Subscribe
About

WhatsApp privacy policy fails POPIA compliance, says watchdog

Simnikiwe Mzekandaba
By Simnikiwe Mzekandaba, IT in government editor
Johannesburg, 11 Sep 2024
SA’s Information Regulator reads WhatsApp the riot act.
SA’s Information Regulator reads WhatsApp the riot act.

South Africa’s Information Regulator (InfoReg) has issued messaging app WhatsApp with an enforcement notice.

This, after the data privacy enforcer’s preliminary report found WhatsApp “adopts different terms of service and privacy policies for users in the European region compared to users outside Europe, including South African users”.

During its media briefing earlier today, the InfoReg provided an update on matters being investigated in regards to the Protection of Personal Information Act (POPIA) and Promotion of Access to Information Act (PAIA).

InfoReg chairperson advocate Pansy Tlakula said since April, the regulator has issued four enforcement notices. The other notices were issued to the Electoral Commission, Blouberg Municipality and Lancet Laboratories.

Noting the “very lengthy” and “complex” nature of the matter involving WhatsApp, Tlakula said: “The privacy safeguards for users in the European region appeared to be better than those for users in South Africa, even though the General Data Protection Regulations (GDPR) and POPIA have similar standards and protections.

“The regulator deemed it appropriate to conduct a compliance assessment in terms of Section 89 of POPIA, given the insufficiency of WhatsApp’s privacy policy in demonstrating compliance with the provisions of POPIA.

“The regulator has issued an enforcement notice in which it directed WhatsApp to comply with all conditions of lawful processing by updating their privacy policy, to conduct a personal information impact assessment, and to comply with the provisions of PAIA in so far as it relates to its obligation to maintain the documentation of all processing operations it is responsible for.

“In this regard, the regulator dismissed WhatsApp’s argument that PAIA does not apply to it as a social network is extraterritorial.”

WhatsApp sparked a public outcry across the globe when it updated its privacy policy in January 2021. The new policy allows the Facebook-owned messaging app to share certain data with Facebook – an option that users previously had a chance to opt out of.

In March 2021, the InfoReg wrote a letter to Facebook South Africa, outlining concerns about the social media giant’s privacy policy as it relates to SA. In the letter, the regulator said it had prohibited Facebook from sharing any contact information it collects from WhatsApp users without its authorisation.

The privacy watchdog had also expressed concern that for users who live in the European Union region, WhatsApp provides the services under different terms of service and privacy policy to the rest of the world – due to the region’s stringent data protection law, the GDPR.

After receiving no response from Facebook SA, the InfoReg vowed to take further action, culminating in the enforcement notice announced today.

Advocate Pansy Tlakula, chairperson of the Information Regulator.
Advocate Pansy Tlakula, chairperson of the Information Regulator.

The Information Regulator, headed by Tlakula, is mandated to ensure organisations put in place measures to protect the data privacy of South Africans in terms of POPIA.

Under POPIA, organisations must inform the InfoReg if they expose the personal information of data subjects to unauthorised third-parties without their approval.

The Act sets down firm frameworks that companies have to abide by to avoid fines, criminal persecution and potential reputation loss. Perpetrators can face fines of up to R10 million or 10 years of imprisonment, depending on the seriousness of the breach.

During the briefing, Tlakula raised concerns about the alarming number of security compromise incidents that have been reported to the regulator since falling under the enforcement powers of the regulator in July 2021.

Since the beginning of April, the regulator has received 980 security compromise notifications, she noted.

“This tells us that public and private bodies may not have adequate organisational and technical measures to ensure the integrity and confidentiality of personal information in their possession or under their control. We have since ensured that in all compliance assessments that we conduct, we look into the security safeguard measures that public and private bodies have put in place.”

In terms of ongoing high-profile investigations, the regulator is investigating alleged interference with the protection of the personal information of data subjects by the South African Police Service (SAPS).

The personal information was processed by SAPS in the course of an investigation of a crime, said Tlakula.

“The personal information was disseminated by the SAPS through WhatsApp messages. Due to the sensitivity of the case and considering that this a similar matter where personal information was leaked, the regulator has embarked an own initiative investigation into the alleged interference with personal information. The matter has been referred to the Enforcement Committee.”

On direct marketing through unsolicited electronic communications, the InfoReg has taken note of the plight of members of the public on the growing frustration because of spam calls as a result of direct marketing, she added.

Earlier this year, the regulator revealed it had drafted a guidance note on direct marketing, which seeks to guide public and private bodies on how to comply with POPIA when processing the personal information of data subjects for direct marketing.

“In July, we shared the draft guidance note with stakeholders in the direct marketing organised structures and the big industry players who largely use direct marketing as part of their business practices.

“We are at the final stages of considering their intricate inputs, and on 25 September, we will hold a stakeholder engagement on the final version of the guidance note ahead of its publication.”

Share