WhatsApp Inc., which has made an overwhelming impression, has recently been the subject of various investigations of data protection boards. In the previous days, the Irish Data Protection Commission (DPC) has announced that it has completed its investigation and the relevant data controller company has been charged with 225 Million Euro administrative fine on the grounds that it does not comply with the transparency, disclosure and information obligations in its data processing activities. This investigation was conducted in a very technical way and focused on how WhatsApp processes its user’s data and whether their privacy policies are clear enough. The fine imposed as a result of this investigation is the largest to date and the second highest fine according to GDPR rules.
After that, another record fine for WhatsApp came from the Turkish Personal Data Protection Board (“the Board”). In early 2021, with the update of WhatsApp, which caused intense public debate, the application announced that its Terms of Service and Privacy Policy were renewed. In this context, WhatsApp demanded its users to give explicit consent to the processing of their personal data and transfer it to third parties abroad in order to continue using the application. Otherwise it announced the new terms of use, which included the information that they would no longer be able to use WhatsApp and their accounts would be deleted. This statement was met with great public reaction and users stopped using WhatsApp and turned to other alternative applications. Upon this update, the Board also initiated an ex officio investigation on the subject within the scope of Article 15 of the Law on the Protection of Personal Data No. 6698 (“Law” or “KVKK”) and requested defense and information on the subject from WhatsApp.
As a result of the investigation carried out in this context; the Board published an announcement and decision on the WhatsApp application on September 3, 2021. In this decision, the Board announced that the investigation was completed and as a result of this examining, it was decided to impose an administrative fine of 1.950.000 TL on WhatsApp.
According to the decision, the Board states briefly as follows:
The Terms of Service are in the nature of a contract between WhatsApp and the user, with the approval of this contract, express consent to the processing of personal data and transfer it to third parties abroad is obtained without giving any optional rights to the user. It is not possible to accept that the processing and transfer are approved if a provision is made in the contract stating that the transfer will be made abroad and the user approves this contract. In this case, it is stated that the element of “Disclosure with Free Will” of express consent was infringed.
The terms of “transfer” in the Terms of Service and Privacy Policy are presented to the user in a non-negotiable manner and people are compelled to give consent to the contract as a whole, however, it is stated that acting without considering the interests and reasonable expectations of the persons concerned constitutes a violation of the principle of “Lawfulness and Conformity with Rules of bona fides.” in Article 4 of the Law.
Explicit consent is requested from the users regarding the transfer of all personal data processed, but these data are not proportional and limited information for the purpose for which they are processed, and it is not clearly stated in the texts that which data will be transferred for what purpose, and in this regard, it is stated that the principles of “Being Processed for Specific, Explicit and Legitimate Purposes” and “Being Relevant with, Limited to and Proportionate to the Purposes for Which They Are Processed” in the Article 4 of the Law were violated.
All kinds of processing activities such as saving, storing, changing, transferring the personal data obtained by the data controller from the relevant persons in Turkey after obtaining this data mean the transfer of personal data abroad as long as the servers are not located in Turkey, therefore, it is obligatory for the said transfer to be made in accordance with Article 9 of the Law titled “Transfer of Personal Data Abroad”. However, it has been declared by the data controller that no express consent is applied for transferring, additionally, considering that the data controller did not apply for a letter of undertaking to the Board, it did not act in accordance with the Article 9 of the Law.
It is stated that the data controller did not obtain explicit consent from the relevant persons regarding the personal data processing activity to be carried out through cookies for profiling purposes, and that the personal data processing carried out within this scope is not in accordance with the Law.
As a result of all these evaluations, the Board decided to impose a fine of 1.950.000 TL on the grounds that WhatsApp did not take the necessary technical and administrative measures to ensure the appropriate level of security in order to prevent the unlawful processing of personal data in accordance with Article 12/1 of the KVKK.
In addition to the fine, the Board issued a legal warning WhatsApp to bring its Terms of Service and Privacy Policy compatibly with the Law within 3 (three) months and inform data subjects by the decision dated 03.09.2021 and numbered 2021/891.