Kenya: High Court Orders Worldcoin to Halt Biometric Data Collection and Processing

In a landmark decision reaffirming the importance of data protection, the High Court of Kenya has ordered Worldcoin and its affiliated entities to cease all collection, processing, and transfer of biometric data within the country. This ruling comes after months of scrutiny over the company’s practices involving iris scans in exchange for cryptocurrency tokens.

A Breach of Kenya’s Data Protection Act

At the heart of the court’s decision is Worldcoin’s failure to comply with critical provisions of Kenya’s Data Protection Act, 2019. The court found three major violations:

1) Absence of a Data Protection Impact Assessment (DPIA):

Worldcoin conducted large-scale biometric data processing without submitting a DPIA, a legal requirement for high-risk data activities under Kenyan law. A DPIA evaluates the risks posed to individuals and outlines measures to mitigate them, especially when sensitive data such as biometrics is involved.

2) Consent Obtained Through Inducement:

The court ruled that the so-called "consent" collected by Worldcoin was invalid because it was influenced by the offer of free tokens. That practice compromised the element of free will, a cornerstone of lawful consent under data protection principles.

3) Unlawful Cross-Border Data Transfers:

Biometric data was reportedly transferred outside Kenya without implementing adequate legal safeguards or obtaining approval from the Office of the Data Protection Commissioner (ODPC), further breaching data localization and international transfer regulations.

What the Court Ordered

The High Court's directive is clear and firm:

  • Immediate suspension of all biometric data collection, processing, and transfers.
  • Erasure of all biometric data collected within Kenya within seven days of the ruling.
  • Compliance with all legal requirements, including a proper DPIA and valid consent, before any resumption of operations.

Why This Matters: Broader Implications

1) Reinforcing Regulatory Oversight

This ruling demonstrates the Kenyan judiciary’s willingness to hold powerful tech companies accountable and uphold citizens' digital rights.

2) Setting a Regional Precedent

Among Africa's data privacy laws, Kenya’s DPA is seen as a model for other nations. This case could influence future regulatory actions in Nigeria, South Africa, Ghana, and other countries where Worldcoin or similar projects are active.

3) Highlighting Ethical Tech Deployment

The case highlights the ethical dilemma of offering financial rewards in exchange for sensitive data in economically disadvantaged communities, raising questions about informed consent, data exploitation, and digital colonialism.

A Wake-Up Call for Tech Companies

This ruling sets a significant precedent not just in Kenya, but across emerging markets where tech companies are increasingly collecting sensitive personal data. It reinforces that innovation must not outpace legal and ethical responsibilities.

Kenya’s judgment echoes the global shift toward responsible data governance, a reminder that even in rapidly evolving fields like cryptocurrency and AI, fundamental rights to privacy cannot be ignored.

What Should Businesses Learn from This?

Tech companies operating in emerging markets must:

  • Conduct DPIAs before launching data-driven projects.
  • Avoid consent practices that rely on inducement, especially in vulnerable communities.
  • Implement cross-border safeguards when transferring personal data internationally.

Importance of Transfer Impact Assessment (TIA)

  • Risk Identification: Helps identify risks related to government surveillance, weak legal safeguards, or potential data breaches.
  • Business Continuity: Ensures cross-border data transfers remain lawful, avoiding operational disruptions.
  • Accountability & Transparency: Demonstrates responsible data handling, building trust with regulators and customers.

Engage local data protection authorities to ensure legal and cultural compliance.

Final Thoughts

Worldcoin's suspension in Kenya sends a powerful message: compliance with data protection laws is non-negotiable. Organizations, especially those handling sensitive biometrics, must prioritize transparency, user autonomy, and risk mitigation. This case also highlights the growing assertiveness of regulators and courts in Africa in safeguarding digital rights.

As countries continue to develop their data protection frameworks, businesses must ensure that their operations are not just technologically innovative but also legally sound and ethically grounded.

How Ardent Privacy Helps

Ardent Privacy offers end-to-end solutions that help organizations comply with data protection laws like Kenya’s Data Protection Act. With Ardent’s TurtleShield platform, businesses can perform automated Data Protection Impact Assessments (DPIAs), manage consent intelligently, and monitor cross-border data to ensure compliance. Ardent also provides real-time risk visibility and audit trails, enabling organizations to detect unlawful processing, validate consent mechanisms, and securely handle sensitive data such as biometrics, all in one centralized platform.