Background

After the World Coin craze a few months ago, the National Assembly established an Ad hoc committee on August 15, 2023, to inquire into its activities and operations in the country. The committee investigated several issues that they dubbed Terms of Reference of the Inquiry, these being to:

1.     Inquire into the operations and ultimate objectives of the activities of World Coin in Kenya.
2.     Inquire into the legal and regulatory compliance of operations of World Coin and its agents in Kenya.
3.       Inquire whether due diligence was undertaken by the relevant government agencies before World Coin started its operations in Kenya.
4.       Inquire into the nature, use and safety of data collected by World Coin in Kenya.
5.       Inquire into the organisational structure and activities of World Coin.
6.       Inquire into the source of money or consideration if any paid to the members of the public who presented themselves for registration and potential beneficiaries.
7.       Inquire whether Kenyans were exposed to any health hazards because of the activities of World Coin in the country.
8.       Inquire into the legal and regulatory gaps that permitted operations of World Coin in Kenya
9.       Recommend necessary legislative intervention.

It was from these issues that the committee drew its findings and observation and made recommendations as well to bridge the disparities in the legal framework and give insight of virtual assets in Kenya henceforth.

 Legal framework

In sequestering these issues, two categories were considered: Data Protection and Virtual Assets. Data Protection is now an ongoing discussion globally, however, virtual assets may be a not-so-new phenomenon that can be described as a value that is digitally represented and can be used for payment. Whether a virtual asset is a digital asset is a discourse for another time.

The Kenyan Constitution in Article 31(c) and (d) upholds the privacy rights of the Kenyan people. The Data Protection Act was enacted to implement this Article with a bid to safeguard and regulate personal data processing. In Section 4(a), processing of the said data covers both automated or non-automated means by a data processor or controller whether based in this jurisdiction or outside the Kenyan borders.

Registration of the said data processors or controllers is governed by Section 18(2) of the Act in that there are standards to be held by considering:

1.       The nature of the industry
2.       The volumes of data processed
3.       Whether sensitive personal data is being processed
4.       Any other criteria the Data Commissioner may specify

Section 19 describes requirements that are designed to provide a comprehensive understanding of the intended data processing activities and ensure compliance with the data protection thresholds. Upon satisfaction of these requirements, the certificate of registration is awarded for a certain period. This certificate can, however, be cancelled or varied as per Section 22 and 23 of the same Act. Additionally, the Act highlights the principles of data protection and guidelines of how to collect, process, retain, rectify, erase, and transfer personal data.

Foreign countries are prohibited from conducting business in Kenya unless registered under Section 974 (1) of the Company Act while providing for the activities that entail carrying out business in the country. Such companies must have at least one local representative that meets the requirements prescribed in Section 979(1), failure to which an offense will be deemed committed. In the findings of the committee, the operations of Tools for Humanity Corporation (the company behind World Coin) had Kenyan partners such as Sense Marketing but this does not equate to a local representative.

It is also stated in the Kenya Information and Communications (Importation, Type Approval and Distribution of Communications Equipment) Regulation No. 24 that it is an offense to deal in or use communication equipment without type approval or acceptance.

The institutions mandated to oversee the implementation of these applicable laws and regulations are the Office of the Data Protection Commissioner (ODPC), Communication Authority of Kenya, and the Central Bank of Kenya.

 Best practices from other jurisdictions

In drafting the report, the committee explored several jurisdictions that have made an effort to regulate personal data processing and virtual assets.

•       USA

The data protection law has integrated the general federal legislative and policy framework that impact data protection on data protection. This includes the Federal Trade Commission Act, the Health Insurance Portability and Accountability Act, the Gramm-Leach-Bliley Act and the Children’s Online Privacy Protection Act as well as state laws such as the California Consumer Privacy Act.

The Securities and Exchange Commission, Treasury’s Financial Crimes Enforcement Network, Federal Reserve Board and Commodity Futures Trading Commission have been issued with an Executive Order by the White House to collaborate and coordinate their interpretation and guidance on cryptocurrency-related matters.

The Internal Revenue Service has also issued tax guidance that require cryptocurrency investors to report their annual cryptocurrency activities on their tax returns.

•         Brazil

The privacy law provides for extraterritorial jurisdiction, meaning that data obtained in Brazil has its processing regulated by this law irrespective of the location of the processing firm. In comparison to Kenya’s data privacy laws, both provide for data protection clauses when it comes to research activities, further, Brazil’s law protects data privacy in relation to processing for credit score activities.

Legislators have proposed a chain of regulations on cryptos and adaption of a sandbox. A regulatory framework for the virtual currency market was created so as to reduce the risks of virtual currencies against the financial stability of the economy, reducing the possibility of them financing illegal activities and to protecting the consumer against possible abuses.

