SA takes on WhatsApp
INFO REGULATOR: CHALLENGING SHARING OF DATA WITH THIRD PARTIES
Agency invites Facebook SA to roundtable discussion.
It is not your consent that WhatsApp needs to share your contact data with third parties – it’s the government’s. Tech giant Facebook Inc subsidiary WhatsApp’s new terms of service, announced to great unhappiness from consumers earlier this year, are not lawful in South Africa without the consent of the Information Regulator (IR), the body has confirmed.
This follows the IR’s initial reaction to the announcement in January, when it said it would investigate if the policy violated any South African laws.
The company gave users until 15 May to review and accept the new terms, prompting a wave of users to migrate to smaller competitors like Telegram and Signal.
If the terms and conditions are not accepted by 15 May, WhatsApp users will temporarily be able to receive calls and notifications, but will be unable to read or send messages.
In response to this finding, the IR has invited Facebook SA to a “roundtable discussion” to “ensure there is full compliance” by WhatsApp with the provisions of the Protection of Private Information Act (Popia) and other pertinent international legal instruments.
WhatsApp needs to get the IR’s permission to mine and sell the personal data of South African users. “It is the IR’s view that the processing of cellphone numbers as accessed on the user’s contact list for a purpose other than the one for which the number was
specifically intended at collection, with the aim of linking the information jointly with the information processed by other responsible parties [such as Facebook companies] does not require consent from the data subject, but prior authorisation from the IR,” it said in a statement.
The IR has also written to Facebook SA explaining this and other concerns. The regulator also took offence at the fact that Facebook cannot get away with these liberties in the European Union and operated with less restrictions in Africa.
The EU imposes strong data use restrictions for Facebook under the General Data Protection Regulation (GDPR). A number of high-profile investigations into the activities of Google, Facebook and other American tech companies are before Ireland’s Data Protection Commission (IDPC), which oversees Facebook activities in the EU.
Neither the African Union, nor the SA government has an equivalent to the IDPC, leaving these companies beholden to far less stringent regulation in some African countries. But the IR claims its rules have been modelled on the EU legislation. The EU is protected from several of Facebook’s activities outside the region by the GDPR.
IR chairperson Pansy Tlakula said the apparent double standard was concerning.
“We are very concerned about these different standards that apply to us; our legislation is very similar to that of the EU. It was based on that model deliberately, as it provides a significantly better model for the protection of personal information than in other jurisdictions. We do not understand why Facebook has adopted this differentiation between Europe and Africa,” she said.
We’re concerned about double standards