On 3 March 2021, South Africa’s Information Regulator (IR) said that it has a number of concerns about how whatsapp revised policy applies to South Africa.

WhatsApp sparked a public outcry in January with a proposed update to its privacy policy to enable it to share information with its parent company Facebook.

As a result of the public response to these proposed changes, WhatsApp later announced that these updates would be delayed until later in the year.

On 3 March 2021, South Africa’s Information Regulator (IR) said that it has a number of concerns about how WhatsApp revised policy applies to South Africa.

It specifically raised concerns around the processing of cell phone numbers as accessed on the user’s contact list ‘for a purpose other than the one for which the number was specifically intended at collection’

In simple terms, the IR’s view is that its consent is required for the implementation of the updated privacy policy, regardless of whether users of WhatsApp specifically agree to this, said legal experts at Cliffe Dekker Hofmeyr.

The IR also expressed concerns about differences in the approach WhatsApp have taken in respect of users in Europe and Africa, with European users receiving ‘significantly higher privacy protection’ than people in Africa and South Africa – notwithstanding that the South African legislation is modelled on, and very similar to, privacy legislation in the EU.

“On 1 July 2020 the majority of the dormant sections of Protection of Personal Information Act (POPIA) came into force and, in terms of the transitional arrangements under section 114 of POPIA, responsible parties are given until 1 July 2021 to ensure that all processing of personal information complies with its provisions,” Cliffe Dekker Hofmeyr said.

The firm specifically pointed to section 57 of POPIA which came into effect and requires a responsible party (i.e. WhatsApp) to procure prior consent from the IR if it intends to process any unique identifiers of data subjects (i.e. WhatsApp users):

  • For a purpose other than the purpose for which the unique identifier was specifically intended at collection; and
  • With the intention of linking the information together with information processed by other responsible parties (i.e. Facebook).

In the present context, ‘unique identifiers’ would likely include cell phone numbers, usernames and email addresses. POPIA is a new piece of legislation and, as such, our courts have not had much opportunity to interpret its key terms and provisions, said Cliffe Dekker Hofmeyr.

“To further complicate matters, an abundance of misinformation has been disseminated about the proposed amendments to WhatsApp’s Privacy Policy since they were first published in January 2021.”

In response to this, WhatsApp created a webpage to specifically address questions about its Privacy Policy.

“Pertinently, WhatsApp makes it very clear that it does not share its user’s contacts or contact lists with Facebook which is seemingly in contrast with the main issue raised by the IR in its statement. The IR says that it will be having round-table discussions with Facebook SA regarding the newly proposed Privacy Policy.”

The firm noted that non-compliance with section 57 of POPIA is an offence and, under section 107(b) of POPIA, any person convicted of such an offence is liable to a fine or to imprisonment for a period not exceeding 12 months, or to both a fine and imprisonment.

“Given that WhatsApp -as a responsible party who determines the purpose of and means for processing its users’ personal information – is required to ensure compliance with POPIA by 1 July 2021, we are likely to hear about the outcome of the IR’s concerns and hopefully obtain greater certainty on the matter, and the status of the new Privacy Policy, within the coming months.”


Originally Published by BUSINESSTECH