Worldcoin failed to uphold transparency and accountability principles under Section 25 of the DPA.30 Worldcoin merged several purposes for data collection and the processing of personal data, such as worldID, WorldApp and Worldcoin without specific consent for each collection and processing.31 The privacy notice of TFH did not indicate that the collection of biometric data was through the Orb device.32 The High Court established that Worldcoin and its agents were processing sensitive data without a legally cognizable basis as provided for by Section 30 of the DPA which stipulates that personal data may only be processed if the processing is necessary for performance of a contract, compliance with legal obligations and other lawful purposes.33 Worldcoin and its agents processed personal data despite the ODPC’s directive to cease the processing for 60 days or until a lawful basis was determined.34 The High Court held that the processing was contrary to Section 30 of the DPA, which stipulates that processing of personal data should be based on data subjects’ consent or lawful bases such as performance of contract.35
The High Court, based on the actions of processing personal data without safeguards and consent, found that Worldcoin was in breach of the right to privacy under Article 31 of the Constitution and in violation of the DPA.36
High Court orders
Grounded on the above determination of constitutional and statutory violations by Worldcoin and its agents, the High Court issued the following orders to halt the unlawful practices and reinforce Kenya’s commitment to protection of personal data:
- Prohibition order to prevent Worldcoin and its agents from any further collection, processing and transfer outside Kenya of personal biometric data collected using the Orb device in Kenya. They were also prohibited from processing such data without conducting a DPIA as per Section 30 of the DPA and without obtaining proper consent from data subjects.37
- An order of certiorari to quash the decision by Worldcoin to collect, process and transfer biometric data without an adequate DPIA, declaring the decision unlawful.38
- An order of Mandamus compelling Worldcoin and its agents to permanently destroy or erase the biometric data collected from Kenya using the Orb device within 7 days of the judgment, which is to be supervised by the Data Protection Commissioner.39
Key lessons and recommendations
The High Court’s landmark judgment affirms Kenya’s commitment to protecting its citizens’ privacy in the evolving technology landscape. It is a message to global technology companies operating in Kenya to ensure compliance with the DPA and its regulations when processing personal data and particularly sensitive personal data. Here are key lessons and recommendations to ensure strict adherence to the DPA.
- Consent
Consent must meet the requirements of the DPA by being informed, specific, unambiguous and freely given.40 Offering tokens in exchange for consent compromises its voluntariness, especially for vulnerable communities unaware of the implications. There is a pressing need to enhance public awareness through training and digital literacy to ensure a full comprehension of what informed consent entails, making it easier to exercise the right without manipulation or undue pressure. Section 32 (1) of the DPA places the burden of proof of consent on the data processor or controller who should maintain comprehensive and clear documentation evidencing consent, including when, how and for what purpose the consent was given.41 Consent is not a mere tick box exercise, and the adoption of a consent checklist to verify that consent is freely given is critical to ensure voluntary expression of a data subject’s wishes, free from undue influence and manipulation.42
- Mandatory compliance with the DPA
The judgment serves as a critical lesson for foreign entities, which manage approximately 40% of Kenya’s key infrastructure sectors, like telecommunication, to adhere to the DPA due to its extraterritorial nature, especially on cross-border data transfers to ensure data sovereignty.43 Cross-border data transfer should be after the establishment of sufficient safeguards to secure the personal data.44 This ensures Kenya’s regulatory authority over its citizens’ data is preserved, aligning with the Kenya Cloud Policy and the National AI strategies, which emphasize safeguarding personal data and data sovereignty.45
- Need for public awareness and digital literacy
The judgment exposes a gap in the public understanding of their privacy rights and obligations in the digital era. Due to a lack of digital literacy skills, most Kenyans are vulnerable to data exploitation through participating in invasive data collection and processing activities.46 There is a critical need to educate citizens on their data privacy rights, enabling them to give informed consent free from manipulation and coercion. Nationwide collaboration between civil societies, industry stakeholders and government agencies will be key to promoting digital literacy among Kenyans.47
Conclusion
With the rapid digital transformation that has expanded data flows, Kenya’s commitment to protecting personal data and asserting data sovereignty has never been more critical. As the world becomes increasingly interconnected through new technologies, principles such as accountability and transparency are key to ensuring data security. The High Court’s judgment reaffirms this commitment by emphasising adherence to the DPA and regulations, especially for foreign entities that manage vital infrastructure. It serves as a wake-up call to Kenya and other Global South countries on cross-border data compliance and the critical need for public awareness on how to safeguard personal data.
Image used is from freepik.com
1 Republic v Tools for Humanity Corporation (US) & 8 others; Katiba Institute & 4 others (Exparte Applicants); Data Privacy & Governance Society of Kenya (Interested Party) (Judicial Review Application E119 of 2023) [2025] KEHC 5629 (KLR) (Judicial Review); The Data Protection Act, Cap 411C, Laws of Kenya; Article 31, The Constitution of Kenya 2010.
2 Ibid.
3 Capital FM, ‘Revealed: Kenya registered highest Worldcoin entries globally at 350,000’ (Capital FM, 29 August 2023) https://www.capitalfm.co.ke/news/2023/08/revealed-kenya-registered-highest-worldcoin-entries-globally-at-350000/ accessed 18 June 2025.
