Are you really giving your consent freely?

08 Feb 2021

In early January 2021, WhatsApp notified its users that it had updated its terms of service and privacy policy. It said that its users would have to agree to let its parent company, Facebook, and its subsidiaries collect WhatsApp data, including, amongst other things, user phone numbers, contacts’ phone numbers, and location information with no option to opt out. If users did not agree by 08 February 2021, they would lose access to WhatsApp.

On 13 January 2021, the South African Information Regulator (the “Regulator”) issued a statement informing South Africans that it had met to discuss the matter and that the Regulator had contacted Facebook South Africa and that engagements were on-going. The Regulator would be analysing whether the WhatsApp terms of service and privacy policy were compliant with the Protection of Personal Information Act, 2013 (“POPIA”).

On 17 January 2021 following an outcry on social media, WhatsApp subsequently announced that it would delay enforcing its new privacy terms until 15 May 2021 in an effort for WhatsApp to “clear up the misinformation around how privacy and security works on WhatsApp”.

Apart from the POPIA compliance questions with which the Regulator will no doubt need to satisfy itself, WhatsApp’s statement that if users fail to agree to the updated terms of service and privacy policy then they will lose access to the messaging service raises another interesting question. Have you freely given your consent if consent is a requirement for continued use of an important service?

On a daily basis, people use services such as WhatsApp, Facebook, and Instagram which require users to provide their consent for these applications to use all sorts of information which may not be strictly required for use of such service. However, if you do not give your consent and agree to the terms and conditions you are denied use of those services. This may be acceptable to some people who are able to carry on without these services or applications, but what happens where the service is an important aspect to a person’s everyday life?

WhatsApp, as a messaging service, has become deeply entrenched in many South African’s daily lives. In a country where airtime for phone calls and SMSs are just not affordable to many people the use of WhatsApp has become prevalent as an alternative mode of communication, to the extent that WhatsApp has a 96% penetration level in South Africa according to a Global Web Index report. This means that WhatsApp has become so prevalent in South Africa that many people are dependent on it for their day-to-day communications.

It appears to be a cunning strategy from WhatsApp’s parent company, Facebook. Provide a service upon which the majority of a population become reliant, without a well-established alternative, and then change the terms of service and privacy policy to ensure that all users must consent to the collection of their and their contacts’ data in order to continue using the service. Ethical questions of this strategy aside, the question is, without a well-established and viable alternative platform for consumers to migrate to, would WhatsApp be able to argue that its users have freely given their consent to the change in the terms of service and privacy policy?

POPIA defines consent as “any voluntary, specific and informed expression of will in terms of which permission is given for the processing of personal information.”

This definition is similar to the consent requirements set out in the GDPR which provides that consent must be freely given, specific, informed, and unambiguous. However, the GDPR also provides that the element “free” implies a real choice by the data subject. It makes it clear that consent should not be bundled up as a condition of service unless it is necessary for that service. Any element of inappropriate pressure or influence which could affect the outcome of that choice renders the consent invalid.

So, what does this mean for the average South African consumer?

Well, if the Regulator determines that you have not freely given your consent to a service provider for them to collect the types of personal information as may be listed in their terms of service then, in order to remain compliant with POPIA, that service provider will only be entitled to collect and process your personal information if such processing is not excessive, and is necessary to for the service provider to perform the services which you, as the data subject, are using.

However, if consent is found not to have been freely given, service providers like WhatsApp will need to convince the Regulator that the information which it collects from a user is required to provide the service and that it will not be kept for longer than necessary to provide the services, and that its parent company has a need for such information.

If the Regulator follows the lead of the European and UK data regulators the consent requirement under POPIA may be interpreted to mean that unless consent is a necessary requirement to receive a service then it cannot be made to be a condition to receive that service. Currently, it seems that the Regulator will be focused on ensuring that WhatsApp’s new privacy terms are compliant with POPIA before it makes any further announcements regarding the service, and it may not even explore the question of freely given consent.

However, once POPIA comes into effect on 01 July 2021 this may be an interesting question which the Regulator will be called on to answer. If the Regulator finds that the answer to this question is “no” then this may have a big impact on how service providers engage with consumers using online services in future.

See also:

• Commencement of certain sections of the Protection of Personal Information Act
• Is your organisation POPIA ready?
• Snap, crackle and POPI
• Popia compliance – Cyber-attacks, ransomware and data breaches

(This article is provided for informational purposes only and not for the purpose of providing legal advice. For more information on the topic, please contact the author/s or the relevant provider.)