South Africa’s Information Regulator has taken decisive action against WhatsApp, accusing the messaging giant of violating key sections of the country’s Protection of Personal Information Act (POPIA). The enforcement notice, served in September 2024 and only recently made public, gives WhatsApp 60 days to address the breaches or risk a fine of up to R10 million, jail time, or both.
The regulator found that WhatsApp’s privacy policy for South African users falls short of the standards offered to users in Europe, despite similar legal protections under POPIA and the EU’s GDPR. Specifically, WhatsApp was cited for:
Failing to obtain proper, freely given consent from users, instead forcing acceptance of terms without real choice.
Not clearly stating why it collects certain types of data, such as device and usage information.
Sharing collected data with Meta and third parties for purposes not aligned with the original reason for collection, breaching POPIA’s rules on data use.
Lacking transparency and adequate documentation about its data processing activities, as required by law.
Not providing sufficient evidence of technical and organisational safeguards to protect user information.
WhatsApp was ordered to update its privacy policy, conduct a thorough personal information impact assessment, and improve communication with users in clear, simple language. The company must also comply with South Africa’s Promotion of Access to Information Act (PAIA), a requirement it previously argued did not apply due to its global operations-an argument the regulator rejected.
If WhatsApp fails to comply, it could face severe penalties, marking a significant moment for data privacy enforcement in South Africa and setting a precedent for how global tech companies handle user data on the continent. As of now, the public is still waiting to see if WhatsApp has met the regulator’s demands.
