Worldcoin is an open-source protocol or system that aims to provide universal access to the global economy to every person.¹ Developed under the Tools for Humanity (TFH) Project and co-founded by Sam Altman, the CEO of OpenAI,² Worldcoin has been described as a new global digital currency aimed at creating a new identity and financial network owned by every single person.³ Some of the tools developed to enable Worldcoin to achieve its mission include World ID which helps in solving identity-based hurdles; Worldcoin token which is freely distributed to individuals for their uniqueness, and World App which enables transactions globally using Worldcoin tokens including other digital and traditional currencies.⁴

According to the Data Protection Commission, the genesis of Worldcoin in Kenya can be traced back to May 31 2021 when it is alleged that the cryptocurrency company began collecting data.⁵ This was reiterated in the submissions by the ICT Cabinet Secretary which indicated that collection of data was being done in public places.⁶ The company however applied for registration as data controllers on August 22 2022 after commencing their activities contrary to mandates in the Data Protection Act 2019.⁷ The Data Protection Commission also noted that they got wind of data collection by the company in April 2022 when Worldcoin started scanning the irises of individuals.⁸ It was later discovered that this data that falls within the ambit of sensitive personal data was being collected from the populace and then transferred outside Kenya.⁹ Sensitive personal data has been defined in the Data Protection Act 2019 as one which reveals a person’s race, health status, genetic data, biometric data, and sexual orientation of the data subject among others.¹⁰ The Data Protection Act 2019 in section 49 also requires that appropriate safeguards are put in place and consent of the data subject is obtained where sensitive personal data is processed outside Kenya.

Although the Worldcoin project had already commenced its data collection activities in Kenya, it was rolled out globally on July 24 2023 in more than 20 countries¹¹ and in order to register one had to visit a Worldcoin operator in order to be verified using a device known as an Orb.¹² The Orb uses biometric data i.e iris scan to ‘establish an individual’s unique personhood.’¹³ Once that is done a digital World ID is created and can be used pseudonymously without revealing an individual’s identity.¹⁴ Kenyans who registered were gifted with tokens equivalent to $54 or Kshs. 7,700.¹⁵ This is despite the fact that the Office of the Data Protection Commissioner (ODPC) had already instructed the company to halt iris scans and collection of personal data in Kenya.¹⁶ The enrollment was however short-lived when regulatory bodies i.e. Communications Authority of Kenya, Data Protection Commission, and Capital Markets Authority, raised regulatory concerns.¹⁷ The Capital Markets Authority through a cautionary statement released to the public noted that Worldcoin is not regulated in Kenya.¹⁸ The entity further cautioned the public against dealing in unregulated entities and products.¹⁹

The Office of the Data Protection Commissioner (ODPC) also released a press statement calling for vigilance from members of the public. In the press release, the ODPC noted that it was aware that the processing of sensitive personal data by Worldcoin was going on and it was paramount that proper safeguards be in place as required by the Data Protection Act 2019.²⁰ The ODPC also urged Kenyans to receive proper information before disclosing any personal or sensitive data.²¹ Following the concerns raised and in order to ensure public safety, the government through the Ministry of Interior and National Administration suspended the activities of Worldcoin.²²

Consequently on 15th August 2023, an Adhoc Committee was established to inquire on the activities of Worldcoin in Kenya to which it published a report on the inquiry on 28th September 2023 (Report on the Inquiry into the Activities and Operations of Worldcoinin Kenya). The Ad hoc Committee was established following a request for a statement by the Hon Gitonga Mukunji on the Parliamentary floor from the cabinet secretary of the Ministry of Interior and National Administration and the Cabinet Secretary of the Ministry of Information Communication and the Digital Economy on the data collection/registration exercise of Worldcoin.

In conducting its inquiry the Adhoc Committee established the following terms of reference; making an inquiry into operations and objectives of Worldcoin activities in Kenya, legal and regulatory compliance of World Coin, and due diligence by relevant authorities prior to commencement of its operations, the organizational structure of world coin, money considerations paid to members of the public upon registration, exposure to health hazards, legal and regulatory gaps that permitted Worldcoin operations and other emerging issues.

For this commentary, we shall focus on the inquiry into legal and regulatory compliance of the operations of World Coin, due diligence conducted by relevant authorities, and the safety of data collected by World Coin.

Adhoc Committee Findings

Data Protection Compliance of WorldcoinData Collection Exercise

The report by the Adhoc Committee raised several data protection issues related to the data collection operations of World Coin. The Committee raised questions as to their registration as data controllers and processors as prescribed under the Data Protection Act (DPA), adherence to the set data collection principles, retention rectification and erasure, transfer of personal data outside Kenya, conducting a Data Protection Impact Assessment (DPIA), consent and the rights of the data subject.

