South Africa’s Information Regulation is taking legal advice on WhatsApp’s updated privacy policy, which gives more disclosure about use of their personal information to users in the EU than outside it
On 13 May 2021, the Information Regulator (Regulator) released a statement indicating that it would seek legal advice on possible next steps regarding WhatsApp's updated privacy policy, which came into effect in South Africa on 15 May 2021.
The Regulator's primary concern is that WhatsApp has adopted two distinct privacy policies, one to be implemented in the European Union (EU) (EU Policy) and the other to be implemented in jurisdictions outside the EU (non-EU Policy). The Regulator notes that WhatsApp's adoption of the non-EU Policy in South Africa is regardless of the fact that South Africa's Protection of Personal Information Act 4 of 2013 (POPIA) contains minimum standards that govern the processing of personal information. These standards are substantively similar to those in the General Data Protection Regulation 2016/679 (GDPR) which regulates the protection of personal information in EU member countries.
Broadly, the EU Policy gives WhatsApp users substantially more information about how and when WhatsApp will use their personal information. For example, and unlike the non-EU Policy, the EU Policy informs users that WhatsApp may use their personal information for its own legitimate interests, a concept which is the topic of ongoing discussion as to the scope of its application. There are also discrepancies in the extent to which users under the EU Policy and those under the non-EU Policy are notified how they can exercise their rights under data protection law.
While the distinction is understandable from a legal compliance perspective, as the GDPR contains more prescriptive provisions about the information that WhatsApp should provide to users, it is potentially the principle adopted by WhatsApp which raises concern. It is important to note that the spirit of data protection law is that data subjects should be given enough information to make an informed decision on whether they consent to sharing their personal information with the relevant controller (WhatsApp). It is not clear why WhatsApp has adopted an approach that, while presumably resulting in similar if not identical uses of personal information across the world, provides data subjects that are not in the EU with considerably less information about what WhatsApp (and the Facebook group of companies) intends to do with their personal information.
The backdrop of the updated WhatsApp policy is the acquisition of WhatsApp by Facebook in 2014 which resulted in Facebook becoming WhatsApp's parent company. Facebook stated that its intention was to, among other things, gain access to additional consumer data that it could monetize (mainly through advertising-related revenue channels). The changes to the WhatsApp policy must be viewed in this context.
Notably, other jurisdictions are also looking closely at the impact of the privacy policy updates on users. Specifically, the German Information Regulator has banned Facebook from accessing and using WhatsApp user data, despite the fact that the more comprehensive EU Policy applies to WhatsApp users in Germany. In a statement, the German Information Regulator stated that the ban was intended to "safeguard the rights and freedoms of the many millions of users" who give their consent to the WhatsApp privacy policy. It remains to be seen whether, having considered legal advice, the Regulator will adopt a similar approach.
