‘So far, the government’s attempts at regulating data processing activities of WorldCoin through suspension and investigations have been reactive, belated, lukewarm, and conflicted.’
I. WorldCoin’s operations
In the first week of September 2023, a Kenyan Parliamentary Ad Hoc Committee of Inquiry continued its investigations on a biometric crypto project that WorldCoin, a US-based cryptocurrency company, launched in the country. On its website, the company explains the project as a vital entry point to ‘universal access to global economy’. The company revamped its operations in Kenya in July 2023, collecting sensitive personal data through retinal scanning of Kenyans. With this, the company aims to use the data to develop a unique digital identity system (World ID) based on proof of personhood.
II. Government of Kenya’s response
Considering Worldcoin’s past controversies, it found itself in the middle of a storm in Kenya. On 2nd August 2023, Kenya’s Ministry of Interior and Administration of National Government released a statement ‘suspending’ the company’s operations in Kenya pending investigations. The government cited a potential breach of privacy and related rights of Kenyans amongst reasons for the suspension.
The Office of the Data Protection Commissioner (ODPC) and the Communications Authority of Kenya (CA) also issued a joint statement on WorldCoin operations. The statement highlights privacy as a regulatory concern that the WorldCoin operations raise. It further notes that the company must cease operating in Kenya and urges the public to take caution when providing their personal data. The Capital Markets Authority also issued a statement that WorldCoin’s products are not regulated in Kenya, a position that is shared by the Attorney General of Kenya shares.
However, the Cabinet Secretary for ICT has taken a contradicting position, noting that WorldCoin’s operations are legal.
III. Government’s approach vis-à-vis obligation to protect human rights
The UDHR, Article 2 of ICCPR, as read with relevant Human Rights Council Resolutions, Article 8 of the Malabo Convention, other African instruments, and Article 21(1) of the Kenyan Constitution, obligates the State of Kenya to protect its citizens against abuse of their privacy and related rights by third parties, including by entities like WorldCoin and their sub-contractors. Paragraph 10 of General Comment No. 16 on Article 17 of ICCPR further guides Kenya to take effective measures to ensure people’s personal information personal information of people does not reach the hands of unauthorized persons. Additionally, Principle 1 of the United National Guiding Principles on Human Rights 2011, requires Kenyan State to take appropriate steps to prevent, investigate, punish, and redress such human rights abuses through effective policies, legislation, regulations, adjudication, and remediation. The requirement can only be met if Kenya takes proactive action to protect, ensure a coherent approach, and formulate and implement adequate data protection laws.
The Kenyan government’s response to the WorldCoin controversy conflicts with the operational principles of the State’s duty to protect the framework as follows:
- The government failed to take favourable proactive action in aligning its processes to ensure WorldCoin demonstrates mechanisms for respecting privacy and related human rights before launching in Kenya.
- The government bodies’ conflicting verdicts inevitably indicate a lack of coordination and coherent policy for implementing WorldCoin’s biometric crypto project in Kenya. It also evidences deviance from Kenya’s obligation to develop a common and consistent approach as envisaged under the Personal Data Protection Guidelines for Africa.
- The government exhibited laxity in implementing the existing laws. The government allowed WorldCoin’s marketing operations, including allowing it to use public premises such as KICC as retinal scanning points without assurance of legal authorization. This way, it contributed to the controversy by failing to ensure that any interference with personal information is in accordance with all laws per the standards set out in paragraph 3 of General Comment No. 16.
- The past and present controversies raised regarding how WorldCoin collects data (through monetary inducement), stores, and uses personal data indicate that WorldCoin’s data processing operations could be an affront to various provisions of the Kenyan data protection law. The operations were a direct affront to provisions, including those on data subject rights (section 26 of the Data Protection Act (DPA)) and data protection principles (section 25 of DPA). There was also no assurance of required grounds for processing sensitive personal data (sections 44 and 45 of DPA) and safeguards for transferring personal data outside Kenya (sections 48 and 49 of DPA).
- Though the Office of the Data Protection Commissioner (ODPC) reportedly suspended WorldCoin’s test operations in May 2022, the subsequent operation of the company’s marketing agents by set up retinal scanning points in Kenya remains unexplained. The controversy reveals that the ODPC’s authorization failed to proactively consider proportionality, necessity, and legitimate aims of the data processing operations as envisaged under Article 24 of the Kenyan Constitution and SIRACUSA Principles.
- All the public statements issued by government bodies do not address remediation issues for the Kenyans whose data had already been collected by WorldCoin before the suspension.
- The public statements issued by various government agencies are indecisive and came rather late. Furthermore, the statements appear more as damage control tools since they show now a coordinated effort to ensure WorldCoin complies with Kenyan data protection law. That is so since the Data Protection Act 2019 (sections 8, 9, and part VIII), Kenya Information and Communications Act 1998, and Consumer Protection Act 2012 (section 13) all grant the ODPC and CA broad and stern enforcement powers which these institutions have curiously failed and or ignored to invoke.
- That Kenyans had been queuing for registration with WorldCoin in their thousands is a pointer that the Kenyan government has not done enough to discharge its mandate of creating public awareness on the provisions of DPA (section 8(1)(g)).
Even as the parliamentary inquiry is ongoing, the WorldCoin controversy has illuminated the extent to which the Kenyan government was and still is unprepared to protect its citizens from abuse of their privacy and related rights in this digital age. So far, the government’s attempts at regulating data processing activities of WorldCoin through suspension and investigations have been reactive, belated, lukewarm, and conflicted. Consequently, its performance of Kenya’s human rights obligation to protect has been underwhelming. The experience in Kenya has shown that proactive regulatory measures, coordination of regulatory activities, consistent government policy approach, and stern regulatory actions (from planning to implementation of innovative projects) are critical ingredients of respect for privacy and related human rights when emerging technologies are rolled -out and implemented.