In a significant ruling, Kenya’s High Court ordered Worldcoin, a cryptocurrency project, to delete all biometric data it collected from Kenyans, declaring the data collection illegal. The court, led by Justice Roselyne Aburili, found that Worldcoin violated Kenya’s Data Protection Act of 2019 by gathering iris scans and facial images without proper consent or a required Data Protection Impact Assessment (DPIA). The decision came after a legal challenge by the Katiba Institute, a Kenyan NGO, which argued that Worldcoin’s practices infringed on citizens’ constitutional right to privacy. The court gave Worldcoin seven days to erase the data under the supervision of Kenya’s Office of the Data Protection Commissioner (ODPC).
The issue before the court was whether Worldcoin’s method of collecting biometric data complied with Kenya’s data protection laws. Worldcoin offered Kenyans about $50 in cryptocurrency to scan their irises using a device called the Orb, which raised concerns about whether consent was freely given. The Katiba Institute argued that this financial incentive made the consent coercive, not informed, and violated the principle of voluntary agreement required by law. Additionally, Worldcoin failed to conduct a DPIA, a mandatory step to assess risks to personal data, which the court found to be a clear breach of the Data Protection Act.
The court’s reasoning focused on the right to privacy under Article 31 of Kenya’s Constitution. Justice Aburili emphasized that Worldcoin’s actions undermined this right by collecting sensitive biometric data without transparent safeguards or regulatory approval from the ODPC. The judge ruled that offering cryptocurrency as an inducement invalidated consent, as it exploited vulnerable individuals who might feel compelled to participate for financial gain. The absence of a DPIA further showed Worldcoin’s disregard for legal requirements, making its operations in Kenya unlawful.
The court’s conclusion was straightforward: Worldcoin’s data collection was illegal, and the data had to be deleted to protect Kenyans’ privacy. It issued three orders: one, a prohibition on further data collection without a proper DPIA or valid consent, two, a certiorari order to nullify Worldcoin’s decision to collect data, and lastly a mandamus order to erase all collected biometric data within seven days. The ODPC was tasked with overseeing the deletion to ensure compliance. This ruling not only halts Worldcoin’s operations in Kenya but also sets a precedent for how tech companies must handle personal data in the country.
Do you think the court’s ruling on Worldcoin sets the right precedent for data privacy in Kenya? Let us know in the comments below. Don’t forget to like, share, and comment on this post to keep the conversation going!
Leave a Reply