Last week, there were reports that over 350,000 Kenyans had enrolled on Worldcoin, a cryptocurrency company collecting iris data.
Worldcoin intends to be the world’s most prominent identity and financial public network, open to everyone regardless of country, background or economic status.
So far, its website claims to have enrolled 2.18 million people. Although the Ministry of Interior suspended data collection pending an assessment by the government, the State’s initial response was mixed at Cabinet and regulator levels, with the ICT ministry on Tuesday endorsing it whilst Foreign Affairs and Interior denounced it.
In a joint statement, the Communications Authority of Kenya (CAK) and the Office of the Data Protection Commissioner (ODPC) raised concerns regarding security and storage and uncertainty and lack of information on consumer protection.
Iris imaging, among other biometric data sets, is sensitive because they are personal data resulting from specific technical processing relating to the unique physical, physiological, or behavioural characteristics of a natural person, which allows or confirms the unique identification of that natural person such as facial images or fingerprint data.
The willingness of Kenyans to hand over such sensitive data is not surprising. However, it may indicate a need for more data protection understanding by Kenyans and how one’s right to privacy, among other rights, can be negatively affected. Biometric data is highly personal and permanent, meaning that once compromised, it cannot be changed, as is the case with passwords.
Another primary concern is that the technology is not as accurate or foolproof as often suggested. For instance, many countries are rethinking and outlawing the use of facial recognition for specific applications because of the high risk of false positives, especially of minorities such as black people, who aren’t part of the training of the systems that process them.
Since Worldcoin is a foreign private entity, there may be an issue with cross-border data sharing, especially since no one is clear on whose laws would apply regarding data protection. Sharing biometric data across borders can run into legal and regulatory conflicts as different countries have varying data protection laws and standards.
This will also pose a challenge if one wants their data deleted or any other form of control of one’s data if it is in another jurisdiction. Many jurisdictions have specific regulations for handling biometric data. For instance, in Kenya, data controllers and processors are required to conduct data protection impact assessments in high-risk situations under the Data Protection Act.
To address these concerns, Kenya should ensure that personal data being collected, including biometrics, has strong security measures, obtain explicit and informed consent, minimise data retention periods, adhere to relevant regulations, and ensure transparency about data usage and storage practices.
While it has now emerged that “Tools For Humanity”, the creators of Worldcoin, are registered Data Controllers with the ODPC, several issues still need to be solved; registration with ODPC is not the only compliance demand.
While the lawful basis seemingly being used by Worldcoin for processing is ‘consent’, it is unclear whether they have obtained free and informed consent based on the lengthy consent form and the privacy notice and the lack of appreciation of data protection as a valid concern by the average Kenyan. The other side of the coin is that Kenyans have a penchant for making risky investments and decisions.
First published in The Standard on 04 Aug 2023. Kindly reproduced here with permission from The Standard.
Demas Kiprono is a human rights lawyer and a member of Amnesty International Kenya. He writes in his personal capacity. Email: [email protected]