DATA PROTECTION IN KENYA: A CASE OF WORLDCOIN
Recently, Kenya through its Ministry of Interior and Coordination of National government announced that it had suspended all activities of the iris biometric cryptocurrency project which was being conducted by Worldcoin (a company that is responsible for the platform that verifies a user’s identity by scanning their iris to create personal, secure identification codes which are saved on a decentralized blockchain which cannot be duplicated or spoofed to create false identities or engage in fraud). This follows a series of reports revealing that regulators from various countries have launched investigations on Worldcoin and how it collects and stores highly sensitive personal data.
Whereas Worldcoin claims that it is a digital identification platform that aims to provide each person on earth with a convenient way to verify that they are real human and not a bot or an AI algorithm. Questions have arisen as to the security and privacy of the sensitive personal data being collected by the entity. The constitution of Kenya, 2010 guarantees every citizen the right to privacy under article 31. The Data protection Act, 2019 also establishes the office of Data protection Commissioner (ODPC) and tasks the office with the responsibility of exercising oversight on data processing operations, either on its own motion or at the request of a data subject and verify whether the processing of data is done in accordance with the law.
The question that remains to be answered is what is the effect of registration as a Data controller or Processor?
Whereas Worldcoin is registered as a Data processor with the ODPC office, the registration does not give it freedom to process personal data outside the scope of the law. That is to say, in consideration of the rights of Data subjects. Data subjects have the following rights in relation to their personal data:
• Right to be informed of the use to which their personal data is to be put;
• Right to access their personal data in custody of data controller or data processor;
• Right to object to the processing of all or part of their personal data;
• Right to correction of false or misleading data; and
• Right to deletion of false or misleading data about them.
In the case of Worldcoin, it was not clear as to the use of personal data that was being collected, it was not clear where the information was being stored and how Data subject could access their personal data, it was also not clear how data subject could lodge complaint or requests for rectification of their personal Data. However, it was also a concern how Worlcoin got registered with ODPC given that as a matter of requirement for every applicant, there needs to be such safeguard measures being minimum requirements so as to be issued with a certificate. It is therefore a matter of all stakeholders to review and check if there exist any loophole in the Data protection laws in Kenya.
At A.O.WANGA ADVOCATES we are happy to assist you in all your Data protection concerns in Kenya.
All rights reserved for A.O.WANGA ADVOCATES
www.aowangaadvocates.com