Kenya’s Data Commissioner Immaculate Kassait on Wednesday, August 2 revealed that the Worldcoin Cryptocurrency Company only has a certificate from the Office of the Data Protection Commission (ODPC).
Appearing on KTN News, Kassait said the certificate is not a confirmation of compliance to the Data Protection Act (DPA) of 2019.
Further, Kassait pointed out that out of the seventy sections of the Act, the Worldcoin complied with only section 18 which focuses only on Registration.
“We have had conversations with Worldcoin in the past trying to understand what legal basis they have.
We have never at any point given them a go ahead to operate,” she said.
Further, Kassait explained there are many institutions which her office issued with certificates and recalled them after they violated the law.
“The certificate is absolutely not a licence to process sensitive data especially when you have been told to cease operation on sensitive information,” she stated.
Also Read: Kenyans Cautioned Over WorldCoin Risks
In addition, Kassait noted that the emerging issues on Artificial Intelligence require a round table discussion since some of the issues are beyond the control of ODPC.
“This process a multi-ministerial approach because data protection is one, there are other issues like clarity in terms of storage of data, cyber security, cryptocurrency which don’t fall only at the desk of the Data Commissioner and it requires as round table discussion as a country on how we can deal with these emerging issues,” she said.
According to AI Kags, Executive Director at National ICT Innovation Hub, it is only the government that has the powers to take the biometrics of citizens for the sake of identification.
“The moment a private sector entity ican collect people’s biometrics and give them a world identification or of any kind, it means that there is a governance danger, and we should pay attention,” he explained.
ODPC and CAK Worldcoin Statement
In a statement Communications Authority of Kenya (CA) and the ODPC noted several legitimate regulatory concerns on the operations of Wolrdcoin that require urgent attention.
First, the regulatory bodies stated that there is lack of clarity on the security and storage of the collected sensitive data (facial recognition and iris scans).
Further, they criticized Worldcoin for obtaining consumer (data subject) consent in exchange for monetary reward which borders on inducement.
CA and ODPC pointed out the uncertainty regarding consumer protection on cryptocurrency and related ICT services.
Moreover, they stated that it is inappropriate for massive citizen data to be in the hands of private actors without an appropriate framework.
“Controversies around Worldcoin are not new. Similar concerns have been raised in other countries such as Germany, France, the United Kingdom, and India.
Consequently, and as directed by the Government, Worldcoin must cease its data collection activities in Kenya until further notice,” read part of the statement.
Government Suspends Worldcoin
The government on Tuesday August 2, suspended operations of World Coin days after questions emerged about its digital recruitment process.
Before the intervention, Kenyans lined up in the streets to scan their eyeballs for Ksh.7,000 from the Cryptocurrency Company.
In a statement, Interior Cabinet Secretary Prof Kithure Kindiki said relevant government agencies have launched investigations into the activities of Worldo Coin, including harvesting of personal data.
“The Government is concerned by the ongoing activities of an organization calling itself ‘World Coin’ which is involved in the registration of citizens through collection of eyeball/iris data.
Relevant security, financial services and data protection agencies have commenced inquiries and investigations to establish the authenticity and legality of the aforesaid activities, the safety and protection of the data being harvested, and how the harvesters intend to use the data,” he said.
Also, it exercises oversight on data processing operations, either of own motion or at the request of a data subject and verify whether the processing of data is done in accordance with the Act.
ODPC also promotes self-regulation among data controllers and data processors.
Further, it conducts an assessment, on its own initiative of a public or private body, or at the request of a private or public body for the purpose of ascertaining whether information is processed according to the provisions of the Act or any other relevant law.
In addition, ODPC receive and investigate any complaint by any person on infringements of the rights under DPA 2019.
The Data Controller carries out inspections of public and private entities with a view to evaluating the processing of personal data.
Again, the law mandates ODPC to promote international cooperation in matters relating to data protection and ensure a country’s compliance on data protection obligations under international conventions and agreements.
It also undertakes research on developments in data processing of personal data and ensures that there is no significant risk or adverse effect of any developments on the privacy of individuals.