News analysis
- South Africa's Information Regulator is activating its power, under a 2013 law, to ban the processing of some kinds of personal information without prior permission.
- The ban kicks in on 1 July, along with many other parts of the Protection of Personal Information Act (Popia).
- But the process of turning it on started just weeks after the Information Regulator issued a stern warning to Facebook around its WhatsApp service.
- The ban happens to cover exactly what the regulator feared: Facebook using personal information it previously gathered in new ways.
South Africa's Information Regulator is activating powers that have long laid dormant in South African legislation, powers that may come in handy if it picks a fight with Facebook – as seems increasingly likely.
The regulator's chair, Pansy Tlakula, on Thursday gazetted the necessary notice to turn on a relatively obscure sub-section of the Protection of Personal Information Act (Popia) on 1 July, when more headline-grabbing provisions of the 2013 law also come into force.
The effect is a ban on the processing of some types of personal information: from 1 July companies will be automatically prohibited from going ahead with covered processing endeavours until they get specific permission from the Information Regulator.
And one of the areas the ban covers is processing related to "any unique identifiers" – a telephone number for instance – "for a purpose other than the one for which the identifier was specifically intended at collection".
That happens to be exactly what the regulator has warned Facebook not to do with the telephone numbers of South Africans collected by its Whatsapp service.
In early March the Information Regulator very publicly took Facebook to task around the controversial Whatsapp privacy policy update.
It had warned Facebook not to take information submitted to Whatsapp and processing it "with the aim of linking that information jointly with information processed by other Facebook companies," the regulator said in a statement.
WhatsApp requires a mobile phone number on signup. It also offers a "contact upload" service, harvesting the address books of users so that it can notify those users when pre-existing contacts of theirs start using Whatsapp.
Whatsapp says it does not share user contacts with the rest of Facebook, and it creates a cryptographic hash of the phone numbers of people not yet on its network, while discarding their actual telephone numbers.
But its privacy update is intended to integrate the WhatsApp messaging service with business services offered by the broader Facebook group, including shopfronts. Should you interact with such a third-party shop, Whatsapp says, some of your information will be shared with Facebook.
Such integration could mean trouble. Under the powers Tlakula activated with her notice on Friday, a company such as Whatsapp will also require prior authorisation before it may use any unique identifier "with the aim of linking the information together with information processed by other responsible parties", as the law refers to those in control of information.
The Information Regulator also has the ability to broaden the scope of application to any kind of information processing it deems "carries a particular risk for the legitimate interests of the data subject".
Those powers come into effect on 1 July thanks to a proclamation published on 1 April. But the proclamation was signed earlier, just two weeks after the regulator publicly put Facebook on notice.
The regulator has previously expressed its frustration that the likes of Facebook do not pay more heed to the privacy demands of South African legislation, while carefully abiding by similar European provisions.
