Skip to document content Go to main menu Go to search

Republic v Tools for Humanity Corporation (US) & 9 others; Katiba Institute & 4 others (Ex parte Applicants) (Judicial Review Application E119 of 2023) [2025] KEHC 5629 (KLR) (Judicial Review) (5 May 2025) (Judgment)

Republic v Tools for Humanity Corporation (US) & 9 others; Katiba Institute & 4 others (Ex parte Applicants) (Judicial Review Application E119 of 2023) [2025] KEHC 5629 (KLR) (Judicial Review) (5 May 2025) (Judgment)
Citation
Republic v Tools for Humanity Corporation (US) & 9 others; Katiba Institute & 4 others (Ex parte Applicants) [2025] KEHC 5629 (KLR)
Media Neutral Citation
[2025] KEHC 5629 (KLR)
Court
High Court
Court station
High Court at Nairobi (Milimani Law Courts)
Outcome
Allowed
Case number
Judicial Review Application E119 of 2023
Judges
RE Aburili
Judgment date
5 May 2025
Language
English
Type
Judgment
Original source file
Download DOCX (113.9 KB)
Collections
Date published
10 May 2025
Case action
Judgment
Court division
Judicial Review
Filing county
Nairobi
Order
Having said that, this Court finds and holds that the orders sought by the applicant are merited to the extent stated in this judgment and given the violations of data protection laws by the 1st to 5th Respondents as seen above, the Court makes the following orders: a.Judicial review order of Prohibition is hereby issued prohibiting the 1st to 5th Respondents and their agents from further collecting, processing or transferring the personal biometric data collected in Kenya using the Orb, without undertaking (or using an inadequate) Data Protection Impact Assessment contrary to section 31 of the Data Protection Act, 2019 or using consent obtained through inducement of a cryptocurrency—Worldcoin. And in the case of the 3rd to 5th Respondents, without registering as data processors or controllers in Kenya. b.Judicial review order of Certiorari is hereby issued bringing into this court for purposes of quashing and I hereby quash Worldcoin’s decision to collect, process, or transfer biometric data collected in Kenya using the Orb, without undertaking (or using an inadequate) Data Protection Impact Assessment contrary to section 31 of the Data Protection Act, 2019 and by consent obtained through inducement of a cryptocurrency—Worldcoin. c.Judicial review order of Mandamus is hereby issued compelling the 1st to 5th Respondents to, within 7 days of this order, permanently erase and destroy (under the supervision of the Data Protection Commissioner) the personal biometric data collected by the 1st to 5th Respondents from Kenya data subjects using the Orb, for having been obtained unlawfully. d.As regards prayer (c) of the motion seeking cancellation of the Certificates of registration, this court notes that the said Certificates of Registration were cancelled by the Office of the Data Protection Commissioner on 5th September 2023. The prayer is therefore overtaken by events. It is declined. e.This court declines to grant prayer (e) of the Motion as the 6th Respondent has demonstrated to this Court of the efforts of the Office of the Data Protection Commissioner to have commercial use of personal data legislated. The Respondent has also indicated the challenges being faced which include-that the current Data Protection Act, 2019 requires amendments to align with emerging challenges and technological advancements in the processing of personal data. f.Each party shall bear their own costs of these proceedings, the matter being of immense public interest. g.This file is closed.
Skip to document content
1.This judgment determines the judicial review notice of motion application dated August 25, 2023. The application is predicated on sections 7, 8, 9, 11 and 14 of the Fair Administrative Actions Act; sections 8 and 9 of the Law Reform Act cap 26; and order 53 of the Civil Procedure Rules (2010). The 5 ex parte applicants It seek the following orders:a.Prohibition restraining the 1st to 5th respondents and their agents from further collecting, processing, or transferring the personal biometric data collected in Kenya using the Orb, without undertaking (or using an inadequate) Data Protection Impact Assessment contrary to section 31 of the Data Protection Act 2019 or using consent obtained through inducement of a cryptocurrency—Worldcoin. And in the case of the 3rd to 5th respondents without registering as data processors or controllers in Kenya.b.certiorari to bring to this court and to quashing Worldcoin’s decision to collect, process, or transfer biometric data collected in Kenya using the Orb, without undertaking (or using an inadequate) Data Protection Impact Assessment contrary to section 31 of the Data Protection Act 2019 and by consent obtained through inducement of a cryptocurrency—Worldcoin.c.An order directing the Data Protection Commissioner to cancel the 1st and 2nd respondents’ certificate of registration as a data controller in Kenya for being obtained through misrepresentation or material non-disclosure contrary to section 19(2) of the Act and Regulation 5 and 16 of the Data Protection (Registration of Data Controllers and Data Processors) Regulations, 2021.d.Mandamus compelling the 1st to 5th respondents to, within 7 days of the order, permanently erase and destroy (under the supervision of the Data Protection Commissioner) the personal biometric data collected by them from Kenya using the Orb for having been obtained unlawfully.e.A structural interdict directing the Cabinet Secretary (in consultation with the Data Commissioner) to prescribe practice guidelines for commercial use of personal data in Kenya under section 37(3) of the Act and to file the guidelines before the court within 12 months of the court’s order.
2.The application is verified by affidavit of Lempaa Suyianka sworn on August 24, 2023and a statutory statement also dated August 24, 2023.
3.The ex parte applicants’ case, comprising the grounds, statutory statement, affidavits in support, written and oral submissions together with authorities both constitutional, statutory as well as judicial pronouncements is that in July 2023, the 1st and 2nd respondents began collecting biometric data from the Kenyan public data subjects using the Orb device. The applicants assert that the 1st and 2nd respondents’ actions were done without conducting a proper Data Protection Impact Assessment (DPIA), as required under section 31 of the Data Protection Act 2019, and regulation 49 of the Data Protection (General) Regulations, 2021.
4.It is the applicants’ further case that this impugned act violated the right to privacy under article 31 of the Constitution. They state that the Data Protection Commissioner issued a cautionary note on July 28, 2023, urging heightened vigilance by Kenyans regarding the scanning of their data through the Orb device and advised Kenyans to ensure that they received proper information before disclosing any personal or sensitive data.
5.The applicants aver that on August 2, 2023, a joint statement by the Communications Authority of Kenya and the Data Protection Commissioner raised concerns about the security, consent, and legal safeguards regarding the data collected by Worldcoin and its affiliates.
6.The applicants, citing articles 22 and 258 of the Constitution of Kenya, 2010, argue that they are entitled to move the court alleging a violation of any right in the Bill of Rights or violation of the Constitution. They assert that the alternative dispute resolution mechanism under section 56 of the Data Protection Act is unavailable to them, noting that the mechanism under the Act is limited to "data subjects," who are defined as “identified or identifiable natural person who is the subject of personal data.”
7.The applicants rely on the decision in Republic v Joe Mucheru & others; Katiba Institute & another (ex parte) [2021] KEHC 122 (KLR), wherein it was held that non-data subjects cannot utilize the internal remedy process under the Data Protection Act.
8.The applicants aver that Worldcoin's actions amount to illegality in administrative action under article 47(1) of the Constitution and sections 4 and 7 of the Fair Administrative Action Act (FAAA), which require that administrative actions be lawful, reasonable and procedurally fair. Reliance is placed on the case of in Pastoli v Kabale District Local Government (2008) EA 300. It is urged that investigations by the Office of Data Protection Commissioner and the National Assembly have subsequently determined that Worldcoin breached Kenyan law.
9.The applicants also urge that Worldcoin failed to obtain mandatory type approval for its biometric device, the Orb, contrary to regulation 3(1) of the Kenya Information and Communications (Importation, Type Approval and Distribution of Communications Equipment) Regulations, 2010. Further, that Worldcoin did not carry out a Data Protection Impact Assessment (DPIA), which failure was in violation of section 31 of the Data Protection Act and regulation 49 of the Data Protection (General) Regulations, 2021. They cited the decision in Republic v Joe Mucheru & others; Katiba Institute & another supra where the court is said to have found that the State had illegally omitted a Data Protection Impact Assessment before processing personal data and rolling out the Huduma Cards.
10.According to the applicants, the consents allegedly obtained by Worldcoin from the data subjects were not valid as they did not conform to section 2 of the Data Protection Act and regulations 4(3) and 4(4), for reasons that the said consents were induced by offering the data subjects cryptocurrency (Worldcoin) worth approximately Kshs 7,000 or USD 50. This, according to the applicants, was in violation of the requirement that consent must be informed, specific, and freely given.
11.The applicants further asserted that, first, the consent was neither freely nor voluntarily given and that the data subjects could not refuse or withdraw their consent without detriment (losing out on the Worldcoin). Second, that Worldcoin merged several purposes for collecting and processing personal data without seeking specific consent for each purpose: Worldcoin, WorldID, and WorldApp. Third, that because of the concealment and failure to register Worldcoin Foundation and World Assets Ltd, either as data processors or data controllers in Kenya, the data subject’s consent was ambiguous.
12.The applicants urge that as was held in Basheshar Nath v Commissioner of Income Tax Delhi [1959] Supp 1 SCR 528, fundamental rights conferred by the Constitution cannot be waived. Reliance is also placed on the case of Revital Health (EPZ) Ltd v Public Procurement Oversight Authority & 6 others [2015] eKLR where the court is said to have held that the rights of the data subject overrides the economic interests of the search engine operator and the general interest of internet users. The applicants also urge that even if rights could be waived or consent bought, Worldcoin unlawfully made purchased consent with bitcoins instead of a “currency”.
13.Further averment by the applicants is that Worldcoin did not disclose distinct purposes for processing data across its platforms (Worldcoin, WorldApp, and WorldID) and that users had no realistic ability to withdraw consent, which nondisclosure was in violation of article 43 of the General Data Protection Regulations.
14.According to the applicants, the key entities behind Worldcoin, including Worldcoin Foundation and World Assets Ltd, are not registered as data controllers or processors in Kenya as required under section 18 of the Data Protection Act. Further, that on the part of Tools for Humanity GmbH (Germany)and Tools for Humanity Corporation (US) are only registered as data controllers and not data processors. Equally Platinum De Plus Ltd, the Kenyan agent, is faulted for also failing to register and conducting a DPIA.
15.The applicants maintain that under the Act, a “data controller” determines “the purpose and means of processing personal data” whereas, a “data processor” is one who “processes personal data on behalf of a data controller.”
16.Additionally, the applicants contend that Worldcoin's cross-border transfer of personal data breached section 25 of the Data Protection Act and article 46(1) of the General Data Protection Regulations, as it did not provide adequate safeguards or remedies for Kenyan data subjects. That Worlscoin’s privacy policy, which subjects any dispute to arbitration outside Kenya, is said to have failed to provide enforceable rights for data subjects. The Applicants state that Tools for Humanity’s privacy notice as at to date, does not show that they collect biometric data through the Orb device.
17.The applicants urge that Worldcoin, in its registration as a data controller, provided misleading information, violating regulation 5(2) of the Data Protection (Registration of Data Controllers and Data Processors) Regulations, 2021. It is their case that Worldcoin did not include copies of the establishment documents or particulars of the data processors (Worldcoin Foundation and World Assets Ltd) including their name and contact details. This, according to the applicants, entitles the Data Protection Commissioner to cancel Worldcoin’s registration under regulation 16(b) and (c).
18.The applicants also argue that Worldcoin’s actions amount to abuse of power, citing the case of Keroche Industries Ltd v Kenya Revenue Authority [2007] 2 KLR 240. They state that under section 7(2)(o) of the Fair Administrative Action Act, a court may review administrative actions made in abuse of power. Further, that, elements of fairness under regulation 36 (a) and (d) of the Data Protection (General) Regulations, 2021 include granting the data subjects the highest degree of autonomy concerning control over their personal data and guarding against the exploitation of the need vulnerabilities of a data subject.
