
By Betty Jepchumba
Recently, Kenya was thrown into a frenzy because of what can properly be called “The Worldcoin Saga.” A German-based company, Tools for Humanity (TFH), through its affiliate, the Worldcoin Foundation, was scanning irises belonging to Kenyans in exchange for the equivalent of 7,000 Kenyan shillings. There was a huge public outcry, particularly from legal and privacy professionals, as to the safety and security of the personal data being collected, prompting the relevant authorities to take action.
Thereafter, the Office of the Data Protection Commissioner (ODPC), in conjunction with other agencies which included the Central Bank of Kenya, the Communication Authority of Kenya, the National Computer and Cybercrime Coordination Committee and the Ministry of Information Communication and Digital Economy, launched an investigation into the entity known as Worldcoin.
The investigation sought to determine whether the processing of personal data complied with the Data Protection Act and its Regulations.
The allegations brought against the Company were that:
- It unlawfully continued to process data belonging to Kenyans even after they were issued with a cease-and-desist letter.
- It failed to obtain proper consent from the data subjects (Kenyans).
- It was not transparent and clear on where the collected data would be located.
- It did not follow the proper procedure in notifying the ODPC of the cross-border data transfers involved.
- It did not conduct a Data Protection Impact Assessment in respect of its activities which would have introduced the relevant legal and technical safeguards.
Determination
On the issues up for determination, the Data Commissioner found that:
- TFH was indeed registered as a data controller while the Worldcoin Foundation was not. Section 18 of the Data Protection Act requires that one first be registered as a data controller with the Data Commissioner before carrying out data control responsibilities. TFH had a Certificate of Registration but the Worldcoin Foundation did not, and thus could not act as a Data Controller without making an independent application.
- Secondly, consent, as per Section 2 of the Act, should be free, express, unequivocal, specific and informed. That is, consent should be influenced by nothing other than the individual’s own free will. At the time, and even now, Kenya was facing a tough economic situation. The fact that TFH offered tokens in exchange for personal data introduced an element of undue influence upon the data subject’s expression of free will. Furthermore, to access the tokens, one had to download the Worldcoin App from Playstore and agree to its terms and conditions. This process was found to have been done by orb operators. They downloaded the app on behalf of the subjects and accepted the terms and conditions for them, which denied the subjects the chance to review before accepting. In totality, the Office found that the consent obtained by TFH and the Worldcoin Project was not compliant with Section 32 of the Act as read with Regulation 4 of the Data Protection (General) Regulations.
- On the issue of transferring the data outside Kenya, the Office found that both TFH and the Worldcoin Foundation did not fulfil the requirements of Regulation 46, which requires that there should be explicit consent from the subject and that the subject should be informed of the risks of transferring such data elsewhere. In this case, consent was tampered with by the orb operators as explained above.
- Consent should be more than just ticking a box. It must be expressly given, and the two bodies should have requested written statements, the filing of electronic forms or even signing through email to show that the subjects fully consented to the transfer of data.
- TFH and Worldcoin did not obtain confirmation of appropriate safeguards and properly notify the Data Commissioner before transferring sensitive data out of the country, contrary to Section 49(1) of the Act.
- The last matter for determination was whether Worldcoin conducted a Data Protection Impact Assessment (DPIA). This assessment is normally conducted where an operation is likely to result in a high risk to the freedom and rights of data subjects, as was the case here. Its purpose is to ensure that subjects have control over their data. The Act requires that this report be submitted 60 days before processing the data. TFH submitted their DPIA in June 2022, which was in good time. However, upon assuming controller responsibilities from TFH, Worldcoin did not submit a DPIA or at least demonstrate that the DPIA applying to TFH applied to Worldcoin as well. Therefore, in taking over controller responsibilities without conducting a DPIA, the Worldcoin Foundation violated Section 31 of the Act.
- The final determination given by the ODPC is that TFH was in breach of the Data Protection Act 2019 as well as the Regulations and an Enforcement Notice will issue against them.
Betty Jepchumba is a legal assistant at MasiboLaw. You can contact her through intern@masibolaw.co.ke/info@masibolaw.co.ke
