South Africa’s Information Regulator confirmed it received a complaint against Swedish app Truecaller for alleged violations of the country’s Protection of Personal Information Act (POPIA). The investigation threatens to expose how millions of phone numbers end up in Truecaller’s database without owners knowing about it.
The complaint centers on Truecaller’s “Enhanced Search” feature, which automatically uploads users’ entire contact lists to company servers. This means your phone number could be on Truecaller even if you never downloaded the app, simply because someone in your contacts did.
Truecaller Harvests Millions of Phone Numbers Through Contact Lists
When users install Truecaller and register, they provide their name and phone number voluntarily. This basic registration poses no privacy issues since users consent to sharing their own information. However, problems arise when the app requests access to users’ phone contact lists.
The Enhanced Search feature, enabled by default, uploads complete address books to Truecaller’s servers in India. This creates database entries for people who never agreed to have their information collected or processed.
Information Regulator spokeswoman Nomzamo Zondi confirmed the complaint is under review. “We are still within the timeframe to process the complaint and allocate it to an investigator, who will then engage further with the complainant and the responsible party,” she stated.
Legal expert Ahmore Burger-Smidt from Werksmans Attorneys explained that POPIA requires companies to obtain direct consent before collecting personal data. Truecaller cannot shift responsibility to users by claiming they should get permission from their contacts first.
App Secretly Stores South African Data in India Without Adequate Protection
Truecaller’s privacy policy reveals that all user data is transferred to and stored in India, potentially violating POPIA’s cross-border data transfer rules. South African law permits international data transfers only when the receiving country provides adequate privacy protections.
The complaint also highlights Truecaller’s automatic spam labeling system, which sometimes incorrectly marks legitimate phone numbers as spam based on previous owners’ activities. This creates potential harm for individuals who may face communication barriers without knowing why.
Corporate watchdog Viceroy Research previously accused Truecaller of deliberately relocating data servers from Europe to India before GDPR implementation in 2022. Their report claimed: “GDPR threatened Truecaller’s spyware features, which feed the spam detection service. In response, Truecaller moved all its data servers and substantially all of its operations to India.”
Information Regulator Faces Difficult Choice Between Privacy and Spam Protection
The investigation puts South Africa’s Information Regulator in a challenging position. They must balance strict data privacy enforcement against public interest in combating spam calls and robocalls, which have become a persistent problem for mobile users.
Truecaller serves approximately 425 million users globally and has proven effective at identifying and blocking unwanted calls. Many South Africans rely on the app as their primary defense against telephone spam and scam attempts.
However, this effectiveness comes at the cost of privacy for millions of non-users whose information ends up in Truecaller’s database through third-party uploads.
Truecaller’s global head of corporate communications, Hitesh Bhagat, denied wrongdoing, claiming the app doesn’t require contact uploads during registration. He stated Truecaller only requests contact access for call screening purposes, to determine if callers are already in users’ address books.
Multiple Countries Investigate Truecaller’s Data Collection Methods
South Africa joins other countries scrutinizing Truecaller’s privacy practices. Nigeria’s National Information Technology Agency investigated the company in 2019 for alleged privacy violations under the Nigeria Data Protection Regulation.
In 2022, cybersecurity firm Cyble reported that millions of Indian Truecaller records appeared for sale on the dark web, though the company disputed that any data breach had occurred.
The South African complaint specifically targets multiple POPIA sections, though the Information Regulator has not disclosed which provisions Truecaller allegedly violated. POPIA requires companies to process personal information lawfully, obtain proper consent, and implement adequate security measures.
If investigators find violations, Truecaller could face enforcement notices that might restrict its operations in South Africa. The company has not responded to requests for comment about the formal complaint.
The investigation outcome could establish important precedents for how international apps must handle South African users’ data and obtain consent for information collection practices that affect non-users.