19.Worldcoin is said to have exploited the vulnerabilities of data subjects by offering cryptocurrency in exchange for biometric data, thereby violating article 28 of the Constitution on human dignity. It is also accused of being in breach of article 21(1) of the Constitution and Principles 11 and 13 of the UN Guiding Principles on Business and Human Rights,2011 requiring businesses to avoid infringing on the human rights of others or causing or contributing to adverse human rights impacts.
20.The applicants further challenge the failure by the Cabinet Secretary, Ministry of Information, Communication and the Digital Economy and the Data Protection Commissioner to issue guidelines on the commercial use of personal data as required under section 37(3) of the Data Protection Act. The applicants therefore seek for an order of mandamus compelling the Cabinet Secretary and the Data Protection Commissioner to issue these guidelines within 12 months of this court’s order.
The 1st to 4th Respondents’ Case
21.The 1st to 4th respondents filed a replying affidavit in response to the judicial review application. The affidavit is sworn on September 26, 2023 by Thomas Scott who introduces himself as the Chief Legal Officer and Corporate Secretary of Tools for Humanity Corporation.
22.In the replying affidavit, the 1st to 4th respondents depose in contention that the applicants lack locus standi to initiate these proceedings, both personally or by proximity to the issue in question. The 1st to 4th respondents argue that the applicants have failed to provide evidence that the 1st to 4th respondents unlawfully obtained and processed their members' data. They assert that this application is an improper challenge to the powers and functions of the Data Protection Commissioner and that any complaint should have been referred to the 6th respondent, the Data protection Commissioner, for administrative action in accordance with the Data Protection Act 2019.
23.The 1st to 4th respondents invoke the doctrine of exhaustion, citing section 9 of the Fair Administrative Action Act, 2015, which mandates that disputes be resolved through available legal mechanisms before resorting to judicial review. They contend that the applicants bypassed the statutory dispute resolution mechanism under section 56 of the Data Protection Act as read with the Data Protection (Complaints Handling Procedure and Enforcement) Regulations 2021, which allow a data subject to lodge a complaint with the Data Protection Commissioner. They further argue that the applicants should have first sought redress from the 6th respondent, who has primary jurisdiction over data privacy and protection disputes.
24.According to the 1st to 4th respondents, the 6th respondent initiated an investigation into the 1st and 2nd respondents' operations sometime on August 2, 2023 under ODPC Complaint No 1394 of 2023. That the investigations are said to have led to a notice to show cause and a subsequent Enforcement Notice issued on September 6, 2023 and the subsequent cancellation of the 1st and 2nd respondents' Data Controller Registration Certificates for breaching the Data Protection Act. The respondents argue that the applicants’ case is premature, as they are undertaking an ongoing review of the 6th respondent’s Investigation Report and Enforcement Notice which will inform a decision on the next steps forward in due course.
25.The 1st to 4th respondents rely on the Court of Appeal decision in Kenya Ports Authority v Modern Holdings (EA) Limited [2017] eKLR to emphasize that jurisdiction is a foundational issue that can be raised at any stage of the proceedings.
26.In support of the doctrine of exhaustion, the 1st to 4th respondents rely on the following well known cases: Speaker of the National Assembly v Njenga Karume [1992] 1 KLR 425, Cyrus Komo Chege v Karinga Njoroge Gachoka & 2 others [2015], Geoffrey Muthiga Kabiru & 2 others v Samuel Munga Henry & 1756 others [2015] eKLR, Mutunga Tea & Company Limited v Shikara Limited & another [2015] eKLR and Republic v Public Procurement Administrative Review Board & Energy Sectors Contractors Association, Zoec-Zhepede-Nginu ex parte Kenya Power & Lighting Company Limited [2020] eKLR.
27.The 1st to 4th respondents also rely on the case of Night Rose Cosmetics (1972) Ltd v Nairobi County Government & 2 others [2018] eKLR where the court is said to have observed that section 9 of the Fair Administrative Action Act is couched in mandatory terms.
28.The respondents further assert in contention that although the court in the case of Republic v Joe Mucheru, Cabinet Secretary Ministry of ICT & 2 others; Katiba Institute (ex parte) [2021] eKLR, observed that the complaint process under the Data Protection Act is accessible primarily to data subjects, the applicants were not without recourse, as they could have invited the 6th respondent (DPC) to initiate investigations suo motu under section 8(1)(e) of the Data Protection Act.
29.On the merits of the application, it is contended by the 1st to 4th respondents that a Data Protection Impact Assessment (DPIA) was submitted to the Data Commissioner in June 2022 and subsequently updated in September 2023, in compliance with section 31 of the Data Protection Act. They contend that the applicants have not specifically pointed out any deficiencies in that assessment.
30.Regarding the technological devices used, the 1st to 4th respondents assert that the Orb device used by the 1st and 2nd respondents does not require type approval by the Communications Authority of Kenya and that no guidelines have been issued to require such approval.
31.The 1st to 4th respondents further assert that participation in the Worldcoin project was voluntary and conducted with informed consent. They deny that any fiat currency was exchanged for personal data. They also clarify that the 3rd respondent applied for registration as a data processor sometime in July 2023 in accordance with section 18 of the Data Protection Act and regulation 14 of the Data Protection (Registration of Data Controllers and Data Processors) Regulations, 2021, which application was pending approval by the ODPC.
32.In conclusion, the 1st to 4th respondents urge the court to find that the application is not properly before this court, having been filed in disregard of mandatory statutory processes. They argue that the issues raised have already been addressed by the Data Protection Commissioner, and are currently the subject of pending appellate proceedings. They therefore invite the court to dismiss the judicial review application for want of jurisdiction.
The 5th Respondent’s Case
33.The 5th respondent in response to the application filed a replying affidavit sworn by Charles Wanjagi Mburu on September 19, 2023. Mr Wanjagi introduces himself as a director of the 5th respondent.
34.In his affidavit, the deponent contends that the 5th respondent was solely involved in marketing Worldcoin in Kenya and not involved in the collection or processing of personal data. He also asserts that the applicants, who are not natural persons, lack locus standi under the Data Protection Act 2019, as data subjects are defined as natural persons and that therefore, only natural persons can lodge complaints under the Act. The 5th respondent further reiterates that the applicants failed to exhaust the remedies available under the Data Protection Act before seeking judicial review, as required by section 9 of the Fair Administrative Action Act, 2015.
35.The 5th respondent further challenges the applicants' claims regarding consent, asserting that users had the ability to withdraw consent and delete their data through various official channels. Moreover, that a Data Protection Impact Assessment (DPIA) was not required under section 31(1) of the Act as it would only be mandatory in very specific instances. The 5th respondent urges that the applicants have not shown that their complaints meet the threshold required under the said section.
36.According to the 5th respondent, judicial review is not available against private entities like the 5th respondent, which is not subject to the statutory obligations under the Data Protection Act.
37.In its written submissions, the 5th respondent contends that the applicants failed to approach the 6th respondent ODPC for resolution of the dispute, thereby bypassing the prescribed procedure. This is said to have contravened the principle of exhaustion, as emphasized by the Court of Appeal in Speaker of the National Assembly v Karume (Civil Application 92 of 1992) [1992] KECA 42 (KLR), where the court is said to have emphasised the need to strictly follow statutory procedures for redress of any grievance provided under the law. It is also submitted that the Applicants have failed to satisfy the doctrine of exhaustion as was held in Jeremiah Memba Ocharo v Evangeline Njoka & 3 others [2022] eKLR.
38.The 5th respondent also relies on the case of Jeremiah Memba Ocharo v Evangeline Njoka & 3 others supra, regarding exceptions to recourse to internal dispute resolution mechanisms in line with the doctrine of exhaustion. It is submitted that the ex parte applicants have failed to show that the instant application falls within the exceptions to the doctrine of exhaustion as stated in the above case, noting that section 64 of the Data Protection Act provides for the right of appeal to this court.
39.The 5th respondent also submits that as was held in the cases of Republic v Kenya Cricket Association [2006] eKLR and Republic v Kenya Association of Music Producers (KAMP) & 3 others ex parte Pubs, Entertainment and Restaurants Association of Kenya (PERAK) [2014] eKLR, judicial review orders can only be issued against public bodies or entities performing public functions.
The 6th Respondent’s Case
40.The 6th respondent Data protection Commissioner filed a replying affidavit sworn by Oscar Onyango Otieno on November 17, 2023. According to the 6th respondent, sometime in March 2022, the Office of the Data Protection Commissioner (ODPC) discovered that Tools For Humanity US (TFH US) had been collecting sensitive personal data from Kenyan residents and transferring it abroad. The ODPC through a letter dated April 19, 2022 requested information from TFH US, including the legal basis for processing the data and the safeguards in place. That at that time, TFH US and TFH GmbH were not registered as Data Controllers or Processors with the Office of the Data Protection Commissioner, but that later on, they applied for registration as data controllers.
41.The 6th respondent avers that TFH US through their advocates responded to the letter of the ODPC on April 21, 2022, seeking an extension within which to submit their reply, which request was granted with the same being extended to May 6, 2022. That in their subsequent response vide their letter dated May 6, 2022, TFH US described its relationship with TFH GmbH and their operations and it also went ahead to describe its two-phase plan of their project namely: Phase 1-Field Test or Machine Learning Phase (which incorporated phase 1.5 of the project-New Opt-in Phase) and Phase 2-Post-Field Test.
42.That on June 17, 2022, the advocates are said to have forwarded a DPIA Report to the ODPC supposedly prepared by FTH US and FTH GmbH.
43.That upon review of the supposed DPIA, the ODPC raised concerns about the legality of the data processing, including unclear contractual relationships, insufficient details on Know Your Customer (KYC), legal obligations and the legislative provisions relied on, the lack of defining the basis of the legitimate interest relied upon and the validity of the consents sought for transferring data outside Kenya. That the ODPC directed TFH US to restrict processing of personal data of persons located in Kenya until the lapse of 60 days or following the provision of a clear lawful basis for the processing.
44.The 6th respondent narrates that the advocates representing TFH US in a letter to the ODPC, forwarded a letter from TFH US dated July 15, 2022, which letter indicated that it was a response to ODPC’s letter dated June 23, 2022. In the letter, TFH US indicated that they had ceased all orb sign-ups. However, that TFH US indicated that it had decided not to block the Worldcoin Mobile App or operator portal claiming that the 60-day delay was disproportionate.
45.That on August 22, 2022, following the implementation of the Data Protection (Registration of Data Controllers and Data Processors) Regulations, TFH GmbH and TFH US applied for registration as a data controller and an invoice for payment on August 24, 2022 was generated. That consequently, upon being prompted through the online systems, TFH GmbH was requested to submit proof of its annual turnover. However, that on September 2, 2022, Bowmans is said to have informed the ODPC via email that TFH GmbH was a venture capital backed entity in its pre-revenue stage and that no revenue was being generated by it.
46.Similarly, that TFH US submitted its application for registration as a data controller on August 29, 2022 and was issued with an invoice for payment on the same day. However, that TFH US had not submitted its Profit & loss account information alongside its establishment documents as required by the registration regulations. The submission criteria, according to the 6th respondent, is sequentially elaborate in ODPC’s system and as such, an applicant can establish the required documentation from the successive prompts in the application system. Consequently, that TFH US’s application process was incomplete since its approval depended on the submission of its account statement.
47.That vide a letter dated September 5, 2022, the Office of the Data Protection Commissioner (ODPC) wrote to Bowmans to clarify differences between the interpretation and guidance of the Data Protection Act (Data Protection Act) and the European Data Protection Board (EDPB) guidance on lawful justification for processing personal data. The ODPC then issued the following directives:a)On lawful basis: Contrary to TFH US’s view that multiple bases could be used for data processing, the ODPC referred to regulation 5 of the Data Protection (General) Regulations, 2021, stating that only one legal basis can be relied upon for each processing activity.b)On legal obligation: ODPC emphasized that there must be a clear and traceable connection between personal data processed and existing legal obligations. TFH US was faulted for relying on emerging or anticipated obligations.c)On legitimate interest: The ODPC found TFH US’s reliance on legitimate interest inconsistent with sections 30(b)(vii) and 45 of the Data Protection Act, noting less intrusive methods could achieve the same objective.
