Kenyan Govt Accuses Worldcoin of Illegally Collecting Biometric Data

The German organization behind the Worldcoin project has so far collected over 400,000 Kenyans' facial and iris data and this has raised concern about the authenticity of the project to not breach consumer's data privacy policy. 

Seeing that this is properly followed, Members of the Kenyan have questioned two cabinet ministers about the Worldcoin operation in Kenya and how it has been setting up shops to obtain data from the citizens.

However, the response from the two ministers varied as lack of professionalism—While the responses from Eliud Owalo, cabinet secretary for ICT and the digital economy, and Kithure Kindiki, interior ministry colleague, still lack points, the individuals will be subjected to another round of questioning in a week to provide more clarity on the overall situation.

Kenya's cabinet secretary for ICT and digital economy, Eliud Owalo, was questioned today regarding Worldcoin's operations in Kenya. According to Owalo, the corporation unlawfully gathered iris data, and there are intentions to retain that data before an assessment of the case is conducted. 

Worldcoin Data Controller Has Its Limit

According to Owalo, the Office of the Data Protection Commissioner (ODPC) in Kenya has registered Worldcoin as a data controller. The license, however, did not suggest that Worldcoin was permitted to process user data in Kenya; the ODPC granted the certificate just to establish that Worldcoin was acknowledged in Kenya. 

• “The certificate simply signifies that an entity is known to the ODPC and that it processes personal data of persons located in Kenya. Further, it does not amount to certification of the processing activities of the entity or serve as an endorsement from the ODPC of an entity’s compliance with the provisions of the Data Protection Act or any other laws, including but not limited to the constitution of Kenya 2010,” Owalo explained. 

The cabinet secretary went on to say that the ODPC awarded the certificate to Worldcoin after it provided the relevant paperwork “pursuant to the registration regulations”. 

Who Gave Permission for the Biometric Data to Be Collected by Worldcoin?

When asked about this topic, Owalo did not provide a full answer, instead offering breaks from current data protection legislation. He reminded parliament, for example, that Worldcoin had been registered as a data controller in April 2023.  

• “An entity required to process personal data is required to identify itself with the ODPC by registering with the office. And according to the Data Protection Act 2019, an entity should therefore make an application for registration as a data controller where it determines the purpose and means of handling personal data,” said Owalo. 

The CS went on to explain how a data processor implements the ODPC, particularly where the business handles data for a data controller as part of a contractual duty. Certain businesses are permitted to register as both data controllers and data processors.

Owalo stressed that this certificate demonstrated Worldcoin's compliance with particular provisions of the Data Protection Act 2019, notably the registration section. 

• “The license does not in any manner endorse an entity’s compliance with the Data Protection Act or its subsidiary regulations, nor is it a valid license for an organization to operate In Kenya,” he said.

To that end, it is obvious that Worldcoin was only granted a data controller certificate, not the power to collect iris data from Kenyans. However, the firm obtained this critical biometric data, after which the impacted Kenyans earned slightly more than $54 in World tokens.

• “There is a divergence between mere registration and operationalization in conformity to the law. Registration does not imply that a company operating in Kenya has been given authority to behave in a manner that it deems appropriate,” Owalo said. 

What’s the Future of the Biometric Data That Has Been Collected by Worldcoin?

According to Owalo, the Kenyan authorities directed Worldcoin to stop collecting iris data in May of this year. Following the decision, various agencies, including the ODPC and the Communications Authority of Kenya (CA), halted operations in the country in August when the matter received extensive media attention.

The Kenyan government has asked the courts for preservation orders to complete the current investigation into Worldcoin's actions. The evaluation is being carried out by some organizations.

This will make Worldcoin save all personal data gathered from Kenyans during the program. The findings of this study will be submitted to parliament the following week.