Turkey's Personal Data Protection Board (KVKK) on Friday imposed an administrative fine of TL 1.95 million ($235,000) on WhatsApp for not taking the necessary technical and administrative measures to prevent the unlawful processing of personal data.
The watchdog said in a statement that it had been determined that the Terms of Service and Privacy Policy had been updated to include express consent to the processing of personal data of users who want to use the application and consent to transfer that data to third parties abroad by WhatsApp LLC. Users who do not give express consent would not be able to use the application and would have their accounts deleted.
Making the application’s services subject to the precondition of explicit consent is against the law on the protection of personal data in Turkey.
Furthermore, obtaining a single explicit consent from users for the processing of their personal data and its transfer to third parties abroad, without providing an optional right, and that this was presented inseparably in a single text, muddled the "disclosure with free will" of express consent.
The terms of "transfer" in the Terms of Service and Privacy Policy are presented by the data controller in a non-negotiable manner, where the data subjects are forced to give consent to the contract as a whole, the watchdog said, "thus trying to exclude express consent."
The use of the application is tied to the transfer condition, and in this context, it was determined that this practice of the data controller violates the principle of "compliance with the law and honesty rules" in Article 4 of the Law, taking into account that the data controller acts without taking into consideration users’ interests.
The statement noted that the data controller acted against the principles of "processing for certain, clear and legitimate purposes" and "being connected, limited and proportional to the purpose for which they were processed" in Article 4 of the Law.
All kinds of processing activities such as the saving, storing, changing, and transferring of the personal data obtained by the data controller from the data subjects in Turkey took place abroad unless the servers were located in Turkey. It was noted that, thus, the responsible person did not act per Article 9 of the Law.
Explicit consent was not obtained from the relevant persons regarding the personal data processing activity to be carried out through cookies for profiling purposes, and the personal data processing activity carried out within this scope was also not under the law, the statement also noted.
In addition, since it was determined that the messaging app’s privacy policy dated January 4, 2021, which was said to have not been implemented by the data controller, is currently presented to the users as the application’s current version, the watchdog said, the relevant texts should be brought into compliance with the Law within three months to inform the relevant persons correctly.
Earlier on Thursday, WhatsApp was fined a record €225 million ($267 million) by Ireland’s data privacy watchdog for breaching EU data protection rules.
The Data Protection Commission (DPC) Thursday handed down the penalty on the Facebook-owned messaging service after a three-year investigation that found WhatsApp committed "severe" and "serious" violations of the EU’s General Data Protection Regulation (GDPR).
"This decision contained a clear instruction that required the DPC to reassess and increase its proposed fine based on several factors contained in the EDPB's decision and following this reassessment the DPC has imposed a fine of €225 million on WhatsApp," the commission said in a statement."In addition to the imposition of an administrative fine, the DPC has also imposed a reprimand along with an order for WhatsApp to bring its processing into compliance by taking a range of specified remedial actions."
The investigation, launched in December 2018, examined whether WhatsApp had fulfilled its GDPR transparency obligations regarding the provision of information and transparency of that information to users and non-users of the service.