48.The ODPC, it is urged, directed TFH US to outline how it would comply with the Act, to address the issue of its account statement and to also prepare and maintain a data processing schedule and record, showing lawful purposes for each activity.
49.That as ODPC and TFH corresponded on the Data Protection Impact Assessment (DPIA), the ODPC was processing TFH GmbH’s application for registration as a data controller and a Certificate of Registration Serial No 00379 dated September 15, 2022was issued to TFH GmbH, valid for 24 months.
50.That vide an email dated September 14, 2022, Bowmans informed ODPC that its Clients would proceed with processing sensitive personal data of Kenyans despite ODPC’s directive issued on June 23, 2022to restrict processing until either 60 days lapsed or a lawful basis was provided.
51.Further, that by a letter dated November 10, 2022, Bowmans responded to the ODPC’s September 5, 2022 letter, enclosing a letter from TFH US (referenced to be trading as Worldcoin) alongside a data processing schedule and record of processing activities prepared by TFH US. However, that TFH US failed to demonstrate an existing legal obligation for data processing, as no specific KYC details or legislative provisions were provided as requested in the ODPC’s letter dated June 23, 2022; to justify legitimate interest for processing sensitive personal data by third parties, with the justification also failing to meet the requirements under section 30(1)(b)(vii) and 45 of the Data Protection Act.
52.According to the 6th respondent, while TFH GmbH had completed registration on September 15, 2022, TFH US submitted a certified income statement for the year ending December 31, 2021, through the system on March 7, 2023. Further, that after back end verification, a Certificate of Registration Serial No 01945 dated April 18, 2023 was issued to TFH US, valid for 24 months.
53.The 6th respondent further state that around May 2023, the ODPC, whilst exercising its functions under section 8(e) of the Act, established that TFH US and TFH GmbH were processing sensitive personal data (iris scans and facial data) from Kenyan residents. The ODPC wrote to Bowmans on May 30, 2023, reiterating that the legal bases cited (contract performance, legitimate interest, legal obligation and consent) were inadequate under the Data Protection Act.
54.Further, that the ODPC directed both entities to immediately cease collection and restrict processing of sensitive personal data and to provide proof of valid, informed and specific consent from data subjects, including a sample processing contract with their agents, within 14 days.
55.It is urged by the 6th respondent that the letter of May 30, 2023 also reserved ODPR’s right to notify data subjects of its directives to the two entities, upon which, TFH US subsequently responded via a letter dated June 16, 2023, attaching an appendix asserting that facial images collected were not sensitive data, that a lawful basis existed through contractual obligations and compliance with sections 25 and 44 of the Act, that processing of the data was done with minimal intrusion, using zero knowledge proof and data minimization and that users must agree to the Terms and Conditions and privacy notice to access WorldApp and World Wallet and that Orb Operators were not data processors since they don’t access the data.
56.In the written submissions dated 29th February 2023, the 6th respondent refers to the case of Seventh Day Adventist Church (East Africa) Limited v Permanent Secretary, Ministry of Nairobi Metropolitan Development & another [2014] eKLR, where the court is said to have referred to sections 7 and 8 of the Fair Administrative Actions Act (FAAA), which guide the judicial review process. Section 7(1)(a) of the FAAA is said to allow an individual aggrieved by an administrative action to seek judicial review, and that section 7(2) specifically provides for cases where a mandatory procedure was not followed or where the action was taken with an ulterior motive.
57.It is the 6th respondent’s submission that at the core of the applicants' claims is the 1st-5th respondents’ failure to adhere to the legal framework governing the collection and processing of sensitive personal data, particularly in relation to data protection and privacy.
58.The 6th respondent urges that the application specifically faults the conduct of the said respondents in what can termed as manifest prejudice to Kenyan data subjects’ rights to privacy. The right to privacy, it is submitted is guarantees under article 31 of the Constitution. According to the 6th respondent, an analysis of the issues presenting for determination in this matter properly fits this court’s jurisdiction to hear and determine them.
59.Reliance is placed on the case of Samuel Kamau Macharia and another v Kenya Commercial Bank Limited & 2 others [2012] eKLR, Application No 2 of 2011 where the court is said to have observed that the court’s jurisdiction flows from either the Constitution or legislation or both and that a court of law cannot arrogate itself jurisdiction exceeding that which is conferred upon it by law.
60.The 6th respondent also relies on the case of Republic v Zacharia Kahuthu & another (Sued as Trustees and on Behalf of and as Officials of the Kenya Evangelical Lutheran Church); Johaness Kutuk Ole Meliyio & 2 others (Interested Parties) ex parte Benjamin Kamala & another [2020] eKLR where the court in ousting its jurisdiction to hear a matter, is said to have stated that judicial review addresses the legality of a dispute rather than contested matters of evidence. It further held that reconciling diametrically opposed positions requiring oral evidence falls outside the scope of judicial review, as such determination entails a merit review, which is beyond the jurisdiction of a judicial review court.
61.According to the 6th respondent, the question then becomes whether this case presents diametrically opposed positions necessitating evidentiary analysis. It is submitted that it does not, since the following facts are not in dispute: (a) the 1st to 5th respondents jointly and/or severally collected and/or processed biometric data; (b) the 1st to 5th respondents failed to undertake a Data Protection Impact Assessment (DPIA) deemed adequate by the Office of the Data Protection Commissioner (ODPC), in contravention of section 31 of the Data Protection Act 2019; and (c) the 1st to 5th respondents jointly and/or severally offered cryptocurrency to data subjects as a precondition to collecting their iris scans.
62.On the question of the exhaustion doctrine, it is submitted that there was no competent tribunal to hear and determine the applicants’ complaints at first instance before moving to this court because, while the 6th respondent exercises quasi-judicial authority in handling complaints about privacy violations, its jurisdiction is limited to data subjects being natural persons acting on their own behalf.
63.The 6th respondent submitted that section 8(f) of the Data Protection Act empowers the ODPC to receive and investigate any complaint regarding rights infringement under the Act but that, section 56 of the same Act stipulates that only an aggrieved natural person or their authorised representative under regulation 4(3) of the Data Protection (Complaints Handling Procedures and Enforcement) Regulations, 2021 can lodge such a complaint. Section 2 of the Act is said to define a "data subject" as an identified or identifiable natural person who is the subject of personal data.
64.Therefore, according to the 6th respondent, the ODPC lacks the jurisdictional capacity of a tribunal competent to address the applicants’ complaint as envisaged under section 9(2) and 9(4) of the Fair Administrative Action Act (FAAA), hence the application does not fall afoul of the exhaustion doctrine under section 7(b) of the FAAA.
65.As to the alleged failure to apply for leave to serve summons outside Kenya, it was submitted that order 5 rule 21 of the Civil Procedure Rules allows for such service to notify the defendant of the action and afford them time to enter appearance. The 6th respondent relies on the case of Paulina Wanza Maingi v Diamond Trust Bank Limited & another [2015] eKLR, cited with approval by Majanja J in Amina Hersi Moghe & 2 others v Diamond Trust Bank Kenya Limited & another [2021] eKLR, where the court is said to have held that summons to enter appearance are meant to inform a defendant of the procedural steps required and the consequences of non-compliance.
66.The 6th respondent also refers to order 5 rule 8(2) which is said to allow for service of summons on an advocate with instructions to accept service. In this case, it is contended that the 1st to 4th respondents filed a memorandum of appearance and actively participated in the proceedings, including filing a replying affidavit and submissions, as well as participating in related proceedings such as the miscellaneous criminal case filed by the ODPC.
67.According to the 6th respondent, the court in Amina Hersi Moghe supra , is said to have held that a defendant who participates in proceedings without objecting to lack of service is deemed to have waived the right to challenge the suit’s validity on that ground.
68.It is the 6th respondent’s submission that pursuant to order 51 rule 1 of the Civil Procedure Rules, any application under the Rules must be brought by way of motion and be heard in open court unless directed otherwise and that in this case, no such application or summons was pending before the court for determination.
69.Further reliance is placed on the decision in Motaung v Samasource Kenya EPZ Limited t/a Sama & 2 others (Petition E071 of 2022) [2023] KEELRC 320 (KLR) (6 February 2023) where Dr Gakeri J considered whether a case should be dismissed for want of proper service and noted that procedural justice must be balanced with substantive justice and held that unless a procedural defect renders justice unattainable, the ultimate aim is to achieve substantive justice and that in that case, the court was persuaded that the petitioner should be allowed an opportunity to comply with order 5 rule 21 of the Civil Procedure Rules, 2010.
70.On the question of whether there was an adequate Data Protection Impact Assessment (DPIA) by TFH US, TFH GmbH and the WorldCoin Foundation, it is submitted that regulation 49 of the Data Protection (General) Regulations, 2021 classifies processing operations likely to present high risks, including: (a) automated decision-making or profiling with legal or similar effects; (b) large-scale processing for a purpose other than originally intended; (c) processing of biometric or genetic data; (d) changes increasing risk to data subjects; (e) large-scale processing of personal data; and (f) use of innovative technology or organizational methods.
71.The 6th respondent further submits that the statement by the 5th respondent’s director denying that Platinum De Plus was a data processor contradicts his own depositions on oath at paragraphs 20 to 22 of his affidavit, where he depones that Platinum De Plus helped users claim WLD tokens and had no interaction with personal data. It is also submitted that even so, the Multi-Agency Investigation Report (MAIR) (page 61 of Thomas Scott’s affidavit) concluded that Platinum De Plus operated as an Orb operator and collected personal data under the guise of marketing Worldcoin.
72.That the MAIR Report further discloses (at page 66) that some “Worldcoin staff” installed the Worldcoin App for users, accepted the terms and conditions on their behalf and collected iris data in exchange for free WLD tokens without adequately informing users of the process or purpose.
73.The 6th respondent’s further submission is that the marketing activities by Platinum De Plus constitute data processing as provided under section 2 of the Data Protection Act (Data Protection Act), which defines processing as any operation on personal data, whether automated or not, including collection, recording, structuring, storage and adaptation activities in which Platinum De Plus was involved. To support this position, reliance is placed on the case of Office of the Data Protection Commissioner v Tools for Humanity Corporation (Worldcoin) & 2 others (Misc Crim App E315 of 2023) [2024] KEHC 312 (KLR) (25 Jan 2024), where the court acknowledged that Worldcoin’s agents downloaded the app, accepted terms and used the Orb for identity verification, thus acting as processors.
74.It is further submitted that given that Platinum De Plus was indeed involved in processing personal data, the analysis shifts to the validity of the consents obtained from data subject, which consent is defined under section 2 of the Data Protection Act as a manifestation of the data subject's express, unequivocal, free, specific, and informed agreement through a statement or affirmative action.
75.That regulation 4(3) of the general regulations mandates that data controllers and processors ensure: (a) the data subject has the capacity to consent, (b) the consent is voluntary, and (c) the consent is specific to the processing purpose. Regulation 4(4) further states that consent is not free where: it is presumed from silence; made a non-negotiable term; withdrawal results in detriment; multiple purposes are bundled without specific consent for each; or the data subject’s intent is ambiguous.
76.The 6th respondent further submits that the standards under section 2 of the Data Protection Act and regulation 4(3) and (4) are mirrored in article 4 of the EU GDPR, which defines consent in the same manner. It is submitted that these provisions require that each distinct purpose for data processing be accompanied by its own, clear consent.
77.According to the 6th respondent, the Worldcoin Data Consent Form v2 2, submitted by TFH US and TFH GmbH, seeks a single consent for multiple processing purposes. These include calculating and comparing unique identifiers, optimizing algorithms, training AI models using iris images, detecting human users and personnel training.
