Office of the Data Protection Commissioner v Tools for Humanity Corporation (Worldcoin) & 2 others (Miscellaneous Criminal Application E315 of 2023) [2024] KEHC 312 (KLR) (Crim) (25 January 2024) (Ruling)
Neutral citation:
[2024] KEHC 312 (KLR)
Republic of Kenya
Miscellaneous Criminal Application E315 of 2023
K Kimondo, J
January 25, 2024
Between
Office of the Data Protection Commissioner
Applicant
and
Tools for Humanity Corporation (Worldcoin)
1st Respondent
Tools For Humanity Gmbh (World Coin
2nd Respondent
Sense Marketing
3rd Respondent
Ruling
1.The Office of the Data Protection Commissioner (hereafter the applicant or the Data Commissioner) craves one primary relief: A preservation order directed to the respondents, their employees, agents or representatives to “preserve all personal data and sensitive personal data collected from Kenyans and Kenyan residents pertaining to the Respondent’s operation of the Worldcoin project for the period from 19th April 2022 to 8th August 2023”.
2.I should add that there is a general prayer for any “ancillary order the court may deem appropriate” to effect the preservation order. There is also an order for costs.
3.The notice of motion is dated 9th August 2023 and predicated upon a deposition by Oscar Onyango Otieno, the Deputy Data Commissioner, of even date and his further affidavit sworn on 30th November 2023.
4.The motion was first presented at the Constitutional & Human Rights Division as Miscellaneous Application Number E028 of 2023. It was ordered to be transferred to the Criminal Division and re-numbered.
5.On 15th September 2022, the Data Commissioner issued the 2nd respondent with a Certificate of Registration No. 00379 to operate as data controllers in Kenya.
6.The 1st and 2nd respondents then recruited agents such as Sense Marketing (the 3rd respondent) who operated in various trading malls or public events to recruit people onto the Worldcoin Platform for a daily commission. Upon consent, Worldcoin used an Orb to collect facial recognition and iris scans of the subject “to verify proof of humanity”.
7.The applicant claims to have conducted a review or investigation of the activities of the respondents and established that the processing of the data neither met the requirements of the Data Protection Act nor had the 1st and 2nd respondents provided “a lawful basis for such processing”. It then directed the respondents vide a letter dated 23rd June 2022 to “restrict the processing of personal data of persons located in Kenya until the lapse of 60 days or following the provision of a clear lawful basis for processing of personal data; whichever is later’’.
8.The applicant and other state agencies including the Communications Authority of Kenya, Central Bank of Kenya and the Ministry of ICT and Digital Economy, the National Computer and Cybercrimes Coordination Committee carried out investigations on the activities of TFH US, TFH GmbH, WorldCoin Foundation and WorldAssets Limited.
9.The multi-agency team concluded that the 1st and 2nd respondents or their agents were collecting sensitive personal data from Kenyans through their products; World App, WorldID and Worldcoin Protocol; that the consent obtained from Kenyans was insufficient or did not comply with section 32 of the Data Protection Act; and that there was no certainty about the location of the data.
10.On 30th May 2023, the applicant issued a cessation notice to the respondents. On 5th September 2023, the applicant formally cancelled the certificate issued to the respondents and served an Enforcement Notice on 6th September 2023. The latter required the respondents to among other things-i.Simplify consent in line with the conditions of consent under section 32 of the Data Protection Act as read with Regulation 4 of the Data Protection (General) Regulations 2021;ii.Review its operations to ensure orb operators do not operate users’ and/or data subjects’ mobile phones;iii.Prior to opting into data custody, ensure that users have given informed consent; andiv.Put in place mechanisms to obtain explicit consent for the transfer of sensitive personal data out of Kenya.
11.I should add that on 14th August 2023, the High Court (Sifuna J) granted a conservatory order barring the respondents “from collecting any further data, losing, processing, using, transmitting, transferring, modifying or in any way dealing with the already collected data until the hearing of this application”.
12.In a synopsis, the applicant, avers that there are ongoing investigations (including the multi-agency government inquiry) into the respondents’ Worldcoin Project; and, that the orders are necessary to secure or to “ascertain the availability status and security” of the personal data and sensitive personal data collected from Kenyans.
