Advocate Pansy Tlakula, chairperson of the Information Regulator.
South Africa’s Information Regulator is in a legal “battle” with Google and Meta after the tech giants refused to hand over records, claiming South African law doesn’t apply to them despite doing business in the country.
This is according to advocate Pansy Tlakula, chairman of the Information Regulator, who updated the media on various enforcement matters this morning.
Tlakula says Meta and Google, two of the world’s most valuable companies, have refused to provide access to records they hold on the basis that the Promotion of Access to Information Act (PAIA) doesn’t apply to them, despite them conducting business in South Africa.
The regulator has sought a legal opinion on jurisdictional issues when it comes to its enforcement powers on companies registered offshore, but doing business in South Africa, to “resolve this sticky question”.
The matter arose after Digital Platform Transparency lodged a complaint against both companies for information on how they assessed risks to South Africa’s electoral integrity, and how global policies had been applied locally. In September last year, the regulator said this complaint was under investigation.
See also
Ahead of last year’s elections – which saw the ANC lose its majority for the first time in three decades – Google and Meta partnered with Africa Check and Media Monitoring Africa to tackle election misinformation.
Google also pledged to prioritise high-quality search results linking to IEC sites, remove policy-violating YouTube content through AI and human review, and make ads more transparent by disclosing their funders.
“We are of the firm view that PAIA applies to foreign persons or companies doing business with South Africans and those who live in it, even if they are physically located elsewhere,” Tlakula says.
This matter is among one of 88 other activities recently undertaken, including enforcement and infringement notices as well as investigations.
Another issue involving a mega tech company, WhatsApp, has been resolved through an out-of-court settlement, which quashes the potential of a legal battle between the two over WhatsApp’s failure to comply with several sections of the Protection of Personal Information Act (POPIA).
Tlakula says because the settlement has yet to be made an order of the court, which would happen in the next few days, she was unable to provide additional details.
“We are very careful not to reveal too much because the settlement agreement that we have entered into still has to be made an order of court. And because of that, we really do not want to jeopardise this, because we are approaching the court very soon, in the next few days,” Tlakula says.
WhatsApp, owned by Meta, which is the eighth most valuable company in the world at a market cap of $1.5 trillion, was found to have breached POPIA when it updated its privacy policy in 2021. Following an April enforcement order, WhatsApp initiated legal action to review the regulator’s decision and have it set aside.
Under the settlement agreement, the instant messaging service has agreed to introduce a number of enhancements to the transparency of information that it makes available to South African users, says Tlakula.
In April, the regulator issued an enforcement order stating that WhatsApp had breached several provisions of the law and ordered that it take corrective action. Among the issues the Information Regulator found with its updated privacy policy is that it did not clearly state the lawful basis for processing personal information, using vague wording that prevented proper scrutiny.
WhatsApp, which has more than 10 million users in South Africa, was also found to have forced subscribers to accept the revised policy so that they could continue using the service, which translated into forced consent.
“Consequently, our considered view is that WhatsApp’s approach to obtaining consent amounted to coercion and is deemed invalid in terms of POPIA,” the enforcement notice said.
The company also failed to explain what data it collects or why, shared user information with Meta and other third-parties for unrelated purposes and could not prove that it has adequate security measures in place – refusing to provide evidence of its safeguards to the regulator.
Among the orders made by the regulator was that WhatsApp must align its local operations with the law and develop an updated policy that must be shared with the Information Regulator.
In addition, the Meta-owned company was told to clearly set out what information it collects, how it is processed, and for what purposes, which includes device, use, log and connection data.
WhatsApp was also instructed to show that personal information is used only for its original purpose and that any data shared with Meta or other third-parties complies with POPIA.
In addition, it was required to maintain proper documentation of its processing activities and implement security policies that protect personal data through appropriate technical and organisational safeguards.