78.That the form’s introductory paragraph states that users agree to the collection of iris data and its transfer to facilities in Germany and other countries for training neural networks. The concluding statement is said to confirm the explicit consent to transmit data to multiple countries including the US, India, Japan, UK and the Germany. It is the 6th respondent’s submission that the bundling undermines user autonomy and restricts the ability of data subjects to consent to certain uses while rejecting others.
79.The 6th respondent relies on the court of Justice of the European Union decision in Orange România SA v Autoritatea Naţională de supraveghere a Prelucrării Datelor cu Caracter Personal (ANSPDCP) and emphasized the duty of data controllers to prove that data subjects gave informed, unambiguous consent after being adequately informed in plain language. The 6th respondent argues that in the present matter, TFH US and TFH GmbH confirmed (at page 60 of the applicants' pleadings) that distribution of WLD on the Ethereum blockchain was a core project component.
80.Further, that during sign-ups, users were offered 25 free World coin tokens (worth approx Kshs 7,000 or $45) upon submitting their iris data. It is the 6th respondent’s submission that this incentivized participation based on financial gain rather than free will.
81.The 6th respondent also submitted that moreover, as per the 1st- 3rd respondents’ website (https://worldcoin.org/blog/worldcoin/what-is-worldcoin-operator), Orb operators were compensated for every individual they enrolled, creating a commission-based recruitment model. These two factors, according to the 6th respondent deprived users of the ability to freely consent, contravening regulation 4(4), which prohibits consent mechanisms tied to inducements or non-negotiable terms.
82.It is the 6th respondent’s submission that the Multi-Agency Team confirmed that the consent obtained by TFH US, TFH GmbH, and Worldcoin Foundation did not comply with section 32 of the Data Protection Act (Data Protection Act). The 6th respondent further submits that Section 30 of the Act recognizes consent as a lawful basis for processing personal data, but since the consents obtained failed to meet statutory criteria, the resulting data processing was unlawful.
83.Further, it is submitted section 49 of the Data Protection Act and regulation 40 of the general regulations require safeguards, including consent and confirmation of appropriate protections, before transferring sensitive personal data out of Kenya. Regulation 41 is said to stipulates that such transfers must be based on appropriate safeguards, either through binding legal instruments equivalent to protections under Kenyan law or an assessment concluding that suitable protections exist. It also requires documentation of the transfer, including recipient details, justification and data description, to be available upon the Data Protection Commissioner’s request.
84.The 6th respondent submits that it was the responsibility of the 1st to 4th respondents to establish and justify adequate safeguards to the ODPC, which they failed to do. Reliance is placed on Maximillian Schrems v Data Protection Commissioner (6 October 2015), where the Grand Chamber of the court is said to have held that EU data protection laws must provide clear rules and minimum safeguards to protect personal data, especially where there is a risk of unlawful access.
85.Accordingly, the 6th respondent submits that the transfer of sensitive personal data by TFH US, TFH GmbH and Worldcoin Foundation to foreign destinations without proper safeguards and under flawed consents violated the Data Protection Act. The consents obtained, it is urged, was inadequate and did not meet statutory requirements.
86.It is submitted that prayers (a), (b), and (c) of the Application should be granted on the grounds that TFH US, TFH Germany, Worldcoin Foundation, WorldAssets, and Platinum De Plus Limited have collectively processed and transferred sensitive personal data of Kenyan residents without lawful basis and without an adequate DPIA, in violation of the Data Protection Act. Moreover, that despite investigations and enforcement actions by the ODPC, the respondents failed to comply. They urged that Prayer (d) should be denied as explained in paragraphs 41 and 42 of the ODPC’s replying affidavit.
The 8th Respondent’s Case
87.The 8th respondent filed a replying affidavit sworn by Christopher Wambua on December 4, 2023. It is the 8th respondent’s case that it was established under the Kenya Information and Communications Act, 1998, which regulates the communications sector, including broadcasting, cybersecurity, telecommunications and electronic commerce, postal and courier services.
88.It is deposed that the 8th respondent licenses and regulates communication services which include telecommunication services, the management of frequency spectrum, broadcast services and postal courier services. According to the 8th respondent, whereas it regulates ICT services, there are numerous sectors such as banking, health insurance and the entertainment industry that leverage ICT services. However, that their services remain regulated by the respective sector regulators.
89.It is therefore contended that Worldcoin being a financial/banking service that uses a communication platform to collect data, is under the regulatory ambit of the Central Bank of Kenya (CBK) with respect to financial services and the Office of the Data Protection Commissioner when it comes to protection, collection and processing of personal data. The 8th respondent’s case is that it does not have jurisdiction over matters relating to cryptocurrency.
90.It is further urged that the 8th and the 9th respondents have a Memorandum of Understanding whose purpose is to explore arears of mutual partnership and to facilitate for collaborative regulation.
91.According to the 8th respondent under section 23(ee) of the Kenya Information and Communications Act, telecommunication operators must ensure that personal data processing complies with the Data Protection Act 2019.
92.The 8th respondent avers that it was unaware of the activities of the 1st to 5th respondents. Further, that pursuant to the Importation, Type Approval and Distribution of Communications Equipment, Regulations 2010, the 8th respondent did not receive any application for type approval nor type acceptance from the Worldcoin entity and thus, did not conduct any inquiries or evaluate Worldcoin’s communications equipment prior to its operations in the country.
93.It is the 8th respondent’s case that following the suspension of operations of Worldcoin in the country on August 2, 2023, a multi-agency taskforce was formed to investigate the Worldcoin project, resulting in a joint public statement addressing regulatory concerns. That the statement revealed that the WorldApp and its associated cryptocurrency raised issues such as a lack of regulatory framework for digital currencies and the overlap of responsibilities between regulators.
94.According to the deponent, the 8th respondent together with the multi-agency taskforce are in the process of reviewing the Orb device. It is urged that the 8th respondent has further put in place a regulatory Sandbox to assess new technologies like WorldApp. The regulatory Sandbox, it is stated, will allow live testing of current digital technology products and services.
95.The 8th respondent submits that the 1st to 5th respondents violated regulation 3(1) of the Kenya Information and Communications (Importation Type Approval and Distribution of Communication Equipment Regulations,2010 by using the Orb device without approval. This position, according to the 8th respondent, was reaffirmed by the court in the case of Royal Media Services Limited v Telkom Kenya Limited & 2 others [2000] eKLR, where it was emphasized that some of the requirements such as type approval are public safety requirements.
96.Additionally, the 8th respondent submits that section 31 of the Data Protection Act mandates a data processor to undertake a Data Protection Impact Assessment (DPIA) prior to processing personal data, where the processing operation is likely to result in a high risk to the data subject’s rights and freedoms based on the nature, scope, context and purposes of the processing.
97.According to the 8th respondent, between May 31, 2021 and January 2022, the 1st to 5th respondents conducted their activities without a DPIA, as mandated by the Data Protection Act and the European Union Guidelines on DPIA. The 8th respondent submits that section 2 of the Data Protection Act defines what consent means, while section 32 of the Act gives the conditions for consent.
98.The 8th respondent maintained that the 1st to 5th respondents violated these legal requirements by using a broad consent form, failing to specify individual processing purposes, contrary to regulation 4(4)(d) of the Data Protection (General) Regulations 2021.
Analysis and Determination
99.I have carefully considered the judicial review application, the opposition thereto and the parties’ respective written and oral submissions for and against the application for judicial review orders. In my view, the following are the main issues for determination, with ancillary questions to be resolved:i.Whether the court has jurisdiction to hear the judicial review application, on account of the applicants’ failure to exhaust all available dispute resolution mechanisms with the ODPC and or on account of the lack of locus standi by the applicants.ii.Whether service was effected upon the 1st to 4th respondentsiii.Whether judicial review orders are available against private entitiesiv.Whether the applicants are entitled to the Reliefs sought
100.On whether the court has jurisdiction to hear the judicial review application, on account of the applicants’ failure to exhaust all available dispute resolution mechanisms with the ODPC and or on account of the lack of locus standi by the applicants, the 1st to 5th respondents have challenged this court’s jurisdiction to hear the instant judicial review application on grounds that the applicants have failed to exhaust their administrative remedies with the Office of the Data Protection Commissioner, which according to the 1st to 5th respondents, is the proper forum for resolving disputes related to data protection and privacy. The said respondents also contend that the applicants have no locus standi in this matter, not being data subjects as defined in section 2 of the Data Protection Act.
101.The applicants, the 6th and 9th respondents are of the same view on this and argue that the exhaustion doctrine does not apply to the applicants, as the applicants are not data subjects but are acting in the public interest under articles 22 and 258 of the Constitution.
102.The 6th respondent on its part argues that there is no tribunal competent to hear and determine the applicants’ complaints because, whilst the 6th respondent exercises quasi-judicial authority in addressing complaints of infringement or threatened violation of the right to privacy, its authority under the Act is invariably limited to data subjects who lodge such complaints on their own behalf.
103.It is also the 6th respondent’s case that indeed, while section 8(f) of the Data Protection Act empowers the ODPC to receive and investigate any complaint by any person on infringements of the rights under the Act, section 56 of that Act is categorical that the locus to lodge that complaint before the 6th respondent is by an aggrieved natural person. Section 56 is said to state that ‘a data subject who is aggrieved by a decision of any person under this Act’ or their authorized representative as provided under regulation 4 (3) of the Data Protection (Complaints Handling Procedures and Enforcement) Regulations, 2021(“Enforcement Regulations”).
104.According to the 6th respondent, section 2 of the Act defines a data subject as ‘an identified or identifiable natural person who is the subject of personal data.’ Further, that the Act does not confer adequate jurisdiction to the ODPC to qualify as a tribunal before whom the applicants herein would have approached for redress of the present application under section 7(b) of the Fair Administrative Action Act.
105.It is established law that the doctrine of exhaustion mandates that parties must first exhaust all available administrative remedies before resorting to judicial review. This principle is grounded in the need to respect the institutional competence of administrative bodies and ensure that courts are not prematurely involved in matters that can be adequately addressed within a statutory framework. The principle is enshrined in section 9(2) of the Fair Administrative Action Act, which bars judicial review where an adequate remedy exists, unless exceptional circumstances are demonstrated.
106.Section 9(2)(3) of the Fair Administrative Action Act provides that:(2)The High Court or a subordinate court under sub section (1) shall not review an administrative action or decision under this Act unless the mechanisms including internal mechanisms for appeal or review and all remedies available under any other written law are first exhausted.(3)The High Court or a subordinate court shall, if it is not satisfied that the remedies referred to in subsection (2) have been exhausted, direct that applicant shall first exhaust such remedy before instituting proceedings under subsection (1).
107.In Amugune v Advocates Disciplinary Tribunal & another; Law Society of Kenya & 2 others (Interested Parties) [2025] KEHC 4305 (KLR) it was observed thus:Relying of the provisions of section 9(2)(3) and (4) of the Fair Administrative Action Act on the issue of exhaustion of alternative remedies, Nyamweya PJ (as she then was in the High Court) stated as follows:“Exhaustion of alternative remedies is also now a constitutional imperative under article 159(2)(c) of the Constitution, and is exemplified by emerging jurisdiction on the subject, which was initially stated in Speaker of National Assembly v Karume (1992) KLR 21 in the following words:“Where there is a clear procedure for redress of any particular grievance prescribed by the Constitution or an Act of Parliament, that procedure should be strictly followed. Accordingly, the special procedure provided by any law must be strictly adhered to since there are good reasons for such special procedures.”
108.The doctrine of exhaustion of alternative remedies was further explained by the Court of Appeal in Geoffrey Muthinja Kabiru & 2 others v Samuel Munga Henry & 1756 others (2015) eKLR as follows:It is imperative that where a dispute resolution mechanism exists outside courts, the same be exhausted before the jurisdiction of the courts is invoked. Courts ought to be fora of last resort and not the first port of call the moment a storm brews within churches, as is bound to happen. The exhaustion doctrine is a sound one and serves the purpose of ensuring that there is a postponement of judicial consideration of matters to ensure that a party is first of all diligent in the protection of his own interest within the mechanisms in place for resolution outside the courts. This accords with article 159 of the Constitution which commands courts to encourage alternative means of dispute resolution.”
