Popular call screening app Truecaller could be in violation of South Africa’s incoming Protection of Personal Information Act (POPIA), according to two law firms who recently spoke to MyBroadband.
Many South Africans may be familiar with the app, particularly given its usefulness in identifying unknown phone numbers and blocking unsolicited calls from telemarketers or scammers.
The app has more than 150 million daily users across the globe – 1.7 million of whom are based in South Africa.
Truecaller is often able to show the owner of a number that a user has not yet saved, drawing on its universal database, which is built from data crowd-sourced from its users.
Contrary to popular belief, Truecaller does not actually automatically upload your address book or contact list to its servers when you download and install the app from the Apple App Store or Google Play Store.
This is because both companies have strict data protection policies which prohibit the app from doing so.
However, this is not the case if the app is downloaded directly from the truecaller.com website. In this instance, Truecaller will prompt the user with an option to upload their full address book as part of its crowd-sourcing features.
This information is then uploaded to the company’s database, which is stored on a foreign server.
In addition, Truecaller allows users to manually submit the details of a number which was not yet available on its database.
According to law firms Werksmans Attorneys and Norton Rose Fulbright, there are several issues with these features under POPIA.
No lawful basis for data processing
Director at Werksmans Attorneys Ahmore Burger-Smidt said Truecaller failed to comply with POPIA in a number of areas.
“Without a doubt, concerns can be raised from a POPIA perspective in relation to the manner and the purposes for which personal data is collected and processed via the Truecaller app,” Burger-Smidt said.
She said that there were grave concerns in terms of POPIA regulations when the app is considered from the perspective of a person or business who has not registered for the service.
The primary issue was that the app allowed full disclosure of a contact list, which could amount to confidential information being disclosed.
“From a data protection perspective, a responsible party, in this instance Truecaller, can only process the personal information of a data subject if he has a lawful basis to do so,” Burger-Smidt said.
“POPIA provides for lawful bases, which include: consent, compliance with a legal obligation, if there is a legitimate interest, and the performance of a contract.”
“One can argue that there might indeed be a legitimate basis for processing the personal information of the individual that subscribes to the Truecaller service,” she stated.
“However, on what basis are they processing all the contact information that the subscriber holds?” Burger-Smidt asked.
“It is very difficult to motivate for this to be done on the basis of a legitimate interest.”
“It is entirely possible that individuals do not have any knowledge of this use of their data at all. This means that they are being denied their rights as data subjects in terms of POPIA and that their privacy is being infringed,” Burger-Smidt stated.
Shifting the blame to the user
Director in Competition Practice at Norton Rose Fulbright Rosalind Lake echoed these views.
She said POPIA requires a responsible party – in this case Truecaller – to notify a data subject of how it will process – use, store, transmit, and access – its personal information, even when it is not collected directly from the data subject.
Lake said this approach was problematic under POPIA.
“If you are reporting a number as spam, you are hardly going to phone them to tell them that their number has been added to the database,” Lake said.
“In this situation, the user of the app would not be considered a responsible party when it consents to provide access to its phone book. Truecaller is the one who requests access and use of the information and they are therefore responsible under POPI.”
“The user of the app may be considered an ‘operator’ for Truecaller, but then POPI says there must be an agreement in place to impose certain obligations on the operator, but the liability still sits with the responsible party.”
Lake warned that users should still think carefully before consenting to provide access to their address book and carefully peruse the privacy settings on the app.
“There have been some circumstances reported where a person’s safety may be compromised by their name being on the database – such as a journalist working undercover – or indeed, businesses may suffer losses in some way from being identified without their knowledge,” Lake cautioned.
What Truecaller can do
Burger-Smidt said that Truecaller ought to consider how it collects personal information from non-subscribers.
She said that POPIA requires a responsible party to take reasonably practicable measures to notify the data subject of the collection and processing of their personal information.
However, this could introduce another problem under POPIA, Lake added.
“A tricky issue is that the responsible party is required to disclose where it is collecting the personal information from if it is not collecting it directly from the data subject,” Lake said.
“It is not clear yet whether stating that it is collected from users of the app will be sufficient or whether the particular individual from whom the information is collected has to be disclosed.”
“It seems unlikely to be the latter as this may also be unnecessary processing of the user’s personal information.”
Truecaller not anticipating any issues
Truecaller told MyBroadband that POPIA offered a good opportunity for companies to review their practices and think more deeply about the importance of their users’ privacy.
“We are continuing to look at changes we can make to align with the evolution of privacy laws in different jurisdictions, including South Africa,” the company said.
However, it said it did not anticipate any disruption to the services or features its app offers due to the implementation of POPIA.
Both Burger-Smidt and Lake submitted that Truecaller is beneficial in its ability to identify and screen unsolicited calls.
Lake added that POPI in and of itself would also help restrict direct marketing, which will hopefully reduce the volume of spam calls in South Africa.