10 March 2021 by Corporate & Commercial Alert

Information Regulator weighs in on WhatsApp Privacy Policy

In January 2021, WhatsApp sparked a public outcry with a proposed update to its Privacy Policy to enable it to share information with its parent company, Facebook. As a result of the public response to these proposed changes, WhatsApp later announced that these updates would be delayed until later in the year. On 3 March 2021, the Information Regulator (IR), who is a new regulator tasked with (amongst other things) monitoring and enforcing compliance with the Protection of Personal Information Act 4 of 2013 (POPIA) issued a statement about WhatsApp’s proposed changes to its Privacy Policy and its compliance with POPIA.

The IR’s statement says that it has a number of concerns about how this revised policy applies to South Africa, giving the following as an example:

… it is the IR’s view that the processing of cell phone numbers as accessed on the user’s contact list for a purpose other than the one for which the number was specifically intended at collection, with the aim of linking the information jointly with the information processed by other responsible parties (such as Facebook companies) does not require consent from the data subject, but prior authorisation from the IR”.

In simple terms, the IR’s view is that its consent is required for the implementation of the updated privacy policy, regardless of whether users of WhatsApp specifically agree to this.

The IR also expressed concerns about differences in the approach WhatsApp have taken in respect of users in Europe and Africa, with European users receiving “significantly higher privacy protection” than people in Africa and South Africa, notwithstanding that the South African legislation is modelled on, and very similar to, privacy legislation in the EU.

On 1 July 2020 the majority of the dormant sections of POPIA came into force and, in terms of the transitional arrangements under section 114 of POPIA, responsible parties are given until 1 July 2021 to ensure that all processing of personal information complies with its provisions.

Relevantly, section 57 of POPIA came into effect and requires a responsible party (i.e. WhatsApp) to procure prior consent from the IR if it intends to process any unique identifiers of data subjects (i.e. WhatsApp users):

  • for a purpose other than the purpose for which the unique identifier was specifically intended at collection; and
  • with the intention of linking the information together with information processed by other responsible parties (i.e. Facebook).

A unique identifier is defined as:

any identifier that is assigned to a data subject and is used by a responsible party for the purposes of the operations of that responsible party and that uniquely identifies that data subject in relation to that responsible party”.

In the present context, unique identifiers would likely include cell phone numbers, usernames and email addresses. POPIA is a new piece of legislation and, as such, our courts have not had much opportunity to interpret its key terms and provisions. 

To further complicate matters, an abundance of misinformation has been disseminated about the proposed amendments to WhatsApp’s Privacy Policy since they were first published in January 2021. In response to this, WhatsApp created a webpage to specifically address questions about its Privacy Policy. Pertinently, WhatsApp makes it very clear that it does not share its user’s contacts or contact lists with Facebook which is seemingly in contrast with the main issue raised by the IR in its statement. The IR says that it will be having round-table discussions with Facebook SA regarding the newly proposed Privacy Policy.

Non-compliance with section 57 of POPIA is an offence and, under section 107(b) of POPIA, any person convicted of such an offence is liable to a fine or to imprisonment for a period not exceeding 12 months, or to both a fine and imprisonment.

Given that WhatsApp (as a responsible party who determines the purpose of and means for processing its users’ personal information) is required to ensure compliance with POPIA by 1 July 2021, we are likely to hear about the outcome of the IR’s concerns and hopefully obtain greater certainty on the matter, and the status of the new Privacy Policy, within the coming months.

download PDF

The information and material published on this website is provided for general purposes only and does not constitute legal advice.

We make every effort to ensure that the content is updated regularly and to offer the most current and accurate information. Please consult one of our lawyers on any specific legal problem or matter.

We accept no responsibility for any loss or damage, whether direct or consequential, which may arise from reliance on the information contained in these pages.

Please refer to the full terms and conditions on the website.

Copyright © 2021 Cliffe Dekker Hofmeyr. All rights reserved. For permission to reproduce an article or publication, please contact us cliffedekkerhofmeyr@cdhlegal.com

You may also be interested in