109.Similarly, in Samson Chembe Vuko v Nelson Kilumo & 2 others [2016] eKLR the Court of Appeal, cited other decisions with approval, among them: Speaker of the National Assembly v Karume [2008] 1 KLR 425 where the Court of Appeal held, inter alia:…where there is a clear procedure for the redress of any particular grievances prescribed by the Constitution or the Act of Parliament, that procedure should be strictly followed.”
110.In Mutanga Tea & Coffee Company Ltd v Shikara Limited & another [2015] eKLR the Court of Appeal restated the doctrine of exhaustion of remedies as follows:This court has in the past emphasized the need for aggrieved parties to strictly follow any procedures that are specifically prescribed for resolution of particular disputes (Speaker of the National Assembly V Karume (supra) was a 5(2)(b) applicant for stay of execution of an order of the High Court issued in Judicial Review proceedings rather than in a petition as required by the Constitution. In granting the order, the court made the often-quoted statement that:T[W]here there is a clear procedure for the redress of any particular grievances prescribed by the Constitution or an Act of Parliament, that procedure should be strictly followed.”See also Kones v Republic & another ex parte Kimani Wanyoike & 4 others [2008] 3 KLR (ER) 296.It is readily apparent that in those cases the court was speaking to issues of the correct procedure rather than of the correct forum for resolution of a dispute. However, we entertain no doubt in our minds that the reasoning of the court must apply with equal force to require an aggrieved party, where a specific dispute resolution mechanism is prescribed by the Constitution or a statute, to resort to that mechanism first before purporting to invoke the inherent jurisdiction of the High Court.The basis for that view is first that article 159(2)(c) of the Constitution has expressly recognized alternative forms of dispute resolution, including reconciliation, mediation, arbitration and traditional dispute resolution mechanisms. The use of the word “including” leaves no doubt that article (159(2)(c) is not a closed catalogue. To the extent that the Constitution requires these forms of dispute resolution mechanisms to be promoted, usurpation of their jurisdiction by the High Court would not be promoting, but rather, undermining a clear constitutional objective. A holistic and purposive reading of the Constitution would therefore entail construing the unlimited original jurisdiction conferred on the High Court by article 165(3)(a) of the Constitution in a way that will accommodate the alternative dispute resolution mechanisms.Secondly, such alternative dispute resolution mechanisms normally have the advantage of ensuring that the issues in dispute are heard and determined by experts in the area; and that the dispute is resolved much more expeditiously and in a more cost effective manner. In Rich Productions Ltd v Kenya Pipeline Company & another, Petition No 173 of 2014, the High Court explained why it must be slow to undermine prescribed alternative dispute resolution mechanisms thus:The reason why the Constitution and the law establish different institutions and mechanism for dispute resolution in different sectors is to ensure that such disputes as may arise are resolved by those with the technical competence and the jurisdiction to deal with them. While the court retains the inherent and wide jurisdiction under article 165 to supervise bodies such as the 2nd respondent, such supervision is limited in various respects, which I need, not go into here. Suffice to say that it (the court) cannot exercise such jurisdiction in circumstances where parties before it seek to avoid mechanisms and processes provided by law, and convert the issues in dispute into constitutional issues when it is not.”On the same reasoning, this court, in Republic v The National Environmental Management Authority, CA No 84 of 2010 upheld a decision of the High Court, which declined to entertain a judicial review application by a party who had a remedy, which he had not utilized, under the National Environment Tribunal. The court reiterated that where Parliament has provided an alternative remedy in the form of a statutory appeal procedure, it is only in exceptional circumstances that an order of judicial review will be granted. More recently in Vania Investment Pool Ltd. v Capital Markets Authority & 8 others, CA No 92 of 2014 this court also upheld a decision of the High Court in which the court declined to entertain a judicial review application by an applicant who had failed to first refer its dispute to the Capital Markets Appeals Tribunal established by the Capital Markets Act.”
111.In Revital Healthcare (EPZ) Ltd & another v Ministry of Health & 5 others [2015] Emukule J, citing with approval the case of Damian Belforite v Attorney General of Trinidad & Tobago CA 84/2004 held:Where there is a parallel remedy, constitutional relief should not be sought unless the circumstances of which the complaint is made include some feature which makes it appropriate to take that course. As a general rule there must be some feature, which, at least arguably indicates that the means of least redress otherwise available would not be adequate to seek constitutional relief in the absence of such feature would be misuse, abuse of the court process.”
112.From the above plethora of judicial pronouncements, it is obvious that the doctrine of exhaustion is well grounded in section 9(2) of the Fair Administrative Action Act. Furthermore, article 159(2)(c) of the Constitution mandates courts and tribunals, in the exercise of judicial authority, to be guided by certain principles, among them, that (c) alternative forms of dispute resolution including reconciliation, mediation, arbitration and traditional dispute resolution mechanisms shall be promoted, subject to clause (3).
113.This constitutional edict generally calls upon courts and tribunals to promote alternative dispute resolution mechanism and to implore parties to proceedings to use available alternative administrative remedies before approaching the courts, and it is only in exceptional circumstances that parties can by-pass those mechanisms. It is for that reason that courts have emphasized that judicial restraint should be exercised in favour of expert-led, efficient and cost-effective administrative mechanisms, unless the alternative remedies are inadequate or ill-suited to the issues raised.
114.The Fair Administrative Action Act under section 9(4) provides as follows;(4)Notwithstanding subsection (3), the High Court or a subordinate court may, in exceptional circumstances and on application by the applicant, exempt such person from the obligation to exhaust any remedy if the court considers such exemption to be in the interest of justice.
115.The Court of Appeal in Nyaoga v Chairman Kisii County Assembly & 3 others [2023] KECA 1540 (KLR) aptly discussed what section 9(4) of the Fair Administrative Action Act entails as follows:That having been said, this court also needs to look at the flip side and discuss the exception to the doctrine of exhaustion before coming to our final conclusion. These exceptions provide circumstances where an individual may bypass the exhaustion requirement and directly seek redress from court. In Chief Justice and President of the Supreme Court of Kenya & another v Bryan Mandila Khaemba [2021] eKLR this court acknowledged that the doctrine of exhaustion notwithstanding, courts still retain residual jurisdiction to intervene in exceptional circumstances despite existence of alternative remedies where the action complained of is marred by illegality and procedural irregularities.
25.As provided in section 9(4) of the Fair Administrative Action Act, there are exceptions to the exhaustion rule in exceptional circumstances [underlined and emboldened for emphasis]. In the case of Republic v National Environmental Management Authority ex parte Sound Equipment Ltd, [2011] eKLR this court stated:“…where there was an alternative remedy and especially where parliament had provided a statutory appeal procedure, it is only on exceptional circumstances that an order for judicial review would be granted and that in determining whether an exception should be made…it is necessary for the court to look carefully at the suitability of the statutory appeal in context of the particular case and ask itself what, in the context of the statutory powers, was the real issue to be determined and whether the statutory appeal procedure was suitable to determine it.”
26.Section 9(4) of the Fair Administrative Actions Act provides that the High Court or subordinate court may, in exceptional circumstances and on application by the applicant exempt such person from the obligation to exhaust any remedy if the court considers such remedy to be in the interest of justice. See the William Odhiambo Ramogi case (supra) paragraphs 60 & 61.
27.This court in Fleur Investments Limited v Commissioner of Domestic Taxes & another [2018] eKLR did state that:“whereas courts of law are enjoined to defer to specialized tribunals and other ADR statutory bodies created by parliament to resolve certain specific disputes, the court cannot, being a bastion of justice, sit back and watch such institutions roughshod on the rights of citizens who seek refuge under the Constitution and other legislations for protection. This court is perfectly in order to intervene where there is clear abuse of discretion by such bodies, where arbitrariness, malice, capriciousness and disrespect of the rules of natural justice are manifest. Persons charged with statutory powers and duties ought to exercise the same reasonably and fairly.”
116.In the present case, the applicants and the 6th respondent while relying on articles 22 and 258 of the Constitution have argued, correctly in the view of this court, that the internal complaints mechanism under section 56 of the Data Protection Act was unavailable to them. This is because that section restricts the right to lodge complaints to “data subjects”. The section provides as follows:56.Complaints to the Data Commissioner(1)A data subject who is aggrieved by a decision of any person under this Act may lodge a complaint with the Data Commissioner in accordance with this Act.
117.Section 2 of the Data Protection Act defines a data subject as follows:data subject" means an identified or identifiable natural person who is the subject of personal data;
118.The section further defines identified or identifiable natural person as follows;Identifiable natural person" means a person who can be identified directly or indirectly, by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social or social identity;
119.The court in Republic v Joe Mucheru & others; Katiba Institute & another (ex parte) [2021] KEHC 122 (KLR), also emphasised that complainants who are not data subjects have no standing to initiate a complaint procedure under the Act. This position has also been upheld by 6th respondent who acknowledges that his mandate under the Act is confined to complaints brought by data subjects or their authorized representatives.
120.In the circumstances, this court finds that although the Applicants did not formally apply for exemption as mandated under section 9(4) of the Fair Administrative Action Act, this court finds that they were not obligated to seek such exemption as the exemption was not necessary, since the remedy of resorting to alternative internal dispute resolution mechanism under section 56 of the Data Protection Act was not available and or applicable to the applicants.
121.It follows that a party cannot be told to exhaust alternative remedies which are not available to them. To do so would impede access to justice and occasion a miscarriage of justice where a statutory remedy is, in substance, unavailable.
122.I am fortified on this position by the decision in the case of R v Independent Electoral and Boundaries Commission (IEBC) & others ex parte The National Super Alliance (NASA), where the Court held:While, exceptions to the exhaustion requirement are not clearly delineated, courts must undertake an extensive analysis of the facts, regulatory scheme involved, the nature of the interests involved – including level of public interest involved and the polycentricism of the issue (and hence the ability of a statutory forum to balance them) to determine whether an exception applies.”
123.As acknowledged by the Court of Appeal in the Mutanga Tea & Coffee Company Ltd v Shikara Limited & Municipal Council Of Mombasa (2015) JELR 106790 (CA) case, the Court of Appeal in this case emphasized that, generally, parties must exhaust available statutory dispute resolution mechanisms before seeking judicial review in court. However, the court acknowledged that in exceptional circumstances, such as when constitutional issues are at stake, the High Court may entertain a matter without the need to exhaust alternative remedies.
124.Thus, the High Court may, in exceptional circumstances, where it finds that the exhaustion requirement would not serve the values enshrined in the Constitution or law, it may permit the suit to proceed before it. This exception to the exhaustion requirement is particularly likely where a party pleads issues that border on constitutional interpretation especially in virgin areas or where an important constitutional value is at stake.
125.In the case of Krystalline Salt Limited v Kenya Revenue Authority (2019) eKLR the court expressed its view on the definition of “exceptional circumstances” as follows:What constitutes exceptional circumstances depends on the facts and circumstances of the case and the nature of the administrative action at issue. Thus, where an internal remedy would not be effective and/ or where its pursuit would be futile, a court may permit a litigant to approach the court directly. So too where an internal appellate tribunal has developed a rigid policy which renders exhaustion futile. The Fair Administrative Action Act does not define ‘exceptional circumstances. However, this court interprets exceptional circumstances to mean circumstances that are out of the ordinary and that render it inappropriate for the court to require an applicant first to pursue the available internal remedies. The circumstances must in other words be such as to require the immediate intervention of the court rather than to resort to the applicable internal remedy.”
126.Accordingly, in this case, I am satisfied that the circumstances disclosed by the applicants are such that there was no available alternative mechanism for resolution of the dispute herein as the applicants not being data subjects, had no locus standi to file a complaint before the ODPC. They are, therefore automatically excluded and therefore exempted from resorting to the mechanisms available under the Data Protection Act, the applicants not being data subjects who are identifiable natural persons and as such they could not have lodged a complaint under section 56 of the Data Protection Act.
