On 5th May 2025, the High Court of Kenya delivered its judgment in Judicial Review Application No. E119 of 2023 – Republic v Tools for Humanity Corporation & Others (Ex-Parte Katiba Institute & Others), effectively declaring that the operations of Worldcoin and its affiliates in Kenya had contravened Constitutional and Data Protection laws, and granted a series of judicial review orders aimed at halting the unlawful processing of sensitive personal data. We had the privilege of representing the Communications Authority of Kenya, the 8th Respondent in the proceedings.
Background.
The ex-parte Applicants filed this suit challenging the operations of the 1st to 5th Respondents (Worldcoin and its affiliates) in Kenya. The Applicants stated that the Respondents had engaged in the collection, processing, and handling of sensitive personal data belonging to Kenyan citizens in a manner that violated Constitutional guarantees and the provisions of the Data Protection Act, 2019. At the heart of the dispute were concerns around the lack of informed consent, absence of proper regulatory compliance (including registration as data controllers or processors), and failure to conduct mandatory Data Protection Impact Assessments prior to deploying biometric data collection tools in the country.
The 1st to 5th Respondents argued that the Applicants lacked locus standi as they were not data subjects; that the doctrine of exhaustion applied, requiring the Applicants to first lodge a complaint with the Office of the Data Protection Commissioner (ODPC); that service upon them was improper; and that judicial review was inapplicable to them as private entities.
Key takeaways from the Court’s determination:
- Whether the complaints mechanisms under the Data Protection Act apply to legal persons.
One of the issues raised by the 1st to 5th Respondents was the jurisdiction of the Court to hear the judicial review application. The Respondents argued that the Court lacked jurisdiction on account of the doctrine of exhaustion. The Respondents stated that the applicants failed to exhaust their administrative remedies with the Office of the Data Protection Commissioner (ODPC).
The court observed that the Data Protection Act’s complaints mechanism is designed only for natural persons (described as data subjects), and therefore not available to the ex parte Applicant organizations acting in the public interest. It also referenced Articles 22 and 258 of the Constitution, which allowed any person, including public interest litigants, to approach the court for enforcement of constitutional rights.
The Court held that legal persons do not fall within the definition of data subjects and cannot lodge complaints under Section 56 of the Data Protection Act. Accordingly, the doctrine of exhaustion was held not to apply, as the ex parte Applicants, being legal persons, had no recourse through the Office of the Data Protection Commissioner.
- Whether Worldcoin’s practices complied with the statutory requirements for processing sensitive personal data
The Court held that Worldcoin’s process of collecting sensitive personal data was marred by illegality, irrationality, and procedural impropriety.
It found that the 1st to 4th Respondents had been processing sensitive data without a legally recognized basis, in violation of Section 30 of the Data Protection Act (DPA). Furthermore, the Respondents failed to conduct a mandatory Data Protection Impact Assessment (DPIA), as required under Section 31 of the DPA.
The Court also found that the consent obtained by Worldcoin was neither fully informed nor freely given. It noted that consent was induced through monetary incentives in the form of cryptocurrency tokens. Additionally, the consent process was primarily conducted in English, a language not fluently spoken by a significant portion of the Kenyan population, thereby hindering participants’ understanding of the terms and implications related to the collection of their sensitive personal data.
Moreover, the Court held that the Respondents failed to ensure that the consents obtained were valid for multiple data processing requests, contrary to Regulation 4(3)(c) of the Data Protection (General) Regulations, 2021.
Orders
Having found that Worldcoin and its affiliates were in violation, the court proceeded to grant the judicial review orders as follows:
- A Judicial Review Order of Prohibition was issued, restraining Worldcoin and its affiliates from further collecting, processing, or transferring biometric data using the Orb device in Kenya unless a valid Data Protection Impact Assessment (DPIA) is undertaken in compliance with Section 31 of the Data Protection Act, 2019; consent is obtained without inducement; and the offending Respondents are properly registered as data controllers or processors in Kenya.
- A Judicial Review Order of Certiorari was granted, effectively quashing the offending Respondents’ decision to collect and process biometric data in Kenya using the Orb, as it was undertaken without a lawful or adequate DPIA and through consent obtained by inducement.
- A Judicial Review Order of Mandamus was issued, compelling the offending Respondents to permanently erase and destroy all biometric data collected from Kenyan data subjects using the Orb within seven (7) days, under the supervision of the Data Protection Commissioner.
Conclusion
This judgment reinforces the necessity for organizations operating in Kenya to adhere strictly to data protection laws, ensuring that consent for data collection is obtained through transparent, comprehensible, and voluntary means. The decision sets a precedent for the enforcement of data privacy rights and underscores the importance of respecting individuals’ autonomy in the digital age.
This alert is for information purposes only and is provided for general purposes only and does not constitute legal advice. Should you have any questions or need legal advice, please contact us on info@jkkibicho.co.ke.
Contributors:
Susan Rigaga – Principal Associate
Docxl Oguta – Trainee Advocate

