The High Court of Kenya has ruled against Worldcoin Foundation and ordered the company to delete all biometric data it collected from Kenyan citizens. The decision follows a petition by Katiba Institute, a civil society organisation that questioned Worldcoin’s data practices.
According to the court, Worldcoin breached Kenya’s Data Protection Act, 2019 by collecting sensitive biometric data – including iris scans and facial information – without conducting a Data Protection Impact Assessment (DPIA. Justice Roselyne Aburili who presided over the case noted that this was a breach of the country’s privacy laws.
Crucially the court found that the company’s method of obtaining user consent – by offering cryptocurrency incentives – was unlawful and invalid, describing it as consent obtained through inducement rather than informed and voluntary agreement.
The court ordered:
All prior approvals that allowed Worldcoin to process personal data in Kenya be invalidated.
No further collection of biometric data by the company unless it does a DPIA.
Worldcoin to delete all data collected within seven days under the supervision of the Office of the Data Protection Commissioner (ODPC).
This ruling will send shockwaves across the tech industry especially for international companies looking to expand into African markets. It shows Kenya’s commitment to upholding digital rights and personal data privacy and that even global players must be accountable to local laws.
As the regulatory heat intensifies, businesses operating in Kenya or planning to must comply with the Data Protection Act or face similar consequences.