127.Onto the next question of whether the applicants have locus standi in this matter, this issue is linked to the first issue above for reasons that it borders on jurisdiction of this court to entertain the judicial review application filed by the applicants.
128.The 1st to 5th respondents contended in detail that the applicants, not being data subjects, had no locus standi to bring these proceedings and urged the court to dismiss the application. The applicants and the 6th respondent were of a different view, and argued that the matter was brought under articles 22, 258 of the Constitution and that therefore they are properly suited to institute proceedings relating to violation of fundamental rights,
129.The question of locus standi, a Latin for "place to stand" is critically important in any legal proceedings because it determines whether a party has the legal right to bring a case before the court. In simple terms, it asks: Does this person or entity have sufficient interest in the matter to justify involvement in the case?
130.Historically, Kenyan courts adopted a strict approach to this question of locus standi such that only parties directly affected could sue. However, with the promulgation of the 2010 Constitution, particularly articles 22 and 258, locus standi was greatly expanded to the extent that individuals can bring cases on behalf of others; Public interest litigation is allowed; and Cases can be brought in defense of the Constitution, even without personal injury.
131.Therefore, while locus standi remains relevant, it is now interpreted more broadly to enhance access to justice and uphold the rule of law.
132.In a landmark case of Mumo Matemu v Trusted Society of Human Rights Alliance & 5 others [2013] eKLR (Kenya Court of Appeal), which case involved the appointment of Mumo Matemu to the Ethics and Anti-Corruption Commission (EACC). The Trusted Society of Human Rights Alliance, a civil society organization, challenged Mr Mumo Matemu’s appointment on grounds of integrity and suitability under Chapter Six of the Constitution.
133.The key issue that arose for determination was whether the Trusted Society of Human Rights Alliance had locus standi (standing) to challenge the appointment, given that it was not personally affected by the decision. The Court of Appeal held that the Trusted Society of Human Rights Alliance did have locus standi under articles 22 and 258 of the Constitution. These provisions allow any person to bring a claim alleging violation of a right or fundamental freedom, anyone to institute proceedings in the public interest or on behalf of others. The Court of Appeal stated inter alia:the Constitution of Kenya, 2010 has liberalized the concept of standing. It is now enough that the person bringing the suit is acting in the public interest.”
134.An appeal was lodged to the Supreme Court which upheld the decision of the Court of Appeal on locus standi. This case expanded the interpretation of locus standi in Kenya and confirmed that public interest litigation is permitted, even where the petitioner has no direct personal interest in the matter, creating a major shift from the older, restrictive approach (where a party had to show direct injury or loss).
135.For clarity purposes, article 22 of the Constitution stipulates as follows:
22.Enforcement of Bill of Rights(1)Every person has the right to institute court proceedings claiming that a right or fundamental freedom in the Bill of Rights has been denied, violated or infringed, or is threatened.(2)In addition to a person acting in their own interest, court proceedings under clause (1) may be instituted by—(a)a person acting on behalf of another person who cannot act in their own name;(b)a person acting as a member of, or in the interest of, a group or class of persons;(c)a person acting in the public interest; or(d)an association acting in the interest of one or more of its members.(3)The Chief Justice shall make rules providing for the court proceedings referred to in this article, which shall satisfy the criteria that—(a)the rights of standing provided for in clause (2) are fully facilitated;(b)formalities relating to the proceedings, including commencement of the proceedings, are kept to the minimum, and in particular that the court shall, if necessary, entertain proceedings on the basis of informal documentation;(c)no fee may be charged for commencing the proceedings;(d)the court, while observing the rules of natural justice, shall not be unreasonably restricted by procedural technicalities; and(e)an organisation or individual with particular expertise may, with the leave of the court, appear as a friend of the court.(4)The absence of rules contemplated in clause (3) does not limit the right of any person to commence court proceedings under this article, and to have the matter heard and determined by a court.”
136.On the other hand, article 258 of the Constitution provides that:258.Enforcement of this Constitution(1)Every person has the right to institute court proceedings, claiming that this Constitution has been contravened, or is threatened with contravention.(2)In addition to a person acting in their own interest, court proceedings under clause (1) may be instituted by—(a)a person acting on behalf of another person who cannot act in their own name;(b)a person acting as a member of, or in the interest of, a group or class of persons;(c)a person acting in the public interest; or(d)an association acting in the interest of one or more of its members
137.the Constitution at article 260 defines ‘person’ to include, a company, association or other body of persons whether incorporated or unincorporated; which term was well interpreted in the Mumo Matemu case (supra) where the court affirmed that civil society organizations and individuals can challenge public appointments or government action in defense of constitutional values—even without being personally affected. It showcased the modern, progressive view of locus standi under Kenya’s 2010 Constitution.
138.In the instant case, only strangers in Jerusalem know not that the applicants herein are have at all times litigated in the public interest. This case involves the public, not just the individual data subjects who were subjected to the impugned data collection and processing actions but also the potential Kenyan residents who may be motivated to submit themselves to the impugned processes, which the applicants identify to be, actions that violate the constitutional values and right to privacy and dignity.
139.Accordingly, and on the authority of the Mumo Matemu case, I find that the applicants have the necessary locus standi to institute these proceedings and that the objection as to their locus standi is found to be misplaced and devoid of any merit and is dismissed.
Whether service was effected upon the 1st to 4th respondents
140.The second main issue for determination is the issue of service of the application upon the 1st to 4th respondents. The 1st-4th respondents have contended in their submissions that the applicants failed to obtain leave of court to serve the 1st to 4th respondents who claim to be foreign entities and domiciled outside Kenya. It is their case that the procedure for service of court process is provided for under order 5 rule 21 of the Civil Procedure Rules (CPR). That the failure to seek leave according to them is a fundamental issue, and that without such leave, the court cannot assume jurisdiction over foreign respondents.
141.They also urge that proper service can only be effected through diplomatic channels or by court direction as prescribed under order 5 rules 25 to 29. They urge that the applicants have not provided evidence of such service or sought leave for it, which renders the proceedings defective.
142.In response, the 6th respondent ODPC argues that order 5 rule 8(2) permits for service to be done through an advocate with instructions to accept service. According to the 6th respondent, the 1st to 4th respondents have actively participated in the proceedings, including filing a memorandum of appearance, replying affidavits, and legal submissions, which according to the 6th respondent indicates that they did not object to the service.
143.It is not in contention that the 1st to 4th respondents before this court are foreign entities and proprietors of Worldcoin, WorldID, WorldApp, and the Orb. This is acknowledged by the applicants in their statutory statement where they define the said respondents as such. The applicants also state in their statutory statement that service upon the Worldcoin entities will be through their Kenyan agents by email or registered mail.
144.This court notes that the issue of improper service has been raised at this late stage of the proceedings, for the first time. While the court acknowledges that service upon parties outside the jurisdiction ordinarily requires leave of the court and compliance through the prescribed procedure, the circumstances of this case compel a different conclusion.
145.The record speaks for itself. The respondents have, from the outset, had their authorized agents in Kenya, undertaking the data collection and processing from Kenyan residents and have actively participated in these proceedings through their authorized counsel, the law firm of Coulson Harney LLP, domiciled in Kenya, without ever raising the issue of service. A Memorandum of Appearance was filed by the said firm, together with responses, not under any form of protest. Counsel also attended mentions and hearings, and vigorously engaged with the substance of the case without protest.
146.It is trite law that a party who voluntarily submits to the jurisdiction of the court by participating in proceedings without promptly raising objections as to service of court process is deemed to have waived any such irregularities.
147.This court in the case of Paulina Wanza Maingi v Diamond Trust Bank Limited & another [2015] KEHC 548 (KLR) held as follows:
35.In my humble view, since the purpose of summons to enter appearance is to notify the defendant and or invite them to defend the suit, and the 1st defendant having filed a notice of appointment of advocates and statement of defence which was not even filed under protest, and six years having elapsed since this suit was instituted, it would be a traversity of justice to dismiss the suit for want of summons when the 1st defendant has actively been participating in the suit. Albeit the 1st defendant alleges that its key witnesses left employment and that it shall be prejudiced by the delay, this court notes that the 1st defendant has not sought for dismissal of this suit for want of prosecution as is required under order 17 rule 35 of the Civil Procedure Rules. They have invoked very specific provisions of the law and it would be unfair and unjust if this court were to dismiss this suit for delay in its prosecution when no such application is before it for determination and or when the court has not heard the parties on a notice to show cause why the suit should not be dismissed for inaction. I am in total agreement with Honourable Jeanne Gacheche J ( as she was then) in Fredrick Kibet Chesire v Paymond W Bomet (supra) case (2006) eKLR- that the sole purposes of summons to enter appearance is to notify the defendant that a suit has been filed against him in a particular court, particulars of which are contained in the plaint, which should be served together with the said summons. The summons to enter appearance also serve as a notice to inform a defendant of the mode of action to take and the time within which he should enter appearance and file his defence. It also informs him of the consequences for failure to comply.”
148.The Court of Appeal in the case Diamond Trust Bank Kenya Limited v Maingi & another [2023] KECA 712 (KLR) while upholding this court’s decision finding on the same question of service of court process observed as follows:In Industrial and Commercial Development Corporation v Sum Model Industries Limited [2007] eKLR, the court held:“…whether or not a valid summons to enter appearance was served on the appellant does not, on the facts and circumstances of this case, vitiate the proceedings subsequent to such service. The appellant without any hesitation or protestation filed a written statement of defence and participated in the proceedings of the case without any complaint.”
36.It is our considered view that, where a defendant has entered appearance or appointed counsel, and has proceeded to file a defence to the suit without protest, the purpose of the summons is spent or considerably diminished, and that any defect in the summons must be considered as having been waived or acquiesced by the defendant. Subsequently, the defendant cannot be heard to complain about delay or failure by the plaintiff to serve summons to enter appearance. It is vain pedantry to do so.
37.We agree with the 1st respondent that rules of procedure are the hand maidens of justice. This court in Peter Obwogo O & 2 others v HO Suing as Next Friend of PO (Minor) & another [2017] eKLR while dealing with an application brought under rule 84 of the Rules of this Court stated thus:Whereas the rules for procedure are handmaidens of justice and play an important role in the administration of justice, they should not, in appropriate cases, impede the administration of substantial justice. Article 159(2)(d) of the Constitution of Kenya 2010, now requires that: “justice shall be administered without undue regard to procedural technicalities.” The court has a discretion under Rule 84 to strike out a notice of appeal or appeal where an essential step has not been taken in the proceeding or has not been taken within a prescribed time. However, the discretion should be exercised judicially having regard to all the circumstances of the case.” [Emphasis added]
149.Order 5 rule 21 of the Civil Procedure Rules does provide for service outside Kenya. This rule states that no summons or notice shall be served outside Kenya without the leave of the court. This prohibition typically applies where the defendant/respondent is physically outside Kenya, and the plaintiff /applicant wants to effect direct service abroad.
150.On the other hand, order 5 rule 17 of the Civil Procedure Rules provides for service on Agent. The provision allows for service to be made on an agent in Kenya if the agent is carrying on business or acting on behalf of the defendant, and the court is satisfied that service on the agent will amount to sufficient notice to the defendant. Thus, if a foreign party has an authorized agent in Kenya, leave of court may not be required, provided the agent's authority is established.
151.In Kenya Shell Limited v Kobil Petroleum Limited [2006] eKLR, the court allowed service on a foreign party through a Kenyan-based agent where there was sufficient connection between the agent and the dispute. The court held that what matters is effective notice, not rigid procedural formality.
152.In Raytheon Aircraft Credit Corporation v Air Al-Faraj Ltd [2005] eKLR, the court noted that leave is required where service is to be effected outside Kenya, but not necessarily where the defendant has an address or agent in Kenya that can receive service on their behalf.
