Truecaller and POPIA
Truecaller warning in South Africa
Truecaller says it does not want to speculate on the personal opinions of specialist regulatory lawyers who say that it was likely violating South Africa’s Protection of Personal Information Act (Popia).
“Every individual has an inherent fundamental right to know who is calling them, and we enable our users to exercise it,” a Truecaller spokesperson told MyBroadband.
“Like any other similarly placed global service, we are subject to varying requirements across jurisdictions,” they continued.
“Our service and policies are designed to comply with local laws and varying global requirements in a coherent, conducive, and harmonised manner.”
Several legal experts have said that Truecaller was probably breaking the law because it allows users to feed other people’s numbers from their contacts into its database.
Truecaller attempts to shift the responsibility onto subscribers in terms and conditions, which stipulate that users must obtain consent before providing the data.
However, Ahmore Burger-Smidt warns that this potentially violates Popia in two specific ways.
Firstly, the law states that personal information may not be transferred outside of South Africa unless the foreign entity has binding corporate rules or agreements that comply with Popia.
Secondly, Burger-Smidt highlighted that it was entirely possible that non-subscribers did not know their data had been uploaded and that Truecaller was using it.
She said that although Truecaller’s terms and conditions try to pass the buck to users, it remains the party determining the mandate and process for collecting the personal information.
Therefore, Truecaller was still the “responsible party” in Popia parlance and cannot be absolved of its responsibilities simply because it collected the information from a subscriber.
She acknowledged that Truecaller does provide a function that allows non-users to unlist their numbers, but said the problem is how those users would know their data had been collected in the first place.
“To this end, Truecaller should notify, by SMS or email, each person who is added to its database,” Burger-Smidt argued.
That person may then be directed to the Truecaller privacy policy and be informed of their ability to delist.
Truecaller sidestepped a question about whether it would consider implementing such a notification system.
Instead, it explained that it tried to balance people’s right to know who’s calling them with their right to privacy.
It emphasised that non-users could unlist their numbers, that users sharing their contacts was their choice, and that obtaining the necessary consent was up to them.
“This way, the inherent fundamental right of users to know who is calling them is balanced with any person’s desire to be unlisted,” Truecaller said.
“This way, we endeavour to make users’ communication safe and trustful and help them to save themselves from potential fraud and other crimes.”
Truecaller said its privacy-first approach was further demonstrated in its ability to let users edit their profile, rectify and download their data, and deactivate their accounts from within the app.
Burger-Smidt praised Truecaller’s functionality and said the strides being made in techno-globalisation are something to be embraced and celebrated.
However, she said the wonders of our technocentric world should always be scrutinised in the context of whose personal information is collected, how the data is accessed, and what it is used for.
Furthermore, individuals should take more accountability when it comes to the manner in which they allow others’ personal information in their care to be accessed via mobile apps.
Burger-Smidt said people should remember that the consent they provide to such apps affects not just them but potentially everyone in their contacts list.
“Irrespective of the various levels of accountability that exist in using apps such as Truecaller, the overarching theme that should always be borne in mind is the inability of a responsible party to shift its responsibilities to users,” she added.
“After all, when was the last time a friend, colleague, or even an acquaintance obtained your consent to share or provide access to your personal information via an app on their mobile?”