Analysis of the WhatsApp Decision of the Personal Data Protection Board dated 12.01.2021

Although it is clear that the update to the terms of use of the WhatsApp application dated 04.01.2021 (hereinafter referred to as the ‘update’) does not constitute a fundamental change in terms of the data processing activities currently implemented by WhatsApp, first the Competition Authority and then the Personal Data Protection Authority (hereinafter referred to as the ‘Board’, as its implementing decision-making mechanism) initiated an ex officio investigation against WhatsApp Inc. because of the public reaction and the violation of the law and fundamental rights by certain procedural and technical changes to be implemented.

Indeed, the subject matter concerns the fields of Competition Law and Data Protection Law, and although the investigation decision taken by the Competition Authority comes as a surprise, at least in terms of current competition practice in our country, the Board decision signals some ‘firsts’ in certain respects. In this review, the Board’s decision will be analysed in accordance with its reference points. The international competition dimension of the issue cannot be addressed in this study due to its volume and content.

Board’s WhatsApp Decision dated 12.01.2021 – Illegality References

The key points of the relevant Board decision are as follows:

(a) Given that the process of obtaining consent from users is not differentiated between the processing of their personal data and its transfer to third parties located abroad, and that users may consent to the processing of their personal data without consenting to its transfer to another data controller abroad, whether, considering the widespread use of the application in question, this situation constitutes a violation in terms of ‘disclosure of free will’, one of the elements of explicit consent determined in the Law,
(b) Whether allowing the use of the application only on condition that the transfer is made to another company abroad causes a violation in terms of the principles of ‘compliance with the law and good faith’, ‘processing for specific, explicit and legitimate purposes’ and ‘being connected, limited and proportionate to the purpose for which they are processed’ among the principles listed in Article 4 of the Law,
(c) Considering that making the service offered conditional on explicit consent may cripple the explicit consent given, which may result in unlawful processing of personal data, whether the update made by WhatsApp Inc. has resulted in the service being made conditional on consent,
(d) Whether the transfer to be made by WhatsApp Inc. to data controllers residing abroad violates the provisions of Article 9 of the Law.

Payment by Data ~ PayData / Payment by Data ~ Price of Data

As is known, concepts such as ‘personal data’, ‘consent’, ‘privacy’ and ‘disclosure’ have come onto the agenda more frequently since the enactment of Law No. 6698 on the Protection of Personal Data (‘Law’) in our country, and have opened up many areas of debate in this field. One of these is whether ‘explicit consent’, the three basic elements of which are ‘consent regarding a specific subject, based on information and expressed with free will’, can be made a prerequisite for a product or service. From the decisions announced by the Board, it has been known almost since the effective date of the Law that the service cannot be made conditional on consent, and today data controllers are trying to make ‘freely given’ consent an established practice on the grounds that ‘obtaining explicit consent in the presence of other personal data processing conditions would mean misleading and misguiding the data subject and thus abuse of the right by the data controller, and the condition of the service on explicit consent would cripple the explicit consent’. However, there may be situations in which data controllers cannot or do not resort to obtaining freely given consent. For example

With the update announced by WhatsApp, the sanction that can be summarised as ‘either give consent or do not use the application’ is one of the best examples of making the service conditional on consent. WhatsApp, which has provided a ‘free’ service since its establishment, has created the elements of illegality with its update, in particular because the free service can only be used by giving consent (payment by data) and users are accordingly obliged to consent to data transfer to Facebook and other third-party partners. In the relevant excerpt of the Board’s decision above, this contravention is referred to in subparagraphs (a) and (c).

Payment by Data – Is it Possible Now?

It would not be wrong to interpret the Board’s earlier decision on the notifications and complaints about the loyalty card application of a supermarket chain as signalling that the service may be made conditional on explicit consent for applications that are not the ‘main element of the service’ and are of an ‘ancillary/additional’ nature. Likewise, another recent regulation on the subject is ‘Directive (EU) 2019/770’ in the European Union, which allows the main subject of performance of the contract to be ‘the data itself’ within certain procedures and principles. It is known that studies on how to coordinate the directive with the General Data Protection Regulation (‘GDPR’) are ongoing in the European Union.

In the WhatsApp decision, there is a remarkable detail regarding the contractual performance being the data itself. The concrete circumstance expressed as ‘taking into account the prevalence of use’ in subparagraph (a) of the relevant excerpt of the Board’s decision will play an important role in the Board’s decision on whether consent can be conditioned on service. In other words, the answer to the question ‘whether consent conditional on a service with a 99% prevalence of use in the society can lead to consent impairment’ will be analysed free from all legal debates. Of course, at this point, where the basic principles in Article 4 of the Law and theoretical data protection law have to be applied to the concrete case, in our opinion it is highly likely that a decision will be made by taking into account the elements of prevalence and monopoly.

