South Africa’s Information Regulator has received a complaint that caller ID and spam blocking app Truecaller is violating “multiple sections” of the Protection of Personal Information Act (Popia), TechCentral has learnt.

Following an anonymous tipoff, TechCentral queried the regulator, and it confirmed it had received the complaint.

Get breaking news from TechCentral on WhatsApp. Sign up here

“We are still within the timeframe to process the complaint and allocate it to an investigator, who will then engage further with the complainant and the responsible party against whom the complaint was lodged,” Information Regulator spokeswoman Nomzamo Zondi said. “Therefore, we are unable to respond to the other questions at this time.”

The regulator did not name the complainant.

Truecaller utilises user-supplied data to identify callers and block spam calls and messages. When a user downloads the app and registers, they give their name and phone number to the platform, allowing other Truecaller users to identify them on incoming calls. This action does not fall foul of any data privacy laws since the primary data subject has agreed to their data being used in this way.

Where Truecaller may have a problem is when users consent to the app downloading their phone’s address book and making it part of the Truecaller database. This means that mobile subscribers who are not on Truecaller can have their personal information ingested by the app because a third party – namely a contact of theirs – consented to their name and phone number being uploaded.

Under Popia, Truecaller may be required to notify each person added to its database via a third party that it has done so.

GDPR

A 2022 report by corporate watchdog Viceroy Research accused Truecaller of being an adware and spyware app that would eventually be made redundant by legislation such as Europe’s General Data Protection Regulation (GDPR). Viceroy accused Truecaller, a Swedish company, of deliberately moving its servers from Europe to India prior to the implementation of GDPR.

“GDPR threatened Truecaller’s spyware features, which feed the spam detection service. In response, Truecaller moved all its data servers and substantially all of its operations to India where management appear to believe it is safe from legislation designed protect the privacy of its customers. This is not the case,” Viceroy Research said in its report.

Read: Spam robocall epidemic in South Africa

If the allegations of Truecaller’s Popia violations have merit, the Information Regulator may be faced with a catch-22 situation: uphold data privacy laws on one hand or empower users to fight spam calls on the other. Whatever its shortcomings may be, Truecaller has proven to be one of the most effective spam detection and rejection methods available to users to fight the scouge of robo-calls.