Kenya: ODPC finds Worldcoin, Tools For Humanity Corporation and Tools For Humanity GmbH liable for data protection violations

On October 17, 2023, the Office of the Data Protection Commissioner (ODPC) published its determination and investigation report in complaint No. 1394 of 2023 as issued on September 6, 2023, in which it found Worldcoin Foundation, Tools For Humanity Corporation and Tools For Humanity GmbH (together TFH), liable for violation of the Data Protection Act, 2019 (the Act) and the Data Protection (General) Regulations, 2021 (the Regulations) following an investigation.

Background to the Decision

The ODPC stated that on May 21, 2021, TFH began collecting and processing sensitive personal data from Kenyan citizens including iris scans and facial images, through an app for the purposes of developing a machine learning algorithm. The ODPC noted that TFH later transferred controller responsibilities to Worldcoin Foundation. Subsequently, the ODPC suspended Worldcoin's operations in Kenya and launched an investigation into the data processing activities of TFH and Worldcoin Foundation.

Findings of the ODPC

Following its investigation, the ODPC determined that Worldcoin Foundation did not register as a data controller when it took over controller responsibilities from TFH, in violation of Section 18(1) of the Act. Further, the ODPC found that third-party operators acting on behalf of TFH assisted data subjects in downloading the app and consented to the collection and transfer of biometric data on behalf of the users. In this regard, the ODPC stated that the consent obtained was not informed, valid, or specific, in violation of Section 32 of the Act and Regulation 4 of the Regulations.

In addition, the ODPC found that the transfer of sensitive personal data out of Kenya was in violation of Section 49(1) of the Act, as TFH and Worldcoin Foundation did not obtain confirmation of appropriate safeguards from the ODPC. The ODPC also faulted TFH and Worldcoin Foundation for failing to conduct a data protection impact assessment (DPIA) before undertaking processing activities, as required under Section 31 of the Act.


Therefore, the ODPC stated that an enforcement notice would be issued against TFH and Worldcoin Foundation for the aforementioned violations. Additionally, the investigation report recommended that TFH's operations should remain suspended in Kenya for 12 months from the date of the determination or until TFH:

  • conducts a Systems Security Audit to determine the type of data processed and the number of Kenyan data subjects involved;
  • carries out a DPIA;
  • simplifies consent in line with Section 32 of the Act and Section 4 of the Regulations; and
  • incorporates a subsidiary in Kenya with a physical office.

You can read the determination and investigation report here.