With less than 100 days to go until POPIA kicks in, the Information Regulator may be starting to flex its muscles

• South Africa

• Technology, Media and Telecoms - Technology

14-04-2021

In early January 2021, the messaging service WhatsApp notified its users that it had updated its privacy terms and conditions. It said that its users will have to agree to lets its parent company, Facebook, and its subsidiaries collect WhatsApp data, including, amongst other things, user phone numbers, contacts’ phone numbers, and location information. If users do not agree by 08 February 2021, they will lose access to WhatsApp. After having received swift backlash from its users, who noted privacy concerns, WhatsApp has extended the deadline for users to agree to its new terms to 15 May 2021.

Following news of the updated WhatsApp privacy terms and conditions, the South African Information Regulator (Regulator) wrote to Facebook South Africa and provided an analysis of some of the concerns which it has with the privacy terms and conditions and how it relates to South Africa. It is the Regulator’s view that “the processing of cellphone numbers as accessed on the user’s contact list for a purpose other than the one for which the number was specifically intended at collection, with the aim of linking the information jointly with the information processed by other responsible parties (such as Facebook companies) does not require consent from the data subject, but prior authorisation from the [Regulator].”

Subsequent to the Regulator’s engagement with Facebook South Africa, and with just over 100 days left before the provisions of the Protection of Personal Information Act, 2013 (POPIA) become enforceable, the Regulator issued a Guidance Note on the Application for Prior Authorisation which seeks to guide responsible parties “who are currently processing or intend to process personal information which is subject to prior authorisation”. A responsible party is required, in terms of Section 57 of POPIA, to obtain prior authorisation from the Regulator if the responsible party plans to, amongst other things, process any unique identifiers (which includes cellphone numbers) of data subjects for: (i) a purpose other than the one for which the identifier was specifically intended at collection; and (ii) with the aim of linking the information together with information processed by other responsible parties. For example, if you were to buy a car from a dealership and the dealership in turn gives your personal information to a car insurer for the purposes of allowing that insurer to sell you insurance this would fall foul of Section 57 unless the dealership has received prior authorisation from the Regulator.

In addition to setting out the processes which a responsible party must follow, the Guidance Note also notes that it is an offence, in terms of POPIA, if a responsible party either fails to notify the Regulator of any processing that is subject to prior authorisation, or, after having notified the Regulator, continues to process personal information which is subject to prior authorisation without having obtained approval from the Regulator. A responsible party who is convicted of an offence may be liable to a fine or imprisonment for a period not exceeding 12 months, or to both a fine and imprisonment. Additionally, the Regulator notes that a failure to comply with a statement issued by the Regulator regarding prior authorisation is also an offence which may lead a responsible party, upon conviction, to be liable for a fine or imprisonment of up to 10 years, or both a fine and imprisonment.

The Regulator may also impose an administrative fine of up to R10 million on a responsible party who is alleged to have committed any of the above offences.

The Regulator has previously expressed the view that international corporations need to pay more heed to the privacy demands of South African legislation as they appear to do with European legislation and prior to the Guidance Note being issued, many people have speculated how the Regulator intends to enforce POPIA compliance against international organisations.

It is good to see that the Regulator is taking the protection of our personal information seriously, and is not afraid to take on the large multi-national corporations.