Katiba v Tools for Humanity and others is Kenya’s landmark High Court decision on biometric privacy. Worldcoin-linked entities violated Kenya’s Data Protection Act by collecting iris and facial scans in exchange for cryptocurrency. The court halted the project and ordered the destruction of biometric records. This case signifies the strict enforcement of data protection standards in Kenya.

Who should care about the judgment and why?

This judgment impacts a wide range of individuals and entities, both within Kenya and internationally. Data subjects must stay vigilant when using biometric imaging devices and disclosing their personal or sensitive information.

This case delivers a strong warning to organisations handling biometric data, highlighting the legal risk of inadequate privacy safeguards. Companies collecting personal data across borders, especially with incentives, must comply with local data protection laws. Regulators will act against non-compliance, halting operations and imposing fines or jail time.

What could you do about it?

  • Conduct a data protection impact assessment (DPIA) before initiating any high-risk data processing activities.
  • Strengthen consent mechanisms to ensure informed and voluntary consent. Avoid relying on financial or other coercive incentives to collect or process personal information.
  • Register your organisation as a data controller or processor with the local data protection authority.
  • Secure cross-border data transfers with adequate technical and organisational safeguards. Ensure that you have the correct data sharing and transfer agreements in place, and that the country you are transferring data to has equivalent measures.
  • Engage proactively with data protection regulators to avoid non-compliance and enforcement actions.

Our insights on the judgment

  • You cannot “buy” biometric consent. The court held that consent loses its legal basis when a company offers a meaningful reward (in this case, cryptocurrency) as a condition for providing sensitive data. Any organisation that gathers biometric data or other high-risk data should therefore remove financial carrots, unbundle each processing purpose, and provide a genuine opt-out that carries no penalty.
  • High-risk processing demands visible governance. The Data Commissioner in Kenya expects detailed records (such as the results of the DPIA) before an organisation launches or even tests a biometric system. DPIAs, local registration and cross-border transfer assessments are not box-ticking exercises. Tech companies and their corporate customers should embed these checks into their project milestones and treat them as pre-deployment blockers, not retrospective clean-ups.
  • Public-interest scrutiny extends to private tech projects. The court accepted that the large-scale collection and processing of biometric data raises public law concerns. This means NGOs and trade unions can challenge questionable data practices without waiting for individual data subjects to complain. If your organisation’s product uses biometrics at scale, be prepared to justify every step of your compliance programme in court.

Digest

Facts

Worldcoin, through its parent company, Tools for Humanity and related entities, began operations in Kenya in 2022. It enrolled over 300,000 people by scanning their irises and faces with the “Orb”, a silver biometric scanner. In exchange, each person received cryptocurrency worth 7,000 Kenyan Shillings (KES).

This large-scale biometric data collection raised serious privacy concerns. Katiba Institute, along with other human rights groups, challenged the operation in court. They argued that Worldcoin failed to conduct a mandatory DPIA under the Data Protection Act. They also said the consent was not valid because people were influenced by the offer of free crypto rather than making a clear, informed decision. Further concerns included that some of the Worldcoin-linked entities were not registered as data controllers with the Office of the Data Protection Commissioner (ODPC). The applicants also raised claims that the biometric data was sent out of Kenya without proper legal safeguards or approval from the ODPC. The applicants argued that these actions violated both the Data Protection Act and the constitutional right to privacy.

Reasoning

The court agreed with the applicants and found Worldcoin’s biometric data harvesting to be unlawful. The court held that the respondents violated multiple provisions of the Act by processing sensitive personal data without obtaining informed consent, failing to conduct a Data Protection Impact Assessment (DPIA), and disregarding Kenya’s regulatory controls. As a result, the court ordered an immediate stop to the data collection program and imposed strict remedial measures to address the violations. In essence, the court made it clear that Worldcoin’s operations in Kenya had no lawful basis and could not continue in their then-current form.

Order

  • The court issues an order restraining the respondents and their affiliates from further collecting or processing biometric data in Kenya unless they comply with all the required safeguards.
  • The court retroactively nullifies all prior biometric data collection in Kenya, thereby invalidating any past authorisation for Worldcoin’s data harvesting.
  • The court issues an order of mandamus compelling the Worldcoin entities to permanently delete all biometric data collected from the Kenyan residents. This deletion must occur within seven days of the judgment and under the supervision of the Data Protection Commissioner.

Details of Katiba v Tools for Humanity and others

  • Universal citation: [2025] KEHC 5629 (KLR) 
  • Case number: Judicial Review Application E119 of 2023
  • Full name: Republic v Tools for Humanity Corporation (US) & 8 others; Katiba Institute & 4 others (Exparte Applicants); Data Privacy & Governance Society of Kenya (Interested Party) [2025] KEHC 5629 (KLR)