Data breach: Kassait under fire over WorldCoin registration debacle

Data Commissioner Immaculate Kassait when she appeared before the National Assembly's Communication ,Information and Innovation committee over the WorldCoin data mining saga on  August 15, 2023. [Elvis Ogina,Standard]

Members of Parliament have faulted Data Commissioner Immaculate Kassait for registering controversial cryptocurrency WorldCoin.

The MPs, drawn from the National Assembly’s ad-hoc committee of inquiry into the WorldCoin controversy, wondered how the data commissioner could have certified the entity to mine biometric data from Kenyans despite not being registered in the country.

Tools for Humanity, WorldCoin’s parent firm, was registered in April this year as a data controller and processor by the Office of the Data Commissioner (ODC).

But neither the company nor its subsidiary WorldCoin had been registered under the Company’s Act by the Business Registration Service (BRS), a body falling under the Office of the Attorney General (OAG).

Attorney General Justin Muturi told the Narok West MP Gabriel Tongoyo-led committee that Tools for Humanity ought to have furnished the data commissioner with establishment documents before it’s registration as a data controller and processor.

“The law states that a foreign company shall not carry out business in Kenya unless it is registered,” Mr Muturi said, admitting inadequacies in law that complicate the regulation of cryptocurrency operators.

The law prescribes a fine not exceeding Sh5 million for foreign companies convicted of operating illegally in Kenya. But Muturi noted that Sense Marketing, a firm owned by a Kevin Odumbe and associated with WorldCoin, was duly registered in 2013 by the BRS.

Principal State Counsel Karen Ndegwa said the State Law Office could not establish a nexus between Sense, Tools for Humanity and WorldCoin, even as she revealed that Sense was registered with a “wide object clause”.

“It was registered in the previous law regime and could be in business for anything that is legal. But cryptocurrency was nascent in 2014. I doubt it was among the businesses in the memorandum of association,” she said.

The Data Protection Act defines a data controller as “a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purpose and means of processing of personal data”.

“Data processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the data controller,” the Act adds. Kassait is among the witnesses expected to appear before the committee over the WorldCoin controversy.

Officials from the OAG were hard-pressed to explain how WorldCoin had carried out its activities unhindered despite its “illegal” status and essentially blamed Kassait for failing to conduct sufficient due diligence on the cryptocurrency platform.

“The business that is currently under investigation is data mining. The data commissioner cannot register a company to do data mining unless it is registered in Kenya,” said Homa Bay Town MP Peter Kaluma, citing regulations he argued instructed the ODC to ensure the company’s registration status.