153.This matter is now at an advanced stage and indeed, at the tail end of proceedings. The issue of service was raised in the submissions. There was no protest by the agent who was served and received the application on behalf of the 1st to 4th respondents. Allowing the 1st to 4th respondents to raise a technical objection at this juncture would not only be prejudicial to the applicants but would also undermine the overriding objective of the law that parties and their advocates must aid the court and facilitate the just, expeditious, proportionate and affordable resolution of disputes under sections 1A and 1B of the Civil Procedure Act.
154.Additionally, article 159(2)(d) of the Constitution of Kenya, 2010 states that:Justice shall be administered without undue regard to procedural technicalities.”This provision is a powerful affirmation of substantive justice over formalism and seeks to balance procedural fairness with substantive justice.
155.Although article 159(2)(d) of the Constitution does not excuse non-compliance with fundamental legal requirements and neither is it a panacea for all procedural shortcomings and therefore a party seeking shelter under it must show honest effort, diligence, and absence of prejudice to the other side, courts are called upon to look beyond mere form and ensure that the essence of justice is delivered, provided the failure is not fundamental or abusive. This provision which has become a cornerstone of transformative constitutionalism in my view, is applicable in the circumstances of this case.
156.The 1st to 4th respondents have not demonstrated what prejudice they have suffered and indeed there is none, by dint of the applicants not serving them with the application outside of Kenya, when in fact, they had advocates in Kenya with express instructions to receive any court process on their behalf and to act in their best interest. The bottom line is that service was not effected outside Kenya without leave of court. The application was served upon their agents residents in Kenya and the agents accepted service on behalf of the said respondents.
157.I hasten to add that courts should not be held to insist rigidly on old-age procedures for the service of court processes outside the country, especially in an era where digitization and online communication methods like email offer faster, more reliable, and often more secure alternatives. However, any shift toward modernizing these procedures must be balanced with key legal principles such as due process, fairness, international comity, and enforceability of judgments.
158.Accordingly, this court finds that the respondents, by their conduct, waived any objection to the mode of service upon them. They have also not shown before the court that they have suffered any prejudice from the failure to serve them with the initial court process in the manner provided for in order 5 rule 21 of the Civil Procedure Rules. I therefore find that objection to service is devoid of merit and is hereby dismissed.
159.On whether the applicants are entitled to the orders sought, this court having concluded the discussion on jurisdictional and other related issues in the preceding sections of this judgment. The next issue is whether the applicants are entitled to the orders sought in the notice of motion dated August 25, 2023.
160.The applicants seek judicial review orders of certiorari, prohibition and mandamus. The grounds upon which judicial review orders can issue were discussed in the case of Republic v Public Procurement Administrative Review Board & 2 others ex parte Kemax Trading Company Limited [2018] KEHC 3847 (KLR) as follows:In other words, the grounds upon which judicial review jurisdiction is predicated are incapable of exhaustive listing.( see Nyamu J in Republic v The Commissioner of Lands ex parte Lake Flowers Ltd Nairobi HC Miscellaneous Application 1238/1998 wherein the Learned Nyamu ( as he then was) stated:“Availability of other remedies is no bar to the granting of the Judicial review relief but can however be an important factor in exercising the discretion whether or not to grant relief…The courts must resist the temptation to try and contain Judicial Review in a straight jacket….Although Judicial Review has been bequeathed to us with defined interventions namely, illegality, irrationality and impropriety of procedure the intervention has been extended using the principle of proportionality……The court will be called upon to intervene in situations where authorities and persons act in bad faith, abuse of power, fail to take into account relevant considerations in the decision making or take into account irrelevant considerations or act contrary to legitimate expectations….Even on the important principle of standing for the purpose of judicial review the courts must resist being rigidly chaired to the past defined situations of standing and look at the nature of the matter before them……Judicial Review is a tool of Justice, which can be made to serve the needs of a growing society on a case to case basis….The court envisions a future growth of Judicial Review in the human rights arena where it is becoming crystal clear that human rights will involve and grow with the society.”
161.In the instant case, the applicants' case prompting them to seek judicial review is primarily founded on the claim that Worldcoin’s collection and processing of biometric data from Kenyan residents, specifically through iris scans using the Orb device, was in violation of the right to privacy as guaranteed under article 31 of the Constitution. The applicants argue that Worldcoin failed to comply with the Data Protection Act 2019, by neglecting to conduct a Data Protection Impact Assessment (DPIA), not obtaining valid and informed consents of the data subjects and not registering key entities involved in data processing such as Worldcoin Foundation and World Assets Ltd as data controllers or processors in Kenya.
162.The applicants further assert that the consents allegedly obtained were not freely given but were instead induced through monetary incentives in the form of cryptocurrency, thereby violating the principles of fairness and transparency under Kenyan data protection laws and the General Data Protection Regulation (GDPR). The applicants also cite official communications from regulatory bodies, including a cautionary note from the Data Protection Commissioner and a joint statement with the Communications Authority, which raised concerns over the legality and safeguards surrounding Worldcoin’s data collection practices.
163.In addition to the alleged privacy and data protection violations, the applicants argue that Worldcoin’s actions amount to illegality and abuse of power in administrative actions under article 47 of the Constitution and sections 4 and 7 of the Fair Administrative Action Act. The applicants avow that the failure to obtain type approval for the Orb device, the lack of clear and distinct processing purposes across the Worldcoin ecosystem (Worldcoin, WorldID, and WorldApp) and the cross-border data transfers which was being undertaken without adequate safeguards, contravened statutory and constitutional standards regarding data privacy.
164.The applicants also claim that Worldcoin exploited vulnerable Kenyan populations by offering them inducements in the form of cryptocurrency in exchange for sensitive biometric data, thereby violating rights to human dignity and autonomy as guaranteed under articles 28 and 21 of the Constitution. The applicants further challenge the alleged inaction by public authorities specifically the Cabinet Secretary in charge of ICT and Digital Economy and the Data Protection Commissioner for failing to issue mandatory guidelines on the commercial use of personal data as mandated by section 37(3) of the Data Protection Act. The applicants in that case seek an order of mandamus compelling such issuance of mandatory guidelines on the commercial use of personal data under section 37(3) of the Data Protection Act within a specific timeframe.
165.In response, the 1st to 4th respondents contend that a Data Protection Impact Assessment was submitted and updated, that participation in the Worldcoin project was voluntary and informed and that the Orb device does not require type approval under the current regulatory frameworks.
166.The 5th respondent on the other hand contends that the applicants lack standing under the Act and that judicial review is not available against private entities like itself. The 5th respondent also disputes the claims regarding consent and the need for a DPIA, and argues that judicial review orders cannot lie in the circumstances presented. These respondents ultimately urge the court to dismiss the application for want of jurisdiction and for procedural impropriety.
167.The 6th respondent, the Office of the Data Protection Commissioner (ODPC), states that it commenced inquiries into TFH US and TFH GmbH’s data processing activities after discovering in March 2022, that these entities were collecting and transferring sensitive personal data from Kenyans without proper registration or legal basis.
168.There is material on record that the ODPC engaged TFH US through correspondence from April to September 2022, raising concerns over unclear legal bases, inadequate consent procedures and missing documentation during their attempts to register as data controllers. That despite a directive to restrict data processing until compliance was achieved, TFH US continued processing data, prompting further regulatory action.
169.The 6th respondent argues that TFH US and its affiliates failed to meet the legal threshold for a valid Data Protection Impact Assessment (DPIA) as stipulated in regulation 49 of the Data Protection Regulations. It submits that consents obtained were neither informed nor specific and that the collection of biometric data from the data subjects by agents such as Platinum De Plus amounted to unlawful data processing. The ODPC maintains that its actions were lawful and within its mandate under the Data Protection Act 2019. The 6th respondent thus supports the judicial review proceedings and urges the court to find that the 1st to 5th respondents breached Kenyan data protection laws.
170.The 8th respondent on its part contends that it had no prior knowledge of the activities of the 1st to 5th respondents and did not receive any application for type approval of the Orb device under the relevant regulations. It submits that the use of the Orb device without approval violated the Kenya Information and Communications (Importation, Type Approval and Distribution of Communication Equipment) Regulations, 2010.
171.Further, that following the suspension of Worldcoin’s operations, the Communications Authority of Kenya, (CAK) joined a multi-agency taskforce to investigate the matter and is now reviewing the Orb device. It further supports claims that the 1st to 5th respondents violated data protection laws by processing sensitive personal data without a valid DPIA and using broad, unspecific consent forms, contrary to the Data Protection Act and related regulations.
172.Based on the 6th respondent’s detailed account and supporting evidence, I am persuaded that the 1st to 5th respondents failed to comply with the mandatory legal requirements for processing sensitive personal data under the Data Protection Act 2019, and its attendant regulations as highlighted in this judgment. I am in agreement with the 6th respondent’s position that this failure constitutes not only a breach of statutory duties but also a violation of the data subjects' constitutional right to privacy as guaranteed by article 31 of the Constitution.
173.It is also clear and this has not been adequately controverted that the 1st to 5th respondents commenced the collection and processing of sensitive personal data including biometric identifiers such as iris and facial scans of data subjects without first securing valid registration as data controllers or processors, contrary to section 18 of the Data Protection Act.
174.Section 18 of the Data Protection Act requires that a data controller or processor must register with the Data Protection Commissioner (DPC) before processing personal data. The section mandates that such processing can only occur once registration is obtained, ensuring that the entity complies with the law.
175.This Court notes with great concern that, despite repeated directions given by Office of the Data Protection Commissioner (ODPC) to halt and restrict data processing pending by the 1st to 4th respondents’ compliance with the law, the respondents illegally and unprocedurally continued their operations.
176.Surprisingly, the 1st to 4th respondents’ counsel vide an email dated September 14, 2022, informed ODPC that in utter defiance of the Data protection Commissioners’ directive of June 23, 2022 to restrict their data processing until either 60 days lapsed or a lawful basis was provided, its Clients would proceed with processing sensitive personal data!
177.The 1st to 4th respondents were thus processing sensitive data without a legally cognizable basis, as required under section 30 of the Data Protection Act. Section 30 of the Data Protection Act stipulates that personal data may only be processed if the processing is necessary for the performance of a contract, compliance with a legal obligation, protection of vital interests or for other lawful purposes.
178.Additionally, there is evidence which clearly show that the respondents failed to conduct a Data Protection Impact Assessment (DPIA) as required under section 31 of the Data Protection Act.
179.Further uncontroverted evidence on record is that the 1st to 5th respondents were also offering the data subjects monetary incentives, including cryptocurrency tokens, in exchange for the biometric data, which raises concerns about the voluntary nature of the data subjects' consents. The evidence supports this court’s finding that the consents purportedly obtained from data subjects was neither free, specific, nor informed as defined under section 2 of the Data Protection Act. Section 2 of the Data Protection Act defines consent as “any manifestation of express, unequivocal, free, specific and informed indication of the data subject's wishes by a statement or by a clear affirmative action, signifying agreement to the processing of personal data relating to the data subject”.
180.Regulation 4 of the Data Protection (General) Regulations, 2021 emphasizes that consent must be obtained without any coercion and it must be informed, meaning, the data subject must be fully aware of what data is being collected and the purpose of the processing of such data.
181.This court notes that, as observed by the applicants and the 6th and 8th respondents, that the processing activities were bundled with incentives (cryptocurrency tokens), were based on vague or insufficient disclosures and often executed by agents or Orb operators such as Platinum De Plus who installed Apps and accepted terms on behalf of users. Such actions are no doubt, a foul the statutory standard for lawful consent and manifestly prejudicial to the rights of the data subjects.
182.I must emphasize that Informed consent, in the context of data privacy and protection, means that individuals (data subjects) must fully understand what they are agreeing to when providing their personal data. They must be made aware of:i.What data is being collected.ii.Why the data is being collected.iii.How the data will be used, and if relevant, shared with third parties.iv.The potential risks involved.v.The ability to withdraw consent at any time.
