Judicial Review and Data Protection in Kenya: Analyzing the High Court’s Worldcoin Judgment

In a significant ruling concerning data privacy and the scope of judicial review in Kenya, the High Court at Nairobi recently delivered judgment in the case Republic v Tools for Humanity Corporation (US) & 8 others (Exparte Applicants). This judgment, spanning 84 pages, addresses a judicial review application brought by five applicants, including Katiba Institute and the Law Society of Kenya, against Tools for Humanity entities, Platinum De Plus Ltd, and various government regulators. The case revolved around the collection and processing of personal biometric data in Kenya by Worldcoin and its affiliates. This article delves into the core issues, arguments, and the court’s determination, providing valuable insights for legal practitioners navigating the intersection of data protection law and public interest litigation in Kenya.

The Applicants’ Case: Allegations of Data Protection Breaches

The ex parte applicants predicated their case on alleged violations of the Fair Administrative Action Act, the Law Reform Act, Civil Procedure Rules, the Data Protection Act, 2019 (DPA), and the Constitution. Their central assertion was that the 1st and 2nd Respondents, Tools for Humanity Corporation (US) and Tools for Humanity GmbH, began collecting biometric data from Kenyans in July 2023 using the Orb device without conducting a proper Data Protection Impact Assessment (DPIA), as required by Section 31 of the DPA and Regulation 49 of the Data Protection (General) Regulations, 2021. This failure, they argued, violated the right to privacy under Article 31 of the Constitution.

Further claims included that the consent obtained from data subjects was invalid because it was induced by the offer of cryptocurrency (Worldcoin tokens worth approximately Kshs 7,000/= or USD 50), contrary to the requirement for informed, specific, and freely given consent under Section 2 of the DPA and Regulations 4(3) and 4(4). The applicants contended that “the data subjects could not refuse or withdraw their consent without detriment (losing out on the Worldcoin)” and that Worldcoin “merged several purposes for collecting and processing personal data without seeking specific consent for each purpose”. They also argued that fundamental rights conferred by the Constitution cannot be waived or bought.

The applicants also faulted the 3rd to 5th Respondents (Worldcoin Foundation, World Assets Limited, and Platinum De Plus Ltd, the Kenyan agent) for failing to register as data processors or controllers in Kenya, as required by Section 18 of the DPA. They asserted that cross-border transfer of data breached Section 25 of the DPA and Article 46(1) of the GDPR due to inadequate safeguards and lack of enforceable rights for data subjects. Misleading information during registration was also alleged.

Additionally, the applicants argued that Worldcoin’s actions constituted illegality and abuse of power under Article 47(1) of the Constitution and sections 4 and 7 of the Fair Administrative Action Act. They claimed Worldcoin failed to obtain mandatory type approval for the Orb device, contrary to Regulation 3(1) of the Kenya Information and Communications Regulations, 2010. Offering cryptocurrency in exchange for data was deemed an exploitation of vulnerabilities and a violation of human dignity (Article 28) and UN Guiding Principles on Business and Human Rights. Finally, they challenged the failure of the Cabinet Secretary and the Data Protection Commissioner to issue guidelines on the commercial use of personal data under Section 37(3) of the DPA.

Based on these grounds, the applicants sought orders of prohibition, certiorari, mandamus (to compel erasure of data and issuance of guidelines), and an order directing the Data Protection Commissioner (DPC) to cancel the registration of the 1st and 2nd Respondents.

The Respondents’ Defence: Locus Standi, Exhaustion, and Procedural Technicalities

The 1st to 4th Respondents, represented by Tools for Humanity Corporation’s Chief Legal Officer, primarily challenged the applicants’ standing (locus standi) and argued that the court lacked jurisdiction because the applicants failed to exhaust the available statutory dispute resolution mechanisms with the Data Protection Commissioner. They contended that complaints should have been referred to the DPC under Section 56 of the DPA. They noted that the DPC had already initiated an investigation (ODPC Complaint No. 1394 of 2023), which led to enforcement action and the cancellation of the 1st and 2nd Respondents’ registration certificates.

