Thousands of Kenyans queued up at registration centres to get the currency tokens worth about $49. (Ksh. 7,232.40) by having their iris scanned which event sparked social conversations with the government coming under fire to explain how Worldcoin operations were allowed in the country in the first place.
The Communication Authority of Kenya raised its concerns about how the biometric data was stored, offering money in exchange for data and the issue of having public data in the hands of a private company. This prompted the ministry of interior to launch an investigation into Worldcoin and called on security services and data protection agencies to establish the authenticity and legality of Worldcoin operations in Kenya.
The Worldcoin operations took the country by storm with many skeptical of how the cryptocurrency works and where or how the universal basic income is sourced. The company claimed on its website to creating the world’s largest identity and financial network as a public utility, giving ownership to everyone and establishing universal access to the global economy regardless of country or background.
From the noted concerns, Kenya’s Office of the Data Protection Commissioner (ODPC) called for scrutiny and vigilance from the public when using Worldcoin saying the process requires “demonstration of proper safeguards under the Data Protection Act, 2019”. This was also echoed by the Capital Markets Authority (CMA) which stated its concerns about the ongoing registration and notified Kenyans that Worldcoin was not regulated in Kenya.
Given Kenyan law providing individuals the right not to have any personal information unnecessarily required or revealed, this sparked the debate surrounding Worldcoin and prompted the government to step in.
Worldcoin operations halted
Subsequently, this led to an investigation of Worldcoin operations in Kenya by the National Assembly Committee which kicked off its inquiry on 29th August, 2023. The Office of the Director of Computer and Cyber Crime revealed to the committee that since November 2022, the cryptocurrency firm had engaged 11 companies in Kenya with the Head of Cyber-security Standards and Policy warning that the collection of data collected from more than 250,000 Kenyans is not safe. This was after the platform confirming that the data collected from the iris scan will be transferred to Amazon servers based in the United States. This was highlighted to poses a great risk due to the sovereignty of the information whose safety is not guaranteed, recommending a thorough investigation.
The Committee interviewed the ODPC who confirmed that it had revoked the cryptocurrency’s firm license in June 2023 as a result of failure of the company to stop data collection despite a cessation order. Eventually, the Data Commissioner was found to have registered the firm despite raising issues on its operations. The Commissioner had raised concerns on the consent to transfer personal data, as well as impact assessment report submitted by the firm. The ICT Cabinet Secretary appeared before the ad hoc committee where a finger pointing melee was witnessed between the CS and the ODPC.
The Worldcoin saga was probed by the ODPC in collaboration with the Communications Authority of Kenya, the Central Bank of Kenya, the Ministry of ICT and the National Computer and Cybercrime coordination committee. The ad hoc parliamentary committee finally suggested that Worldcoin operators seek approval from CMA which will run tests on its products, solutions and services before rollout to the Kenyan market.
It was further agreed that all WorldApps be taken down from all App stores within Kenyan region for one year pending the approval of the company. On legal reforms, the Taskforce has mandated the ODPC to impose administrative fines on companies doing commercial activities on data collection which is a threat opt national security and the economy.
The Attorney General, Capital Markets Authority and Central Bank of Kenya have been tasked with spearheading regulations of digital assets and cryptocurrency.
In coming up with the recommendations, the team according to the ODPC established that consent obtained from Kenyans was insufficient and did not comply with provisions of the Data Protection Act.
The Worldcoin saga comes as a major test to Kenya’s preparedness to cyber threats and primarily testing the scope of our data protection laws. The saga exposed various weaknesses captured above and highlighted the need for reforms of the current data protection and cyber use regime.
It should be interesting to see Worldcoin operations return to the country and how reforms made will have aligned Kenya’s view on cryptocurrency, data protection and cyber management.