NO PROPER DILIGENCE

Worldcoin saga shows laxity in data agency — court

Judge says cancellation of certificate was all a poor stratagem to cover-up the negligence

In Summary
  • In a ruling on January 25, Justice Kimondo said no proper diligence was done before issuing both firms with the certificate.
  • He noted that this was the basis upon which sensitive personal data was collected from Kenyans and other residents in the country.

Milimani High Court judge Kanyi Kimondo has poked holes in the process conducted by the Office of the Data Protection Commissioner leading to certification of Worldcoin activities.

ODPC on September 15, last year issued a Certificate of Registration to Tools For Humanity GmbH (World Coin) to operate as data controllers in Kenya.

In a ruling on January 25, Justice Kimondo said no proper diligence was done before issuing both firms with the certificate.

"The breaches now complained of speak volumes about the laxity of the Office of the Data Protection Commissioner. In hindsight, no proper diligence was done before issuing the 1st and 2nd respondents with a Certificate of Registration No. 00379 on September 15, 2022," he said.

He noted this was the basis upon which sensitive personal data was collected from Kenyans and other residents in the country.

The judge added that the cancellation of the certificate on September 5, 2023, and the subsequent enforcement notice a day after, both issued by the Data Commissioner, were "all a poor stratagem to cover-up the negligence".

He further said at the time the actions were being taken, the data was beyond the reach of the ODPC and under the control of Worldcoin Foundation, a third party associated with the two.

The foundation was, however, not registered as a data controller or processor in Kenya.

A letter on September 1, 2023, by Thomas Scott of Worldcoin states that the Iris Code data held by the foundation is housed in the United States, and the face and iris images are in "either the EU (Italy) or South Africa depending on the latency at the time of sign-up".

Justice Kimondo made the statement during the ruling for an application by the ODPC seeking a preservation order to both firms allied with Worldcoin and their employees, agents or representatives.

This also applied to Sense Marketing, the agency hired to recruit people to Worldcoin.

The data agency claimed it had conducted a review of the activities by the respondents and established that the processing of the data neither met the requirements of the Data Protection Act nor had the firms provided "a lawful basis for such processing".

Following the review, it directed the respondents via a letter dated June 23, 2022, to "restrict the processing of personal data of persons located in Kenya until the lapse of 60 days, or following the provision of a clear lawful basis for processing of personal data; whichever is later".

Further, a probe was conducted into the activities of TFH US, TFH GmbH, WorldCoin Foundation and WorldAssets Limited.

This was done by ODPC and other state agencies including the Communications Authority of Kenya, the Central Bank of Kenya, the Ministry of ICT and Digital Economy, and the National Computer and Cybercrimes Coordination Committee.

The multi-agency team concluded that the respondents or their agents were collecting sensitive personal data from Kenyans through their products, namely the World App, WorldID and Worldcoin Protocol.

It also found that the consent obtained from Kenyans was insufficient or did not comply with section 32 of the Data Protection Act, and that there was no certainty about the location of the data.

Section 32 of the Act sets out the conditions under which personal data is to be collected.

On May 30, 2023, the data protection agency issued a cessation notice to the Worldcoin allied firms and on August 14, the High Court granted a conservatory order barring them "from collecting any further data, losing, processing, using, transmitting, transferring, modifying or in any way dealing with the already collected data until the hearing of this application".

On September 5, ODPC formally cancelled the certificate and an enforcement notice was issued on September 6, 2023.

In its application before Justice Kimondo, it stated that there are ongoing investigations (including the multi-agency government inquiry) into the respondents’ Worldcoin Project.

The orders, it said, are necessary to secure the sensitive personal data collected from Kenyans.

It also accused the Worldcoin companies of breaching sections 31, 48 and 49 of the Data Protection Act as well as various Regulations under the Act.

This was opposed by all the respondents. Tools for Humanity Corporation (Worldcoin) and Tools For Humanity GmbH (World Coin) said the application offended the doctrine of sub judice as there are similar proceedings still pending in court under judicial review.

The doctrine of sub judice means a matter is under judicial consideration and comments on the same should be avoided or limited outside the courtroom to avoid influencing it.

Secondly, the firms stated that the matter has been overtaken by events in view of the conclusions of the investigations by ODPC and cancellation of the registration certificates.

They said following the cancellation, they ceased all their operations in the country and "there is no vulnerability, potential loss, modification, deletion, transfer and/or further processing of the data collected".

Sense Marketing denied they were the marketing agency for the Worldcoin companies and that they collected any personal data.

Although he noted there were indeed other proceedings touching on Tools for Humanity (Worldcoin), Judge Kimondo was not satisfied with the sub judice argument.

This, he said, was because the suit before him pre-dated the High Court Judicial Review Application.

He went on to state that "the risk of transfer of sensitive personal data thus looms large", as the respondents had conceded that the personal data collected is now held by some third parties, outside Kenya's jurisdiction.

He, however, noted that he had no cause to doubt the promise by the respondents that they would never sell users’ personal or biometric data, and that they have no nefarious intent to harvest or monetise the personal and biometric data.

"But the High Court must enforce Article 31 of the constitution which guarantees every person the right to privacy," he said.

In conclusion, he granted the data protection agency the orders.

"A preservation order be and is hereby issued directed to the respondents, their employees, agents or representatives to preserve all personal data and sensitive personal data collected from Kenyans and Kenyan residents pertaining to the respondents’ operation of the Worldcoin Project for the period running from April 19, 2022 to August 8, 2023," the judge ruled.

Worldcoin used an Orb to collect facial recognition and iris scans of the subject "to verify proof of humanity".
