[UPDATE] Information Regulator says Facebook needs authorisation before obtaining WhatsApp user data

UPDATE: We have received comment from a WhatsApp spokesperson following this week’s statement from the Information Regulator. We have added their comment to the bottom of this story.

The ongoing saga involving WhatsApp and its new privacy policy continues, as the Information Regulator of South Africa has requested clarity on several elements of the practices that the messaging service’s parent company, Facebook, plans to put into action come 15th May.

The Information Regulator (IR) laid out its concerns at the beginning of the year, but the organisation is still in the dark as to what data will be collected after the aforementioned policy change date.

“The IR has written to Facebook South Africa and provided an analysis of some of the concerns that it has about the privacy policy of Facebook as it relates to South Africa,” it explained in a statement earlier this week.

“For example, it is the IR’s view that the processing of cell phone numbers as accessed on the user’s contact list for a purpose other than the one for which the number was specifically intended at collection, with the aim of linking the information jointly with the information processed by other responsible parties (such as Facebook companies) does not require consent from the data subject, but prior authorisation from the IR,” it added. 

As such, the Regulator says that Facebook South Africa cannot collect user data without its authorisation, regardless of what terms and conditions WhatsApp has in place.

The organisation specifically cites section 57 of Protection of Personal Information Act (POPIA), where the collection and processing of user contact information may not happen outside of the scope at the time it was consented to. According to the Regulator, Facebook’s 15th May update for WhatsApp would infringe on section 57, which is why it has requested greater clarity from the big tech firm.

Another aspect highlighted by the IR is the fact that users in the European Union appear to have wider ranging protections in terms of data collection compared to those in South Africa.

“We are very concerned about these different standards that apply to us, our legislation is very similar to that of the EU. It was based on that model deliberately, as it provides a significantly better model for the protection of personal information than that in other jurisdictionsm” noted IR chairperson, advovcate Pansy Tlakula.

“We do not understand why Facebook has adopted this differentiation between Europe and Africa,” the chairperson added.

The Regulator has confirmed that Facebook South Africa has expressed willingness to have a roundtable discussion on the matter and ensure that it is fully compliant come 15th May. For now though, this saga is far from over.

Comment from WhatsApp: “We are reviewing a letter from the Information Regulator in South Africa, which relates to our privacy policy. To be clear, this update does not expand our ability to share data with Facebook and does not impact the privacy of your messages with friends or family wherever they are in the world. WhatsApp does not share your contacts with Facebook and that policy applies to users everywhere, including in South Africa. We remain fully committed to delivering secure and private communications for everyone.”

[Image – Photo by AARN GIRI on Unsplash]

Exit mobile version