Kenyans who scanned their irises for Sh,7000 may have a reason to worry as fresh details filed before the High Court indicate that the firms behind the exercise are not registered as data controllers or processors.
The case filed before Justice Jairus Ngaah now raises questions about how the government let Kenyans troop to scan their irises as the fine print of the agreement that Worldcoin had for Kenyans’ data is rather an e-atomic bomb.
One of the curious but shocking revelations before the court is that by Kenyans agreeing to have their irises scanned, they signed an agreement that in case of a dispute, they can only pursue the firms behind the project outside Kenya.
The privacy agreement filed before Justice Ngaah indicates that in the fine print, Worldcoin has a clause on data transfer, which disclosed that the data could be transferred outside Kenya.
Further, it also indicates that the information could be shared to specialist software developers, legal specialists, tax advisors, banks, law enforcement officials, or other third parties.
“If the processing of personal data is based on your consent, you are entitled under Arti. 7 GDPR to revoke your consent to the use of your personal data at any time with effect for the future, whereby the revocation is just as easy to declare as the consent itself. Please note that the revocation only takes effect in the future. Processing that took place before the revocation is not affected,” the document continues.
It also reads that the data captured can only be deleted after two years of inactivity.
However, the information stored on blockchain is not guaranteed to be foolproof.
“Blockchains are decentralized third-party networks that we do not control or operate. Due to the public and immutable nature of blockchain technology, we cannot amend, erase, or control the disclosure of data that is stored on blockchains,” the deal reads.
Nevertheless, the agreement also states that Worldcoin could share the personal data it collected with or during negotiations concerning any merger or sale of company assets, financing, or acquisition of all or a portion of its business.
Those who shared their data also gave away their right to have their information shared with Worldcoin lawyers or other professional advisors to obtain advice or the protect and manage its business.
Blockchains are public ledgers of transactions that are maintained on decentralised networks operated by third parties that are not controlled or operated by Worldcoin.
From the case, it has emerged that the mother company - Worldcoin Foundation - is based in Cayman Island while its subsidiary that issues Worldcoin tokens is based in the Virgin Islands.
Cayman and the British Virgin Islands are known for being tax evasion and money laundering havens.
The details are contained in a case filed by the Law Society of Kenya (LSK), Katiba Institute, Kenya Human Rights Commission (KHRC), International Commission of Jurists (ICJ) Kenya, and Africa Center For Open Governance Society of Kenya (Africog).
According to lawyer Dudley Ochiel, the other firms in the Worldcoin technology project- Tools for Humanity Corporation (US) and Tools for Humanity GmbH (Germany) are only registered as data controllers.
He states that the processing therefore is supposed to be done by other persons. Judge Ngaah heard that the Worldcoin Foundation holds the patents to the Orb technology and all user data and issues all Worldcoin tokens through its subsidiary World Assets Limited.
However, Ochiel argues that the Worldcoin Foundation is not registered as a data controller or data processor in Kenya.
At the same time, he says that Platinum De Plus Limited, the local agent contracted by Worldcoin is also not registered.
The lobbies accuse Worldcoin of dangling money to Kenyans in order to get the data. Lawyer Ochiel argues that consent cannot be obtained on the promise of money or a gift.
“Worldcoin exploited data subjects’ autonomy, needs, and vulnerability by inducing them with cryptocurrency payment.
“This inducement violated the data subject’s right to dignity under Article 28 of the Constitution,” says Ochiel.
Justice Ngaah has barred the firms from collecting, processing, or transferring data collected in Kenya without conducting a data protection impact assessment and without the firms registering as data controllers and processors in Kenya.
At the same time, the Judge ordered ICT Cabinet Secretary Eliud Owalo, in consultation with the Data Commissioner to formulate practice guidelines for the commercial use of personal data in Kenya and file the same within 12 months.