To WhatsApp or not to WhatsApp: Safeguard your data — the law is on your side
South Africa has implemented the Protection of Personal Information Act, according to which you have to give specific, wilful and informed consent for any party to use your personal information.
A number of cartoons in circulation feature Facebook’s Mark Zuckerberg secretly reading or listening to our WhatsApp messages and chats. At the heart of it is worldwide concern about WhatsApp (which Facebook owns) accessing and using personal information.
This was compounded by its recent, updated privacy policy which gives WhatsApp greater access to what it calls data, including transaction data and user details such as their email addresses and phone numbers. This sharing extends, by association, to all the products and services that Facebook, as a tech conglomerate, owns.
WhatsApp elicited global outrage over its perceived upping of invasion of privacy. Facebook responded by postponing the updated policy implementation from 8 February to 15 May 2021 while it negotiates with countries, including South Africa, on the regulations governing privacy of information.
WhatsApp said it does not have access to private information such as individual conversations and that these are end-to-end encrypted. It claims its new policy only gives it access to “data” as opposed to “personal information”. What is concerning, however, is its use of the term “data”, because the line between data and personal information is blurred, and both are very valuable commodities that can be shared and sold.
Personal information includes, but is not limited to:
- Contact details: email, phone, address, etc;
- Demographic information: age, sex, race, birth date, ethnicity, etc;
- History: employment, financial, educational, criminal, medical history;
- Biometric information: blood type, etc;
- Opinions of and about the person; and
- Private correspondence.
WhatsApp’s response is that it only uses data about data (metadata) which, inter alia, assists marketers (who pay it for online advertising) to serve and market to the consumer more accurately and directly, based on search and purchase patterns. However, WhatsApp has access to all of its subscribers’ personal information, including phone numbers, email addresses, avatars, account registration details and service information, which is very revealing personal information. There is conflict between its policy and the protection of personal information as well as consumer protection regulations.
Adding to the concern is that WhatsApp is not a standalone company. Facebook has a huge amount of power globally. It owns the four most downloaded apps of the decade — Facebook, Facebook Messenger, Instagram and WhatsApp — as well as a range of other companies, including a stake in the Indian tech company Jio Platforms. The potential for cross-pollination of data and information is virtually unlimited.
Having said this, it needs to be emphasised that WhatsApp is just one of a multitude of apps gathering data from you; they all do and they all routinely ask permission to access your location, photos and other personal information.
As consumers, we rely on legislation and the Information Regulator to protect us from the abuse of our personal information and data; the same applies worldwide. The EU has been vigilant about this for a while and has a strict policy in place with WhatsApp. The General Data Protection Regulation, adopted in the EU in 2016 by the 28 member states, protects the private information of EU citizens and contains an express prohibition on data matching. Data matching is used for various kinds of data mining to identify links between data sets for marketing, security and other uses.
The General Data Protection Regulation applies to all companies storing, using or selling personal information about citizens in Europe, including companies on other continents. Companies are expected to apply the same level of protection for things like an individual’s IP address or cookie data as they do for a person’s name, address or social security number. The General Data Protection Regulation is not watertight, but it offers the highest level of protection for personal information or data.
The question is, with this policy already in place between the EU and WhatsApp, why are they not using the same policy for all non-EU countries? Is WhatsApp trying its luck in other jurisdictions that are not as protected? Surely what is good for Europe is good for Africa?
South Africa has implemented the Protection of Personal Information Act (POPIA), which protects you from your personal information being used in an unlawful manner. Section 1 is clear that you have to give specific, wilful and informed consent for any party to use your personal information. The average consumer is not aware of the specific or wilful consent they are giving, and therefore freedom of contract falls by the wayside.
Without obtaining prior authorisation from South Africa’s Information Regulator, in terms of Section 57 of POPIA, WhatsApp cannot process the contact information of its users other than for the purpose for which it was originally collected. It may not link that information to information processed by other Facebook companies or share it with any others.
The regulator further states that companies operating in South Africa must comply with the new rules of POPIA by 1 July 2021. Companies now have to deal far more diligently with the personal information they collect and treat it with the utmost safety, confidentiality and respect. The buying and selling of personal information on the open market is no longer allowed and many data brokers will find themselves out of business.
Failure to comply with the POPIA rules may result in the regulator imposing an administrative penalty of up to R10-million or imprisonment of up to 10 years, or both.
WhatsApp and Facebook’s response is a “take it or leave it” approach — accept the terms and conditions they prescribe, which thus far includes use of your “data”, or choose not to use these platforms. There are other instant messaging platforms like Telegram or Signal, but they too have terms and conditions.
All these platforms are exceptionally useful and enabling, and we are deep into the era of big data and the Fourth Industrial Revolution, where digital communication and cyber storage are commonplace. So what to do? Just as we had to take as many privacy precautions as possible in the physical space of yesteryear, we need to do the same in the cyberspace of our current reality.
The fact is our personal information is being used and we need to be careful about what we share on any app, social media platform or email. If you discover your personal information has been breached, you can lay a complaint with the regulator. While we laud this development and the enforcement of POPIA, it will no doubt be a lengthy, difficult process to take an offending party to the regulator or to court.
The practical response is therefore to make sure that the devices we use, or that employees use, have appropriate security settings enabled, and that employees are trained in basic cybersecurity and what to look out for, so that they become vigilant about their devices not being compromised.
During a webinar hosted by Nelson Mandela University in late January, titled WhatsApp Privacy Policy: Testing South African Data Protection Laws, attorney Lucien Pierce from PPM Attorneys, who has been in the cyber law space for the past 20 years, explained that an increasing number of business clients have been asking what the implications are for their businesses.
He said: “Once the documents are on your device, it is not WhatsApp’s fault if you are storing them in an insecure manner. It is up to you to ensure that as soon as you receive the information, the documentation that you are storing on the device is secure. Much like if I bring documents home and I put them on my desk. I should ensure that my windows and doors are locked so that somebody who is up to mischief cannot access them.”
Pierce went on to say: “We all know that breaches have occurred: we have heard about journalists in the Middle East having their WhatsApp messages accessed and prosecutions following as a result of that. The reality is that those breaches and accessing of WhatsApp messages occurred through other malware — other pieces of software that were placed on the phone, and the phone was then infected and taken control of. Once someone has control of your phone, we know they can access various parts of it, whether it be your camera, email or WhatsApp.”
To enhance their cyber security and information protection, he advises companies to look at enterprise software solutions like Office 365, which allow an administrator to delete certain portions of an employee’s phone or device. Other software can be implemented within an organisation to manage the use of instant messaging such as WhatsApp.
By the beginning of July, every business and organisation needs to have a POPIA-registered information officer and a data protection policy; we all have to make sure our employees are informed about POPIA, and the information officer (usually a suitable existing member of staff) needs to ensure our business processes protect all information and data according to the law.
Employees need to understand what they are and are not allowed to do when using company data, be it on WhatsApp, email or any other service or platform. Highly confidential documents or information can be protected using technology: they can be password-protected when sent, and the password can then be sent to the receiver via a different channel.
In summary, we all need to make sure that our businesses and organisations have sufficient plans and policies in place, including in contracts, to ensure that data held by us on any platform are dealt with as prescribed by POPIA.
We’ve addressed just the tip of the iceberg here, but whether you are an individual or an organisation, the watchword should always be caution first.
Note: The Information Regulator has published guidance for the registration of information officers on its website. The regulator is aiming to go live with an online portal for the registration of information officers by the end of April at this address. DM
Sizwe Snail ka Mtuze is adjunct professor and Stephen Newman a lecturer in the Faculty of Law at Nelson Mandela University.