

On 3 September 2021 the Turkish Data Protection Authority (DPA) made a public announcement regarding its ex officio investigation of WhatsApp LLC (the controller) and published an important decision discussing WhatsApp's data processing and data transfer operations. The Turkish Personal Data Protection Board's (the Board's) decision(1) is important and must be reviewed in detail since it demonstrates the Board's approach to international transfers and the direct collection of personal data from Turkey by controllers that are not established in Turkey (foreign controllers).

Facts

In January 2021, WhatsApp updated its privacy policy and terms and requested users in Turkey to accept the updated terms by 8 February 2021. WhatsApp also informed users in Turkey that if they failed to accept the updated terms by 8 February 2021, they would no longer be able to use the service.

The updates consisted of WhatsApp sharing data with other companies in the same group. The updates were widely discussed by the general public in Turkey, criticised by legal professionals and even featured on TV news shows. As a result of this attention, the DPA and the Competition Authority initiated ex officio investigations against WhatsApp in January 2021.

In its announcement, the DPA stated that an ex officio investigation against WhatsApp within the scope of article 15(1) of the Law on the Protection of Personal Data (Law No. 6698) (DPL) had been initiated to look into the following issues, among others:

  • data transfers abroad;
  • explicit consent presented as a precondition of service; and
  • compliance with the general principles of the DPL.

Decision

The Board examined:

  • WhatsApp's response and defence letters; and
  • the terms of service and the privacy policy offered to users by WhatsApp.

As a result, the Board held as follows:

  • The controller had stated that the data processing was based on several statutory legal bases in the DPL and that explicit consent had been used only in exceptional cases. However, because the terms had been defined as an agreement that the user had entered into – by requesting the user's approval of the terms – this meant that the controller had relied on the explicit consent obtained through the terms. This explicit consent, however, was not in line with the DPL, since a single explicit consent had been obtained from users for the processing of their personal data and its transfer abroad to third parties without providing any options. The processing and transfer activities had been presented to the data subjects as a single text, which damaged the required free-will element of the explicit consent.
  • The terms regarding "transfer" in the controller's terms of service and privacy policy had been non-negotiable and the data subjects had been forced to consent to the contract as a whole. Thus, such transfers had become a precondition for providing the service, which was contrary to the "lawfulness and fairness" principle.
  • Explicit consent had been requested for all processed personal data; however, such data was not relevant, limited or proportionate to the purposes for which it had been processed, and the purposes for the transfer of such data had not been disclosed transparently in the relevant texts. In this respect, the controller's acts were contrary to the principles of "being processed for specified, explicit and legitimate purposes" and "being relevant, limited and proportionate to the purposes for which they are processed".
  • The free-will element of the explicit consent had been damaged since it had been indicated that the processing of the personal data was part of the contract and it had been presented as a precondition of the service.
  • All of the processing activities that the controller had executed on the personal data (eg, recording, storing and transferring it) after obtaining such data from data subjects in Turkey constituted transferring the data abroad since the servers were not located in Turkey. Therefore, such transfers had to comply with article 9 of the DPL, which regulates the conditions for transfers of personal data.
  • The controller had failed to obtain explicit consent from the data subjects regarding the personal data processing activities to be carried out through cookies for profiling purposes. Further, the personal data processing activities carried out within this scope were not in accordance with the DPL.

In this regard, pursuant to article 12(1) of the DPL, the Board decided that an administrative fine of 1,950,000 lire (approximately $216,298.29) – the highest possible administrative fine under the DPL – would be imposed on the data controller for failing to take the necessary technical and administrative measures to prevent the unlawful processing of personal data.

Additionally, the Board instructed the controller to:

  • comply with the DPL within three months with regard to the terms of service and privacy policy dated 4 January 2021 and to inform data subjects that the new documents presented are the valid versions;
  • inform data subjects in compliance with article 10 of the DPL and the Communique on Principles and Procedures to Be Followed in Fulfilment of The Obligation to Inform. The privacy policy had been used as a privacy notice but had not included the necessary elements of a valid privacy notice; and
  • keep the Board informed of these processes.

WhatsApp has the right to object to the decision before a Turkish court.

Comment

DPA's approach to direct collection and subsequent processing by foreign controllers

Any subsequent processing operations (eg, storing or transferring data) on personal data collected from Turkey, if performed in servers located outside Turkey, constitute an international transfer of personal data and are subject to article 9 of the DPL.

Pursuant to article 9 of the DPL, personal data can be transferred from Turkey abroad if:

  • the explicit consent of the data subject is obtained;
  • an undertaking signed by the data exporter and the data importer, subject to the DPA's approval, is obtained;
  • the transfer is to a country that is on the DPA's safe countries list (the DPA has been authorised to publish this list but has not done so); and
  • the DPA's approval of a set of binding corporate rules (BCRs) is obtained (so far, the DPA has not approved any BCRs).

Therefore, foreign controllers must comply with article 9 of the DPL prior to any subsequent processing.

Privacy policies

The Board criticised WhatsApp since its privacy policy was not a privacy notice in line with article 10 of the DPL and the relevant communique.

Therefore, it is recommended that instead of using a revised or edited privacy policy prepared under the EU General Data Protection Regulation or other legislation, a specific privacy notice is prepared and used for Turkey.

Explicit consent

The Board once again pointed out that explicit consent must be specific – consent for different activities should not be bundled together and blanket explicit consent must not be obtained (ie, the explicit consent for transfers to third parties and the explicit consent for processing personal data must be separate).

Further, explicit consent must be based on the free will of the data subject. Explicit consent must not be a precondition of the provision of the service.

For further information on this topic please contact Burak Özdağıstanli, Sümeyye Uçar or Bensu Özdemir at Özdağıstanli Ekici Attorney Partnership by telephone (+90 216 230 07 48). The Özdağıstanli Ekici Attorney Partnership website can be accessed at www.ozdagistanliekici.com/.

Endnotes

(1) No. 2021/891, dated 3 September 2021.