Cryptocurrency entity WorldCoin did not need a licence to operate as a business in Kenya to be registered as a data controller, a parliamentary committee has heard.
The Office of the Data Protection Commissioner (ODPC) yesterday said there was no law that required WorldCoin to be registered under the Companies Act, citing it as a legal gap that needed to be addressed.
Data Protection Commissioner Immaculate Kassait further told the National Assembly ad-hoc committee of inquiry into the WorldCoin controversy that her office suspended the firm's activities for violating Kenya's data laws.
Defending the ODPC against claims of "reacting" to public outcry as opposed to conducting due diligence, Kassait said that she flagged WorldCoin's activities in April last year after learning they had been operating without approvals.
The said alarm, Kassait added, was raised by American media outlet BuzzNews which she said wrote to it inquiring about WorldCoin's collection of personal data.
Her office would write to Tools for Humanity (TFH), the parent firm, over the breach, a move she said saw them seek a registration certificate to operate as a data controller and processor from the ODPC.
"I wish to point out that between April 2022 and August 2022, Worldcoin had not applied to be registered as a data controller or processor and hence the steps taken by ODPC were largely proactive measures having received information that Worldcoin was collecting personal data," she told the committee.
Kassait's office awarded TFH a two-year certificate in April this year after the firm submitted all statutory documents. "The certificate is not a license, and neither it is an endorsement by the ODPC that the entity is compliant with the law."
On Wednesday, WorldCoin executives also asserted that they did not require certification as a business to operate, saying through the collection of biometric data, their activities were limited to ensuring their users were human.
Kassait said that she later issued a notice to WorldCoin to cease operations in May this year after noticing law breaches, which she noted WorldCoin ignored.
She said that the firm was collecting "sensitive personal data", iris biometrics, contrary to the Data Protection Act, and that the consent sought from Kenyans did not meet the legal threshold.
"We cancelled their registration because they failed to cease operations and because they transferred data to WorldCoin Foundation, which was never registered with us," said Kassait.
She wants WorldCoin apps pulled down from all appstores operating in Kenya as she also called for a government audit of the data collected by WorldCoin.