Popular App Truecaller In Violation Of New SA Privacy Laws


Truecaller has more than 150 million daily users across the globe, 1.7 million of whom are based in South Africa. The popular call screening app could, however, be in violation of South Africa’s incoming Protection of Personal Information Act (POPIA), according to two law firms that recently spoke to MyBroadband.

Contrary to popular belief, Truecaller does not actually automatically upload your address book or contact list to its servers when you download and install the app from the Apple App Store or Google Play Store. This is because both companies have strict data protection policies which prohibit the app from doing so.

However, this is not the case if the app is downloaded directly from the truecaller.com website. In this instance, Truecaller will prompt the user with an option to upload their full address book as part of its crowd-sourcing features. This information is then uploaded to the company’s database, which is stored on a foreign server. In addition, Truecaller allows users to manually submit the details of a number that is not yet available in its database.

According to law firms Werksmans Attorneys and Norton Rose Fulbright, there are several issues with these features under POPIA. Director at Werksmans Attorneys Ahmore Burger-Smidt said Truecaller failed to comply with POPIA in a number of areas.

“Without a doubt, concerns can be raised from a POPIA perspective in relation to the manner and the purposes for which personal data is collected and processed via the Truecaller app,” Burger-Smidt said.

She said that there were grave concerns in terms of POPIA regulations when the app is considered from the perspective of a person or business who has not registered for the service. The primary issue was that the app allowed full disclosure of a contact list, which could amount to confidential information being disclosed.

“From a data protection perspective, a responsible party, in this instance Truecaller, can only process the personal information of a data subject if he has a lawful basis to do so,” Burger-Smidt said.

“POPIA provides for lawful bases, which include: consent, compliance with a legal obligation, if there is a legitimate interest, and the performance of a contract. One can argue that there might indeed be a legitimate basis for processing the personal information of the individual that subscribes to the Truecaller service,” she stated.

“However, on what basis are they processing all the contact information that the subscriber holds?” Burger-Smidt asked.

“It is very difficult to motivate for this to be done on the basis of a legitimate interest. It is entirely possible that individuals do not have any knowledge of this use of their data at all. This means that they are being denied their rights as data subjects in terms of POPIA and that their privacy is being infringed,” Burger-Smidt stated.

Director in Competition Practice at Norton Rose Fulbright Rosalind Lake echoed these views. She said POPIA requires a responsible party, in this case Truecaller, to notify a data subject of how it will process (use, store, transmit, and access) its personal information, even when it is not collected directly from the data subject.

“These notification requirements are usually fulfilled through a privacy policy,” Lake stated.

“However, it appears that Truecaller’s privacy policy places this obligation on the user,” Lake said.

According to its privacy policy, Truecaller says users must confirm with another party whose details they share with Truecaller before doing so.

Lake said this approach was problematic under POPIA.

“If you are reporting a number as spam, you are hardly going to phone them to tell them that their number has been added to the database,” Lake said.

“In this situation, the user of the app would not be considered a responsible party when it consents to provide access to its phone book. Truecaller is the one who requests access and use of the information and they are therefore responsible under POPI. The user of the app may be considered an ‘operator’ for Truecaller, but then POPI says there must be an agreement in place to impose certain obligations on the operator, but the liability still sits with the responsible party,” she said.

Lake warned that users should still think carefully before consenting to provide access to their address book and carefully peruse the privacy settings on the app.

“There have been some circumstances reported where a person’s safety may be compromised by their name being on the database – such as a journalist working undercover – or indeed, businesses may suffer losses in some way from being identified without their knowledge,” Lake cautioned.

Many South Africans may be familiar with the app, particularly given its usefulness in identifying unknown phone numbers and blocking unsolicited calls from telemarketers or scammers.

Truecaller is often able to show the owner of a number that a user does not yet have, drawing on its universal database, which is supported by crowd-sourcing of data from its users.