Are you really giving your consent freely?
Provided by Eversheds Sutherland
Eversheds Sutherland represents the coming together of two firms with a shared ethos and commitment to client service excellence. We are known for our business savvy and industry intelligence and for providing innovative and ... more
By Tyron Fourie and Matthew Anley
08 Feb 2021
On 17 January 2021 following an outcry on social media, WhatsApp subsequently announced that it would delay enforcing its new privacy terms until 15 May 2021 in an effort for WhatsApp to “clear up the misinformation around how privacy and security works on WhatsApp”.
On a daily basis, people use services such as WhatsApp, Facebook, and Instagram which require users to provide their consent for these applications to use all sorts of information which may not be strictly required for use of such service. However, if you do not give your consent and agree to the terms and conditions you are denied use of those services. This may be acceptable to some people who are able to carry on without these services or applications, but what happens where the service is an important aspect to a person’s everyday life?
WhatsApp, as a messaging service, has become deeply entrenched in many South African’s daily lives. In a country where airtime for phone calls and SMSs are just not affordable to many people the use of WhatsApp has become prevalent as an alternative mode of communication, to the extent that WhatsApp has a 96% penetration level in South Africa according to a Global Web Index report. This means that WhatsApp has become so prevalent in South Africa that many people are dependent on it for their day-to-day communications.
POPIA defines consent as “any voluntary, specific and informed expression of will in terms of which permission is given for the processing of personal information.”
This definition is similar to the consent requirements set out in the GDPR which provides that consent must be freely given, specific, informed, and unambiguous. However, the GDPR also provides that the element “free” implies a real choice by the data subject. It makes it clear that consent should not be bundled up as a condition of service unless it is necessary for that service. Any element of inappropriate pressure or influence which could affect the outcome of that choice renders the consent invalid.
So, what does this mean for the average South African consumer?
Well, if the Regulator determines that you have not freely given your consent to a service provider for them to collect the types of personal information as may be listed in their terms of service then, in order to remain compliant with POPIA, that service provider will only be entitled to collect and process your personal information if such processing is not excessive, and is necessary to for the service provider to perform the services which you, as the data subject, are using.
However, if consent is found not to have been freely given, service providers like WhatsApp will need to convince the Regulator that the information which it collects from a user is required to provide the service and that it will not be kept for longer than necessary to provide the services, and that its parent company has a need for such information.
If the Regulator follows the lead of the European and UK data regulators the consent requirement under POPIA may be interpreted to mean that unless consent is a necessary requirement to receive a service then it cannot be made to be a condition to receive that service. Currently, it seems that the Regulator will be focused on ensuring that WhatsApp’s new privacy terms are compliant with POPIA before it makes any further announcements regarding the service, and it may not even explore the question of freely given consent.
However, once POPIA comes into effect on 01 July 2021 this may be an interesting question which the Regulator will be called on to answer. If the Regulator finds that the answer to this question is “no” then this may have a big impact on how service providers engage with consumers using online services in future.
- Commencement of certain sections of the Protection of Personal Information Act
- Is your organisation POPIA ready?
- Snap, crackle and POPI
- Popia compliance – Cyber-attacks, ransomware and data breaches
Tyron Fourie is a partner in the commercial department in Johannesburg. He acts for a range of clients including those in the IT, telecoms, consumer, banking and insurance sectors. His... Read more about Tyron Fourie
Matthew is a senior associate in Eversheds Sutherland's commercial department based at the Campus Office in Bryanston. He has experience as both external counsel and internal legal counsel. Matthew obtained... Read more about Matthew Anley