Embedded Files
by
Laila Mohamed Ali
CyJurII Scholar
on 19 October 2025
Neutral citation: [2025] KEHC 5629 (KLR).
Facts
Worldcoin Foundation, a global digital identity and cryptocurrency project, began collecting biometric data, specifically iris scans and facial images from Kenyan citizens starting in 2023. Participants were offered a small amount of WLD tokens (cryptocurrency) in exchange for allowing the company to scan and store their biometric data, which was said to be part of a “global digital identity” initiative.
However, the Kenyan Data Protection Commissioner (ODPC) discovered that:
1. Worldcoin had not conducted a Data Protection Impact Assessment (DPIA) as required by the Data Protection Act 2019 of Kenya.
2. The company collected and stored sensitive biometric data without clear safeguards on its storage, transfer, or processing.
3. The company had “ Platinum De plus ” which installed apps and accepted the terms and conditions on behalf of the users
4. The High Court scrutinised Worldcoin’s cross-border transfer of biometric data which violated Sections 48 and 49 of the DPA and Regulation 46(1) of the Data Protection (General) Regulations. These provisions require the transfer to be based on consent as well as proof and confirmation of adequate safeguards for the protection of personal data.
5. Worldcoin provided misleading information, which is an offence contrary to the Data Protection, it did not provide details on the data processors, despite their active role in the processing of personal data.
6. The collection may have violated Article 31 of the Kenyan Constitution, which guarantees the right to privacy.
The ODPC and the Government of Kenya filed a petition before the High Court of Kenya, seeking an injunction and deletion of all collected data. In May 2025, the court ruled in favor of the government, ordering:
Immediate deletion of all biometric data collected in Kenya.
Suspension of any further processing of biometric data until compliance with the Data Protection Act.
A declaration that Worldcoin’s data collection violated the constitutional right to privacy.
Issue
Did Worldcoin Foundation violate the Data Protection Act 2019 and Article 31 of the Constitution of Kenya by collecting and processing biometric data without a prior Data Protection Impact Assessment and informed consent?
Rules
1. Kenya Data Protection | Act 2019 provides that:
o Any entity processing personal or sensitive data must conduct a Data Protection Impact Assessment (DPIA) before initiating processing.
o Consent must be explicit, informed, and freely given.
o Biometric data is classified as sensitive personal data, requiring higher safeguards and limited processing.
2. Constitution of Kenya | Article 31:
Guarantees every individual the right to privacy, including protection against the collection.
Application
• Evidence showed that Worldcoin collected biometric data from thousands of Kenyans without first conducting a DPIA, in direct
violation of statutory obligations.
• The company failed to disclose how or where the biometric data would be stored and whether it would be transferred abroad, raising concerns about cross-border data flows and data sovereignty.
• Although participants “consented” in exchange for cryptocurrency, the court held that such consent was neither informed nor voluntary, considering the financial incentive and lack of understanding of data risks.
• The court emphasized that privacy protection cannot rely solely on consent; it requires systemic safeguards and legal accountability in processing design.
• Accordingly, the court found Worldcoin Foundation liable for unlawful processing of sensitive personal data and ordered permanent deletion and suspension of its operations in Kenya until full compliance.
Conclusion
The High Court held that Worldcoin Foundation violated both the Data Protection Act 2019 and Article 31 of the Constitution of Kenya. The judgment reaffirmed that organizations handling biometric data must perform impact assessments, obtain explicit informed consent, and implement robust data-security controls. The ruling set a strong precedent for data protection and digital privacy enforcement in Africa’s rapidly growing tech sector.
The Case’s Impact on Cyber Law and Society
1. Strengthening Digital Sovereignty
The decision demonstrates that African courts can assert national jurisdiction over global tech companies, protecting citizens from unregulated data collection by foreign entities.
2. Expanding the Definition of Sensitive Data
The case clarifies that biometric identifiers, such as iris and facial data, are not mere technical inputs but deeply personal and thus deserve the highest level of legal protection.
3. Improving Compliance and Corporate Accountability
Tech firms are now obliged to conduct Data Protection Impact Assessments and establish transparent data-handling policies before launching projects in foreign jurisdictions.
4. Linking Constitutional and Cyber Rights
The ruling bridges traditional constitutional rights and modern digital law, affirming that digital privacy is a constitutional right, not a mere technical preference.
5. Building Public Trust in Digital Justice
By holding a global organization accountable, the court strengthened citizens’ confidence in the rule of law and proved that privacy rights apply equally in the digital domain.
References
1. Kenya High Court’s Worldcoin Determination: Upholding Consent, Accountability and Data Sovereignty in Biometric
Data Processing https://cipit.strathmore.edu/kenya-high-courts-worldcoin-determination-upholding-consent-accountability-and-data-sovereignty-in-biometric-data-processing/
2. CA of Kenya : press statement about worldcoin https://www.ca.go.ke/ca-and-data-commissioner-warn-kenyans-over-worldcoin
3. Kenya law | Republic v Tools for Humanity Corporation (US) & 8 others; Katiba Institute & 4 others (Ex parte Applicants); Data Privacy & Governance Society of Kenya (Interested Party) (Judicial Review Application E119 of 2023) [2025] KEHC 5629 (KLR) (Judicial Review) (5 May 2025) (Judgment) https://new.kenyalaw.org/akn/ke/judgment/kehc/2025/5629/eng@2025-05-05
Page updated
Google Sites
Report abuse