The IR’s statement says that it has a number of concerns about how this revised policy applies to South Africa, giving the following as an example:
“… it is the IR’s view that the processing of cell phone numbers as accessed on the user’s contact list for a purpose other than the one for which the number was specifically intended at collection, with the aim of linking the information jointly with the information processed by other responsible parties (such as Facebook companies) does not require consent from the data subject, but prior authorisation from the IR”.
The IR also expressed concerns about differences in the approach WhatsApp have taken in respect of users in Europe and Africa, with European users receiving “significantly higher privacy protection” than people in Africa and South Africa, notwithstanding that the South African legislation is modelled on, and very similar to, privacy legislation in the EU.
On 1 July 2020 the majority of the dormant sections of POPIA came into force and, in terms of the transitional arrangements under section 114 of POPIA, responsible parties are given until 1 July 2021 to ensure that all processing of personal information complies with its provisions.
Relevantly, section 57 of POPIA came into effect and requires a responsible party (i.e. WhatsApp) to procure prior consent from the IR if it intends to process any unique identifiers of data subjects (i.e. WhatsApp users):
- for a purpose other than the purpose for which the unique identifier was specifically intended at collection; and
- with the intention of linking the information together with information processed by other responsible parties (i.e. Facebook).
A unique identifier is defined as:
“any identifier that is assigned to a data subject and is used by a responsible party for the purposes of the operations of that responsible party and that uniquely identifies that data subject in relation to that responsible party”.
In the present context, unique identifiers would likely include cell phone numbers, usernames and email addresses. POPIA is a new piece of legislation and, as such, our courts have not had much opportunity to interpret its key terms and provisions.
Non-compliance with section 57 of POPIA is an offence and, under section 107(b) of POPIA, any person convicted of such an offence is liable to a fine or to imprisonment for a period not exceeding 12 months, or to both a fine and imprisonment.