Intellectual Property, Information Technology & Cybersecurity

The Change in WhatsApp Privacy Policy and Evaluation of this Change within the Framework of the Personal Data Protection Law

Author: Idil Uz 

Introduction

On January 4, 2021, the most preferred online messaging application worldwide, WhatsApp, announced that it will change its privacy policy. In the announcement, WhatsApp stated that it will make significant changes in its procedures such as i) how user data is processed, ii) how businesses use Facebook-hosted services to store and manage WhatsApp chats, and iii) how they work with Facebook to offer integrations in Facebook Company Products. In addition, it was stated that users who do not accept this update, which includes important changes in the processing and transferring of personal data, will not be able to continue using the application as of February 8, 2021. Upon this announcement, many individuals and institutions, especially the competition law and personal data protection law authorities were alarmed, and announced that they have started an investigation on the issue.

In this article, the changes announced by WhatsApp in its privacy policy and recent updates, together with the statements of WhatsApp on this matter will be addressed, and this change will be evaluated within the framework of the personal data protection legislation and the decisions of the Personal Data Protection Authority.

What Does the Change in WhatsApp's Privacy Policy Include[1]?

Differences in the Data Controller and Privacy Policy According to the User's Region

According to the newly published privacy policy, users residing outside of the European Region will be served by WhatsApp LLC as the data controller, subject to this updated privacy policy. However, if the user lives in the European Region, it has been announced that the service will be provided by WhatsApp Ireland Limited, instead of WhatsApp LLC as the data controller, subject to another privacy policy. Therefore, it can be said that the update has not been implemented in countries that are subject to the European General Data Protection Regulation (GDPR).

Processed Data

Through the updated privacy policy, WhatsApp declared that along with the information on usage and log, location, device and connection, WhatsApp account, - in certain cases - messages, users' connections, user status, cookies and customer support, which are automatically collected, it will also process information regarding transactions and payments, information provided by others (third-parties) about the user, and user reports.

According to the updated privacy policy, if the payment services, or services meant for purchases or other financial transactions to be provided by WhatsApp are being used, some additional information, including payment account and transaction information, will be processed. It was stated that the payment account and transaction information includes information necessary for using this service and the completion of the payment transaction, such as payment method, shipping details and transaction amount.

In addition, it is regulated that others (third-parties) may also provide information about the user to WhatsApp and third party service providers, including Facebook. Accordingly, it was stated that a business may grant a third-party service provider access to its communications with users for the purpose of storing, reading, managing, or otherwise processing them.

Data Transfer

WhatsApp has declared that they are one of the Facebook Companies, and will share data with third-party service providers and other Facebook Companies to help them operate, provide, improve, customize, support and market their services.

Data Processing and Transferring Purposes

It was stated that the above-mentioned data is to be processed and shared with third-party service providers and other Facebook Companies for purposes such as providing technical and physical infrastructure regarding applications, providing engineering, cyber security and operational support, providing location, map and location information, understanding how users utilize the services, marketing the services, helping to connect with businesses by using the services, having surveys and research performed, ensuring safety, security and integrity, providing customer service assistance, personalizing content, helping users to complete purchases and transactions, and displaying relevant offers and advertisements on Facebook Company Products.

Recent Developments upon the Change

Following WhatsApp's announcement regarding the change in its privacy policy on January 4, 2021, the Competition Board has ex officio decided to initiate an investigation on Facebook Inc., Facebook Ireland Ltd., WhatsApp Inc. and WhatsApp LLC to determine whether there has been a violation of Article 6 of Law on Protection of Competition numbered 4054 regarding the obligation to share data imposed on WhatsApp users, with its decision dated 11.01.2021 and numbered 21-02 / 25-M[2]. Thereupon, the Personal Data Protection Authority made a public announcement on 12.01.2021 that it has started an ex officio investigation regarding the WhatsApp Privacy Principles and data transfer to Facebook Companies within the framework of Personal Data Protection Law numbered 6698 ("PDPL"), and has shared the result of its pre-evaluation[3].

The Statements of WhatsApp

Upon all of these ex-officio investigations and speculations that have created public debates, WhatsApp released statements in response to the discussions titled, Answering your questions about WhatsApp’s Privacy Policy[4], and About new business features and WhatsApp’s Privacy Policy update[5]. In the statement, WhatsApp announced that the content of users' personal messages and calls (communications) could not be seen/intercepted by them and Facebook, and that the user's connections were not transferred to Facebook. It was stated that personal messages are protected by an end-to-end encryption mechanism (E2E, Signal encryption protocol)[6]. According to the relevant statements, data processing and transfer activities that have changed with the update in the privacy policy will be valid for communication with the businesses during the use of the new service to be offered.

Accordingly, chats with businesses that use the WhatsApp Business app or manage and store customer messages themselves are also end-to-end encrypted. Once the message is received, it will be subject to the business’s own privacy practices, and the business may designate a number of employees, or even other vendors, to process and respond to the message. As well, some businesses will be able to choose WhatsApp’s parent company, Facebook, to securely store messages and respond to customers. In this case, data transfer is performed.

Evaluation of the Change in Privacy Policy within the Framework of Personal Data Protection Legislation

While processing personal data, it is obligatory for data controllers to comply with the principles of lawfulness and fairness, being accurate and kept up to date where necessary, being processed for specified, explicit and legitimate purposes, being relevant, limited and proportionate to the purposes for which they are processed, being stored for the period laid down by relevant legislation, or the period required for the purpose for which the personal data are processed.

