Turkey fines WhatsApp $235,000 over data breach

Turkey fines WhatsApp $235,000 over data breach

ANKARA

Turkey on Sept. 3 joined a host of other countries in fining Facebook's ubiquitous WhatsApp messaging service for failing to sufficiently protect user data.

The 1,950,000-lira ($235,000, 200,000-euro) penalty was imposed after months of confusion over whether WhatsApp had introduced its controversial new data-sharing rules in Turkey.

The popular messaging platform updated its Terms of Service and Privacy Policy to include explicit consent to the processing of personal data of users who want to use the app and transfer it to third parties located abroad, Personal Data Protection Authority (KVKK) said in a statement.

For this, the company found that users who do not have explicit consent cannot use the app and their accounts will be deleted, the statement said.

As part of the relevant decisions by KVKK, it was decided to officially launch an examination of WhatsApp, especially on data transfer abroad, binding the service to an explicit consent requirement and compliance with general principles.

Although it is stated that the application is based on different data processing conditions in terms of various personal data processing activities and that the explicit consent requirement for personal data processing is a condition referred to as an exception, it was found that the way to obtain the explicit consent of persons concerned was taken by giving consent to the contract due to the definition of the Terms of Service as a contract with the user.

Considering that a single explicit consent is obtained from users for the processing of their data and transfer to third parties residing abroad, without providing an optional right, and the processing and transfer activities are presented to the data subject inseparably in a single text by making a provision regarding the transfer in the contract, it was stated that the “free-will disclosure” element was damaged.

When it is taken into account that people were forced to approve the contract as a whole, explicit consent was tried to be eliminated, the use of the application was subject to the transfer requirement, and in this context, it was determined that the application of the data controller was contrary to the principle of "compliance with the law and the rules of honesty."

It was stressed that the platform is acting contrary to the principles of "processing for specific, clear and legitimate purposes" and "being connected, limited and restrained to the purpose for which they were processed".

All kinds of processing activities such as saving, storing, modifying, transferring personal data obtained by the data controller from the relevant persons in Turkey mean the transfer of personal data abroad unless the servers are located in Turkey, said KVKK.

It was stated that expressed consent was not obtained from relevant persons regarding the personal data processing activity to be carried out through cookies for profiling purposes, and the personal data processing activity carried out within this scope is also not in accordance with the law.

The decision came one day after Ireland - which houses the European headquarters of Facebook - fined WhatsApp 225 million euros for similar data offenses. 

Moscow fined the two services and Twitter in August for failing to store data of Russian users on local servers.