Truecaller, the popular app for identifying spam calls, is facing serious privacy concerns in South Africa. The Information Regulator has received a formal complaint alleging that the app violates South Africa’s Protection of Personal Information Act (POPIA) by harvesting users’ contacts without proper consent.
The complaint, which was reviewed by MyBroadband, claims that Truecaller collects the address books of its users through a feature known as “Enhanced Search.” This functionality, which is enabled by default, allegedly allows Truecaller to access and upload users’ contact lists, even from non-users, without their knowledge or consent. According to the complaint, this data is then processed and made publicly available, violating individuals’ privacy rights.
Nomzamo Zondi, senior communications manager for the Information Regulator, confirmed that the complaint had been received. “We are still within the timeframe to process the complaint and allocate it to an investigator,” Zondi explained. “The investigator will then engage further with the complainant and the responsible party.”
Concerns Over POPIA Violations
Legal experts have raised alarms about the potential breach of POPIA by Truecaller, particularly regarding the collection and transfer of personal data outside South Africa. Ahmore Burger-Smidt, head of regulatory practice at Werksmans Attorneys, pointed out that POPIA mandates that personal information should not be transferred abroad unless the foreign company complies with the necessary privacy laws.
Furthermore, Burger-Smidt argued that many users might be unaware that their contacts had been uploaded to Truecaller’s platform. While Truecaller’s terms and conditions state that users are responsible for obtaining consent from those in their address books, it is still the company that determines how the data is collected, processed, and used. This makes Truecaller the “responsible party” under POPIA, meaning they cannot simply shift the burden to users.
Privacy Policy and Data Storage Concerns
Truecaller’s global head of corporate communications, Hitesh Bhagat, denied any wrongdoing, arguing that the app does not require users to upload their contacts during the sign-up process. He explained that Truecaller only requests access to contacts for its call screening feature, which helps determine whether a caller is already in the user’s contact list.
However, Bhagat’s statement did not address the Enhanced Search feature, which allows users to search for unknown numbers by accessing a broader database of contacts. While this feature has been removed from the official versions of the app on Google and Apple’s app stores, users who downloaded the app directly from Truecaller’s website may still have access to it by uploading their contacts.
Another significant concern raised in the complaint is the automatic labelling of users as “spammers” by Truecaller’s algorithm. The complainant noted that the app sometimes incorrectly marks people as spammers based on previous owners of their phone numbers. This has led to potential harm for individuals who may be unfairly classified, especially if they are unaware of the label.
Truecaller’s Data Handling Practices
In addition to the issues around contact uploads, the complaint highlighted that Truecaller’s privacy policy states that all user data is transferred and stored in India, which may also conflict with POPIA’s requirements. The transfer of personal information to countries outside South Africa is only permissible if the recipient country has adequate privacy protections in place, which might not be the case with India.
Potential Investigation and Enforcement
The complaint filed with the Information Regulator could lead to an investigation into Truecaller’s practices in South Africa. If violations are found, the company could face an enforcement notice, which could have serious implications for its operations in the country.
Truecaller’s controversial data handling practices, particularly the upload of users’ contact lists and the labeling of phone numbers as spam, are now under the microscope. As the Information Regulator processes the complaint, Truecaller’s future in South Africa could depend on the outcome of the investigation and whether the company can prove that it complies with POPIA’s strict privacy standards.
Comments