Apart from this, in accordance with Article 5 and Article 8 of the PDPL, it is only possible to process and transfer general personal data domestically on the basis of the legal grounds that are regulated numerus clausus, or, if they are not applicable in the concrete case, on the basis of the explicit consent of the data subject. Accordingly, personal data can be processed and transferred domestically without seeking the explicit consent of the data subject only in cases where one of the following conditions is met:

  1. It is expressly provided for under the law;
  2. It is necessary for the protection of life or physical integrity of the person himself/herself or of any other person, who is unable to explain his/her consent due to the physical disability or whose consent is not deemed legally valid;
  3. Processing of personal data of the parties of a contract is necessary, provided that it is directly related to the establishment or performance of the contract;
  4. It is necessary for compliance with a legal obligation to which the data controller is subject;
  5. Personal data have been made public by the data subject himself/herself;
  6. Data processing is necessary for the establishment, exercise or protection of any right;
  7. Processing of data is necessary for the legitimate interests pursued by the data controller, provided that this processing shall not violate the fundamental rights and freedoms of the data subject.

In accordance with Article 9 regulating the transfer of personal data abroad, personal data can be transferred abroad with the explicit consent of the data subject. As well, personal data may be transferred abroad without the explicit consent of the data subject upon the existence of one of the abovementioned legal grounds and i) if the country where personal data is to be transferred is one of the countries that have been announced as having adequate protection by the Personal Data Protection Board, or ii) if the country is not announced as having adequate protection, then upon the existence of a written commitment for adequate protection by the data controllers and authorisation of the Personal Data Protection Board regarding the related transfer.

As it can be understood from the points explained above, in most cases, the data subject must give explicit consent for the processing (including the transfer activity) activities to be performed. As is clearly regulated in Article 3/1,a of the PDPL, explicit consent refers to the consent that is declared i) with free will, ii) on a specific subject and iii) based on information. In addition to the aforementioned three validity conditions, in accordance with the Communiqué on the Procedures and Principles for Fulfilling the Obligation of Disclosure, which regulates the rules regarding explicit consent, the notice to be made, and the consent to be obtained regarding data processing, must be carried out separately. As well, in accordance with the established decisions and the published guidelines of the Personal Data Protection Board, binding the explicit consent to the condition of service means the impairment of free will, which is one of the basic validity conditions and, therefore, invalidates explicit consent[7]. In addition, blanket consents of a general nature, which are not limited to a specific subject and involve many different processing activities, are also considered invalid[8].

Lastly, in accordance with the decisions of the Personal Data Protection Board, it is accepted that providing cloud services from data controllers/data processors whose databases are based abroad is also deemed as data transfer abroad[9].

Conclusion

Considering all of the points explained above, the investigation of the Personal Data Protection Board may include evaluations as to whether i) the clarification performed by WhatsApp regarding data processing and transfer activities meets the legal requirements; ii) the clarification and explicit consent procedures were carried out separately; iii) explicit consent was taken separately for transfers abroad; iv) explicit consent was taken as blanket consent; v) stating that the application cannot be used if the change is not approved means that explicit consent was made subject to a service condition; vi) the free will of the data subjects is void; and vii) even if WhatsApp does not transfer data to service providers located abroad, including Facebook, data transfer abroad already exists due to the fact that WhatsApp's servers are located abroad. Upon the investigation and evaluation of the Personal Data Protection Board, WhatsApp LLC may be instructed to process data and transfer it abroad in accordance with the law and may face administrative fines for some of its transactions.

Finally, WhatsApp does not fulfill the VERBIS registration obligation. The Personal Data Protection Board can also make an assessment on this issue in its examination.

[1] WhatsApp Privacy Policy https://www.whatsapp.com/legal/updates/privacy-policy/?lang=en (Access date: 21.01.2021).

[2] Competition Board’s decision dated 11.01.2021 and numbered 21-02 / 25-M https://www.rekabet.gov.tr/tr/Guncel/rekabet-kurulu-facebook-ve-whatsapp-hakk-14728ae4f653eb11812700505694b4c6 (Access date: 21.01.2021).

[3] The Public Announcement of the Personal Data Protection Board dated 12.01.2021 on WhatsApp Application https://www.kvkk.gov.tr/Icerik/6856/WHATSAPP-UYGULAMASI-HAKKINDA-KAMUOYU-DUYURUSU (Access date: 21.01.2021).

[4] Answering your questions about WhatsApp’s Privacy Policy https://faq.whatsapp.com/general/security-and-privacy/answering-your-questions-about-whatsapps-privacy-policy?lang=en (Access date: 21.01.2021).

[5] About new business features and WhatsApp’s Privacy Policy update https://faq.whatsapp.com/general/security-and-privacy/about-new-business-features-and-whatsapps-privacy-policy-update?lang=en (Access date: 21.01.2021).

[6] “End-to-end encryption ensures only you and the person you are communicating with can read or listen to what is sent, including no one in-between, not even WhatsApp. This is because with end-to-end encryption, your messages are secured with a lock, and only the recipient and you have the special key needed to unlock and read them.” https://www.whatsapp.com/security/?lang=en (Access date: 21.01.2021).

[7] Personal Data Protection Board’s Decision dated 16.02.2018 and numbered 2018/19 https://kvkk.gov.tr/Icerik/5412/Acik-Rizanin-Hizmet-Sartina-Baglanmasi; Personal Data Protection Board’s Decision dated 25.03.2019 and numbered 2019/81 https://www.kvkk.gov.tr/Icerik/5496/2019-81-165 (Access date: 21.01.2021).

[8] Points to Consider While Obtaining Explicit Consent https://www.kvkk.gov.tr/Icerik/2037/Acik-Riza-Alirken-Dikkat-Edilecek-Hususlar (Access date: 21.01.2021).

[9] Personal Data Protection Board’s Decision dated 31/05/2019 and numbered 2019/157 https://www.kvkk.gov.tr/Icerik/5493/2019-157