The Office of the Data Protection Commissioner was called upon during the inquiry to address issues concerning the compliance of Tools for Humanity, the developers running Worldcoin, before their data collection exercise. The ODPC investigated the activities of Worldcoin and requested an explanation of its activities in Kenya relating to data collection on 19 April 2023. Additionally, the ODPC requested the submission of a DPIA per section 31 of the DPA. Notably, the ODPC was dissatisfied with the submitted DPIA and requested Worldcoin to cease data collection of persons in Kenya pending the 60-day determination to which they submitted a response explaining compliance and gaps noted in the DPIA. It was after this that Tools for Humanity applied for registration as Data Controllers and Processors and a Registration Certificate was issued. Tools for Humanity was registered as a Data controller under the provisions of sections 18 and 19 of the DPA and a certificate was issued by the ODPC on 15 September 2022.

The committee’s report highlights several data protection findings of World Coin:

• Collection of sensitive personal data: Worldcoin collects biometric data, which is considered to be sensitive personal data under the DPA. “sensitive personal data” means data revealing the natural person’s race, health status, ethnic social origin, conscience, belief, genetic data, biometric data, property details, marital status, family details including names of the person’s children, parents, spouse or spouses, sex or the sexual orientation of the data subject. Biometric data is unique to each individual and can be used to easily identify and track people. Section 44 of the DPA further prescribes the conditions upon which sensitive data can be collected among which include, ensuring all the principles of processing personal data are complied with as specified under section 25 and where processing is carried out in the course of legitimate activities with appropriate safeguards. Not only did Worldcoin fail to establish compliance with the data protection principles of lawfulness fairness and transparency as well as the principles of transfer; Worldcoin also failed to establish that they had appropriate safeguards put in place to facilitate the collection of sensitive personal data i.e. Iris during their data collection exercise.

• Consent: The bedrock of the lawful processing of personal data is consent. The DPA prescribes that a data controller or processor cannot collect personal data unless the data subject consents to the processing for one or more specified purposes.²³ The conditions of consent are prescribed in section 32 (1) and it is upon the data controller and processor to establish that the data subject has indeed given consent for the data collection. Consent is described in the Act to mean, ‘any manifestation of express, unequivocal, free, specific and informed indication of the data subject’s wishes by a statement or by a clear affirmative action, signifying agreement to the processing of personal data relating to the data subject. Additionally, under the rights of the data subject, the data subject has the right to be informed of the use to which the personal data will be used.²⁴ The ODPC noted that one of its concerns with the data collection exercise was based on the legality of the exercise itself as well as how Worldcoin was seeking to acquire consent. The Adhoc Committee report notes that the majority of Kenyans who presented themselves for the data collection exercise were not adequately informed of what the exercise entailed to be in a position to give informed consent and were swayed by the monetary gain promised after registration.

• Security and storage of data: A data controller or processor has the responsibility of ensuring that, before the data collection exercise, the data subject is notified of the technical and organizational security measures taken to ensure the integrity and confidentiality of the data.²⁵ Worldcoin did not provide clear information about how it secures and stores the biometric data it collects. This was demonstrated by the witnesses who gave their recount of the data collection exercise. Furthermore, it was unclear the location of storage of the data collected noting approximately 508,569 Kenyan users were verified. This raises concerns about the potential for data breaches and misuse of data. Section 50 of the DPA gives the cabinet secretary authority to determine whether the nature of certain processing should only be effected through a server or data center located in Kenya. The numbers, type of data collected and lack of clarity as to the location of storage necessities the application of section 50. Furthermore, despite the claim of security measures by Worldcoin, there is no clarity as to whether the data stored can be deleted or retracted if need be, allowing the data subjects to exercise their right to access personal data.²⁶

• Transfer of Personal Data outside Kenya: Section 48 of the DPA outlines the conditions for the transfer of personal data outside Kenya. The Adhoc Committee noted that Worldcoin failed to comply with the provisions as they could not establish whether appropriate safeguards concerning security were put in place, noting that data collected during the exercise was not being stored in Kenya. Despite the claim by Worldcoin that data collected was safely stored in Amazon Web Services based in South Africa, it was not clear whether the data stored could be retracted and deleted should the need arise. Provisions of the DPA are clear on the transfer of personal data. Additionally, section 49 provides for the conditions for transferring sensitive personal data. The provision notes that the processing of sensitive personal data out of Kenya shall only be effected upon obtaining consent of a data subject and on obtaining confirmation of appropriate safeguards. The Adhoc Committee report established that the manner in which consent was obtained was not in accordance with the provisions of the DPA and no consent was sought from the data subjects regarding the transfer of their sensitive personal data, neither was a confirmation of safeguards given. This was equally corroborated by the office of the ODPC and sighted as one of the justifications for suspending the registration of TFH halting further data processing activities.

• Lack of transparency: Worldcoin has been accused of being opaque about its data collection and processing activities. Worldcoin began data collection and processing in 2021 without following due process in complying with the DPA, particularly as it relates to a DPIA until it was requested by the ODPC. Only after an inquiry into its activities was brought into question did they submit a DPIA. This lack of transparency raises several issues regarding legality, lawfulness, and fairness in conducting the data collection exercise. The lack of information to the verified users on the extent to which their data will be used and what exactly Worldcoin makes it difficult for users to exercise their data protection rights.

