Suo Motu Investigation by the ODPC Commissioner on the Operations of the Worldcoin

Country: Kenya
Court: Office of the Data Protection Commissioner
Status: Determination and Investigation
Tags: data protection, privacy breaches, compliance

Case Summary

On its own initiative through Section 9(1)(a) of the Data Protection Act (hereinafter ‘the Act’), the ODPC (hereinafter ‘the Office’) instituted investigations against the operations of Tools for Humanity Corporation, Tools for Humanity GmbH (hereinafter ‘TFH’) and Worldcoin Foundation (hereinafter ‘Worldcoin’) under the ‘Worldcoin Project’.

Particular focus was placed on the processing of (sensitive) personal data belonging to Kenyan citizens and residents through the Worldcoin Project. The Worldcoin Project aimed at creating a globally inclusive identity and financial network with the potential of increasing economic opportunities and distinguishing humans from AI online while preserving privacy, enabling global democratic processes and showing a potential path to AI-funded Universal Basic Income (UBI).

TFH began collecting and processing personal data in May 2021 for the purpose of developing a machine learning algorithm to establish a protocol. The algorithm was meant to differentiate between real human and non-human irises, as well as one real human iris from those of the other people who signed up for the protocol. The Office contacted TFH and was in constant correspondence with them, including reviewing their Data Protection Impact Assessment (DPIA). However, in May 2023, the Office raised concerns over the processing of sensitive personal data by TFH and asked them to cease such processing. In June 2023, TFH responded to the Office’s concerns and stated that they had suspended their activities for 14 days; however, they also expressed that if the Office did not correspond with them on the matter by 23rd June 2023, they would assume that they had clarified and addressed all concerns regarding the processing activities.

TFH then transferred the controller responsibilities to Worldcoin.

In later months, an upsurge in Worldcoin Project activity occurred in Kenya, necessitating the ODPC to issue a public statement, in liaison with the Communications Authority of Kenya, setting out the measures it had taken, and to correspond with TFH to cease all activities and securely store all collected data. The ODPC then instituted a Miscellaneous Application in the High Court of Kenya seeking preservation orders to preserve the personal data of Kenyans (including traffic data).

Issues for determination

  1. Whether TFH and Worldcoin were registered as Data Controllers in Kenya.
  2. Whether TFH and Worldcoin obtained proper consent for the processing of sensitive personal data.
  3. Whether the transfer of personal data outside Kenya by TFH and Worldcoin was in compliance with Section 29(d) of the Act and Regulation 23(e) of the Data Protection (General) Regulations as read with Sections 48 and 49 of the Act and Regulation 40 of the Data Protection (General) Regulations.
  4. Whether Worldcoin conducted a Data Protection Impact Assessment on the processing activities for which they were the data controller as required under Section 31 of the Act as read with Regulations 49, 50 and 51 of the Data Protection (General) Regulations, 2021.
  5. Whether TFH continued processing Kenyans’ sensitive personal data after the cease-and-desist letter of 30th May 2023 and whether this impeded the Data Commissioner in the exercise of her powers under Section 9 of the Act.

Determination

Tools for Humanity Corporation and Tools for Humanity GmbH were found liable for breach of the Data Protection Act and the attendant Regulations and an Enforcement Notice was issued.

This was in light of the institutions violating major requirements of the regulations governing data processing in Kenya, including prior consent, transfer of data outside the country, and DPIAs.

Analysis

  1. Whether TFH and Worldcoin were registered as Data Controllers in Kenya

In distinguishing between ‘licensing’ and ‘registration’, the ODPC clarified that it is mandated to register data controllers and processors and not license them.

From the investigations carried out by the Office, Tools for Humanity GmbH and Tools for Humanity Corporation applied for registration as data controllers pursuant to Section 19 of the Act and paid the requisite fee, leading to them obtaining a certificate of registration in accordance with the same section of the Act.

However, the Worldcoin Foundation, which assumed data controller responsibility over TFH’s operations in Kenya, was not registered with the ODPC as a data controller and was yet to be issued with a certificate of registration or have its name entered into the register of data controllers and processors.

Therefore, the Worldcoin Foundation was acting as a data controller in Kenya in contravention of Section 18(1) of the Data Protection Act with respect to all the personal data processed since it took over the responsibility from TFH in July 2023.

  2. Whether TFH and Worldcoin obtained proper consent for the processing of sensitive personal data

Consent was relied upon by TFH to collect biometric data and transfer it out of Kenya. The provision of Worldcoin tokens in particular was conditional on the provision of consent to process biometric data. TFH and Worldcoin thereby placed themselves in a position of inherent economic influence by issuing such tokens, a cryptocurrency convertible to legal tender, introducing an element of influence over data subjects’ expression of their free will.

Such influence did not take account of the socioeconomic conditions in Kenya. In a more inclusive setting, consent would have been simplified so that users could understand the risks of transferring their sensitive personal data for the Project.

