Information Regulator seeking legal advice on WhatsApp privacy policy updates

​​South Africa’s Information Regulation is taking legal advice on WhatsApp’s updated privacy policy, which gives more disclosure about use of their personal information to users in the EU than outside it

On 13 May 2021, the Information Regulator (Regulator) released a statement indicating that it would seek legal advice on possible next steps regarding WhatsApp's updated privacy policy, which came into effect in South Africa on 15 May 2021.

The Regulator's primary concern is that WhatsApp has adopted two distinct privacy policies, one to be implemented in the European Union (EU) (EU Policy) and the other to be implemented in jurisdictions outside the EU (non-EU Policy).  The Regulator notes that WhatsApp's adoption of the non-EU Policy in South Africa is regardless of the fact that South Africa's Protection of Personal Information Act 4 of 2013 (POPIA) contains minimum standards that govern the processing of personal information. These standards are substantively similar to those in the General Data Protection Regulation 2016/679 (GDPR) which regulates the protection of personal information in EU member countries.

Broadly, the EU Policy gives WhatsApp users substantially more information about how and when WhatsApp will use their personal information.  For example, and unlike the non-EU Policy, the EU Policy informs users that WhatsApp may use their personal information for its own legitimate interests, a concept which is the topic of ongoing discussion as to the scope of its application.  There are also discrepancies in the extent to which users under the EU Policy and those under the non-EU Policy are notified how they can exercise their rights under data protection law.

While the distinction is understandable from a legal compliance perspective, as the GDPR contains more prescriptive provisions about the information that WhatsApp should provide to users, it is potentially the principle adopted by WhatsApp which raises concern.  It is important to note that the spirit of data protection law is that data subjects should be given enough information to make an informed decision on whether they consent to sharing their personal information with the relevant controller (WhatsApp).  It is not clear why WhatsApp has adopted an approach that, while presumably resulting in similar if not identical uses of personal information across the world, provides data subjects that are not in the EU with considerably less information about what WhatsApp (and the Facebook group of companies) intends to do with their personal information.

The backdrop of the updated WhatsApp policy is the acquisition of WhatsApp by Facebook in 2014 which resulted in Facebook becoming WhatsApp's parent company. Facebook stated that its intention was to, among other things, gain access to additional consumer data that it could monetize (mainly through advertising-related revenue channels). The changes to the WhatsApp policy must be viewed in this context.

Notably, other jurisdictions are also looking closely at the impact of the privacy policy updates on users.  Specifically, the German Information Regulator has banned Facebook from accessing and using WhatsApp user data, despite the fact that the more comprehensive EU Policy applies to WhatsApp users in Germany.  In a statement, the German Information Regulator stated that the ban was intended to "safeguard the rights and freedoms of the many millions of users" who give their consent to the WhatsApp privacy policy. It remains to be seen whether, having considered legal advice, the Regulator will adopt a similar approach.


These materials are provided for general information purposes only and do not constitute legal or other professional advice. While every effort is made to update the information regularly and to offer the most current, correct and accurate information, we accept no liability or responsibility whatsoever if any information is, for whatever reason, incorrect, inaccurate or dated. We accept no responsibility for any loss or damage, whether direct, indirect or consequential, which may arise from access to or reliance on the information contained herein.

© Copyright Webber Wentzel. All Rights reserved.

Webber Wentzel > News > Information Regulator seeking legal advice on WhatsApp privacy policy updates
Johannesburg +27 (0) 11 530 5000
Cape Town +27 (0) 21 431 7000
Validating email against database, please wait...
Validating email: please wait...
Email verified: Please click the confirmation link sent to your mailbox, also check junk/spam folder. If you no longer have access to this email address or haven't received the verification email then email
Email verified: You are being redirected to manage your subscription
Email could not be verified: Please wait while you are redirected to the Subscription Form
Unanticipated error: Saving your CRM information Subscription Form