4 Communication Authority of Kenya and Office of the Data Protection Commissioner, ‘Joint Press Statement on Worldcoin Data Collection’ (CA Kenya, 2024) https://www.ca.go.ke/ca-and-data-commissioner-warn-kenyans-over-worldcoin accessed 20 June 2025.
5 National Assembly, Report on the Inquiry into the Activities and Operations of Worldcoin in Kenya (Parliament of Kenya, August 2023) http://www.parliament.go.ke/sites/default/files/2023-08/Bunge%20this%20Week%20Issue%20023%20(1)-1.pdf accessed 20 June 2025.
6 Ibid.
7 Tech Policy Press, ‘Five Things to Learn from Kenya’s Inquiry into Worldcoin’s Activities in the Country’ (2024) https://techpolicy.press/five-things-to-learn-from-kenyas-inquiry-into-worldcoins-activities-in-the-country accessed 18 June 2025.
8 Section 31, The Data Protection Act, Cap 411C, Laws of Kenya.
9 Section 2, The Data Protection Act, Cap 411C, Laws of Kenya.
10 (Judicial Review Application E119 of 2023) [2025] KEHC 5629 (KLR), Para 178.
11 (Judicial Review Application E119 of 2023) [2025] KEHC 5629 (KLR), Para 195, Regulation 3(1) of The Kenya Information and Communications (Importation, Type Approval and Distribution of Communication Equipment) Regulations, 2010.
12 Regulation 2, Regulation 7.
13 Section 2, The Data Protection Act, Cap 411C, Laws of Kenya; (Judicial Review Application E119 of 2023) [2025] KEHC 5629 (KLR), Para 179.
14 Regulation 4, The Data Protection (General) Regulations, 2021.
15 Section 2, The Data Protection Act, Cap 411C, Laws of Kenya.
16 (Judicial Review Application E119 of 2023) [2025] KEHC 5629 (KLR), Para 194.
17 (Judicial Review Application E119 of 2023) [2025] KEHC 5629 (KLR), Para 181.
18 (Judicial Review Application E119 of 2023) [2025] KEHC 5629 (KLR), Para 190.
19 Regulation 4, The Data Protection (General) Regulations, 2021; (Judicial Review Application E119 of 2023) [2025] KEHC 5629 (KLR), Para 191.
20 Section 48, 49 The Data Protection Act, 2019.
21 Regulation 46, The Data Protection (General) Regulations, 2021.
22 (Judicial Review Application E119 of 2023) [2025] KEHC 5629 (KLR), Para 16, 163, 167 and 192.
23 (Judicial Review Application E119 of 2023) [2025] KEHC 5629 (KLR), Para 193.
24 Section 18 The Data Protection Act, Cap 411C, Laws of Kenya.
25 Regulation 4, The Data Protection (Registration of Data Controllers and Data Processors) Regulations, 2021.
26 (Judicial Review Application E119 of 2023) [2025] KEHC 5629 (KLR), Para 17; Regulation 16, 18, The Data Protection (Registration of Data Controllers and Data Processors) Regulations, 2021.
27 (Judicial Review Application E119 of 2023) [2025] KEHC 5629 (KLR), Para 24; Regulation 16(b), (c); ODPC Complaint No. 1394 of 2023.
28 (Judicial Review Application E119 of 2023) [2025] KEHC 5629 (KLR), Para 173, 174; Section 18, 30 The Data Protection Act, Cap 411C, Laws of Kenya.
29 Section 25 The Data Protection Act, Cap 411C, Laws of Kenya.
30 (Judicial Review Application E119 of 2023) [2025] KEHC 5629 (KLR), Para 162.
31 (Judicial Review Application E119 of 2023) [2025] KEHC 5629 (KLR), Para 11.
32 Ibid.
33 (Judicial Review Application E119 of 2023) [2025] KEHC 5629 (KLR), Para 177.
34 Section 32 The Data Protection Act, Cap 411C, Laws of Kenya.
35 Ibid.
36 Section 31, (Judicial Review Application E119 of 2023) [2025] KEHC 5629 (KLR), Para 194.
37 (Judicial Review Application E119 of 2023) [2025] KEHC 5629 (KLR), Para 207(a).
38 (Judicial Review Application E119 of 2023) [2025] KEHC 5629 (KLR), Para 207(b).
39 (Judicial Review Application E119 of 2023) [2025] KEHC 5629 (KLR), Para 207(c).
40 Section 2.
41 Section 32.
42 Ibid.
43 Kenya National Bureau of Statistics, ‘Monthly Economic Indicators’ (June 2025) https://www.knbs.or.ke accessed 20 June 2025.
44 Section 49, The Data Protection Act, Cap 411C, Laws of Kenya.
45 Kenya Ministry of ICT and Digital Economy, Kenya National Artificial Intelligence Strategy 2025–2030 (2025) https://ict.go.ke/sites/default/files/2025-03/Kenya%20AI%20Strategy%202025%20-%202030.pdf accessed 09 September 2025.
46 Twiva, ‘Kenya’s Digital Landscape 2025: A Comprehensive Overview’ (15 May 2025) https://blog.twiva.co.ke/kenyas-digital-landscape-overview-2025/ accessed 23 June 2025.
47 Safeguarding Data Rights in the Information Age, The Elephant (7 March 2025) https://www.theelephant.info/analysis/2025/03/07/safeguarding-data-rights-in-the-information-age/ accessed 23 June 2025.