183.In Google Spain v AEPD (2014), the European Court of Justice (ECJ) clarified the right to be forgotten, but it also touched on the nature of consent for processing personal data. The judgment highlighted the need for clear and specific consent for the processing of personal data, especially in relation to online search engines. It emphasized that consent should not be ambiguous.
184.Again, for consent to be valid under the Data Protection Act and Regulations, it must be freely given, affirmative, specific, informed and unambiguous. This includes not being coerced, manipulated or tricked into providing consent.
185.In the instant case, the use of Incentives (Cryptocurrency Tokens), in exchange for data collection and processing from the data subjects raises questions about whether the consents were freely given.
186.This is because, If the tokens are offered as a reward for participation, there may be concerns that individuals feel pressured to consent to data collection because the offer of tokens could be seen as an irresistible incentive, especially for vulnerable people who have no information and knowledge of their rights to privacy and data protection. This in essence, clearly indicates that consents were not given freely, as the data subjects might feel they need to agree to the data collection in order to receive the reward.
187.In addition, even if data subjects are aware of the offer, they may not fully understand the potential long-term implications of sharing their biometric or personal data in exchange for tokens. Informed consent requires that individuals not only understand what is happening but are also aware of the potential risks (e.g., misuse of their data, loss of privacy, etc.). there is no evidence that WorldCoin's offer of tokens adequately addressed these risks.
188.There are also ethical questions about whether it is appropriate for organizations to use financial or material incentives to induce individuals into providing highly sensitive personal data, especially if the data subjects lack a full knowledge and understanding of the implications of sharing their sensitive personal data as was the case herein.
189.For consent to be meaningful, organizations must foster trust by being transparent about how the data will be used and by offering clear, understandable explanations. If incentives like cryptocurrency tokens are used without adequate transparency, it could compromise the trust and effectiveness of consent.
190.The use of cryptocurrency tokens to gather personal data is in my humble view, an attempt to bypass the spirit of data protection laws by using incentives to sidestep the true essence of informed consent by luring desperate and poor Kenyans with cryptocurrency tokens.
191.Moreover, the 1st to 4th respondents also failed to ensure that consents given by the data subjects was valid for multiple requests- for processing of personal data. According to regulation 4(3)(c) of the Data Protection (General) Regulations, 2021, consent must be provided specifically for each separate processing operation. A single consent cannot be presumed to apply to a broad and indefinite range of data processing activities.
192.Further, the applicants have highlighted that the 1st to 5th respondents transferred or caused the transfer of the collected biometric data to servers outside Kenya, contrary to the provisions of section 48 of the Data Protection Act. Section 48 of the Data Protection Act prohibits the transfer of personal data to countries or organizations outside Kenya unless the Data Protection Commissioner has determined that the receiving country provides an adequate level of protection for the data. This provision is designed to ensure that data subjects' rights and the protection of their personal information are not compromised by international data flows to jurisdictions with inadequate data protection laws.
193.There is no evidence that the respondents complied with these requirements, making the transfer of data a breach of the Act and an infringement on the data subjects' privacy rights.
194.Given the gravity of these violations, this court finds that the 1st to 5th respondents' actions in processing personal data without the proper safeguards and informed consent of the data subjects are unlawful and in breach of the constitutional right to privacy under article 31 of the Constitution of Kenya.
195.Further, regulation 3(1) of the Kenya Information and Communications (Importation, Type Approval, and Distribution of Communication Equipment) Regulations, 2010, requires type approval for communication equipment before it is imported, distributed, or used in Kenya. The material on record clearly show that the offending respondents used the Orb device without obtaining type approval, contrary to the provisions of the law and this has been confirmed by the 8th respondent. Accordingly, the court, finds that the 1st to 5th respondents used the Orb device without obtaining the necessary type approval which constitutes a clear violation of the regulations.
196.Another pertinent issue raised by the 5th respondent is that judicial review orders cannot issue against it as it is not a public entity. This is far from the truth as judicial review is now firmly established as a constitutional remedy. Judicial review orders can issue against a private entity where the entity is performing a public function or exercising public authority, or; the private entity has violated constitutional rights, particularly under the Bill of Rights.
197.The Constitution of Kenya (2010) and relevant statutes do not limit judicial review to state actors alone, especially where human rights violations are alleged. Article 20(1) & (2) on application of the Bill of Rights is clear that the Bill of Rights applies to all law and binds all persons, including private actors. Courts are mandated to enforce rights against both the State and private persons or entities
198.Under article 22 on enforcement of the Bill of Rights, any person may institute proceedings against the State or another person, claiming a right or freedom has been violated.
199.On the other hand, article 23 on the authority of court, the Constitution empowers the High Court to grant appropriate reliefs, including: Judicial review orders (mandamus, prohibition, Certiorari), Declarations, injunctions and damages. These orders can issue against any person, body, or authority, including private actors where there is violation of fundamental human rights and freedoms.
200.Further, article 165(3)(b) confers on the High Court Jurisdiction to determine the question whether a right or fundamental freedom in the Bill of Rights has been denied, violated, infringed or threatened. Violations of rights can be committed either by individuals, bodies, authorities, whether public or private entities.
201.Additionally, the Fair Administrative Action Act, 2015 which implements article 47 of the Constitution that guarantees the right to fair administrative action defines "administrative action" broadly to include decisions made by both public and private bodies that affect legal rights. Further, section 3(1) of the Fair Administrative Action Act provides that the Act applies to private persons where they exercise administrative authority or quasi-public functions and 3(1) (c) whose action, omission or decision affects the legal rights or interests of any person to whom such action, omission or decision relates.
202.Caselaw in support of this position include Mumo Matemu v Trusted Society of Human Rights Alliance & others (CA Civil Appeal No 290 of 2012) where the Court of Appeal held that judicial review is no longer confined to the narrow realm of public law, and that where a constitutional issue or rights violation is raised, any person or entity may be subject to judicial review.
203.In the instant case, the 1st to 5th respondents are culpable of violating fundamental rights and acted with illegality and procedural impropriety and irrationality and as such, the judicial orders sought by the applicants apply to them.
204.Finally, a reminder to the 1st to 5th respondents that article 19 of the Constitution of Kenya declares that the Bill of Rights is an integral part of Kenya’s democratic state. Its purpose is to preserve the dignity of individuals and communities and to promote social justice and the realization of the potential of all human beings.
205.Under article 21, on implementation of Rights and Fundamental Freedoms, the fundamental obligation placed on the State and every State organ as far as human rights protection is concerned is to observe, respect, protect, promote and fulfill the rights and fundamental freedoms in the Bill of Rights.
206.The right to privacy and therefore to the protection of personal data is a fundamental right guaranteed by the Constitution of Kenya at article 31. Further, the state is required to take legislative, policy and other measures, including setting standards, to achieve the progressive realization of economic and social rights.
207.Having said that, this court finds and holds that the orders sought by the applicant are merited to the extent stated in this judgment and given the violations of data protection laws by the 1st to 5th respondents as seen above, the court makes the following orders:a.Judicial review order of Prohibition is hereby issued prohibiting the 1st to 5th respondents and their agents from further collecting, processing or transferring the personal biometric data collected in Kenya using the Orb, without undertaking (or using an inadequate) Data Protection Impact Assessment contrary to section 31 of the Data Protection Act 2019 or using consent obtained through inducement of a cryptocurrency—Worldcoin. And in the case of the 3rd to 5th respondents, without registering as data processors or controllers in Kenya.b.Judicial review order of Certiorari is hereby issued bringing into this court for purposes of quashing and I hereby quash Worldcoin’s decision to collect, process, or transfer biometric data collected in Kenya using the Orb, without undertaking (or using an inadequate) Data Protection Impact Assessment contrary to section 31 of the Data Protection Act 2019 and by consent obtained through inducement of a cryptocurrency—Worldcoin.c.Judicial review order of Mandamus is hereby issued compelling the 1st to 5th respondents to, within 7 days of this order, permanently erase and destroy (under the supervision of the Data Protection Commissioner) the personal biometric data collected by the 1st to 5th respondents from Kenya data subjects using the Orb, for having been obtained unlawfully.d.As regards prayer (c) of the motion seeking cancellation of the Certificates of registration, this court notes that the said Certificates of Registration were cancelled by the Office of the Data Protection Commissioner on September 5, 2023. The prayer is therefore overtaken by events. It is declined.e.This court declines to grant prayer (e) of the motion as the 6th respondent has demonstrated to this court of the efforts of the Office of the Data Protection Commissioner to have commercial use of personal data legislated. The respondent has also indicated the challenges being faced which include-that the current Data Protection Act 2019 requires amendments to align with emerging challenges and technological advancements in the processing of personal data.f.Each party shall bear their own costs of these proceedings, the matter being of immense public interest.g.This file is closed.
DATED, SIGNED AND DELIVERED AT NAIROBI VIRTUALLY THIS 5TH DAY OF MAY, 2025R.E. ABURILIJUDGE
▲ To the top

Cited documents 47

Judgment 35
1. Matemu v Trusted Society of Human Rights Alliance & 5 others (Civil Appeal 290 of 2012) [2013] KECA 445 (KLR) (26 July 2013) (Judgment) Explained 493 citations
2. Macharia & another v Kenya Commercial Bank Ltd & 2 others (Application 2 of 2011) [2012] KESC 8 (KLR) (23 October 2012) (Ruling) Explained 466 citations
3. Speaker of the National Assembly v Karume (Civil Application 92 of 1992) [1992] KECA 42 (KLR) (29 May 1992) (Ruling) Explained 453 citations
4. Muthinja & another v Henry & 1756 others (Civil Appeal 10 of 2015) [2015] KECA 304 (KLR) (30 October 2015) (Judgment) Mentioned 327 citations
5. Republic v Independent Electoral and Boundaries Commission (IEBC); Al Ghurair Printing and Publishing LLC & 5 others (Interested Parties); The National Super Alliance (NASA) Kenya (Ex parte Applicant) (Judicial Review 378 of 2017) [2017] KEHC 4663 (KLR) (Judicial Review) (7 July 2017) (Judgment) Explained 81 citations
6. Kenya Ports Authority v Modern Holdings [E.A] Limited [2017] KECA 293 (KLR) Explained 68 citations
7. Mutanga Tea & Coffee Company Limited v Shikara Limited & another (Civil Appeal 54 of 2014) [2015] KECA 469 (KLR) (31 July 2015) (Judgment) Mentioned 56 citations
8. Krystalline Salt Ltd v Kenya Revenue Authority (Judicial Review 359 of 2018) [2019] KEHC 6939 (KLR) (Judicial Review) (10 June 2019) (Ruling) Explained 37 citations
9. Keroche Industries Ltd v Kenya Revenue Authority & 5 others (Miscellaneous Civil Application 743 of 2006) [2007] KEHC 3680 (KLR) (6 July 2007) (Judgment) Mentioned 36 citations
10. Rich Productions Limited v Kenya Pipeline Company & another [2014] KEHC 4539 (KLR) Explained 22 citations
Act 7
1. Constitution of Kenya Interpreted 45099 citations
2. Civil Procedure Act Interpreted 30920 citations
3. Fair Administrative Action Act Interpreted 3276 citations
4. Law Reform Act Interpreted 2214 citations
5. Kenya Information and Communications Act Interpreted 683 citations
6. Data Protection Act Interpreted 180 citations
7. Capital Markets Act Cited 126 citations
Legal Notice 5
1. Civil Procedure Rules Interpreted 5088 citations
2. The Data Protection (Complaints Handling Procedure and Enforcement) Regulations Cited 7 citations
3. The Data Protection (General) Regulations Interpreted 5 citations
4. The Data Protection (Registration of Data Controllers and Data Processors) Regulations Interpreted 1 citation
5. The Kenya Information and Communications (Importation, Type Approval and Distribution of Communications Equipment) Regulations Interpreted 1 citation

Documents citing this one 0