Data Protection & Privacy 2024 - Part 3

3. Law Enforcement and National Security Access and Surveillance

3.1 Laws and Standards for Access to Data for Serious Crimes

The following activities are among those excluded from DP Law coverage:

- processing of personal data by judicial authorities or execution authorities regarding the investigation, prosecution, judicial or execution proceedings; and

- processing of personal data by public institutions and organisations duly authorised and assigned by law regarding maintaining national defence, national security, public security, public order or economic security within the scope of preventative, protective and intelligence activities.

The Turkish Law of Criminal Procedure is the primary source with respect to law enforcement’s access to data for the investigation of serious crimes.

Other relevant laws are as follows:

- the Law on Police Duty and Authority;

- the Law on Gendarmerie Organisation Duty and Authority;

- the Law on Governmental Intelligence Services and National Intelligence Agency; and

- the Internet Law.

Law enforcement authorities may request information on personal data when investigating criminal offences.

However, in certain situations, an independent judicial decision is necessary for public prosecutors and law enforcement officers to interfere with IT systems or intercept communications.

In the case of peril in delay, the public prosecutor or law enforcement officer may interfere with IT systems or intercept communications by the public prosecutor’s order, which must be approved by a court afterwards.

3.2 Laws and Standards for Access to Data for National Security Purposes

Similar rules to those discussed in 3.1 Laws and Standards for Access to Data for Serious Crimes apply in the national security realm. In these cases, the authorities can demand information if it is necessary for the prevention of imminent threats.

The National Intelligence Agency is authorised to request any information within its powers and duties, including any personal data. Those who fulfil these requests cannot be held legally or criminally liable.

Although there have been no practical implications at the time of writing, Türkiye is also a signatory state to the OECD’s Declaration on Government Access to Personal Data Held by Private Sector Entities dated 14 December 2022.

3.3 Invoking Foreign Government Obligations

The provisions of the DP Law do not provide a clear legitimate basis for invoking a foreign government’s request for collecting or transferring data. However, since the fulfilment of a foreign government’s request may lead to data transfer abroad, the rules on data transfer abroad set forth in the DP Law must be complied with (see 4.2 Mechanisms or Derogations That Apply to International Data Transfers).

Furthermore, Türkiye is a signatory to many bilateral or multilateral agreements which aim to promote co-operation between states, especially on issues related to judicial co-operation and extradition requests. Personal data-processing activities that arise from these obligations are not exempted from the scope of the DP Law, and public institutions are also obliged to comply with the DP Law (see 2.1 Omnibus Laws and General Requirements, 2.2 Sectoral and Special Issues and 4.2 Mechanisms or Derogations That Apply to International Data Transfers).

Türkiye does not participate in a Cloud Act agreement with the USA.

3.4 Key Privacy Issues, Conflicts and Public Debates

A key privacy issue is inadequate and uncertain regulations about governmental access to data. Although the DP Law is applicable to data processing activities of governmental bodies, the broad exceptions outlined within it are criticised. As this causes the application of the DP Law within governmental bodies to be interpreted as extenuated, which does not facilitate accurate implementation.

Compared to the GDPR, many issues are completely left out of the scope of the DP Law. This is criticised in Turkish data protection practice.

4. International Considerations

4.1 Restrictions on International Data Issues

International transfer of personal data is subject to the DP Law (see 4.2 Mechanisms or Derogations That Apply to International Data Transfers).

The DP Law states that provisions on data transfer abroad in other laws are reserved. On the other hand, sector-specific regulations may impose further restrictions regarding data transfer abroad (see 4.4 Data Localisation Requirements).

Based on its decisions, the DPB also seems to consider direct collection of personal data by controllers located abroad as data transfer abroad, which is, in the authors’ view, a debatable approach.

4.2 Mechanisms or Derogations That Apply to International Data Transfers

According to the DP Law, the transfer of personal data abroad is permissible if the data subject’s explicit consent is obtained for such transfer.

If the exporter relies on any legal basis other than explicit consent, the following applies.

- The foreign country to which the personal data will be transferred must have an adequate level of protection for personal data. Such countries will be determined and announced by the DPB (ie, the “Whitelist”).

- If there is not an adequate level of protection, an exporter controller in Türkiye and data importer abroad must execute a written undertaking to commit to providing an adequate level of protection, similar to Standard Contractual Clauses in GDPR practice (ie, undertaking). Then, such undertaking must be submitted to the DPB, for the approval of the relevant data transfer.

- If the data transfer abroad is only within multinational group companies, a data exporter located in Türkiye may obtain approval from the DPB for binding corporate rules (BCR).

As a Whitelist has not yet been announced by the DPB, only consent, undertakings and BCR remain for controllers to transfer data abroad. However, in several decisions the DPB states that “the provision of a service cannot be made conditional upon consent”. This principle is based on the argument that if the provision of a service is made conditional upon obtaining consent for data processing (including transfer), such consent is deemed to be not freely given, and hence may be considered as invalid.

Although obtaining valid explicit consent has its own challenges, obtaining regulatory approval from the DPB is just as challenging. Only seven controllers have managed to obtain regulatory approval by executing an undertaking since the enactment of the DP Law.