There was no proof that the consent obtained by TFH was valid, informed or specific, prompting the ODPC to ask for the suspension of data processing. Despite their response that they would terminate any processing, they continued to process personal data contrary to the cessation directive issued by the ODPC.

The Office also observed that TFH did not put in place a mechanism to ensure that orb operators did not assist data subjects in signing up for the World ID and consenting to the biometric data processing. The involvement of the third-party orb operators indicated the prejudice inherent in the reliance placed on TFH.

Consent thereby obtained by TFH and Worldcoin was invalid for non-compliance when read in light of Section 32 of the Act alongside Regulation 4 of the Data Protection (General) Regulations.

  3. Whether the transfer of personal data outside Kenya by TFH and Worldcoin was in compliance with Section 29(d) of the Act and Regulation 23(e) of the Data Protection (General) Regulations as read with Sections 48 and 49 of the Act and Regulation 40 of the Data Protection (General) Regulations

Section 29 of the Act requires data controllers to obtain prior consent from data subjects. Regulation 23 of the Regulations requires data controllers and processors to develop, and publicly keep up to date, their personal data handling practices, including the requirements that accompany transferring such data outside the country. Section 48 of the Act sets out the conditions for transfer of personal data outside Kenya, while Regulation 40 sets out general principles for transfers of personal data outside the country by data controllers and processors. Regulation 46 further affirms that transfer of personal data to another country must account for the data subject’s explicit consent and knowledge of the associated risks.

TFH and Worldcoin did not demonstrate that they fulfilled the conditions of explicit consent, causing the ODPC to conclude that the transfer of sensitive personal data was unlawful. The Office further affirmed this illegality on the basis that the organisations had not obtained confirmation of appropriate safeguards from the Office, contrary to Section 49(1) of the Act.

  4. Whether Worldcoin conducted a Data Protection Impact Assessment on the processing activities for which they were the data controller as required under Section 31 of the Act as read with Regulations 49, 50 and 51 of the Data Protection (General) Regulations, 2021

The purpose of a DPIA is to demonstrate the implementation of the data protection principles so as to ensure that data subjects retain control over their personal data. This is reinforced by Section 25 of the DPA, which states that it is the data controller’s obligation to process personal data in accordance with the envisaged principles of data protection.

While TFH did rightfully submit a DPIA to the Office, upon its transfer of controller responsibility to the Worldcoin Foundation, the latter organisation did not submit a DPIA or demonstrate to the ODPC that the DPIA submitted by TFH addressed a set of similar processing operations presenting similar high risk, and that the technical and organisational measures implemented by Worldcoin were similarly designed to effectively implement the data protection principles.

Therefore, the ODPC concluded that the Worldcoin Foundation, by acting without conducting a DPIA, violated Section 31 of the DPA.

  5. Whether TFH continued processing Kenyans’ sensitive personal data after the cease-and-desist letter of 30th May 2023 and whether this impeded the Data Commissioner in the exercise of her powers under Section 9 of the Act

Despite the cease-and-desist letter, TFH continued to process personal data contrary to the cessation directive issued by the ODPC in August 2023. In doing so, the Office deemed that TFH acted in a manner that impeded the Data Commissioner in the exercise of her powers under Section 9 of the Act.

Frequently Asked Questions

A data subject is a natural person who is the subject of personal data held by a controller and who can be identified, directly or indirectly, through that personal data.

Each data subject has the right:

  • to be informed whether or not his or her personal data is being processed,
  • to request information about the processing, if data has been processed,
  • to be informed of the purpose of the processing and whether the data is being used in accordance with those purposes,
  • to be informed about third parties who receive personal data in Kenya and abroad,
  • to request the rectification of incomplete or inaccurate processed data, and
  • to request the erasure or destruction of personal data.

Data processing refers to any operation performed on personal data, either entirely or partially, automatically or manually. This includes collection, recording, storage, preservation, modification, revision, disclosure, transmission, assignment, making available, classification, or prevention of use.

A data controller is a natural or legal person who determines the purposes and means of personal data processing and is accountable for the establishment and administration of the data filing system.

A data processor is a natural or legal person that processes personal data on the basis of a data controller’s authorisation.

The data controller or processor is required to provide the following information: the purpose of the processing, the recipients of the processed data and the purpose of the transfer, the method used to collect personal data and its legal basis, and any other rights granted to the data subject by law.

The principles governing data processing are as follows: it must be processed fairly and lawfully, it must be accurate and up to date, it must be processed for specified, explicit, and legitimate purposes, it must be adequate, relevant, and not excessive in relation to the purposes for which it is processed, and it must be retained for the duration specified by law or for no longer than is necessary for the subsequent processing.

A Data Protection Impact Assessment can be used to identify and mitigate high risks associated with data processing that may impact the rights and freedoms of data subjects.

A data controller is a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purpose and means of processing of personal data. On the other hand, a data processor is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the data controller.