Most people have heard about the WhatsApp controversy regarding its new privacy policy. According to social media posts that circulated at the beginning of 2021, a newly revised WhatsApp privacy policy was going to enable WhatsApp to access all of your private data, which it would then share with Facebook. Many decided to delete the popular messaging app and to turn to alternatives such as Telegram and Signal. In this article we will look at what exactly this new WhatsApp privacy policy entails, how the Protection of Personal Information Act No. 4 of 2013 (“POPI Act”) protects your personal information from being processed, and finally what is being done by the Information Regulator (South Africa) (“Regulator”) to address these concerns.

WhatsApp Privacy Policy Concerns

On or about the 4th of January 2021, WhatsApp prompted users to accept a new privacy policy which would enable it to share all of the users’ data with Facebook by the 8th of February 2021. Should a user not accept the terms of the privacy policy, they would no longer be able to use the app. The personal data WhatsApp would collect and send to Facebook included, inter alia, the following:

  • the user’s phone number;
  • other users’ numbers stored in the address books;
  • features the user uses;
  • type of phone;
  • mobile network and IP address; and
  • location information.

One of the biggest concerns to WhatsApp users was the possibility that their personal messages would also be shared along with their other personal data. WhatsApp has, however, clarified the issue and reiterated that all messages will stay fully encrypted. Full end-to-end encryption of messages ensures that only the data subject and the person they are communicating with can read or listen to what is sent, and nobody in between, not even WhatsApp. With end-to-end encryption, messages are secured with a lock, and only the recipient and the data subject have the special key needed to unlock and read them. All of this happens automatically.

What is the POPI Act

The POPI Act, which was signed into law on the 19th of November 2013, is South Africa’s comprehensive data protection law, which regulates the processing of the personal information of data subjects, both natural and juristic persons. It is designed to protect data subjects from data breaches, cybercrime, theft and discrimination. The POPI Act regulates how responsible parties may collect, process, store and share data subjects’ personal information by holding them accountable should they abuse or compromise the personal information they hold in any way.

The risks of non-compliance include reputational damage, fines and imprisonment, and paying out damage claims to data subjects.

How is the Information Regulator (South Africa) addressing your concerns

The Regulator met, on or about the 13th of January 2021, to discuss the matter regarding the revised WhatsApp privacy policy. The Regulator also made contact with Facebook South Africa, which provided the Regulator with the revised WhatsApp privacy policy. The Regulator has confirmed that continued engagements with Facebook South Africa are taking place.

In terms of the revised WhatsApp privacy policy, it appears that there are different terms of service and privacy policies for users in European countries and in non-European countries. Analysis is underway in order to determine whether the revised WhatsApp privacy policy obtained from Facebook South Africa indeed differs from the terms of service and the privacy policies applicable to users in European countries, and whether or not the revised WhatsApp privacy policy is in compliance with the POPI Act.

VDMA’s team of experts will continue to monitor and report on the developments of the WhatsApp investigations and are available to assist you and your business with any POPI requirements you may have.

Published 18 February 2021