Why the biometric data deletion order raises a crucial regulatory challenge — verifying deletion in global tech
On 5th May 2025, Kenya’s High Court handed down a significant ruling in the Worldcoin case, ordering the permanent deletion of biometric data (iris and facial scans) collected from Kenyans, under the supervision of the Office of the Data Protection Commissioner (ODPC), within seven days.
It’s a powerful affirmation of privacy rights. But the most important and unresolved question is this:
How do we verify deletion in today’s tech landscape?
The Illusion of Deletion: Why “Erasure” Is Now the Most Difficult Privacy Right to Enforce
In theory, the right to erasure is straightforward. In practice, it’s messy, global, and technical.
Let’s pause for a moment: What does deletion really mean when we’re dealing with cloud-based infrastructure, global data pipelines, AI training datasets, and backup redundancy systems?
In the Worldcoin case:
- The data was not stored in Kenya.
- It was likely backed up, possibly multiple times.
- It may have already been used to train or enrich machine learning models.
So when the court says “delete,” we must ask: from where? From what layers of infrastructure? And how can we be sure it’s gone?
To genuinely verify deletion in 2025, regulators need:
- Access to backend logs that show when, where, and how data was deleted
- Audit trails of data handling and replication processes
- Evidence that backups, including offsite and automated backups, were purged
- Disclosures on whether the data was ever used to train AI models (and if so, how it was removed or obfuscated)
- Independent technical verification from digital forensics professionals or compliance certifiers
Let’s be honest: that level of scrutiny would challenge even the best-resourced privacy regulators globally. For a young regulator like the ODPC, this ruling is precedent-setting, but it’s also an enormous operational test.
Why This Ruling Should Matter to Every International Business in Kenya
If you’re a global tech company, digital platform, or data-intensive business operating in or entering Kenya, this is not just a Worldcoin story. This is a clear signal that:
- Kenya expects full compliance with its Data Protection Act (2019)
- Consent must be real, not gamified or incentivized
- Public interest litigants can enforce digital rights even before the regulator acts
- You are accountable for your infrastructure and model design decisions, even when hosted offshore
If your teams are still treating Kenya or African markets as “pilot zones” or less-regulated environments, this ruling changes that narrative.
A Deletion Order Is Not a Deletion Outcome and the ODPC Now Faces a New Type of Challenge
There’s something quietly radical about this case. For the first time, the ODPC is being called to supervise global data deletion. But the Act doesn’t currently define what that supervisory process should involve, and technical capacity remains a real challenge.
Practical steps that regulators globally use to supervise deletion include:
- Deletion certificates from independent third parties
- Model audit reports when biometric data was used in AI training
- Automated trace tools to detect digital fingerprints
- Cross-border enforcement cooperation frameworks
These steps require relationships, tools, and time, and time is exactly what the High Court’s seven-day window doesn’t offer.
Why Did This Go to Court – Not Through the ODPC?
The Worldcoin case wasn’t initiated by the ODPC. It came through a judicial review application filed by public interest litigants. This is significant. It confirms that in Kenya, data protection is also a constitutional issue. Rights-based enforcement is now a growing pillar of our regulatory ecosystem, and companies must prepare for it.
The Real Takeaway: You Need a Strategy, Not Just a Policy
If your company handles sensitive or large-scale data in Kenya or anywhere in Africa, here’s what this ruling means for you:
- Register with the ODPC as a data controller or processor
- Conduct a proper Data Protection Impact Assessment (DPIA)
- Design systems with privacy by design and by default
- Prepare for court-level scrutiny, not just regulator audits
Privacy compliance is no longer a checklist. It’s a strategic risk and a competitive differentiator.
How Cavendrys Can Help
At Cavendrys, we advise clients on:
- Registration as a data controller or processor in Kenya
- Data Protection Impact Assessments (DPIAs) and privacy audits
- ODPC engagements, enforcement responses, and regulatory litigation
- Cross-border compliance strategies and AI governance frameworks