It was quite interesting to see a South African regulator take on an international giant like WhatsApp, setting out its terms for implementation of what appeared to be a very high-handed approach to users of the app.
An article on the Eversheds Sutherland International website explained it as follows:
“In early January 2021, the messaging service WhatsApp notified its users that it had updated its privacy terms and conditions. It said that its users will have to agree to let its parent company, Facebook, and its subsidiaries collect WhatsApp data, including, amongst other things, user phone numbers, contacts’ phone numbers, and location information. If users do not agree by 08 February 2021, they will lose access to WhatsApp. After having received swift backlash from its users, who noted privacy concerns, WhatsApp has extended the deadline for users to agree to its new terms to 15 May 2021.”
“Following news of the updated WhatsApp privacy terms and conditions, the South African Information Regulator (Regulator) wrote to Facebook South Africa and provided an analysis of some of the concerns which it has with the privacy terms and conditions and how it relates to South Africa. It is the Regulator’s view that ‘the processing of cellphone numbers as accessed on the user’s contact list for a purpose other than the one for which the number was specifically intended at collection, with the aim of linking the information jointly with the information processed by other responsible parties (such as Facebook companies) does not require consent from the data subject, but prior authorisation from the [Regulator].’”
Most of the provisions of the Protection of Personal Information Act, 2013 (POPIA) kick in on 30 June 2021. The Regulator has issued a Guidance Note on the Application for Prior Authorisation for responsible parties “who are currently processing or intend to process personal information which is subject to prior authorisation”. A responsible party is required, in terms of Section 57 of POPIA, to obtain prior authorisation from the Regulator if the responsible party plans to, amongst other things, process any unique identifiers (which include cellphone numbers) of data subjects:
- for a purpose other than the one for which the identifier was specifically intended at collection; and
- with the aim of linking the information together with information processed by other responsible parties.
The Eversheds Sutherland article provides the following example: if you were to buy a car from a dealership, and the dealership in turn gives your personal information to a car insurer for the purposes of allowing that insurer to sell you insurance, this would fall foul of Section 57 unless the dealership has received prior authorisation from the Regulator.
The article further notes that, “In addition to setting out the processes which a responsible party must follow, the Guidance Note also notes that it is an offence, in terms of POPIA, if a responsible party either fails to notify the Regulator of any processing that is subject to prior authorisation, or, after having notified the Regulator, continues to process personal information which is subject to prior authorisation without having obtained approval from the Regulator. A responsible party who is convicted of an offence may be liable to a fine or imprisonment for a period not exceeding 12 months, or to both a fine and imprisonment. Additionally, the Regulator notes that a failure to comply with a statement issued by the Regulator regarding prior authorisation is also an offence which may lead a responsible party, upon conviction, to be liable for a fine or imprisonment of up to 10 years, or both a fine and imprisonment.”
The Eversheds Sutherland article concludes: “The Regulator has previously expressed the view that international corporations need to pay more heed to the privacy demands of South African legislation as they appear to do with European legislation and prior to the Guidance Note being issued, many people have speculated how the Regulator intends to enforce POPIA compliance against international organisations.
“It is good to see that the Regulator is taking the protection of our personal information seriously, and is not afraid to take on the large multi-national corporations.”
As with all new legislation, it will take a while for everything to fall into place. It would be wise to stay abreast of developments and ease yourself into the obligations, rather than wait till the final moment.
One of the first steps will be to register. The Information Officer Registration Portal, where you can do so, is now live.
We suggest that you download and study the Guidance Note prior to doing so.