The regulator’s primary concern is that WhatsApp has adopted two distinct privacy policies: one to be implemented in the EU and the other to be implemented in jurisdictions outside the EU, said Wendy Tembedza, a senior associate at Webber Wentzel.
“The regulator notes that WhatsApp’s adoption of the non-EU Policy in South Africa is regardless of the fact that South Africa’s Protection of Personal Information Act (POPIA) contains minimum standards that govern the processing of personal information.
“These standards are substantively similar to those in the General Data Protection Regulation (GDPR) which regulates the protection of personal information in EU member countries.”
Broadly, the EU policy gives WhatsApp users substantially more information about how and when WhatsApp will use their personal information, said Tembedza.
“For example, and unlike the non-EU Policy, the EU Policy informs users that WhatsApp may use their personal information for its own legitimate interests, a concept which is the topic of ongoing discussion as to the scope of its application.
“There are also discrepancies in the extent to which users under the EU Policy and those under the non-EU Policy are notified how they can exercise their rights under data protection law.”
While the distinction is understandable from a legal compliance perspective, as the GDPR contains more prescriptive provisions about the information that WhatsApp should provide to users, it is potentially the principle adopted by WhatsApp which raises concern, said Tembedza.
“It is important to note that the spirit of data protection law is that data subjects should be given enough information to make an informed decision on whether they consent to sharing their personal information with the relevant controller (WhatsApp),” she said.
“It is not clear why WhatsApp has adopted an approach that, while presumably resulting in similar if not identical uses of personal information across the world, provides data subjects that are not in the EU with considerably less information about what WhatsApp, and the Facebook group of companies, intends to do with their personal information.”
The backdrop of the updated WhatsApp policy is the acquisition of WhatsApp by Facebook in 2014 which resulted in Facebook becoming WhatsApp’s parent company.
Facebook stated that its intention was to, among other things, gain access to additional consumer data that it could monetize mainly through advertising-related revenue channels.
The changes to the WhatsApp policy must be viewed in this context, said Tembedza.
“It remains to be seen whether, having considered legal advice, the Regulator will adopt a similar approach.”