advertisement
Kenya Confirms Deletion Of Worldcoin Biometric Data
Kenya’s Office of the Data Protection Commissioner (ODPC) has confirmed that all biometric data previously collected from Kenyan citizens by Tools for Humanity (TFH), the company linked to the Worldcoin project, has been deleted following regulatory intervention.
In a public notice, the ODPC said it had verified that the data controller had erased all biometric information collected in Kenya, bringing the matter into compliance with the Data Protection Act, 2019. The confirmation follows months of scrutiny over Worldcoin’s biometric data collection practices in the country.
Tools for Humanity collected biometric data from Kenyan citizens using specialised Orb devices as part of the Worldcoin initiative. The data primarily included iris scans, which were used to generate unique digital identifiers, as well as facial images captured alongside the scans for identity verification. Participants were offered cryptocurrency as an incentive in exchange for providing their biometric information.
advertisement
While the programme was presented as voluntary, subsequent investigations by the ODPC found that the collection and processing of biometric data did not comply with Kenyan law. The regulator identified multiple breaches of the Data Protection Act, including failure to obtain valid consent. According to the ODPC, offering financial incentives compromised the voluntary nature of consent, rendering it legally invalid.
The ODPC also found that Tools for Humanity failed to conduct a mandatory Data Protection Impact Assessment (DPIA) prior to collecting sensitive biometric data, as required under the Act. In addition, the company was cited for transferring biometric data outside Kenya without the necessary authorisation and for failing to properly register related entities, including the Worldcoin Foundation, as data controllers or processors.
Biometric data is classified as sensitive personal data under Kenyan law and is subject to heightened safeguards due to its permanent and uniquely identifiable nature. The Data Protection Act requires organisations collecting such data to demonstrate lawful purpose, informed consent, and robust technical and organisational safeguards.
advertisement
In its statement, the ODPC reiterated its mandate under the Data Protection Act, 2019, which includes overseeing the collection, storage, and processing of personal data in Kenya, ensuring compliance with data protection principles outlined in Section 25 of the Act, and safeguarding individuals’ right to privacy. The office is also responsible for establishing the legal and institutional framework for personal data protection and ensuring that data subjects can access their rights and remedies under the law.
The ODPC said it had engaged with Tools for Humanity as the data controller and confirmed that all biometric data previously collected from Kenyan citizens had now been deleted. The office did not disclose the volume of data involved or whether additional enforcement actions or penalties would follow.
“The Office remains dedicated to enforcing the law, protecting data subjects, and ensuring that all data controllers and processors are held accountable for any non-compliance,” the ODPC said.
advertisement
The case has become a landmark test of Kenya’s data protection regime, highlighting the regulatory risks associated with large-scale biometric data collection by technology companies.
The ODPC said it will continue monitoring organisations that process personal data in Kenya and warned that unauthorised collection, processing, or cross-border transfer of biometric data could attract enforcement action.
More to follow…