In Decision no. 2021/891 dated 3 September 2021, the Turkish Data Protection Board (the “Board”) imposed an administrative fine in the amount of TRY 1,950,000 (approx. USD 235,000) on WhatsApp LLC (“WhatsApp”) for its failure, as a data controller, to obtain valid consent from its users to the processing and transfer of their personal data.

This decision takes a rather tough stance towards application providers, and touches upon quite a number of important principles for companies to comply with when it comes to consent-based processing and cross-border data transfers.

The Board held that, when obtaining explicit consent from the users of its application, WhatsApp had failed to comply with (i) the principle that consent should be freely given, (ii) the principle of good faith, and (iii) the principle that the processing of personal data should be relevant, limited and proportionate to the purpose for which the data is processed.

The Board also considered that all data processing activities conducted by WhatsApp after collecting personal data from users in Turkey should be deemed a cross-border data transfer, since the servers of WhatsApp are located outside Turkey, and should thus be subject either to specific consent from users or a prior approval of the Board. It further criticised the absence of specific consent to the use of cookies for profiling purposes.

The Board finally held that WhatsApp’s Terms of Service and Privacy Policy were insufficient to constitute a valid privacy notice under Turkish law, and ordered that the document be revised within three months to comply with the obligation to inform.

Freely given consent

The Board decided that the explicit consent obtained by WhatsApp could not be considered as freely given by its users, since (i) it was obtained through a provision in a service contract, and (ii) it was used as consent both to the processing of personal data and to the transfer of data outside Turkey, without providing any other option.

Although WhatsApp claimed to be processing personal data on the basis of legal exceptions to consent, the Board considered that the process of agreeing to the contract by nature amounted to obtaining explicit consent. Because such consent was incorporated into a service contract and imposed as a condition of service, the Board found that it lacked the element of free will and was thus invalid.

Good faith principle

According to the Board, the fact that the “data transfer” provisions were presented in a non-negotiable manner in the service contract, thus forcing users to approve the contract as a whole, meant that explicit consent was not validly obtained for the purpose of data transfers.

In addition, the fact that consent to the transfer of data was made a condition to the use of the application, without considering the interests and reasonable expectations of the users, was considered by the Board as a breach of the principle of good faith.

Obligation for the processing to be relevant, limited and proportionate to its purpose

The Board noted that WhatsApp requested consent to the transfer of all collected personal data, and determined that such data transfer was not proportionate and limited to the purpose for which the data is processed. Moreover, WhatsApp’s legal notices did not clearly identify which data would be transferred and for what purpose.

Data processing activities through servers located outside Turkey

In its decision, the Board held that all processing activities conducted after personal data was collected from users in Turkey, such as saving, storing, modifying and transferring the data, must be considered a transfer of personal data abroad to the extent WhatsApp servers are not located in Turkey. Therefore, such data transfers should comply with the rules applicable to international data transfers under Law No. 6698 on the Protection of Personal Data (the “Law”).

Since WhatsApp had neither obtained valid explicit consent for such data transfers, nor entered into a written undertaking to protect the data and applied for prior approval of the Board to the cross-border data transfer, the Board concluded that the data transfers were not performed in compliance with the Law.

Use of cookies for profiling purposes

The Board finally determined that no explicit consent had been obtained from WhatsApp users regarding the processing of their personal data through cookies for profiling purposes, and that such data processing activity was not therefore compliant with the Law.

As a result of its findings, the Board imposed an administrative fine in the amount of TRY 1,950,000 (approx. USD 235,000) on WhatsApp on the basis of Article 12 of the Law (failure to take the necessary technical and organisational measures to ensure data security).

The Board also ordered that WhatsApp’s Terms of Service and Privacy Policy be revised in accordance with the Law within three months. It further held that the Privacy Policy was intended to function as a privacy notice, but did not contain the mandatory elements to constitute a valid privacy notice under the Law, and should thus be revised in accordance with Article 10 of the Law and the Communiqué on the Principles and Procedures to be Followed to Comply with the Obligation to Inform.


Legal Information

This briefing is for information purposes; it is not legal advice. If you have questions, please call us. All rights reserved.