On the merits, they claimed a DPIA was submitted and updated, participation was voluntary with informed consent, and no fiat currency was exchanged for data. They also asserted the Orb device did not require type approval. They argued the application was premature and issues were subject to review of the DPC’s enforcement notice.

The 5th Respondent (Platinum De Plus Ltd) echoed the arguments on locus standi (applicants not being natural persons/data subjects) and exhaustion of remedies under the DPA. They claimed their role was limited to marketing and not data collection or processing. They also argued that judicial review was not available against private entities like themselves. They disputed the necessity of a DPIA in their case and the claims regarding consent validity.

The 6th Respondent (Data Protection Commissioner – ODPC) presented a detailed account of its engagement with TFH entities dating back to March 2022. The ODPC discovered sensitive data collection and transfer and initiated inquiries. Concerns were raised about the legal basis for processing, adequacy of the DPIA, consent validity for cross-border transfers, and lack of registration. Despite directives to restrict processing, TFH US indicated they would proceed. The ODPC confirmed issuing registration certificates to TFH GmbH and TFH US in September 2022 and April 2023, respectively, after they submitted documentation. However, the ODPC later found TFH US and TFH GmbH were still processing sensitive data based on inadequate legal bases.

Crucially, the ODPC supported the applicants’ standing, arguing that its jurisdiction under Section 56 of the DPA is limited to “data subjects,” defined as “an identified or identifiable natural person,” and thus the applicants, not being natural persons, could not use the internal complaint mechanism. Therefore, the exhaustion doctrine did not apply to them. The ODPC also argued against the procedural objection on service, noting the respondents’ active participation waived any irregularity. The ODPC submitted that the 1st-5th Respondents’ actions in collecting and processing sensitive data without an adequate DPIA and with flawed consent violated the DPA and the right to privacy. The ODPC confirmed its investigation found that Platinum De Plus acted as an Orb operator and collected data, contradicting its claim of merely marketing. The ODPC argued that the consent obtained was invalid due to bundling of purposes and the financial inducement (cryptocurrency tokens), which “deprived users of the ability to freely consent”.

The 8th Respondent (Communications Authority – CA) confirmed it was unaware of the 1st to 5th Respondents’ activities prior to the suspension. It stated that no application for type approval for the Orb device was received, violating the relevant regulations. The CA noted its involvement in a multi-agency taskforce reviewing the device and the Worldcoin project. The CA agreed that the respondents violated the DPA by not conducting a DPIA and using broad consent forms.

The Court’s Analysis and Determination

The court framed the key issues as jurisdiction (locus standi and exhaustion), service upon foreign entities, availability of judicial review against private entities, and entitlement to reliefs.

1. Jurisdiction, Locus Standi, and Exhaustion of Remedies: The court agreed with the applicants and the ODPC that the exhaustion doctrine, while generally mandatory under Section 9(2) of the Fair Administrative Action Act, did not apply here. The court emphasized that the DPC’s complaint mechanism under Section 56 of the DPA is strictly limited to “data subjects,” who are defined as “an identified or identifiable natural person”. Since the applicants are not natural persons, they lacked standing to utilize this mechanism. The court held that “a party cannot be told to exhaust alternative remedies which are not available to them” and that “To do so would impede access to justice and occasion a miscarriage of justice where a statutory remedy is, in substance, unavailable”.

Drawing on Articles 22 and 258 of the Constitution and the landmark case of Mumo Matemu v. Trusted Society of Human Rights Alliance, the court affirmed the broad interpretation of locus standi in Kenya’s 2010 Constitution, which permits public interest litigation. The court stated, relying on the Mumo Matemu case: “The Constitution of Kenya, 2010 has liberalized the concept of standing. It is now enough that the person bringing the suit is acting in the public interest”. Given the case’s subject matter, which “involves the public, not just the individual data subjects…but also the potential Kenyan residents who may be motivated to submit themselves to the impugned processes,” the court found the applicants had the necessary standing. The objection was dismissed.

