Many people have been asking whether Worldcoin complies with data protection laws in Kenya. It turns out that it does, although Kenyans might not be aware of their rights spelled out in the law.
Worldcoin, a blockchain company founded by OpenAI chief Sam Altman, is offering Kenyans free tokens in exchange for their iris scans. The tokens are currently worth about $54 or KES 7,000, which is significant for many Kenyans. The Worldcoin project has been met with some privacy concerns, as the iris scans could be used to create a universal ID system. However, Worldcoin says data from the iris scans will be hidden with encryption technology and the biometric information deleted. But privacy experts and even Vitalik Buterin, founder of Ethereum, have raised doubts, mainly about how trusted the orbs are. TechCrunch previously reported hacks of Worldcoin orb operators. Biometric Update, a digital ID-focused publication, has also reported iris scans from other sources and processed WorldID being traded on the dark web.
The Worldcoin project has been popular in Kenya, with long queues forming at shopping malls where the iris scans are being taken. Some crypto firms in Kenya, including Nuzo, are also taking advantage of the popularity of Worldcoin, offering to help people convert their tokens to cash. In the past week, the World App, a cryptocurrency wallet for Worldcoin, has seen a surge and claimed the top spot on the download charts of the Play Store in Kenya.
TechCabal has established that Worldcoin is registered as a data processor by the Office of the Data Protection Commissioner (ODPC) under its parent company’s name, Tools for Humanity GmbH. However, the company is based in Berlin. This means it has permission from Kenyan authorities to collect private data from locals.
Under the Data Protection Act 2021, anyone who acts as a data controller or processor must register with the data commissioner. The law directs data controllers and processors to handle data lawfully, be mindful of limiting data collection, restrict further data processing, and ensure data quality. They must establish and maintain robust security measures to safeguard personal data.
The law requires data controllers and processors to store personal data covered by the Act within Kenya. Cross-border processing of sensitive personal data is prohibited. Still, exceptions may apply with specific conditions, such as providing safeguards to the data commissioner, obtaining explicit consent from data subjects after informing them of potential risks, or when the transfer is necessary for contract performance.
The Act also grants exemptions from its provisions in national security cases, legal requirements, crime prevention, apprehension, or prosecution. So far, none of these exceptions has been detailed by the data commissioner’s office, and none of our attempts to seek clarification has borne fruit.
Non-compliance with the Data Protection Act 2021 attracts a penalty of up to KES 5 million ($35,000) or 1% of the undertaking’s annual turnover, whichever is lower. Individuals face a fine of up to KES 3 million ($21,000), imprisonment of up to ten years, or both. The law applies to all companies processing personal data of data subjects in Kenya, regardless of location. Data subjects, including those who had their iris scanned, can request confirmation, location, and purpose of data processing. They can also request to have their information erased from the processors’ systems.