by Ahmore Burger-Smidt, Director and Head of Data Privacy and Cybercrime Practice and member of Competition Law Practice; and Nyiko Mathebula, Candidate Attorney

I hereby give my permission to the inhabitants of Middle Earth, Agents Mulder and Scully, the Goonies, all the Storm Troopers and Darth Vader, the Mad Hatter, Chuck Norris, S.H.I.E.L.D., The Avengers, The Illuminati, The Men in Black, X-Men, Ghost Busters, The Justice League, Gandalf and Dumbledore, Santa Claus, The Easter Bunny and all the members of Van Halen (even Sammy), Volton, the Thunder Cats, Dr. Who, Hart to Hart, Mystery Inc. (Scooby Doo), James Garner, the WWF, Magnum P.I., He-Man, Cheech and Chong, Neo, Blade and the Boondock Saints to view all the amazing and interesting things that I publish on Facebook and Instagram.

I’m aware that my privacy ended the very day that I started Facebook, Instagram. I know whatever I post can and usually does get shared, tagged, copied and posted elsewhere.

If I don’t want anyone else to have it I DON’T POST IT!!!!!

Original author unknown

1. In a manner, strangely similar to the flurry of communication that went around about the arrival of the end of the world based on the 2012 Mayan Calendar, there was a lot of concern and uncertainty surrounding 1 July 2021, the date on which the Protection of Personal Information Act No. 4 of 2013 (“POPIA/the Act“) came into full effect. But, much like the predicted end of the world, the 1^st of July was spectacularly uneventful. The Information Regulator did not descend upon organisations with hefty fines nor was there an influx of data subject complaints, least of all concerning neighbourhood and family WhatsApp groups. So why then have you been receiving notices from the group admins on your WhatsApp groups and emails from organisations asking you to “opt‑out” to the use of your information?
2. The simple answer is misinformation, misunderstanding and lack of knowledge.
3. In this article, we address three salient issues. The first being the processing of personal information in the course of a purely personal or household activity, and the second being the exclusion for journalistic, literary or artistic purposes. We also briefly address the issue of consent and what it actually entails in light of POPIA.
4. In the days leading up to 1 July 2021, and indeed subsequent thereto, people have been receiving messages or general announcements on their family and friends WhatsApp groups stating that the group administrators are required by law to obtain the group participants’ consent to being members of the group. But why is this required?
5. POPIA provides for certain processing activities to be excluded from its application. This includes the processing of personal information in the course of a purely personal or household activity as set out in section 6(1)(a) of POPIA. Although “purely personal” and “household” are not defined in the Act, we can take their ordinary meanings and apply them to the WhatsApp context. Where a WhatsApp group is created to facilitate family related or personal matters, as in between family, friends or acquaintances, then POPIA will not apply. However, the situation may be different where the WhatsApp group is operated by a business for the purposes of marketing its products and/or services. In such a context, if the person is not a customer of the business, the business will be required to obtain consent before adding the relevant person to the WhatsApp group. Equally, where a business makes use of a contact list or mailing list to disseminate broadcast messages through WhatsApp or SMS, consent from those individuals who do not constitute existing customers of the business would be required.
6. The issue of consent has also been misinterpreted in the frenzy of trying to be POPIA compliant, or the pretence of POPIA compliance.
7. In particular, businesses seeking consent often overlook the fact that consent must be a voluntary, specific and informed expression of will in terms of which permission is given by a data subject. As such, one cannot simply send an email or WhatsApp/SMS notice to a data subject stating that should they not respond to the communication or confirm the details therein, their consent will be assumed. Such an approach would not meet the requirements of voluntariness nor will it constitute an expression of will by the data subject. Consequently, business should be careful when seeking to rely on consent as a lawful basis for processing personal information. It should first be confirmed that such consent has been obtained properly and in accordance with the prescripts of the legislation. In other words does the business actually clearly understand what it is seeking consent for?
8. The other exclusion from the application of POPIA relates to the processing of personal information for the purpose of journalistic, literary or artistic expression. This is contained in section 7(1) of POPIA which further provides that such use or expression must be to the extent that the exclusion thereof is necessary to reconcile, as a matter of public interest, the right to privacy with the right to freedom of expression. We are all reminded that the right to privacy is not an absolute right. In other words it does not trump all other rights provided for in the Constitution.
9. In light of the above, we see that people need not worry about POPIA when it comes to the use of WhatsApp groups in circumstances where such use constitutes personal or household activity. Further, we see that the personal information of individuals may be used, without their consent, by those involved in journalism, literary or artistic works insofar as such usage is in the public interest and reconciles the right to privacy with the right to freedom of expression. Where POPIA does apply and consent is relied upon as a lawful basis for processing, due regard must be had to ensure that the consent is in accordance with the legislation whilst keeping in mind that POPIA is not consent driven and provides for other lawful bases upon which personal information may be processed.

Find out more: The Information Regulator – Both a POPIA And PAIA Regulator, Extension granted for PAIA manuals to be available