13.The application is strenuously opposed by all the respondents. The 1st and 2nd respondents have lodged grounds of opposition dated 20th November 2023 as well as a replying affidavit sworn on 19th September 2023 by Thomas Scott, the Chief Legal Officer and Corporate Secretary of Tools for Humanity Corporation.
14.The objections are two-fold: Firstly, that the application offends the doctrine of sub judice as there are similar proceedings commenced in Republic v Tools for Humanity & 8 Others ex-parte Katiba Institute & 5 Others, Nairobi High Court Judicial Review Application No. E119 of 2023 and which is still pending. Secondly, that the matter has been overtaken by events in view of the conclusions of the investigations by the applicant and cancelation of the 1st and 2nd respondents’ registration certificates.
15.It is also averred that following the cancellation, the 1st and 2nd respondents ceased all their operations in Kenya; and, that “there is no vulnerability, potential loss, modification, deletion, transfer and/or further processing of the data collected by the 1st and 2nd respondents” to justify the grant of a preservation order.
16.The 3rd respondent on the other hand has lodged a replying affidavit sworn by Kelvin Olende on 18th October 2023. He deposes that the 3rd respondent is an “experiential marketing agency” hired by the 1st and 2nd respondents under an Orb Operator Agreement. Their task was to recruit agents to be deployed in malls and other public spaces to sign-up people into the Worldcoin Project.
17.He denied that they were the marketing agency for the 1st or 2nd respondents or that they collected any personal data. He deposed further in paragraphs 11 and 12 as follows:(11)That the agents were to educate people about world coin and thereafter persons who were interested would be assisted in downloading the app from the app store, registering after accepting all the terms and conditions and thereafter they were to use the Orb to verify proof of humanity.(12)That the information we had was that the Orb was to be used to verify whether a person is a human being. I wish to state that it was our understanding that the Orb does not store any data and all scans are deleted once the verification is done.
18.All the parties filed brief submissions. Those by the applicant are dated 22nd November 2023. The 1st and 2nd respondents’ submissions are dated 14th November 2023 together with a list of precedents while those by the 3rd respondent are dated 5th December 2023.
19.On 19th December 2023 I heard further arguments from learned counsel for all the disputants
20.I take the following view of the matter. It is true that there are other proceedings commenced in Republic v Tools for Humanity & 8 Others ex-parte Katiba Institute & 5 Others, Nairobi High Court Judicial Review Application No. E119 of 2023. That suit is pending and there is a real risk of one court embarrassing the other. The situation is undesirable and costly to the parties. It is also poor use of scarce judicial resources.
21.However, I am not satisfied that this matter is sub judice for two main reasons. Firstly, the present suit pre-dates the High Court Judicial Review Application. Secondly, although the reliefs sought are largely similar, there are at least 11 parties in the Judicial Review Application who are not parties to this Miscellaneous Criminal Application.
22.The 1st and 2nd respondents run the Worldcoin Project aimed at establishing “universal access to the global economy regardless of country or background” and building “the world’s largest identity and financial network and giving ownership to everyone”. Doubt is removed by exhibit TS-1 annexed to the replying affidavit sworn on 19th September 2023 by Thomas Scott.
23.It is common ground that the 1st and 2nd respondents were granted a certificate by the applicant on 15th September 2022 to operate in the Republic as data controllers. I have seen the letter to the applicant dated 1st September 2023, in which they assert that they would “never sell users’ personal or biometric data…despite speculation, there is no nefarious intent or plan by Worldcoin here…it is not to harvest and monetize data, and all the personal and biometric data is securely stored”
24.The applicant’s position is that the 1st and 2nd respondents did not make full disclosures in contravention of the Data Protection Act and the Data Protection (Registration of Data Controllers and Data Processors) Regulations 2021.
25.The applicant’s case, as I understood it, is that sensitive data of Kenyans has been transferred to a third party, Worldcoin Foundation, who is not registered as a data controller in Kenya; and, that the data now resides in other countries. In a synopsis, it accuses the respondents of breaching sections 31, 48 and 49 of the Act as well as various Regulations under the Act.
26.Article 31 of the Constitution guarantees every person the right to privacy. The Data Protection Act was enacted in 2019 to give further effect to that right. Beyond the establishment of the office of the Data Commissioner, it was also meant to make provision for the regulation of the processing of personal data; to provide for the rights of data subjects and obligations of data controllers and processors; and for connected purposes.