Definitions – Data Controller Resident Abroad Transferring Abroad

As is known, WhatsApp’s EU processes are managed and administered by WhatsApp Ireland Limited, which was established specifically for EU services. WhatsApp has not implemented the relevant update in the countries of the European Union (‘EU’) where it provides services. Of course, there are a number of reasons for this. In our opinion, the main ones are the very harsh and strict data protection legislation in the EU and the high fines of €20 million and eventually up to 4% of the annual turnover, as well as the cancellation of Safe Harbor and the steps taken by the EU for data localisation, which virtually prohibit the transfer of data outside the EU. Whatever the reason, the result is that WhatsApp has been able to enter into contested processes of unlawfulness with many countries, including ours, that it could not afford to enter into with the EU, in terms of both the consent fiction and data transfer abroad.

Causes

WhatsApp’s legal struggle with Turkey may have been encouraged by several factors: the EU regulations on data transfer abroad are quite strict, clear and well regulated; the Board, which currently shapes the legislation, has not yet made any progress on the safe countries and foreign transfer undertakings included in the Law, or has not been able to do so for various reasons (?)[9]; transfer abroad can only be carried out with explicit consent; and there is a risky illusion that ‘those who have explicit consent can do anything’. In response to this courage, however, the Board has initiated an ex officio investigation against WhatsApp without a data breach, which is an exception and a first among the foreign-based data controllers against which it has so far opened investigations on the basis of a ‘data breach’. In this respect, it can be said that WhatsApp Inc. is the first data controller residing abroad against which an ex officio investigation has been initiated.

Data Collection < Data Transfer ~ Data Collection > Data Transfer

The WhatsApp decision defined for the first time the term ‘data controller resident abroad who transfers abroad’, which has thereby entered the legal literature. It should be noted that, although a data controller residing abroad cannot actually make an overseas transfer because it is not in Turkey, from the Board’s point of view the personal data obtained/collected ‘in some way’ is accepted as being transferred abroad ‘remotely through the application’, even if WhatsApp has no natural or legal person as authorised representative in Turkey, and the activity is therefore treated as falling within the scope of the overseas transfer regulated under Article 9 of the Law, as seen in subparagraph (d) of the relevant excerpt of the Board decision.

Another aspect of the issue is that, as explained in subparagraph (a) of the relevant excerpt of the Board decision, the process of obtaining consent for the processing of personal data and for its transfer to third parties residing abroad is not differentiated, and this is one of the main points on which the update constitutes a contravention. An institution that takes consent as a ‘sanction’ cannot be expected to obtain separately the consents that should be separated by process and activity. In this regard, our opinion is that a standard sanction decision should be applied to this unlawful aspect of explicit consent.

VERBIS

Although this issue is not mentioned in the Board decision, as is known, data controllers residing abroad are obliged to register with the Data Controllers Registry Information System (VERBIS). In this context, the data collection and data transfer explained under the previous heading, and ultimately ‘data processing’ activities, are definitely present in the Board’s view, and it seems highly likely that administrative sanctions will be imposed at the highest limit for violation of the VERBIS registration and notification obligation, which is one of the fundamental misdemeanours under the Law (Art. 18/1/ç).

Manipulation – Metadata Profiling

After the update, it became clear through the actions of the public and various social authorities that, apart from the benefits of the update, WhatsApp cannot view chat contents thanks to the cryptographic protocol known as ‘end-to-end encryption’. It is known that other programmes using the same protocol are also unable to view chat content. However, how the data processing points whose scope has been expanded with the update will be used remains an open question both legally and technically. As a result, it is unclear how, and with which statistical or algorithmic processing methods, Facebook and other recipient groups will use data such as being online, not being online and device information, which for some people may not seem as important as chat content. At this point, the Cambridge Analytica and Facebook scandals that ‘won elections’ with political manipulation in recent years will come to mind.

Profiling, defined as the methods of obtaining economic, social, private or even political benefit from a person’s personality, character or other characteristics that are considered completely irrelevant, can be counted among the things that the Law wants to prevent in the first place. A person can be profiled and analysed based on demographic, psychological, sociological and geographical factors, including the person’s level of sociability, ethnic and cultural values, decision-making mechanisms, outlook on life, positive or negative personality, normative connections, and peace with oneself. Whether there is a violation in terms of the principles of ‘being in accordance with the law and good faith’, ‘being processed for specific, explicit and legitimate purposes’ and ‘being relevant, limited and proportionate to the purpose for which they are processed’, as explained in subparagraph (b) of the relevant excerpt of the Board decision, is closely related to the ‘profiling’ criterion evaluated under this heading.

In our opinion, ‘metadata’, which is defined as ‘information describing the elements of a source or data, data/information about data’, is one of the basic inputs that the Facebook group, whose history is not very bright, needs and cannot give up in order to continue its profiling practices. Therefore, although public perception and the focus of the data processing debate are ultimately directed towards ‘chat content’, it should never be forgotten that this information, which can be used for profiling purposes, can be used very effectively in favour of or against the people concerned in mass studies.

Last Word

While the Board’s subsequent assessment is eagerly awaited, it is now indisputable that ‘data protection law’ has evolved into a completely different world. Data-based economies have started to create data-based contracts, and data-based contracts have started to create legal systematics in which the contractual acts regarding the manner, method, procedures and principles of the use of data are ‘the data itself’. What should not be forgotten is the extent to which ‘humanitarian’ values and rights, which are the basic principles of the Law and which are the basic pillars of human rights or the institution of law, will be touched and how these values and rights will be affected while creating these systematics.