Social media giant Facebook cannot share any contact information it collects from WhatsApp users in South Africa with its other business without obtaining authorisation from the country’s Information Regulator (IR), the watchdog has ruled.

It acted after becoming concerned about a much-publicised change to WhatsApp’s privacy policy which included mandatory sharing of details, including users’ phone numbers, with other Facebook services such as Instagram and Messenger.

The IR takes the view it is the one who needs to authorise the practice, not the data subject.

In a 3 March ruling, it wrote: “WhatsApp cannot without obtaining prior authorisation from the IR … process any contact information of its users for a purpose, other than the one for which the number was specifically intended at collection, with the aim of linking that information jointly with information processed by other Facebook companies.”

The IR has told Facebook it is willing to discuss the matters to ensure WhatsApp’s privacy policy fully complies with the Protection of Personal Information Act (Popia), and related international regulations.

WhatsApp in February announced a three-month delay to the changes to its privacy policy following concerns over the mandatory data-sharing with parent company Facebook.

The messaging platform had previously announced that from 8 February users would need to agree to some of their data being shared with Facebook if they wish to continue using the service.

This included account registration information (including phone numbers), transaction data, service-related information, information on how users interact with others when using the platform’s services, mobile device information and IP addresses.

However, WhatsApp later moved the date by which people need to accept the terms and conditions to 15 May. It was later announced that the change would not be mandatory for European Union (EU) customers.

IR also raised the issue of European Union residents receiving “significantly higher” privacy protection from Facebook than South Africans.

In February WhatsApp said the privacy policy update is intended to make it easier for users to message businesses through WhatsApp, as businesses would be able to access Facebook’s secure hosting services. It said personal messages would not be affected.

It said: “The privacy and security of your personal messages and calls do not change. They are protected by end-to-end encryption, and WhatsApp and Facebook cannot read or listen to them. We will never weaken this security and we label each chat so you know our commitment.”

PrivSec Global, a live streaming event, takes place on 23-25 March featuring more than 200 speakers and 64 sessions on privacy, data protection and cyber-security.