27.The breaches now complained of speak volumes about the laxity of the Office of the Data Protection Commissioner. In hindsight, no proper diligence was done before issuing the 1st and 2nd respondents with a Certificate of Registration No. 00379 on 15th September 2022. That became the foundation upon which sensitive personal data was collected from Kenyans or Kenyan residents. The belated cancellation of the certificate on 5th September 2023; the subsequent Enforcement Notice dated 6th September 2023 both issued under the hand of Immaculate Kasait, the Data Commissioner was all a poor stratagem to cover-up the negligence.
28.By the time those actions were being taken, the data was beyond the reach of the Office of the Data Commissioner. For instance, it was now under the control of Worldcoin Foundation, a third party associated with the 1st and 2nd respondents and who was not registered as a data controller or processor in Kenya. In the letter dated 1st September 2023 from Worldcoin under the hand of Thomas Scott (exhibit ODPC-7), he states that the Iris Code data held by Worldcoin Foundation is housed in United States; the face and iris images also held by Worldcoin Foundation is “either the EU (Italy) or South Africa depending on the latency at the time of sign-up”.
29.It is also conceded that the wallet address, WorldID, is in the hands of Worldcoin Foundation in the United States and blockchain. The WorldApp account data and wallet address held by TFH are now domiciled in the United States or blockchain.
30.The 1st and 2nd respondents admitted that they were giving people “an amount of WLD Tokens, which are digital units created (‘minted’) and issued by the project” and can choose to sell them in the open market or exchanges. The fluctuating price of 1 WLD was equal to Kshs 180. Although the respondents deny that there was any inducement or coercion, on a preponderance of all the evidence, I remain doubtful that all the participants gave full or informed consent.
31.The 1st and 2nd respondents’ case is that the Orb Operator partners, such as the 3rd respondent, “do not access or process peoples’ personal data when conducting Orb signups”. The 3rd respondent submitted, quite lamely in my view, that as an experiential agent, it did not collect any such data or personal information.
32.But from the material paragraphs of the affidavit of Kelvin Olende, that I highlighted earlier, the 3rd respondent assisted in downloading the app from the app store, registering after accepting all the terms and conditions and thereafter they used the Orb to verify proof of humanity. The agent’s understanding was that “the Orb does not store any data and all scans are deleted once the verification is done”. It is however not lost on me that the Orb is a new technology and the fears by the applicant may be eventually debunked.
33.However, I am satisfied that the respondents deployed the Orb to collect facial recognition and iris scans of the subjects “to verify proof of humanity”. By the respondents own admission, they also collected some biometric data. This sensitive personal data was collected on the respondents’ World App, WorldID and Worldcoin Protocol.
34.Furthermore, from the way the exercise was conducted by its agents including Sense Marketing (the 3rd respondent), I remain doubtful, particularly due to freebies of WLD Tokens or digital units that the consent of the participants was fully informed or was properly obtained.
35.The respondents freely conceded that the personal data is now held by some third parties including Worldcoin Foundation which is not registered in Kenya as a data controller or processor. The data is now housed outside the jurisdiction of the Republic including the United States, Italy and South Africa. The risk of transfer of sensitive personal data thus looms large.
36.I have no cause to doubt the promise by the respondents that they would never sell users’ personal or biometric data; and, that they have no nefarious intent to harvest or monetize the personal and biometric data. But the High Court must enforce Article 31 of the Constitution which guarantees every person the right to privacy.
37.For all those reasons the applicant’s Notice of Motion dated 9th August 2023 is allowed in the following terms-a.That a preservation order be and is hereby issued directed to the respondents, their employees, agents or representatives to preserve all personal data and sensitive personal data collected from Kenyans and Kenyan residents pertaining to the respondents’ operation of the Worldcoin Project for the period running from 19th April 2022 to 8th August 2023.b.That I decline to make an order for costs.
It is so ordered.
DATED, SIGNED AND DELIVERED AT NAIROBI THIS 25TH DAY OF JANUARY 2024.KANYI KIMONDOJUDGERuling read virtually on Microsoft Teams in the presence of: -Mr. Kiproptich for the applicant instructed by G & A Advocates LLP.Ms. Wanjala holding brief for Mr. Nderu for the for the 3rd respondent instructed by Nderu, Ngaruni & Kimeru Advocates.Mr. E. Ombuna, Court Assistant.