The High Court has ruled that Worldcoin’s collection of Kenyans’ biometric data was unconstitutional, ordering the company to erase all such data under the watch of the Office of the Data Protection Commissioner (ODPC).

In a judgement delivered on Monday, the court found that Worldcoin, a global cryptocurrency and digital identity platform, failed to conduct a mandatory Data Protection Impact Assessment (DPIA) and did not register as a data processor before launching its data collection activities in Kenya.

The court barred Worldcoin from further processing biometric data without first carrying out a DPIA or obtaining valid user consent.

According to the ruling, Worldcoin must now delete all biometric data it gathered unlawfully using its iris-scanning orb devices.

The ODPC has been tasked to oversee the deletion process to ensure compliance with Kenyan law.

Read More

  1. Sh13.6 billion lifeline for Kwa Jomvu–Mariakani road as upgrade begins
  2. Zuku to pay former client Sh500,000 for spamming him with promotional texts
  3. CBK seeks global coin minting tenders in its push for transparency in procurement

This judgement follows months of legal battles led by ICJ Kenya, Katiba Institute, and the ODPC, who filed a petition accusing Worldcoin of violating Kenyans’ rights by collecting and transferring sensitive personal data without proper safeguards.

The petitioners argued that the absence of a DPIA left citizens vulnerable to data breaches, identity theft, and misuse of their immutable biometric identifiers.

Worldcoin entered the Kenyan market by offering cryptocurrency worth about Sh7,150 (converted from USD 55) in exchange for users’ iris scans and facial data.

The project operates across multiple jurisdictions, including the Cayman Islands, Virgin Islands, and Kenya, complicating the enforcement of Kenya’s data protection laws.

Globally, Worldcoin has faced mounting regulatory pressure.

Spain banned its iris data collection in March 2024, Brazil followed with a ban in January 2025, and South Korea fined the company in September 2024 for transferring sensitive data without consent.

Germany, in December 2024, ordered the deletion of data collected in violation of its privacy laws.

The petitioners had also called on the court to direct the government to publish clear guidelines on the commercial use of personal data in Kenya within 12 months to strengthen regulatory oversight.

The ruling has been seen by local rights groups as a pivotal moment for data privacy enforcement in Kenya, reinforcing the country’s commitment to safeguarding citizens’ personal information as digital technologies expand.