Smartphones 24.04.2025

WhatsApp ordered to make changes in South Africa

The Information Regulator has published details regarding WhatsApp’s breach of various sections of the Protection of Personal Information Act (POPIA), resulting in the watchdog issuing the company an enforcement notice.

While the full notice was only uploaded to the watchdog’s website this month, it was already served on WhatsApp in September 2024.

The Information Regulator instructed WhatsApp to provide a report within 60 days of receiving the notice as proof of its compliance with its directives.

Failure to comply could result in the issuance of a fine of up to R10 million, imprisonment for a period not exceeding 10 years, or a combination of both.

MyBroadband asked the watchdog whether WhatsApp has complied with its instructions within the specified timeframe, but it didn’t immediately respond to our query.

The Information Regulator listed various directives for the company to comply with POPIA. It determined that WhatsApp breached Section 8, Section 9, Section 11, Section 13, Section 15, Section 17, and Section 19 of the act.

Regarding its breach of Section 8, the watchdog instructed WhatsApp to demonstrate that its Revised Privacy Policy complies with all conditions for the lawful processing of personal information in POPIA. It must also submit said policy to the regulator.

Section 9 of POPIA relates to processing limitations for personal information. The regulator noted that WhatsApp’s Revised Privacy Policy for Europe included various reasons for how it processes personal data.

However, the same provisions are not included in the Revised Privacy Policy for users in South Africa.

The watchdog said the excluded provisions include principles entrenched in POPIA. Personal information may only be processed if:

  • Data subjects give consent;
  • Processing is necessary to carry out actions for the conclusion or performance of a contract to which the data subject is a party;
  • Processing protects a legitimate interest of the data subject; or,
  • Processing is necessary to pursue the legitimate interests of the responsible party or a third party to whom the information is supplied.

Section 11 relates to consent, which is defined as any voluntary, specific, and informed expression of will through which permission is given to process personal information.

The watchdog explained that WhatsApp forces users to accept certain terms and conditions or policy provisions without a lawful basis or other grounds for lawful processing.

“Such consent would be deemed invalid and any processing that is conducted pursuant to it would be in contravention of POPIA,” it stated.

“WhatsApp is ordered to ensure that its Revised Privacy Policy referred to above entrenches the conditions of lawfulness and consent stipulated in POPIA.”

Section 13 of POPIA stipulates that personal information must be collected for a specific, explicitly defined, and lawful purpose.

According to the Information Regulator, WhatsApp has failed to explain the purposes for personal information collection in its Revised Privacy Policy.

“The Revised Privacy Policy referred to above must include the purpose for processing device operation information, usage and log information, and device connection information,” it added.

WhatsApp is also allegedly in breach of POPIA Section 15. The section specifies that collected information can only be used for the purpose for which it was collected.

However, the watchdog said WhatsApp shares collected information with other companies, including those owned by Meta Platforms and third parties.

“This is clearly indicative of further processing activities from WhatsApp. If the new purpose is significantly different from the original purpose, then it is incompatible with the original purpose,” it said.

Sections 17 and 19 relate to openness and security safeguards, respectively.

Section 17 states that a responsible party, in this case WhatsApp, must maintain documentation of all processing operations in accordance with the Promotion of Access to Information Act (PAIA).

However, WhatsApp believes PAIA provisions don’t apply as it isn’t based in South Africa.

“It is the considered view of the Regulator that this interpretation of PAIA by WhatsApp is incorrect,” the watchdog stated.

“WhatsApp is therefore required to maintain the documentation of the processing activities under its responsibility as referred to in Section 51 of PAIA.”

Regarding the provisions in Section 19, the Information Regulator said WhatsApp has failed to demonstrate that it has documented enterprise information security policies or issue-specific security policies.

“WhatsApp is essentially stating that it should be taken on its word that it has adequate safeguards in place without demonstrating this to the Regulator,” it stated.

The watchdog has ordered WhatsApp to ensure that its Enterprise Information Security Policy or Specific Information Security Policies have appropriate, reasonable, technical, and organisational measures to prevent the loss of, damage to, or unauthorised destruction of personal information.

The Information Regulator also specified additional instructions, including:

  • Undertake a Personal Information Impact Assessment (PIIA) and submit said assessment to the regulator;
  • Ensure that it communicates with data subjects in an easy-to-understand manner that promotes transparency; and,
  • Implement enhancements to various FAQ documents.

The enforcement notice was issued on 10 September 2024 and gave WhatsApp until 10 November 2024 to comply with its instructions. We will update the article if the Information Regulator provides feedback to our query.
