
05/07/2022

South Africa’s Protection of Personal Information Act (POPIA) was designed to prevent our private data being used unlawfully. But how much protection do we really have?

Nelson Mandela University’s cyberlaw adjunct professor Sizwe Snail ka Mtuze and the Faculty of Law’s Stephen Newman investigated.

The pair have been researching key aspects of cyberlaw, notably POPIA and the Cybercrimes Act.

On popular apps such as WhatsApp, the potential for cross-pollination of data and information is virtually unlimited, says Prof ka Mtuze – and it’s just one of a multitude of apps gathering data from us. All apps collect information and routinely ask permission to access location, photos and other personal data.

At the heart of worldwide concern about WhatsApp – which Facebook owns – is access to and use of personal information, particularly in light of the app’s updated privacy policy, which gives the company greater access to data.

“WhatsApp states that they do not have access to private information such as individual conversations; that these are end-to-end encrypted. They claim their new policy only gives them access to ‘data’ as opposed to ‘personal information’.

“What is concerning, however, is their use of the term ‘data’, because the line between data and personal information is diffused, and both are very valuable commodities that can be shared and sold.”

WhatsApp has responded that it only uses data about data (metadata) which, inter alia, assists marketers – who pay for online advertising – to more accurately and directly serve and market to the consumer, says Newman.

“However, WhatsApp has access to all of its subscribers’ personal information, including phone numbers, email addresses, avatars, account registration details and service information, which is very revealing personal information.

“There is conflict between their policy and the protection of personal information, as well as consumer protection regulations.”

Dealing with data bullies

Adding to the concern, they explain, is that WhatsApp is not a stand-alone company. Facebook has a huge amount of power globally: it owns the four most downloaded apps of the decade – Facebook, Facebook Messenger, Instagram and WhatsApp.

South Africa’s response to these growing concerns has been to implement the Protection of Personal Information Act (POPIA), which prevents our personal information being used in an unlawful manner.

“In terms of POPIA, without obtaining prior authorisation from South Africa’s Information Regulator (IR), WhatsApp cannot process the contact information of its users other than for the purpose for which it was originally collected,” Prof ka Mtuze explains. “It may not link that information to information processed by other Facebook companies or share it with any others.

“Companies operating in South Africa were obliged to comply with the POPIA by 1 July last year (2021). They now have to deal far more diligently with the personal information they collect and the buying and selling of personal information on the open market is no longer allowed.

“Failure to comply with the POPIA rules may result in the IR imposing an administrative penalty of up to R10-million or imprisonment of up to 10 years, or both.”

Roles and responsibilities

During a webinar hosted by Nelson Mandela University in January 2021 titled WhatsApp Privacy Policy: Testing South African Data Protection Laws, attorney Lucien Pierce from PPM Attorneys, who has been in the cyberlaw space for the last 20 years, explained that an increasing number of business clients have been asking what the implications of POPIA are for their businesses.

“Once the documents are on your device, it is not WhatsApp’s fault if you are storing them in an insecure manner. It is up to you to ensure that the documentation that you are storing on the device is secure. Much like if I bring documents home and I put them on my desk, I should ensure that my windows and doors are locked so that somebody who is up to mischief cannot access them.

“By the beginning of July 2021, every business and organisation was required to have a POPIA-registered information officer and a data protection policy; we all have to make sure our employees are informed about the POPIA, and the information officer needs to ensure our business processes protect all information and data according to the law.

“Employees need to understand what they are and are not allowed to do when using company data, be it on WhatsApp or email or any service or platform. Highly confidential documents or information can be protected using technology.

“In synopsis, we all need to make sure that our businesses and organisations have sufficient plans and policies in place, including in contracts, to ensure that data that is held by us on any platform, is dealt with as prescribed by the POPIA. And, whether you are an individual or an organisation, the watchwords should always be ‘caution first’.”

Contact information
Mr Stephen Newman
Lecturer
Tel: +27 (0)41 504 2582
stephen.newman@mandela.ac.za