Kenya should emulate some of the strides taken by Brazil such as: Bitcoin for instance was declared as an asset and therefore is subject to Capital Gains taxes; the Anti-Money Laundering laws extend to virtual currencies; and discussing the issuance of digital currencies by central banks.

•         South Africa

In the Protection of Personal Information Act, biometrics have been defined to mean a technique of personal identification that is based on physical, physiological, or behavioral characterisation. This means that the Act recognises retinal scanning as a part of personal biometric information and provides specific rights of the data subjects.

As for virtual assets, the Intergovernmental Fintech Working Group of South Africa recapitulates the sentiments of policymakers, regulators, and central banks that crypto assets are not ‘money’ in the legal tender sense of the word. In regulating Crypto Asset Service Providers (CASPs), there are principles that have been proposed to promote responsible innovation and regulate the conduct of such providers.

•       United Arab Emirates

The Emirate of Dubai enacted law on the Regulation of Virtual Assets and established the Dubai Virtual Assets Regulatory Authority to promote Dubai as a regionals and international hub for Virtual Assets and related services to boost its competitive edge at the local and international levels and to develop Dubai’s digital economy.

 Findings

The National Computer & Cyber Crimes Coordination Committee (NC4), Attorney-General, Kenya International Convention Centre, Communications Authority of Kenya, Central Bank of Kenya, members of the public who participated in World Coin activities are just a few of the witnesses who made their submissions during the committee’s investigation.

Based off witness submissions and research from the committee, some interesting unearthings were:

1.       World Coin is an ecosystem including a privacy-preserving digital identity network built on proof of personhood, World Coin Token and Application wallet.
2.       The project operates in 34 other countries apart from the US and China due to lack of a clear regulatory framework.
3.       Data collected was moved to World Coin Foundation which was not a registered data controller or processor in Kenya.
4.       The Orb used to capture data subjects’ iris is a telecommunication device with a capability to transmit real-time iris images converted into digital code to their third-party servers hosted outside the country and not a biometric scanner as claimed to have been declared at import station.
5.       Members of the public who participated in the data collection process were issued with 25 World Coin Tokens which were converted to USDt (a virtual US dollar on a cryptocurrency exchange) then converted to Kenyan currency.
6.       The marketing strategy used to collect personal data contravenes Section 12 of the Consumer Protection Act and it cannot be verified the age of the data subjects thus minors may have been exposed to this.
7.       World Coin Foundation submitted that their aim is to realise a more inclusive, fair, and just institution of governance and of the global digital economy; however, in contradiction to this, the committee concluded that the real intention is inclined on decentralisation of the global monetary system.
8.       The source of money or inducement given to those who completed the Orb verification process was not certified and there was no fiat currency compensation paid to Kenyans.
9.       Kenyans rank first on the adoption and use of cryptocurrency globally for peer-to-peer trading volume.

Recommendations by the committee

Conclusively, the following are some of the exhortations that have been made to the relevant authorities:

1.       Develop a comprehensive oversight framework, policies, regulations and enforcement infrastructure on virtual assets and virtual assets providers in Kenya within six months. It is key to engage all the necessary stakeholders for this.
2.       Investigations and legal action by the Director of Criminal Investigations of all parties involved within three months.
3.       Disable all the virtual platforms by World Coin as well as blacklisting Internet Protocol (IP) addresses of related websites and suspend physical presence in Kenya until a legal framework is established. Question is, exactly how viable is this considering the existence of the dark web and use of Android Package Kit file format.
4.       Harmonize the Data Protection Act and Companies Act to ensure that foreign companies provide proof of registration under the latter legislation before registering as a data processor or controller.
5.       Full disclosure on how data controllers and processors will utilise, and store personal data collected in Kenya.
6.       Amend Section 63 of the Data Protection Act to align to global standards.
7.       Provide a clear tax remittance procedure on taxes imposed on transactions involving virtual assets under Section 12F of the Income Tax ACT and include Virtual Asset Service Providers as Reporting Institutions under the Proceeds of Crime and Anti-Money Laundering Act.
8.       Co-opt the ODPC as a member of the NC4.
9.       Develop a regulatory sandbox to regulate data-based projects that rely on new and emerging technologies as well as collection of biodata.
10.   Audit of all data processors and controllers in the next six months.

It can be stated these recommendations are highly essential in providing for the safety of personal data in the country. However, it is key that the timelines are respected, and implementation affected accordingly.

“It’s important to have a sound idea, but the really important thing is the implementation

Wilbur Ross (United States Secretary of Commerce 2017-2021)