A Review on WhatsApp’s Updated Privacy Policy

08.02.2021 - Att. Ekin Dolgun, Att. Melda Yılmaz

In its announcement on January 4, 2021, WhatsApp LLC, (“WhatsApp”) a company acquired by Facebook Inc., (“Facebook”) announced to its users that the "Terms of Service and Privacy Policy" will be updated on February 8, 2021.

Important change brought to attention in accordance with the “Terms of Service and Privacy Policy” highlights that certain data can be shared with Facebook and its affiliates for the users who accept the changes, and the application will no longer be available for the users who reject the changes.

WhatsApp’s update notification has caused question marks to arise regarding the personal data security of its users. Later on the announcement titled “Giving More Time For Our Recent Update”, it was announced that WhatsApp has postponed and extended the period for acceptance to its users from February 8, 2021 until May 15, 2021. 

In the announcement, it was stated that WhatsApp would like to “clear up the misinformation around how privacy and security works” until May 15, 2021, contrary to previous explanations, the accounts of users who did not accept the change by February 8, 2021 will not be suspended or deleted. With this article, we present to your attention our evaluations regarding the aforesaid update of WhatsApp.

In accordance with the "Privacy Principles" offered by WhatsApp, conversations made through the application are protected by the "end to end encryption" method, which is an encryption system that only enables the parties on the sending and receiving ends to read the contents. With end-to-end encryption, the contents such as photographs, audio recordings, videos, messages that the sender transmitted via WhatsApp can only be seen by the sender and the recipient, and third parties who are not part of the conversation must have a code called the “key” to be able to decrypt and read these contents.

To summarize, this method involves encryption of the content of the message sent by the sender and until it reaches the recipient, the content cannot be read by any third party or institution, except for the sender and receiver, including WhatsApp itself. However, WhatsApp does not encrypt metadata and its backups. Therefore, meta-data and backups pose great danger of being shared with Facebook and its affiliates. With the share of such data, these companies will be able to track and monitor the behavioral movements and daily habits of people. 

The said update is highly regarded due to the simple fact that WhatsApp is used extensively in both social and business communication and has been touching every part of our lives. The very root of the problem in terms of our legal system, which is the collection of certain data by WhatsApp to be later shared with Facebook, has drawn attention to the concept of "personal data" entered into our legislation with the Personal Data Protection Law No. 6698 (the "Law"), entered into force after being published in the Official Gazette dated April 7, 2016 and numbered 29677.

The purpose of the Law is defined as “[…] protecting fundamental rights and freedoms of persons, particularly the right to privacy, with respect to processing of personal data and to set forth obligations, principles and procedures which shall be binding upon natural or legal persons who process personal data.” Based on the update made by WhatsApp, it is deemed useful to summarize some of the principles stipulated by the Law.  According to the 5th, 8th and 9th Articles of the Law; explicit consent of the data subject must be obtained in order to process and transfer (domestic and abroad) personal data. The definition of “explicit consent” is described in the 3rd Article of the Law. Taking into consideration the provisions of the Article; it is necessary that the explicit consent being expressed is specific, informed and freely given. 

We would like to highlight that one of the elements of explicit consent is that it is expressed through freewill. Since explicit consent shall be expressed with the freewill of the data subject, obtaining explicit consent of the data subject shall not be presented as a prerequisite for the delivery or providing the use of a product or service. Therefore, as WhatsApp is unilaterally dictating that the accounts of the users who do not accept the terms will be suspended or deleted, this situation appears to be serving a prerequisite to benefit from the products and services offered. According to the Personal Data Protection Authority (“Authority”), explicit consent obtained in this way constitutes a violation of the principle of freewill. As a matter of fact, the Authority has initiated an ex officio investigation on WhatsApp through its Decision dated 12th January 2021 and numbered 2021/28. 

An important example in which explicit consent appears as a prerequisite for benefiting from products and services is present in the Decision of Germany's Federal Cartel Office (Bundeskartellamt) regarding Facebook's data collection activities. In its decision dated 6th February 2019; the Federal Cartel Office examined Facebook’s data collection, data usage and data consolidation activities and concluded that Facebook was in a dominant position considering its share in the markets and was abusing its dominant position in terms of its data collection activities. Although Facebook in its defense used the explicit consent of its users as a base, it was stated that explicit consent was not expressed through freewill as users could only benefit from the services provided that they accept the data sharing conditions. 

On the other hand, it should be reminded that there are various discussions about the legal nature of the concept of "personal data" and determining the legal nature of the personal data concept is incredibly important regarding the framework in which the personal data will be protected.

Within the framework of comparative law approaches, personal data is valued as a social value in the Continental European legal system, so the concept of personal data is evaluated within scope of human rights and personal rights. In the Turkish legal system approach, the right to demand protection of personal data has been protected with a similar perspective. Turkish Constitution Article 20 paragraph 3. reads as follows: “Everyone has the right to request the protection of his/her personal data. This right includes being informed of, having access to and requesting the correction and deletion of his/her personal data, and to be informed whether these are used in consistency with envisaged objectives. Personal data can be processed only in cases envisaged by law or by the person’s explicit consent. […] ” It is therefore observed that personal data protection is protected as a fundamental right. In the American legal system, it is observed that the concept of personal data is evaluated from an economic perspective. In this context, personal data has been adopted as a product of the owner's personality and evaluated within the scope of property rights.  

In Turkish law, there is no explicit principle in that leads to evaluating personal data within the scope of "property rights", personal data rights are among the rights that are strictly bound to the person. However, to interpret this matter within the framework of property rights, in case of sharing personal data with WhatsApp, WhatsApp is only given the “right to use” in terms of the contractual framework; and if WhatsApp shares this personal data with its affiliated companies and obtains an economic benefit from this activity, it can be considered that the limits of the “right to use” are abused, it can be concluded that the right to "abuse/consume" will come to the agenda.

It is not possible to ignore the fact that considering the market share of WhatsApp inevitably leads to its dominant position in the market. In the light of the decision of the Federal Cartel Office mentioned above; WhatsApp as a company of Facebook, is a messaging platform in Turkey with the most users therefore has a dominant position. Following the regulation in Article 6 titled “Abuse of Dominant Position” of the Law on the Protection of Competition No. 4054 (the “Competition Law”), “it is illegal and prohibited for one or more undertakings to abuse their dominant position in the market of goods or services in the whole or part of the country, either alone or through agreements or joint behaviors with others. regulation prohibited abuse of dominant position.” With this provision, abuse of dominant position is prohibited. 

As a matter of fact, the Competition Authority initiated an investigation on Facebook and WhatsApp on January 11, 2021 to determine whether there has been a violation of Article 6 of the Competition Law and suspended the obligation to share data with WhatsApp.