Suo Motu Investigation into Worldcoin Project Operations in Kenya
1. Introduction
This case involves a comprehensive investigation by the Office of the Data Protection Commissioner into the operations of Tools for Humanity Corporation, Tools for Humanity GmbH, and Worldcoin Foundation under the Worldcoin Project in Kenya. The investigation focused on the collection and processing of biometric and other personal data from Kenyan citizens.
Table of Contents
2. Nature of Investigation
The investigation examined:
- Collection and processing of biometric data (iris scans and facial images) from Kenyan citizens
- Transfer of sensitive personal data outside Kenya
- Consent mechanisms for data collection
- Compliance with registration requirements as data controllers
- Conduct of Data Protection Impact Assessments
3. Key Findings
Data Collection Practices
- Worldcoin collected iris scans, facial images, names, contact details, and other personal data from approximately 508,569 Kenyans
- Data was stored in various international locations including the US, EU, and South Africa
- Continued data processing despite cease-and-desist orders from ODPC
Consent Mechanisms
- Consent was obtained through offering cryptocurrency rewards, creating potential coercion
- Operators frequently assisted users in accepting terms without proper explanation
- Consent forms were complex and not appropriately adapted for Kenyan context
Regulatory Compliance
- Worldcoin Foundation operated as unregistered data controller
- Inadequate safeguards for international data transfers
- Failure to conduct proper Data Protection Impact Assessment for all project phases
4. Issues for Determination
- Whether respondents were properly registered as data controllers
- Whether valid consent was obtained for processing sensitive personal data
- Whether international data transfers complied with Kenyan law
- Whether proper Data Protection Impact Assessments were conducted
- Whether respondents continued processing data despite regulatory orders
5. Final Determination
The Data Commissioner found:
- Worldcoin Foundation operated as unregistered data controller in violation of Section 18(1) of the Act
- Consent mechanisms were invalid due to economic inducement and inadequate information
- International data transfers lacked proper safeguards and authorization
- Incomplete Data Protection Impact Assessments conducted
- Continued processing of data despite regulatory orders
Orders:
- Tools for Humanity Corporation and Tools for Humanity GmbH found liable for violations
- Enforcement Notice issued against all respondents
- 12-month suspension of Worldcoin operations in Kenya
- Cancellation of TFH registration certificates
- Parties retain right to appeal
6. Significance and Impact
Biometric Data Protection
- Sets precedent for handling of biometric data collection projects
- Establishes requirements for proper consent in biometric systems
Cryptocurrency and Data
- Clarifies boundaries between cryptocurrency offerings and data collection
- Addresses concerns about economic inducement for sensitive data
International Data Transfers
- Reinforces requirements for cross-border data transfers
- Highlights need for proper documentation of data storage locations
Regulatory Enforcement
- Demonstrates ODPC’s authority to conduct suo motu investigations
- Shows consequences for non-compliance with regulatory orders
Broader Impact: This case establishes important precedents for handling large-scale biometric data collection projects, particularly those involving cryptocurrency incentives and international data flows. It underscores the need for proper regulatory compliance and data subject protections in emerging digital identity systems.
For full determination, click 🗃️