• Transfer of Personal Data Outside Kenya: In consideration of the impact of worldcoin activities in Kenya and the data protection implications of the same, the Adhoc Committee made a number of observations, however, those relevant to data protection are:-

• There is a need to develop stand-alone legislation to regulate new and emerging technologies.

• The DPA and subsidiary regulations do not sufficiently prescribe documents required to ascertain eligibility prior to the issuance of a certificate of registration to data controllers and processors;

• The DPA lacks proper mechanisms for the enforcement of the rights of the data subjects and procedures for vetting local and foreign data controllers and processors ; and

• There is a disharmony between the Data Protection Act and the Companies Act on proof of registration.

In line with the observations canvassed, the Adhoc Committee, among others, made the following recommendations:-

• Parliamentary review of legal frameworks to harmonize the DPA with the Companies Act expressly requiring companies to provide proof of registration as foreign companies under the Act and the same be submitted before registration as data controllers and processors;

• Amendment of Sec 63 of the DPA to provide the ODPC with the discretion to impose administrative fines in alignment with global standards;

• Amendment of the DPA to establish a board where the ODPC will report and account for its day-to-day operations;

• Review of the Computer Misuse and Cyber Crimes Act 2018 to co-opt the Data Commissioner or a representative of the ODPC as a member of the National Computer and Cyber Crime Co-ordination Committee;

• Provision of legislative interventions to govern the collection of bio-data from Kenyans;

• Within 3 months of publishing the report, the ODPC is expected to report to the National Assembly on measures it has taken to sensitize the public on the provisions of the Act as prescribed under the DPA; and

• Within 6 months of the publishing of this report, the ODPC is expected to carry out an Audit of all registered data controllers and processors as prescribed under section 23 of the DPA and submit a report of the same to the National Assembly.

The observations and recommendations suggested by the Adhoc Committee bring out some observable gaps in the DPA as well as implementation limitations. These include but are not limited to:

• Registration of Data Controllers and Processors: One of the key issues that the Worldcoin inquiry brought out was that there was a lack of proper due diligence in the registration of the Tools for Humanity as data controllers and processors which led to the issuance of their certificate of registration even where it was clear that the ODPC was dissatisfied with the outcome of their DPIA. The Registration of Data Controllers and Data Processors Regulations 2021 further outlines the requirements for registration and refusal for registration, which may need to be revised to provide an extra layer of security particularly for foreign data controllers and processors. Additionally, the ODPC in vetting whether to grant a certificate of registration may be required to do a more in-depth inquiry into the data collection activities of a registering data controller or processor before approving their registration.

• Implementation of the DPA: The inquiry noted the gaps in implementing the DPA as it relates to sensitizing the public about the Act as provided for under section 8(g) of the DPA since a majority of Kenyans are still not well versed or aware of the DPA or how to exercise their rights and responsibilities under the DPA. Further, the DPA mandates the ODPC to create guidelines that would aid in the operationalization and implementation of the Act. The observations made by the Adhoc committee on legislation are already addressed through existing subsidiary legislation, implementation mechanisms may however be lacking. The ODPC since its inception has made strides in the development of regulations and guidelines as mandated by law. Registration of Data Controllers and Processors Regulations as well as the Guidance Note on Consent both issued in 2021 among others already exist to ensure that issues on consent and registration that came up are already canvassed. However, from the inquiry, it is clear that implementation mechanisms on the same are lacking as the data protection issues arising from the Worldcoin case should not ideally come up when there already exists legislative frameworks.

• ODPC Checks and Balances: Overall, there is a note that the ODPC lacks a checks and balances mechanisms as its operations and decisions cannot be adequately justified and or validated, this was made apparent through the approval mechanisms for Tools for Humanity as data controllers and processors and gaps in the manner in which the DPIA was approved and data collection exercise continued even after the ODPC issued a notice to Tools for Humanity to cease its data collection exercise.

Conclusion

Although the Worldcoin incidence was avoidable, owing to the already established data protection ecosystem, it put to test the strength of data protection awareness and legislation in Kenya. It brought out key elements noting the fact that the legislative framework is often trying to play catch up with emerging technologies and the need to futurise laws to be able to address some of the emerging issues; not only related to data but also the likely impact such emerging technologies will have on the end users. This case may have also compelled the compliance of various companies, especially foreign companies that conduct data collection exercises in the country. It has exposed some areas of weakness in the data protection legislative frameworks which need to be better fortified with better implementation mechanisms, and harmonization of laws. It has tested the extent to which the DPA can protect personal data and has established the importance of the ODPC in holding data controllers and processors accountable for noncompliance, establishing the need for accountability mechanisms of the office in how it handles data protection matters, particularly those of public interest.

Image is from gizmodo.com