WhatsApp Saga – a reminder of the importance of POPIA in South Africa

The recent announcement by Facebook, the parent company of WhatsApp, regarding the modification of the data collection structure in its terms and conditions was met with caution and cynicism the world over.

The protection and privacy of personal information have been much-debated issues in the past decade. Proponents of stricter data protection policies are quick to bring to the fore the alleged data breaches at Cambridge Analytica and Yahoo! in the United States, given that in the case of Yahoo! a class action eventually had to be settled.

Subsequently, privacy policies of entities that collect personal data (responsible parties) have undergone major revamps with governments putting in place measures that encourage responsibility and transparency in the handling of personal information. The General Data Protection Regulation (GDPR), which came into effect in May 2018 in Europe, is one such measure.

South Africa enacted the Protection of Personal Information Act 4 of 2013 (POPIA), which provides in s 2 that it seeks to ‘give effect to the constitutional right to privacy, by safeguarding personal information when processed by a responsible party, subject to justifiable limitations’. POPIA came into effect on 1 July 2020 with a grace period of 12 months, although some of its sections had commenced in 2014.

To comply with POPIA in the processing and gathering of personal information, responsible parties must adhere to POPIA in general and, in particular, to the eight conditions provided in its regulations, namely:

  • ‘Accountability’ is achieved by aligning data collection procedures and measures so that they are aimed solely at compliance.
  • ‘Processing limitation’ is aimed at the gathering of information for the purpose it was collected for, coupled with consent for such particular purpose.
  • For the responsible party to comply with the condition of ‘purpose specification’, the data subject must know the exact and explicit purpose for which personal information is required.
  • ‘Further processing limitation’ places an obligation on the responsible party to request further authorisation should the purpose for which the information was initially collected substantially alter. Further authorisation is, however, not necessary for ancillary purposes, which fall within the ambit of the originally authorised purpose.
  • The collected information is to be validated so that it is accurate, complete and not misleading. This is what is provided for in compliance with the condition of ‘information quality’.
  • ‘Openness’ requires that the data subject be awake to the fact that their information is being collected and given clear reasons why.
  • Unauthorised access, disclosure, modification and destruction of the gathered information must be avoided at all costs. The responsible party must put ‘security safeguards’ in place in order to achieve this.
  • ‘Data subject participation’ demands that the data subject be involved in the collection, amendment or obliteration of the data.

POPIA is applicable in the workplace too, where employees’ personal information collected for operational reasons must be collected in compliance with the conditions set out above.

It is imperative that responsible parties put measures in place to fully comply with POPIA on or before 30 June 2021, prior to the lapse of the 12-month grace period. The Act aims to eradicate the unlawful processing of personal information and it remains to be seen how successful it will be.

In the meantime, companies must ensure that their terms and conditions, particularly their privacy policies, comply with POPIA.

Romeo Tsusi