South African WhatsApp users cannot be forced to accept new privacy policy – Regulator
The Information Regulator (IR) of South Africa said it has concerns about Facebook’s new privacy policy which forces WhatsApp users to accept the policy by 15 May or face losing functionality.
Last month, WhatsApp said will go ahead with its planned privacy policy changes despite a global backlash.
WhatsApp said it previously encountered a great deal of misinformation about this update and it continued to work hard to clear up any confusion.
It will continue to proceed with privacy policy changes, but it will now communicate the consequences of these changes more effectively.
“We’ve spent the last several weeks reviewing feedback from users and we spent time (virtually) with people from many countries,” WhatsApp said.
“This was a great opportunity for us to hear about people’s concerns and learn what we could have done better.”
The company stressed that WhatsApp and Facebook cannot read or listen to personal conversations as they are end-to-end encrypted.
This announcement did not sit well with South Africa’s Information Regulator, which said disabling functionality of users which do not accept the new policy is unacceptable.
South Africa’s privacy law requires a company to get consent from the owner of the data – i.e. users – before they further process this data.
“The consent in terms of our law is specific – it is a voluntary expression of will on what you are consenting to,” Advocate Pansy Tlakula, chair of the Information Regulator of SA, said.
“On the face of it, the new WhatsApp privacy policy requires involuntary consent because it says you should leave the platform if you do not give consent. That can never be voluntary consent.”
It has written to Facebook South Africa and provided an analysis of the concerns that it has about the privacy policy of Facebook as it relates to South Africa.
“It is our view that the processing of cellphone numbers as accessed on the user’s contact list for a purpose other than the one for which the number was specifically intended at collection, with the aim of linking the information jointly with the information processed by other responsible parties (such as Facebook companies) does not require consent from the data subject, but prior authorisation from the IR,” it said.
Accordingly, WhatsApp cannot without obtaining prior authorisation from the IR in terms of section 57 of Protection of Personal Information Act (POPIA), process any contact information of its users for a purpose other than the one for which the number was specifically intended at collection.
Facebook can therefore not use WhatsApp users’ information and link it with information processed by other Facebook companies without approval from the IR.
The regulator has also raised a central concern that citizens of the European Union will receive significantly higher privacy protection than people in South Africa.
Tlakula said they are concerned about these different standards that apply to South Africa as our legislation is very similar to that of the EU.
“It was based on that model deliberately, as it provides a significantly better model for the protection of personal information than that in other jurisdictions,” she said.
She also raised concerns that there is different treatment of users in Europe and those outside of Europe.
“We do not understand why Facebook has adopted this differentiation between Europe and Africa.”
The regulator told Facebook SA it is willing and committed to have a round-table discussion regarding the issues raised to ensure that there is full compliance by the WhatsApp Privacy Policy with the provisions of POPIA and other pertinent international legal instruments.