Africa's New Blue Ocean. See our 2023 outlook. Download PDF

Blog

Privacy Compliance or Breach? High Court weighs in on the importance of proper Consent Mechanisms and Data Protection impact assessments

The Data Protection Act, (Cap. 411C), Laws of Kenya (the Data Protection Act), under Section 41, requires data controllers and processors (data handlers) to implement appropriate organisational and technical safeguards to protect the right to privacy. This obligation is known as data protection by design and by default. “By design” connotes that data protection principles should be considered from the outset when developing any data processing activity, while “by default” means the highest privacy standards apply automatically to all such activities.

Data protection by design and by default may involve conducting a Data Protection Impact Assessment (DPIA) to identify and mitigate risks associated with a processing activity. It may also entail assessing whether appropriate measures exist before transferring personal data to another jurisdiction, or whether consent obtained from data subjects meets the threshold under the Data Protection Act. Overall, data protection by design and by default ensures that data handlers achieve their objectives in the least privacy-intrusive way possible.

Enter the now infamous Worldcoin Project fiasco, which propelled concerns about data protection in Kenya into a frenzy. The Applicants in Republic v. Tools for Humanity Corporation (US) & 8 others; Katiba Institute & 4 others (Ex parte Applicants); Data Privacy & Governance Society of Kenya (Interested Party) [2025] eKLR applied for judicial review Orders to prohibit the data handlers therein from processing biometric personal data collected from Kenyan citizens without conducting a DPIA or from obtaining consent through financial inducement.

In its Judgment, the High Court considered the place of DPIAs in the data processing activities and the effect of offering financial incentives to obtain consent from data subjects.

In seeking to persuade the Court, the Applicants argued, first, that the 1st – 5th Respondents had processed biometric personal data without conducting an adequate DPIA. Second, they contended that although the said Respondents had obtained consent from data subjects, such consent was induced through financial incentives in the form of cryptocurrency tokens. Finally, they argued that the cross-border data transfers by 1st – 5th Respondents were contrary to the procedures prescribed under the Data Protection Act and its subsidiary legislation.

 

Implications of the Judgment to Data Handlers

  1. When should a data handler conduct a DPIA?

    The Court was tasked with determining whether the 1st – 5th Respondents were required to conduct a DPIA under Section 31 of the Data Protection Act, following their decision to process the biometric details of data subjects, that is, their iris and facial scans, which constitute sensitive personal data requiring a higher degree of protection due to their very nature. The Court found that the 1st – 5th Respondents had not carried out a DPIA prior to processing the biometric personal data, in contravention of the Data Protection Act. Consequently, the Court, inter alia, prohibited any further processing of biometric personal data collected in Kenya for the Worldcoin Project without first undertaking a DPIA.It is noteworthy that the Office of the Data Protection Commissioner (ODPC), in its Guidance Note on DPIAs (the DPIA Guidance Note), describes a DPIA as an accountability tool that enables data handlers to identify, assess, and mitigate risks to the rights and freedoms of data subjects during data processing activities. This begs the question, what constitutes an adequate DPIA, and when should a data handler carry out one?

    Section 31 of the Data Protection Act and regulation 49 of the Data Protection (General) Regulations provide a checklist that data handlers should consider when assessing whether to carry out a DPIA. For any data processing exercise that is likely to pose a high risk to the rights and freedoms of data subjects, a data handler is required to conduct a DPIA and submit a DPIA report sixty (60) days before processing personal data.

    Additionally, regulation 49 of the Data Protection (General) Regulations exhaustively enumerates high-risk instances in which a data handler is required to conduct a DPIA. Some of these high-risk instances include where – a) personal data collected on a large-scale is used for a purpose different from the original purpose; b) biometric or genetic data is processed; and c) there is large scale processing of personal data.

    DPIAs, therefore, enable data handlers to assess whether a data processing activity poses high-level risks to data subjects and to determine the safeguards necessary to mitigate such risks.

    In delving deeper into what constitutes an adequate DPIA, we refer to the DPIA Guidance Note for further direction. The DPIA Guidance Note provides that, for a DPIA to meet the minimum requirements of the Data Protection Act and its subsidiary legislation, it must address the amount of personal data processed; the extent of processing; the storage and accessibility of the personal data; the state of technological development available for processing; the specific risks attendant to the processing of personal data; a systematic description of the intended processing operations; the purpose of processing; the necessity and proportionality of the processing operations; the risks to the rights and freedoms of data subjects; the measures envisaged to address the identified risks; and the safe guards implemented to ensure the protection of personal data.

  2. Can a data handler incentivise a data subject to give their consent?

    The Court determined that offering cryptocurrency tokens in exchange for biometric personal data cast an aspersion on whether the consent obtained from the data subjects was valid. The Court observed that, “The use of cryptocurrency tokens to gather personal data is, in my humble view, an attempt to bypass the spirit of data protection laws by using incentives to sidestep the true essence of informed consent by luring desperate and poor Kenyans with cryptocurrency to kens.

    Regarded as the cornerstone of data protection, consent must be express, unequivocal, freely given, specific, and an informed indication of the data subject’s wishes. It should be expressed through a statement or a clear affirmative action, signifying agreement to the processing of personal data relating to that data subject.

    In examining the Worldcoin Project case, we are of the considered view that the consent sought by the 1st – 5th Respondents was invalid, not only for the reason cited by the Court, that is, that the data subjects were not informed of the data processing activity, but also because the data subjects were not given a free choice to agree to the processing. In its Guidance Note on Consent, the ODPC stipulates that, for a data handler to satisfy the element of “free” choice, a data subject must have real choice and control over their personal data, with the liberty to withdraw consent at any time. The Guidance Note on Consent provides that a data subject must not feel compelled to give consent or fear negative consequences should they exercise their right of withdrawal. In the Worldcoin Project case, it is arguable that, since the data subjects were offered a financial incentive of approximately KES 7,000 (USD 50) in cryptocurrency for their personal data, they may have felt constrained from withdrawing their consent for fear of being asked to refund the cryptocurrency.

  3. What must a data handler comply with prior to transferring personal data to another jurisdiction?

    This decision reinforces the need for data handlers to ensure that cross-border transfers of personal data comply with the provisions of the Data Protection Act and its subsidiary legislation. The Court determined that the 1st – 5th Respondents transferred personal data outside Kenya without adhering to the requirements under Section 48 of the Data Protection Act and Part VII of the Data Protection (General) Regulations, which outline the conditions under which personal data may be transferred outside Kenya.

    Before effecting a cross-border transfer of personal data, the trans fer must be based on

  • Appropriate safeguards, i.e., a binding legal instrument with the recipient or upon an assessment of the transfer exercise.
  • Adequate decision from the ODPC, which has been afforded wide latitude to determine whether the recipient country has adequate data protection measures.
  • Necessity – that the cross-border transfer is necessary to achieve the purposes outlined under Section 48 of the Data Protection Act, including the performance of a contract between the data subject and the data handler.
  • Consent – in the absence of appropriate safeguards adopted by the recipient, an adequacy decision, or necessity, the Data Protection (General) Regulations prescribe that a data subject may give their consent to the transfer upon being duly informed of the risks associated with such a transfer to their personal data

 

Conclusion

This Judgment rings true to the growing need to create a privacy-centric culture, one where data protection is by design and by default. While the Judgment underscored key areas of data protection compliance, particularly the importance of carrying out a DPIA where necessary, what amounts to valid consent, and the lawful bases for cross-border transfers, it ultimately serves as a clarion call to entities engaged in data processing activities to build with privacy compliance, not breach, in mind.