Blog by
Ms. Jane Ombiro, CIPP/E, CIPM, FIP
Data Protection Expert, South-End Tech Limited
Date: 14th May, 2025

In a landmark ruling, the High Court of Kenya has taken a firm stance against Worldcoin, a global digital identity project, over alleged violations of Kenya’s data protection laws. The case, filed in August 2023, highlighted critical privacy concerns surrounding the collection and processing of biometric data from Kenyan citizens.

Key Allegations against Worldcoin:

1. Failure to Conduct DPIA: Worldcoin reportedly began biometric data collection in July 2023 without first conducting a mandatory Data Protection Impact Assessment (DPIA), as required by the Data Protection Act, 2019.
2. Violation of Constitutional Privacy Rights: The data collection was deemed a breach of the right to privacy under Article 31 of the Constitution of Kenya, 2010.
3. Invalid Consent Practices: It was alleged that Worldcoin induced data subjects into providing consent by offering cryptocurrency worth approximately KES 7,000 (USD 50), raising concerns about the validity of such consents.
4. Ambiguous Purpose Limitation: Worldcoin reportedly merged multiple data processing purposes without obtaining separate, specific consent for each purpose, violating the principle of purpose limitation.
5. Unregistered Entities: Neither Worldcoin Foundation, World Assets Ltd, nor its local agent, Platinum De Plus Ltd, were registered as data controllers or processors in Kenya, a critical requirement under Kenyan data protection laws.
6. Unlawful Cross-Border Data Transfers: Worldcoin was accused of transferring sensitive biometric data outside Kenya without adequate safeguards, contravening Kenya’s data transfer regulations.
7. Lack of Enforceable Rights: The privacy policies of Worldcoin’s affiliates, including Tools for Humanity, failed to provide enforceable rights to Kenyan data subjects, opting instead for arbitration outside Kenya, further eroding user rights.
8. Misrepresentation in Registration: Worldcoin allegedly provided misleading information in its application to Kenya’s Data Commissioner, omitting essential establishment documents and contact details for its data processors.

High Court Ruling and Orders

After reviewing the evidence presented, the High Court issued several critical directives:

1. Immediate Data Processing Halt: Worldcoin and its agents were prohibited from further collecting, processing, or transferring biometric data in Kenya without first conducting a DPIA.
2. Permanent Data Deletion: Worldcoin was ordered to permanently erase all biometric data collected in Kenya within 7 days, under the supervision of the Data Protection Commissioner.
3. Registration Compliance: Worldcoin Foundation and Platinum De Plus Ltd were directed to register as data controllers or processors before resuming any data processing activities in Kenya.
4. Enhanced Oversight: The court further emphasized the need for strict adherence to Kenya’s data protection framework to prevent future breaches.

Key Takeaway for Foreign Entities

This ruling serves as a critical reminder for foreign entities processing biometric data in Kenya to strictly comply with the Data Protection Act, 2019, and its associated regulations. Non-compliance can result in severe legal consequences, including permanent data deletion orders, operational restrictions, and significant reputational damage.

Conclusion
As Kenya continues to strengthen its data protection regime, organizations must prioritize robust data governance, transparent consent practices, and comprehensive impact assessments to avoid similar enforcement actions.

 

Please do not hesitate to contact us for your Cybersecurity and Data Protection Solutions and Service needs on the telephone at +254115867309 +254721864169; +254740196519; +254115867309 or email. jombiro@southendtech.co.ke; dataprotection@southendtech.co.ke or info@southendtech.co.ke