Happy POPIA day everyone! Yes, in case you didn’t know why your inbox, WhatsApp groups and other communication channels have become inundated with messages concerning the Protection Of Personal Information Act (POPIA) recently, POPIA became a law of the land today (1st July 2021).
As the name would suggest, POPIA essentially gives South Africans a constitutional right to privacy and provides legislative protection over personal data.
It also presents problems for certain entities.
Unless you’ve been locked in an isolation ward for the last twenty-one years, you’ll know that personal data is big business and the freedom to collect it unilaterally has led to the rise of tech behemoths that make billions by doing so (and then selling it) every year.
You’d think that sitting on a mountain of earnings that size would be satisfactory in itself. The giants in this industry, however, seem to be always looking for ways to increase the amount of data they can hoover up. And who can blame them? Data is more valuable than oil these days, apparently.
Which brings us neatly to WhatsApp and its parent company Facebook.
Is WhatsApp about to crash headlong into POPIA?
Anyone who uses WhatsApp will have heard about the stink it caused earlier this year when it not only announced a massive change to its terms and conditions, but also gave users very little option except to opt into them. This in turn led to an interesting series of events across the globe. To be brief, the move didn’t go down very well and the main issues centred around the T&C’s running afoul of privacy legislation in different nations and nation-blocs.
Now, in South Africa, WhatsApp and Facebook have POPIA to deal with. Does South Africa’s new law present the pair with some problems? According to Nathan-Ross Adams, an attorney at Michalsons who focusses on data protection and information security when it comes to emerging technologies, the answer is a most emphatic ‘yes’.
“As it is, it’s not so much about the content of the privacy policy. It’s more about how WhatsApp is approaching privacy,” he says.
One of the big elements of POPIA is that there must be a lawful ground for processing personal information and there are four of those grounds:
- There’s an empowering law
- To pursue information for a contract
- Consent has been given
- It’s in the public interest that this data be processed
The issue in South Africa, says Adams, is that although WhatsApp has asked for consent and sent an in-App consent notification requiring users to comply with its privacy policy, it essentially said that not giving this consent would cause users to lose some of the app’s functionality.
When it comes to privacy there are three concerns to keep in mind:
- Privacy: the personal information of an individual or entity
- Security: how secure that information is
- Governance: the owner of the platform the information is on
“WhatsApp has been focussing on the security of the data on its platform – it has confirmed that data is secure – but it’s focussing on the wrong issue,” says Adams.
“The issue WhatsApp has to deal with is privacy of the information and the concern is that WhatsApp is going to share that information with its parent company Facebook. Together WhatsApp and Facebook would like to create profiles on their users.”
“This information would include users’ phone numbers, locations, email addresses, the devices they access the app with, which would include device type, hardware model, battery life – all sorts of metadata – and combine that with the Facebook data already on hand to create profiles.”
The problem that POPIA creates for the pair, he says, is that in order to do this they’re now legally required to apply for authorisation from the Information Regulator (IR), which will review how the processing will take place and then make a decision on whether or not to give permission.
“As far as we currently know, WhatsApp hasn’t requested permission from the IR,” says Adams.
Parliament requested a meeting with Facebook this year in order to discuss (amongst other issues) these privacy aspects. Facebook initially agreed to attend, and then reversed its decision. Whether or not Facebook intends to reconvene with parliament at a later date is up in the air, but what it is certain is that the IR is taking legal advice about the best way in which to address this matter.
So what happens next?
Whether they like it or not, POPIA is now a reality Facebook and WhatsApp have to deal with. But a major issue facing South Africans is that the two platforms are now integrally interwoven into global communication networks. Beyond talking to mates and sharing memes on it, WhatsApp is used by governmental bodies to communicate vital information to citizens – about developments around the COVID-19 pandemic for example.
This puts WhatsApp – and by extension Facebook – in a very powerful position, but that doesn’t mean necessarily it’ll have its own way.
“[Facebook and WhatsApp] can’t force consent from any of us and the IR has taken a very bold and admirable position – even ahead of the POPIA deadline – of taking Facebook and WhatsApp to task,” says Adams. “There is a strong sense of protection of personal information in a South African context and I think it comes from the idea that we shouldn’t be treated differently from any other nation.”
So will WhatsApp adjust its T&C’s for South Africa? Will it just take the stance that, given the size of its local user base and how embedded it is in the way we communicate, South Africa can either like it or lump it?
“If the IR succeeds with its legal initiatives that it currently has in motion there’s the very strong chance that WhatsApp will have to change its privacy policy. If it doesn’t, it may be stuck in a legal battle for years to come, which doesn’t make sense, because they’d be in the media for frustrating our legal policy for years,” says Adams.
“In my opinion, WhatsApp will probably change its T&C’s,” he says.
