On 03.09.2021 the Turkish Data Protection Authority (“DPA”) made a public announcement regarding its ex officio investigation of WhatsApp LLC (“Controller”) and published an important decision discussing the data processing and data transfer operations of the Controller. The Turkish Personal Data Protection Board’s (“Board”) decision no. 2021/891 dated 03.09.2021 is very important and must be reviewed in detail, since it shows the approach of the Board to international transfers and to the direct collection of personal data from Turkey by controllers that are not established in Turkey (“Foreign Controllers”).
Background
In January 2021, WhatsApp updated its privacy policy and terms and requested the users in Turkey to accept the updated terms by February 8th, 2021. WhatsApp also informed the users in Turkey that those who did not accept the updated terms by February 8th, 2021 would no longer be able to use the service. The updates consisted of WhatsApp sharing data with other group companies. This update by WhatsApp was discussed widely by the general public in Turkey, criticized by legal professionals and discussed in live TV news shows.
As a result of the public attention given to WhatsApp’s updates, the DPA and the Competition Authority initiated ex officio investigations against WhatsApp in January 2021.
Announcement by DPA and Board’s Decision
In its announcement, the DPA stated that an ex officio investigation of WhatsApp within the scope of paragraph 1 of Article 15 of the Law on the Protection of Personal Data numbered 6698 (“DPL”) had been started to investigate the issues of data transfer abroad, explicit consent presented as a pre-condition of service, compliance with the general principles of the DPL and others.
Following its examination of the response and defense letters received from WhatsApp and of the Terms of Service and the Privacy Policy offered to users by the data controller, the Board evaluated the following:
· Although the Controller states that data processing is based on several statutory legal bases in the DPL and that explicit consent is used only in exceptional cases, the Terms are defined as an agreement entered into with the user by requesting the user’s approval of the Terms, which means that the Controller relies on the explicit consent obtained through the Terms. This explicit consent, however, is not in line with the DPL, since a single explicit consent is obtained from users for both the processing of their personal data and the transfer of their personal data abroad to third parties, without providing any option. The processing and transfer activities are presented to the data subject in a single text, which damages the free will element required for explicit consent.
· The terms regarding “transfer” in the Terms of Service and Privacy Policy of the data controller are non-negotiable, and the data subject is forced to consent to the contract as a whole. Thus, transfer has become a pre-condition for providing the service, which is contrary to the “lawfulness and fairness” principle.
· Explicit consent is requested for all processed personal data; however, such data are not relevant, limited and proportionate to the purposes for which they are processed, and the purposes for transfer of such data are not disclosed transparently in the relevant texts. In this respect, the Controller’s acts are contrary to the principles of “being processed for specified, explicit and legitimate purposes” and “being relevant, limited and proportionate to the purposes for which they are processed”.
· The “free will” element of the explicit consent has been damaged, since the processing of personal data is indicated as part of the contract and is presented as a pre-condition of the service.
· All processing activities executed on personal data (such as recording, storing, transferring) after obtaining such data from data subjects in Turkey mean that the personal data are being transferred abroad, since the servers are not located in Turkey. Therefore, such transfer must comply with Article 9 of the DPL, which regulates the conditions for the transfer of personal data.
· The Controller did not obtain explicit consent from data subjects for the personal data processing activity carried out through cookies for profiling purposes, and the personal data processing activity carried out within this scope is also not in accordance with the DPL.
In this regard, pursuant to Article 12/1 of the DPL, the Board decided that an administrative fine of TRY 1.950.000 (approx. USD 16.271.160), the highest possible administrative fine under the DPL, shall be imposed on the data controller for failing to take the necessary technical and administrative measures to prevent the unlawful processing of personal data.
Additionally, the Board instructed the Controller to:
· Comply with the DPL within 3 months with regard to the Terms of Service and Privacy Policy dated 04.01.2021, in order to inform data subjects correctly, since it appears that these documents are being presented to users as the valid version
· Inform data subjects in compliance with Article 10 of the DPL and the Communique on Principles and Procedures to Be Followed in Fulfillment of the Obligation to Inform, since the Privacy Policy is being used as a privacy notice but does not carry the necessary elements of a valid privacy notice
· Inform the Board regarding the stated processes.
WhatsApp has the right to object to the decision before a court of law in Turkey.
Important Lessons to be learned from the WhatsApp Decision
1- DPA’s approach to direct collection and subsequent processing by foreign controllers: Any subsequent processing operation (such as storing, transfer, etc.) on personal data collected from Turkey, if performed on servers located outside Turkey, is an international transfer of personal data and is subject to Art. 9 of the DPL.
Pursuant to Art. 9 of the DPL, personal data can be transferred from Turkey abroad if:
– The explicit consent of the data subject is obtained
– An undertaking signed by the Data Exporter and the Data Importer, subject to the DPA’s approval, is obtained
– The transfer is to a country on the DPA’s safe countries list (the DPA is authorized to publish this list but has not done so)
– BCRs are in place, subject to the DPA’s approval (the DPA has not approved any BCRs to date)
Therefore, foreign controllers must comply with Art. 9 of the DPL prior to any subsequent processing.
2- Privacy Policies: The Board criticizes WhatsApp since WhatsApp’s Privacy Policy is not a privacy notice in line with Art. 10 of the DPL and the relevant Communique.
Therefore, we recommend that, instead of using revised or edited Privacy Policies prepared under the GDPR or other legislation, a specific privacy notice be prepared and used for Turkey.
3- Explicit Consent: The Board once again points out that explicit consent must be specific: it must not be bundled, and a blanket explicit consent must not be obtained (i.e. explicit consent for transfer to third parties and explicit consent to process personal data must be separate).
Further, explicit consent must be based on the free will of the data subject. Explicit consent must not be a pre-condition of the provision of the service.