by
CyJurII Theorist
Mercy Chore
Citation Number: [2025] KEHC 5629 (KLR).
The Worldcoin Foundation is part of a global digital identity and cryptocurrency initiative that leverages biometric data, specifically iris scans, to verify individuals and provide them with a unique digital identity tool. World Assets Ltd., an affiliated entity, is responsible for distributing 75% of all Worldcoin tokens (WLD) that have been allocated to the Worldcoin community. In Kenya, the project commenced by collecting biometric data from individuals in exchange for cryptocurrency tokens valued at approximately USD 55. These scans were conducted using a specialized biometric imaging device known as the Orb.
The data collection started as early as May 2021, which is before the Worldcoin Foundation and all its affiliates (“the Worldcoin”) had officially registered as a data controller under Kenya’s Data Protection Act, 2019 (“the Act”). Section 18(1)(a) of the Act provides that a data controller or processor must not process personal data unless the data subject has given consent for one or more specified purposes. Worldcoin’s failure to register and to obtain valid, lawful consent constituted a foundational legal breach.
1. Classification of biometric data and legal safeguards
Under Section 2 of the Act, biometric data such as iris scans is categorized as sensitive personal data, which includes personal data resulting from specific technical processing based on physical, physiological or behavioural characterization, including blood typing, fingerprinting, deoxyribonucleic acid analysis, earlobe geometry, retinal scanning and voice recognition.
Section 49 of the Act further stipulates that sensitive personal data must not be transferred outside Kenya unless adequate safeguards are in place and the data subject has consented. Despite this, Worldcoin transferred biometric data collected in Kenya to servers abroad without demonstrating the existence of adequate protection mechanisms or obtaining express, unequivocal, free, specific, and informed consent, thereby violating this critical provision.
2. Failure to conduct a Data Protection Impact Assessment (DPIA)
Processing sensitive personal data that poses a high risk to individual rights requires a Data Protection Impact Assessment (DPIA) under Section 31 of the Act. This legal safeguard ensures that risks such as identity theft, unauthorized access, and long-term privacy harms are mitigated. Worldcoin failed to carry out a DPIA prior to initiating its biometric data collection program, leaving data subjects vulnerable and exposed to potentially severe consequences.
3. Nature and Purpose of the Judicial Review Application
The case of Republic v Tools for Humanity Corporation (US) & 8 others; Katiba Institute & 4 others (Ex parte Applicants); Data Privacy & Governance Society of Kenya (Interested Party) [2025] KEHC 5629 (KLR) arose from a judicial review application filed before the High Court of Kenya. The application challenged the legality of Worldcoin’s data collection and processing activities in Kenya and the regulatory response, or lack thereof, by the Office of the Data Protection Commissioner (ODPC) and other government agencies. The application was grounded on allegations that Worldcoin’s operations violated key provisions of the Data Protection Act, including:
· Failure to conduct a Data Protection Impact Assessment (DPIA) as required under Section 31;
· Use of financial inducements to obtain biometric data, which undermined the validity of consent under Section 32;
· Absence of lawful cross-border data transfer mechanisms, contrary to Part VI of the Act; and
· Misrepresentations made during the application for data controller registration.
The Applicants alleged that the actions of Worldcoin and the regulatory inaction by the ODPC infringed constitutionally protected rights, namely, the right to privacy (Article 31), human dignity (Article 28), and fair administrative action (Article 47). The Applicants further argued that the ODPC’s failure to act contravened principles of legitimate expectation and amounted to a breach of statutory duty.
4. The High Court’s ruling
On 5th May, 2025, Justice Roselyne Aburili delivered a landmark judgment declaring Worldcoin’s operations in Kenya unlawful.
The Court found that the company had targeted economically vulnerable populations by offering financial incentives, primarily cryptocurrency, in exchange for iris scans. This practice, the Court held, violated the principle of informed consent as defined under Section 32 of the Act, which requires that consent be specific, informed, and unambiguous. Offering monetary rewards without adequate disclosure of the risks and intended data uses invalidated consent and raised serious ethical concerns around coercion, exploitation, and the commodification of personal data.
In her ruling, Justice Aburili issued the following binding directives:
· Immediate deletion of all biometric data collected without a valid DPIA and informed consent;
· Cessation of all data collection and processing activities by Worldcoin until full compliance with the law is demonstrated;
· A government directive to develop and publish comprehensive guidelines governing the commercial use of personal data in Kenya.
The judgment was firmly anchored in Article 31 of the Constitution, affirming the right to privacy and the individual’s protection from arbitrary or unlawful intrusion into their personal data.
5. Global regulatory backlash against Worldcoin
Kenya is not alone in raising concerns about Worldcoin’s data practices. Regulatory pushback has intensified across several jurisdictions:
· In Spain, the High Court upheld a ban on iris scans after the data protection agency found Worldcoin’s activities violated GDPR principles.
· Brazil issued a nationwide prohibition in early 2025, denouncing Worldcoin’s use of financial incentives to gather data from vulnerable citizens.
· Germany ordered the deletion of unlawfully acquired data by Worldcoin, citing inadequate anonymization and consent procedures.
· In South Korea, authorities imposed a fine equivalent to US$79,000 for unauthorized data transfers and insufficient transparency in biometric processing.
These international actions reflect a growing global consensus. In essence, while digital identity systems offer innovation, they must be held to the highest legal and ethical standards, emphasizing informed consent, autonomy, and strict regulatory oversight.
6. Conclusion
The Worldcoin case in Kenya underscores the urgent need for vigilance, accountability, and robust enforcement in the governance of emerging technologies that intersect with personal data and individual rights. The High Court’s judgment affirms the centrality of informed consent, transparency, and lawful data handling under Kenya’s Data Protection Act, 2019. It also sets a precedent for holding both domestic and foreign actors accountable where personal data is commodified or collected in a manner that exploits vulnerable populations.
Sources
1. Reuters, “Spain’s High Court upholds temporary ban on Worldcoin iris-scanning venture” (11 March 2024), available at: https://www.reuters.com/technology/spains-high-court-upholds-temporary-ban-worldcoin-iris-scanning-venture-2024-03-11/
2. IDTECH, “Brazil Upholds Ban on Worldcoin’s Biometric Data-for-Crypto Program” (26th March, 2025), available at: https://idtechwire.com/brazil-upholds-ban-on-worldcoins-biometric-data-for-crypto-program/
3. IDTECH, “German Regulator Orders Worldcoin to Delete Biometric Data Over GDPR Violations” (20th December, 2024), available at: https://idtechwire.com/german-regulator-orders-worldcoin-to-delete-biometric-data-over-gdpr-violations/
4. FINTECH HONGKONG, “South Korea Fines Worldcoin US$790K Over Biometric Data Privacy Breaches” (26th September, 2024), available at: https://fintechnews.hk/30917/fintechkorea/south-korea-fines-worldcoin/
5. Office of the Data Protection Commissioner (ODPC). (May 2025). Guidance Note on Processing of Biometric Data. Draft guidance published by the ODPC, Kenya, available at: https://www.odpc.go.ke/wp-content/uploads/2025/05/Draft-1-Guidance-Processing-of-Biometric-Data.pdf.