South Africa
‘WhatsApp needs our permission,’ - SA’s Information Regulator─── 13:00 Thu, 04 Mar 2021
It’s not your consent that Whatsapp needs to share your contact data with third parties, it’s the government’s.
Tech giant Facebook Inc subsidiary Whatsapp’s new terms of service, announced to great unhappiness from consumers earlier this year, are not lawful in South Africa without the consent of the Information Regulator (IR), the body has confirmed.
This follows the IR’s initial reaction to the announcement in January, when it said it would investigate if the policy violated any South African laws.
The company gave users until May 15 to review and accept the new terms, prompting a wave of users to migrate to smaller competitors like Telegram and Signal. If the terms and conditions are not accepted by 15 May, WhatsApp users will temporarily be able to receive calls and notifications, but will be unable to read or send messages.
In response to this finding, the IR has invited Facebook SA to a “round table discussion” to “ensure there is full compliance” by WhatsApp with the provisions of the Protection Of Private Information Act (Popia) and other pertinent international legal instruments. Whatsapp needs to get the IR’s permission to mine and sell the personal data of South African users.
“It is the IR’s view that the processing of cellphone numbers as accessed on the user’s contact list for a purpose other than the one for which the number was specifically intended at collection, with the aim of linking the information jointly with the information processed by other responsible parties (such as Facebook companies) does not require consent from the data subject, but prior authorisation from the IR,” it said in a statement.
The IR has also written to Facebook SA explaining this and other concerns about the privacy policy of Facebook in South Africa. The IR also took offence at the fact Facebook cannot get away with these liberties in the European Union and operated with less restrictions in Africa.
The European Union (EU) imposes strong data use restrictions for Facebook in the European Union under the General Data Protection Regulation (GDPR). A number of high profile investigations into the activities of Google, Facebook and other American tech companies are before Ireland’s Data Protection Commission (IDPC), which oversees Facebook activities in the EU.
Neither the African Union nor the South African government has an equivalent to the IDPC, leaving these companies beholden to far less stringent regulation in some African countries. But the IR claims its rules have been modelled on the EU legislation. The EU is protected from several of Facebook’s activities outside the region by the GDPR.
IR chairperson Pansy Tlakula said the apparent double standard was concerning.
“We are very concerned about these different standards that apply to us; our legislation is very similar to that of the EU. It was based on that model deliberately, as it provides a significantly better model for the protection of personal information than in other jurisdictions. We do not understand why Facebook has adopted this differentiation between Europe and Africa,” she said.