The Digital Migration: Unfounded or Warranted?


Telegram founder Pavel Durov recently called the move away from WhatsApp “the largest digital migration in human history” as millions of WhatsApp users migrated to “overnight” popular alternatives such as Signal and Telegram. This digital migration was precipitated by

the announcement made by WhatsApp on 4 January 2021 regarding the updating of their privacy policy that was meant to take effect on 8 February 2021. Users were advised to accept the updated policy by the 8th of February 2021 or be barred from the use of the platform. The backlash from users saw the messaging giant extending the deadline from the 8th of February 2021 to the 15th of May 2021.

It can be argued that the dramatic response by consumers to WhatsApp’s proposed changes is reflective of the increased awareness by consumers of their privacy rights. There is also an overall concern, one can say, regarding the abuse and increased infringements of privacy rights due to unauthorised collection of personal information.

It is important therefore to closely examine what the proposed changes will mean for the consumer.

Salient features of the previous WhatsApp privacy policy

WhatsApp introduced end-to-end encryption, which prevented WhatsApp from storing messages once they had been delivered. This enabled the privacy of chats to be protected by ensuring that messages and videos shared between users could not be read by WhatsApp or independent third parties.

However, WhatsApp still had access to information such as profile pictures, statuses and user contacts. Importantly, the policy required the express consent of the user to share information with the other entities in the Facebook group of companies, through ‘opt-out’ option. From a privacy perspective, this feature was important, as it allowed the consumer to retain the option not to share their WhatsApp user account information with Facebook without express prior consent.

The updated WhatsApp privacy policy

Some important changes requiring careful consideration by consumers and the Protection of Personal Information Act, 4 of 2013 (“POPIA”) regulator pertain to: (i) the intra-group sharing of information among the Facebook group of companies; and (ii) use of the shared information by the companies. Furthermore, WhatsApp will broaden the scope of the information to be collected to include device specific information, information about how users are messaging, calling, which WhatsApp groups users are part of, etc. and in countries where users are able to make payment via WhatsApp, information on transactions and payment data will also be collected. However, it is important for consumers to understand that chats between consumers will continue to be protected by end-to-end encryption.

With the exclusion of the opt-out option, it could be argued that the net effect is that consumers are being required to forfeit more and more personal information. In that sense, the ‘take-it-or leave it’ stance may have gone too far, pushing some consumers to seek more accommodating alternatives. More importantly, in the South African context, it remains to be seen whether the revised privacy policy will be in line with the rigorous data protection requirements set out in the POPIA.

For instance, the POPIA prohibits the unlawful processing of information and sets out specific grounds of illegality. In this regard, a question that immediately comes to mind is whether a consumer can still be said to have given their consent to the privacy policy voluntarily, if he or she consents only for reasons of not wanting to be removed from the platform (e.g. inconvenience of losing a valuable network). In another example, given that consumers have the right to enquire whether an organisation has their personal information and to request correction or deletion thereof where the legal reasons for the continued retention has fallen away, how would a consumer realistically enforce this right if the personal information is widely disseminated in a group of companies?

Accordingly, it would be necessary for the regulator to ensure that, at Facebook Group level, adequate systems will be in place to ensure the proper collection, processing, storage and sharing of personal information.

Noluthando Moledi and Lebogang George, Tumbo Scott Incorporated

Related Posts