2. Service upon Foreign Entities: The court dismissed the 1st to 4th Respondents’ objection regarding the lack of leave to serve them outside Kenya. The court noted that the respondents, foreign entities, had authorized agents (the law firm Coulson Harney LLP) in Kenya who accepted service and actively participated in the proceedings without protest. Relying on case law (e.g., Paulina Wanza Maingi v Diamond Trust Bank Limited), the court reiterated the principle that “a party who voluntarily submits to the jurisdiction of the Court by participating in proceedings without promptly raising objections as to service of court process is deemed to have waived any such irregularities”. The court also invoked Article 159(2)(d) of the Constitution, stating, “Justice shall be administered without undue regard to procedural technicalities,” and found that insisting on rigid, age-old procedures for service abroad, especially when local agents accepted service and no prejudice was shown, would undermine substantive justice.

3. Judicial Review Against Private Entities: The court firmly rejected the 5th Respondent’s argument that judicial review orders cannot issue against a private entity. The court held that judicial review is a constitutional remedy applicable to private entities performing public functions, exercising public authority, or violating constitutional rights, particularly under the Bill of Rights. Citing Articles 20(1) & (2), 22, 23, and 165(3)(b) of the Constitution and Section 3(1) of the Fair Administrative Action Act, the court found that the Bill of Rights binds all persons, including private actors, and courts are mandated to enforce rights against both the State and private persons. The court concluded that the 1st to 5th Respondents were “culpable of violating fundamental rights and acted with illegality and procedural impropriety and irrationality and as such, the judicial orders sought by the Applicants apply to them”.

4. Entitlement to Reliefs Sought (Merits): On the substantive issues, the court agreed with the applicants and the 6th and 8th Respondents that the 1st to 5th Respondents breached multiple provisions of the Data Protection Act and Regulations and violated constitutional rights.

  • Registration: The court noted the 1st to 5th Respondents commenced data collection without first securing valid registration, contrary to Section 18 of the DPA.
  • DPIA: The court found evidence that the respondents failed to conduct a DPIA as required by Section 31 of the DPA.
  • Consent: The court found uncontroverted evidence that the offer of cryptocurrency tokens in exchange for biometric data raised concerns about the voluntary nature of consent. “The evidence supports this Court’s finding that the consents purportedly obtained from data subjects was neither free, specific, nor informed as defined under Section 2 of the Data Protection Act”. The court highlighted that bundling processing activities with incentives “clearly indicates that consents were not given freely, as the data subjects might feel they need to agree to the data collection in order to receive the reward”. This practice was deemed an attempt “to bypass the spirit of data protection laws by using incentives to sidestep the true essence of informed consent by luring desperate and poor Kenyans with cryptocurrency tokens”.
  • Cross-Border Transfer: The court found no evidence of compliance with Section 48 of the DPA regarding the transfer of personal data outside Kenya to jurisdictions with adequate protection.
  • Type Approval: The court agreed with the 8th Respondent that the use of the Orb device without obtaining type approval violated Regulation 3(1) of the KICA Regulations.

The court concluded that the 1st to 5th Respondents’ actions were unlawful and breached the constitutional right to privacy under Article 31.

The Orders Issued

Based on its findings, the court granted the following judicial review orders:

  • Prohibition: Prohibiting the 1st to 5th Respondents and their agents from further collecting, processing, or transferring biometric data collected in Kenya using the Orb without undertaking an adequate DPIA contrary to Section 31 of the DPA or using consent obtained through cryptocurrency inducement. It also prohibited the 3rd to 5th Respondents from doing so without registering as data processors or controllers.
  • Certiorari: Quashing Worldcoin’s decision to collect, process, or transfer biometric data collected in Kenya using the Orb without an adequate DPIA contrary to Section 31 of the DPA and by consent obtained through cryptocurrency inducement.
  • Mandamus: Compelling the 1st to 5th Respondents to, within 7 days, permanently erase and destroy the personal biometric data collected from Kenyan data subjects using the Orb, for having been obtained unlawfully, under the supervision of the Data Protection Commissioner.

The court declined the prayer seeking cancellation of registration certificates as it noted the ODPC had already cancelled them on 5th September 2023. The prayer compelling the Cabinet Secretary and Data Protection Commissioner to issue guidelines on the commercial use of personal data was also declined, as the 6th Respondent demonstrated efforts towards this and cited challenges requiring legislative amendments.
