Lessons on data privacy from the Worldcoin project in Kenya

Findings of the ODPC in Complaint No. 1394/2023: the suo motu investigation into the operations of the Worldcoin project in Kenya

Background

Section 9(1) of the Data Protection Act 2019 provides the Office of the Data Protection Commissioner (ODPC) with the power to conduct investigations on its own initiative, or on the basis of a complaint made by a data subject or a third party. It is on this basis that the ODPC launched investigation number ODPC/INV/1394/2023 to investigate the operations of Tools for Humanity Corporation (TFH), Tools for Humanity GmbH and Worldcoin Foundation, which generated public interest through the “Worldcoin” project. This controversial project claimed that it aimed to create a globally inclusive identity and financial network, with the potential of considerably increasing economic opportunity, scaling a reliable solution for distinguishing humans from artificial intelligence online while preserving online privacy, enabling democratic processes and showing a potential path to an AI-powered universal basic income.

This would be achieved by providing a “World ID” to each person on earth, using biometric data to prevent duplication and fraud. The biometric data collected through a hardware device known as the “Orb” included iris scans, facial images, feedback and correspondence, and inferred data such as age range, skin colour and gender. The project also collected identifiable personal data such as names, email addresses, phone numbers, dates of birth, country of residence, address book contacts, geolocation, and device information. The system would be accessed through the “World App,” which served as the interface for individuals to manage and use their cryptocurrency tokens, which would constitute the basic income.

In the course of its activities in April 2022, the ODPC contacted Worldcoin, raising concerns about the collection and transfer of sensitive personal data of Kenyans. Correspondence between the ODPC and Tools for Humanity (TFH) took place between June 2022 and July 2023, and the ODPC reviewed TFH’s Data Protection Impact Assessment (DPIA), which had already been conducted. Certificates of registration as data controllers were issued to Tools for Humanity GmbH and Tools for Humanity Corporation in September 2022 and April 2023, respectively. TFH continued collecting sensitive personal data until May 2023, when the ODPC raised concerns and directed them to cease processing. TFH responded with clarification on the concerns raised by the ODPC and confirmed that they had suspended the collection of facial images and iris images from Kenyans for 14 days in June 2023. They then transferred controller responsibilities to Worldcoin Foundation.

Soon after, the Cabinet Secretary for Interior Security suspended the operations of the organization due to concerns over the secure storage of data and over the offering of cryptocurrency in exchange for consent to data collection and processing. This, in the Ministry’s opinion, “bordered on inducement”, a position which was later supported by the ODPC and the Communications Authority of Kenya in a separate statement. The Ministry also decried the inadequate information on cyber security safeguards and the placing of large amounts of private data in the hands of private businesses.

Issues for determination

In conducting the investigation, the ODPC identified the following key issues for determination:

  1. Whether TFH & Worldcoin were registered as Data Controllers in Kenya.
  2. Whether TFH and Worldcoin obtained proper Consent for the processing of sensitive personal data.
  3. Whether the transfer of personal data outside Kenya by TFH & Worldcoin was in compliance with Section 23(e) of the Data Protection (General) Regulations as read with Sections 48 and 49 and regulation 40 of the Data Protection (General) Regulations.
  4. Whether Worldcoin conducted a DPIA on the processing activities for which they were data controller as required under section 31 of the DPA as read with Regulations 49, 50 & 51 of the Data Protection (General) Regulations, 2021.

Findings of the ODPC

With regard to the first issue, the ODPC insisted that its mandate was the registration, and not the licensing, of data controllers in Kenya. It relied on the definition of registration in Black’s Law Dictionary, which provides that it is the act of recording or enrolling, and that it involves entering into a public registry. Section 18(1) of the DPA stipulates that no person can act as a data controller or data processor without being registered with the ODPC, which results in the issuance of a certificate of registration and entry into the register of data controllers and data processors. TFH successfully registered as data controllers, as confirmed by their certificates of registration. However, Worldcoin Foundation, which assumed data controller responsibility from TFH, is not registered and has therefore been in contravention of the Act since its involvement in the Worldcoin project began in July 2023.

