Warning over Truecaller and other spam-blockers in South Africa
The popular spam call identification app Truecaller is being scrutinized in South Africa amid concerns that its practices may violate the Protection of Personal Information Act (POPIA).
While South Africa’s Information Regulator has not formally investigated the app, legal experts argue that Truecaller’s methods of collecting and handling data could breach the law.
Truecaller, on the other hand, insists its practices are lawful and prioritise user privacy.
Truecaller allows users to identify unknown callers by accessing a global database of phone numbers.
However, its functionality depends on users granting access to their contact lists, potentially exposing others’ personal information without their knowledge or consent.
This practice has drawn criticism from legal experts like Ahmore Burger-Smidt, head of the regulatory practice at Werksmans Attorneys, who contends that Truecaller’s approach contravenes POPIA in two key ways.
Firstly, South African law prohibits the transfer of personal information outside the country unless the recipient entity adheres to binding corporate rules or agreements that comply with POPIA.
Truecaller, a global service, processes and stores data on international servers, raising concerns about compliance with this requirement.
Secondly, Burger-Smidt highlights the issue of non-subscribers—individuals whose information may be uploaded to Truecaller’s database without their consent.
According to her, while Truecaller shifts responsibility to its users through terms and conditions requiring them to obtain consent, the company remains the “responsible party” under POPIA.
As such, it cannot absolve itself of accountability simply because the data is collected via user actions.
Burger-Smidt also raises a practical concern: how would non-users become aware that their information is in Truecaller’s database?
While the app offers an “unlist” function, its effectiveness is questionable if individuals do not know their data has been collected.
She suggests that Truecaller notify individuals via SMS or email whenever their numbers are added, providing them with information about its privacy policy and steps to delist themselves.
Truecaller has declined to implement such a notification system, stating that it aims to balance individuals’ rights to know who calls them with their privacy.
Truecaller defends its practices by emphasising its commitment to privacy and user rights.
A spokesperson for the company stated, “Every individual has an inherent fundamental right to know who is calling them, and we enable our users to exercise it.”
Truecaller insists that its policies comply with local laws across jurisdictions and are designed to harmonize global requirements.
The company points to features such as enabling users to edit profiles, download their data, and deactivate their accounts as evidence of its privacy-first approach.
However, Truecaller’s explanations have not fully addressed concerns about its practices.
Critics, including Burger-Smidt, argue that the app’s reliance on user-uploaded contacts puts it at odds with POPIA, regardless of its terms and conditions.
She cautions that users who grant apps access to their contacts should consider the broader implications for those whose data they inadvertently expose.
Truecaller’s global head of corporate communications, Hitesh Bhagat, has attempted to clarify misconceptions about the app.
Speaking to CapeTalk, Bhagat stated that Truecaller does not require access to users’ contacts during signup.
He explained that access is requested later for specific features, such as screening calls or using the app as a dialer.
Bhagat also emphasised that the app does not upload phonebooks for users who download it from Google Play or the Apple App Store.
However, he acknowledged that users who download the app directly from Truecaller’s website could opt into an “Enhanced Search” feature, which involves uploading their contacts after obtaining consent.
Despite the reassurances, Truecaller has not fully dispelled the legal and ethical questions surrounding its data practices.
The Information Regulator of South Africa has confirmed to MyBroadband that it has not received any complaints about Truecaller.
However, spokesperson Nomzamo Zondi encouraged individuals to lodge complaints if they believe their privacy rights have been violated.
“We encourage people to lodge complaints in this regard so that the regulator can attend to this matter,” she said.
While Truecaller has not faced formal action from South Africa’s regulatory bodies, the debate highlights the tension between technological innovation and privacy rights.
Legal experts argue that global services like Truecaller must prioritise compliance with local laws, especially in jurisdictions with stringent data protection regulations like South Africa.
Until these concerns are resolved, the app’s operations remain under scrutiny, and South African users are urged to consider the implications of sharing their contacts with such platforms.
Read: Big trouble for couriers and delivery drivers in South Africa