Members of Parliament on Thursday grilled Data Commissioner Immaculate Kassait over her role in protecting Kenyans from exposing their confidential data to Worldcoin.
The National Assembly Committee on Information and Communication told Ms Kassait that she had failed Kenyans in ensuring the safety of their data in the shady dealings of the Worldcoin company.
The committee was shocked by the revelation by Data Protection Commissioner Immaculate Kassait that her office was not aware of Worldcoin's operations at the Kenyatta International Convention Centre (KICC) until the matter became public.
Ms Kassait told MPs that her office had issued a cease and desist letter to Worldcoin to stop its operation of collecting personal data of Kenyans, adding that she was not aware of Worldcoin's activities until the public outcry and the long queue witnessed at KICC three weeks ago.
The data commissioner also told MPs that she was still unaware of the number of Kenyans who signed up to have their data collected in exchange for Sh7,000.
Ms Kassait further told the committee, chaired by Dagoretti South MP John Kiarie, that her duty as an office ended with the issuance of the registration certificate and that she was not responsible for granting Worldcoin the operating licence.
While absolving her office of blame, Ms Kassait said her office was only responsible for registration, which she explained was not a licence for a data collection company to collect and process personal data.
"Let's be clear, we register data controllers and data processors, but we don't register them to do their core business," Ms Kassait said.
She cited telecommunications companies such as Safaricom and Airtel, which she said are registered as data controllers and processors but still seek operating licences from the Communications Authority of Kenya.
She told MPs that the gaps in the Data Protection Act, 2019 need to be addressed to allay concerns raised by Parliament and the public.
"The law is not structured in a policing way. There are gaps in the law as far as the authorisation of registration is concerned," said Ms Kassait.
But Isiolo Woman Representative Mumina Bonaya said the responsibility of the Data Protection Unit should go beyond the certificate of registration and that due diligence should be done before a company is registered.
Lawmakers, however, berated Ms Kassait, saying that despite receiving huge budgetary allocations from taxpayers, the office failed to conduct background checks on the company, whose operations have been banned in both the United States of America (USA) and Germany.
Kisumu East MP Shakeel Shabir accused the commissioner of passing the buck to other agencies after failing in her duties.
"You seem to be completely in the dark about the operations of Worldcoin. The horse has bolted and now you are here to pass the buck," Mr Shabir said.
"We have determined that the information regarding Worldcoin's operations is insufficient to completely exonerate your office. You need to resubmit your answers as to who should be held responsible in this inquiry," Mr Kiarie said.
"We want to know what you did within your powers to stop Worldcoin from operating. If you issued a cease and desist letter, did you seek the assistance of law enforcement agencies to ensure that your order was carried out?" he added.
MPs pressed the commissioner on who allowed Worldcoin to use the KICC if the office of the data commission, which is also a government agency, had issued a cease and desist order on the company's operations in the country.
"If you have issued a cease and desist order, who then allowed Worldcoin to use KICC, which is a government body? Who is deceiving who here? One arm of the government issues an order and another gives permission," said Homa Bay Woman Representative Joyce Bensuda.
Ms Kassait told the committee that she did not know who authorised Worldcoin to use the KICC, despite her office banning the company's activities.
The government registered Worldcoin as a data controller under the Data Protection Act, 2019 and the Data Protection Registration of Data Controllers and Data Processors Regulation, 2021 (Registration Regulations), which require, among other things, that entities that process data should register with the office.
Registration signifies that the entity has complied with sections 18 and 19 of the Act and does not constitute an endorsement of an entity's compliance with the Data Protection Act or its subsidiary regulations, nor does it constitute a valid licence for an organisation to operate in Kenya or authorise the operations of an entity.