It is interesting to note that the ODPC explicitly stated that its mandate ends at the registration of data controllers and does not extend to licensing. As long as a party meets the particulars of Section 19(2) of the DPA, the ODPC is obliged to register it. The office does not give data controllers licences or permission to operate in Kenya.

With regard to the second issue, the ODPC reiterated the elements of consent provided for in Section 2 of the DPA: it must be express, unequivocal, free, specific, and informed. This section places the burden of proof on data controllers to establish consent and allows data subjects to withdraw consent at any time. The investigation revealed that TFH relied on consent for collecting biometric data and transferring it, as a condition for receiving Worldcoin tokens. This, however, created economic influence over data subjects’ free will, which undermined the validity of the consent. Additionally, the consent mechanisms were found to be non-inclusive and out of context with Kenya’s socio-economic realities. Even though TFH attempted to address the issues, they continued processing data against the ODPC’s directive, further impeding its powers. Furthermore, third-party Orb operators played a role in compromising the validity of consent, as they facilitated the registration process, often without providing users with enough knowledge about the data storage, the cross-border data transfers or the use of their data. They thereby denied the data subjects a genuine opportunity to make informed and autonomous decisions regarding the collection of their biometric data. As a result, the consent obtained by TFH was deemed invalid for non-compliance with the DPA and the requisite regulations.

With regard to the third issue, the investigation found that Worldcoin Foundation did not meet its obligation to register as a data controller in Kenya. It also did not meet its obligation to notify data subjects of the third parties to whom their data would be transferred, and did not provide information on the safeguards adopted. TFH and Worldcoin transferred the data of Kenyan citizens to foreign countries and also placed it on the blockchain. Worldcoin Foundation did not register as a data controller and did not fulfil the requirements of Section 48 of the DPA and regulation 40 regarding the conditions that must be met for cross-border data transfers, as well as the general principles, which include the existence of appropriate safeguards, an adequacy decision by the Data Commissioner, necessity, or consent by the data subject.

It was found that TFH and Worldcoin did not fulfil the conditions for explicit consent. Consent was obtained in a way that did not meet the required standards, and the involvement of third-party Orb operators further tainted the consent process. The cross-border data transfer was therefore unlawful.

With regard to the final issue, Section 31(1) of the DPA requires that a DPIA be conducted when data processing activities pose high risks to the rights and freedoms of data subjects due to their nature, scope, context, and purposes. The DPIA report must be submitted to the ODPC at least 60 days prior to processing, as specified by Section 31(5).

The nature of the processing activities by TFH and Worldcoin necessitated the execution and submission of a DPIA 60 days before processing commenced. Despite the fact that TFH had previously submitted a DPIA for their processing operations as data controllers, the subsequent transfer of controller responsibilities to Worldcoin Foundation ought to have been accompanied by another DPIA. This was necessary to show that a set of similar processing operations presenting similar high risks existed, and that the technical and organizational measures implemented by Worldcoin Foundation were similarly designed to effectively implement the data protection principles. Failure to conduct a DPIA during the transition of controller responsibilities constituted a violation of Section 31 of the DPA.

Conclusion

This investigation by the ODPC provided a more in-depth understanding of the role of the Office, as well as further insight into its powers and responsibilities. It further shed light on the necessary standards of consent when it comes to processing sensitive personal data and to conducting cross-border data transfers. Finally, it emphasized the need to follow regulatory procedures when there is a change in data controllers. Just because one controller has successfully conducted a DPIA outlining the risks in the data processing does not mean that the new controller can rely on that DPIA; it should instead conduct its own. The investigation and its findings shed more light on the data protection regime in Kenya and on its practical application for the protection of the rights of data subjects and the actualization of Article 31(c) and (d) of the Constitution of Kenya, 2010.

Date: November 3, 2023 By: Anne Gathirwa

For more insights pertaining to this matter, you can reach the writer at annegathirwalaw@gmail.com. You can also contact us at MMS Advocates, Lower Duplex Apartments, Lower Hill Road, or email us at info@mmsadvocates.co.ke