Erdem & Erdem Law Office | View firm profile
In the announcement, WhatsApp stated that it will make significant changes in its procedures such as i) how user data is processed, ii) how businesses use Facebook-hosted services to store and manage WhatsApp chats, and iii) how they work with Facebook to offer integrations in Facebook Company Products. In addition, it was stated that users who do not accept this update, which includes important changes in the processing and transferring of personal data, will not be able to continue using the application as of February 8, 2021. Upon this announcement, many individuals and institutions, especially the competition law and personal data protection law authorities were alarmed, and announced that they have started an investigation on the issue.
In addition, it is regulated that others (third-parties) may also provide information about the user to WhatsApp and third party service providers, including Facebook. Accordingly, it was stated that a business may grant a third-party service provider access to its communications with users for the purpose of storing, reading, managing, or otherwise processing them.
WhatsApp has declared that they are one of the Facebook Companies, and will share data with third-party service providers and other Facebook Companies to help them operate, provide, improve, customize, support and market their services.
Data Processing and Transferring Purposes
It was stated that the above-mentioned data is to be processed and shared with third-party service providers and other Facebook Companies for purposes such as providing technical and physical infrastructure regarding applications, providing engineering, cyber security and operational support, providing location, map and location information, understanding how users utilize the services, marketing the services, helping to connect with businesses by using the services, having surveys and research performed, ensuring safety, security and integrity, providing customer service assistance, personalizing content, helping users to complete purchases and transactions, and displaying relevant offers and advertisements on Facebook Company Products.
Recent Developments upon the Change
The Statements of WhatsApp
Accordingly, chats with businesses that use the WhatsApp Business app or manage and store customer messages themselves are also end-to-end encrypted. Once the message is received, it will be subject to the business’s own privacy practices, and the business may designate a number of employees, or even other vendors, to process and respond to the message. As well, some businesses will be able to choose WhatsApp’s parent company, Facebook, to securely store messages and respond to customers. In this case, data transfer is performed.
While processing personal data, it is obligatory for data controllers to comply with the principles of lawfulness and fairness, being accurate and kept up to date where necessary, being processed for specified, explicit and legitimate purposes, being relevant, limited and proportionate to the purposes for which they are processed, being stored for the period laid down by relevant legislation, or the period required for the purpose for which the personal data are processed.
Apart from this, in accordance with Article 5 and Article 8 of the PDPL, it is only possible to process and transfer the general personal data domestically, with the existence of the legal grounds that are regulated numerus clausus, or -if they are not applicable in the concrete case- with the existence of the explicit consent of the data subject. Accordingly, personal data can be processed and transferred domestically without seeking the explicit consent of the data subject, only in cases where one of the following conditions are met:
- It is expressly provided for under the law;
- It is necessary forthe protection of life or physical integrity of the person himself/herself or of any other person, who is unable to explain his/her consent due to the physical disability or whose consent is not deemed legally valid;
- Processing of personal data of the parties of a contract is necessary, provided that it is directly related to the establishment or performance of the contract;
- It is necessary for compliance with a legal obligation to which the data controller is subject;
- Personal data have been made public by the data subject himself/herself;
- Data processing is necessary for the establishment, exercise or protection of any right;
- Processing of data is necessary for the legitimate interests pursued by the data controller, provided that this processing shall not violate the fundamental rights and freedoms of the data subject.
In accordance with Article 9 regulating the transfer of personal data abroad, personal data can be transferred abroad with the explicit consent of the data subject. As well, personal data may be transferred abroad without the explicit consent of the data subject upon the existence of one of the abovementioned legal grounds and i) if the country where personal data is to be transferred to one of the countries that have been announced as having adequate protection by the Personal Data Protection Board, or ii) if the country is not announced as having adequate protection, then upon the existence of commitment for adequate protection in writing by the data controllers and authorisation of the Personal Data Protection Board regarding the related transfer.
As it can be understood from the points explained above, in most cases, the data subject must give explicit consent for the processing (including the transfer activity) activities to be performed. As is clearly regulated in Article 3/1,a of the PDPL, explicit consent refers to the consent that is declared i) with free will, ii) on a specific subject and iii) based on information. In addition to the aforementioned three validity conditions, in accordance with the Communiqué on the Procedures and Principles for Fulfilling the Obligation of Disclosure, which regulates the rules regarding explicit consent, the notice to be made, and the consent to be obtained regarding data processing, must be carried out separately. As well, in accordance with the established decisions and the published guidelines of the Personal Data Protection Board, binding the explicit consent to the condition of service means the impairment of free will, which is one of the basic validity conditions and, therefore, invalidates explicit consent. In addition, blanket consents of a general nature, which are not limited to a specific subject and involve many different processing activities, are also considered invalid.
Lastly, in accordance with the decisions of the Personal Data Protection Board, it is accepted that providing cloud services from data controllers/data processors whose databases are based abroad is also deemed as data transfer abroad.
Considering all of the points explained, above, the investigation of the Personal Data Protection Board may include evaluations as to whether i) the clarification performed by WhatsApp regarding data processing and the transfer activities meet the legal requirements, or not; ii) the clarification and taking explicit consent procedures was carried out, separately, or not; iii) the explicit consent was taken separately for transfers abroad, or not; iv) the explicit consent was taken as blanket consent, or not; v) by stating that the application cannot be used if the change is not approved means that explicit consent was subjected to service condition, or not; vi) the free will of the data subjects is void, or not; and vii) even if WhatsApp does not transfer data to service providers located abroad, including Facebook, data transfer abroad already exists due to the fact that WhatsApp’s servers are located abroad, or not. Upon the investigation and evaluation of the Personal Data Protection Board, WhatsApp LLC may be instructed to process data and transfer abroad in accordance with the law and may face administrative fines for some of its transactions.
Finally, WhatsApp does not fulfill the VERBIS registration obligation. The Personal Data Protection Board can also make an assessment on this issue in its examination.
(Authored by Idil Uz and first published by Erdem&Erdem on January 2021)
 Competition Board’s decision dated 11.01.2021 and numbered 21-02 / 25-M https://www.rekabet.gov.tr/tr/Guncel/rekabet-kurulu-facebook-ve-whatsapp-hakk-14728ae4f653eb11812700505694b4c6 (Access date: 21.01.2021).
 The Public Announcement of the Personal Data Protection Board dated 12.01.2021 on WhatsApp Application https://www.kvkk.gov.tr/Icerik/6856/WHATSAPP-UYGULAMASI-HAKKINDA-KAMUOYU-DUYURUSU (Access date: 21.01.2021).
 “End-to-end encryption ensures only you and the person you are communicating with can read or listen to what is sent, including no one in-between, not even WhatsApp. This is because with end-to-end encryption, your messages are secured with a lock, and only the recipient and you have the special key needed to unlock and read them.” https://www.whatsapp.com/security/?lang=en (Access date: 21.01.2021).
 Personal Data Protection Board’s Decision dated 16.02.2018 and numbered 2018/19 https://kvkk.gov.tr/Icerik/5412/Acik-Rizanin-Hizmet-Sartina-Baglanmasi; Personal Data Protection Board’s Decision dated 25.03.2019 and numbered 2019/81 https://www.kvkk.gov.tr/Icerik/5496/2019-81-165 (Access date: 21.01.2021).
 Points to Consider While Obtaining Explicit Consent.
https://www.kvkk.gov.tr/Icerik/2037/Acik-Riza-Alirken-Dikkat-Edilecek-Hususlar (Access date: 21.01.2021).