The Information Regulator of South Africa and Meta have announced an agreement over concerns that WhatsApp’s updated policy contravenes several provisions of the Protection of Personal Information Act (POPIA).
Speaking at a media briefing on 13 November 2025, the Chairperson of the South African Information Regulator, Pansy Tlakula, said the agreement brings finality to the issue, following an “enforcement notice” served on WhatsApp, which is owned by Meta, the owner of Facebook and Instagram.
WhatsApp had been instructed to provide proof of compliance within 60 days. Failure to do so exposed the platform to sanctions, including an administrative fine of up to R10 million, imprisonment of up to 10 years, or both.
WhatsApp subsequently filed a legal challenge, which Tlakula said had now been settled.
WhatsApp’s privacy policy forced users who wanted to continue using the service to agree to several changes.
The update violated Sections 8, 9, 11, 13, 15, 17, and 19 of the POPIA.
According to South African law, and in alignment with global frameworks such as the General Data Protection Regulation (GDPR), personal information may only be processed if:
- Data subjects give consent.
- Processing is necessary to carry out actions for the conclusion or performance of a contract to which the data subject is a party.
- Processing protects a legitimate interest of the data subject; and
- Processing is necessary to pursue the legitimate interests of the responsible party or a third party to whom the information is supplied.
The Information Regulator stated that the WhatsApp policy compels users to accept certain terms and conditions or policy provisions without a lawful basis or other grounds for lawful processing.
Such consent would be considered invalid, and any processing carried out under it would breach POPIA.
In addition, the platform’s practice of sharing user data with other Meta companies and external third parties constituted further processing inconsistent with the original purpose for which the data was collected.
This development follows a similar matter in Nigeria earlier this year, where the Nigerian Data Protection Commission (NDPC) imposed a $32.8 million fine on Meta in February for alleged violations, including unauthorised data transfers, unsolicited advertisements, and failure to file mandatory audit reports.
This had initially sparked a legal standoff, with Meta at one point threatening to withdraw its operations in Nigeria. The matter was concluded through an out-of-court settlement in October.
Taken together, these cases reflect an important shift, where the Global South is increasingly asserting its own model of platform accountability. Kenya also provides interesting examples, illustrating this emerging trend.
However, a critical concern persists.
Platforms may increasingly rely on settlement agreements as a risk-containment strategy rather than a catalyst for meaningful behavioural change.
In both the South African and Nigerian cases, the specific terms of the settlements have not been made public. For accountability to be meaningful, citizens must know what compliance measures Meta has undertaken and what changes, if any, users should expect.
As Africa confronts the broader struggle for digital sovereignty, platform regulation must become a continental priority. While national efforts are valuable, they cannot match the scale and influence of global tech platforms.
Hence the need for the African Union to be repurposed to prioritise this broader mandate of setting continental standards and consolidating the African voice in data governance and digital sovereignty.
In that regard, MISA welcomes the adoption of Resolution 630 (ACHPR/Res.630 (LXXXII) 2025), in March this year, by the African Commission on Human and Peoples’ Rights (ACHPR).
Resolution 630 mandates the development of guidelines to assist states in monitoring technology companies and uphold information integrity through independent fact-checking.
It is encouraging to note that a multi-stakeholder consultative process across various African countries is already underway to develop inclusive guidelines that reflect the continent’s unique online contexts.
This represents an important step toward coordinated, continent-wide platform accountability.
Only through collective action can Africa influence the rules of its digital future and guarantee that those rules protect the rights, safety, and dignity of all Africans.
MISA Regional Communique