The set of rules governing international data transfers has been revised with the DP Law Amendments. These amendments will come into effect on 1 June 2024. However, controllers have the option to rely on explicit consent for the transfer of personal data abroad until 1 September 2024 (see 1.8 Significant Pending Changes, Hot Topics and Issues).

4.3 Government Notifications and Approvals

As mentioned in 4.2 Mechanisms or Derogations That Apply to International Data Transfers, undertakings and BCRs require the DPB’s approval.

Moreover, as per Article 9(5) of the DP Law, without prejudice to the provisions of international agreements, in cases where the interest of Türkiye or the data subject shall be seriously harmed, personal data may only be transferred abroad upon permission of the DPB. The DPB must obtain the opinions of relevant public institutions and organisations before it grants its permission.

It should be noted that sector-specific regulations may seek further notifications or approvals regarding data transfer abroad (see 2.2 Sectoral and Special Issues).

4.4 Data Localisation Requirements

Even though there is no data localisation requirement in the DP Law, there are certain sector-specific regulations in Türkiye.

Banking and Finance Entities

The following entities must keep their primary and secondary information systems in Türkiye:

- banks;

- payment institutions and electronic money institutions;

- insurance and private pension companies (except for services such as email, teleconference or videoconference);

- certain public companies, as well as certain capital markets institutions; and

- financial lease, factoring and finance companies.

Electronic Communications Providers

In principle, electronic communications providers cannot transfer traffic data and location data abroad, for national security reasons. However, in certain cases, such data may be transferred abroad by obtaining the explicit consent of the data subject.

Social Network Providers (SNPs)

SNPs whose daily access is more than one million must take necessary measures to retain data of their Turkish users in Türkiye.

4.5 Sharing Technical Details

Public or private institutions that will use coded/encrypted electronic communication within their electronic communications services must apply to the ICTA and obtain permission in order to be authorised in accordance with the ICTA’s regulations. A copy of the code/encryption must be provided to the ICTA with this application.

4.6 Limitations and Considerations

There are no specific limitations or considerations that apply to an organisation for collecting or transferring data in connection with foreign government data requests and foreign litigation proceedings.

See 3.3 Invoking Foreign Government Obligations and 4.2 Mechanisms or Derogations That Apply to International Data Transfers.

4.7 "Blocking" Statutes

Türkiye does not have specific “blocking” statutes, but there are general statutory provisions that prevent the disclosure of matters relating to national interests.

5. Emerging Digital and Technology Issues

5.1 Addressing Current Issues in Law

The DPA issued its Recommendations on AI in September 2021. It is noteworthy that the Recommendations on AI do not provide a detailed view on AI technologies, even though they succeed in covering certain fundamental topics.

Biometric data has been a point of further discussion in the field of data protection, and the processing of biometric data has been assessed extensively in both DPA-issued documents and DPB decisions (see 2.4 Workplace Privacy for the use of biometric data in an employment context).

5.2 “Digital Governance” or Fair Data Practice Review Boards

Establishing protocols for digital governance and fair data practice review boards or committees to address the risks of emerging or disruptive digital technologies is not a mandatory and/or common practice in Türkiye.

5.3 Significant Privacy and Data Protection Regulatory Enforcement or Litigation

In a landmark decision dated 15 December 2023, the Constitutional Court examined a Magistrates’ Court’s assessment of a DPB decision and asserted that the DPB decisions weren't adequately reviewed by the Magistrates’ Court's as the appellate authority.

5.4 Due Diligence

Conducting due diligence over a target entity is considered to be on the legal basis of “legitimate interest”.

When requesting and sharing personal data during a due diligence process, “proportionality” and “data minimisation” principles must be taken into consideration.

If a due diligence process requires data transfer abroad, the controller must comply with provisions regarding transferring data abroad. It should be noted that using virtual data rooms, whose servers are located abroad, would constitute a data transfer abroad (see 4.2 Mechanisms or Derogations That Apply to International Data Transfers).

5.5 Public Disclosure

VERBIS is an online public registry, which shows the personal data processing inventory of controllers who have registered with, and submitted information to, VERBIS (see 2.1 Omnibus Laws and General Requirements).

The information, which is submitted to VERBIS and is hence publicly available, is as follows:

- the categories of personal data;

- the data-processing purposes for each data category;

- retention periods of each data category;

- data subjects for each data category;

- data transferees;

- information on data transfer abroad, for each data category; and

- technical and organisational measures.

The relevant capital markets regulations impose an obligation on companies which will make a public offering to state the risks of the business before such public offering. Although there is no specific requirement to state the risks on data protection and cybersecurity, since these may also include risks regarding data protection, such risks should be mentioned during a public offering.

5.6 Digital Technology Regulation/Convergence of Privacy, Competition and Consumer Protection Laws (Including AI)

In 2022, the E-Commerce Law and its secondary legislation was amended with the aim of maintaining an effective and fair competition environment on e-commerce platforms.

These amendments impose significant obligations on e-marketplaces and e-sellers. Some of these obligations reflect certain principles brought in by the Digital Services Act.

According to these amendments, e-marketplaces shall:

- remove unlawful content submitted by the seller;

- not lower the seller’s position in the ranking or recommendation system without any objective criteria set forth in the agreement executed with the seller;

- not use the data obtained from sellers and buyers with a purpose other than providing intermediary services, in particular to compete with sellers; and

- provide technical facilities, free of charge, to the seller for transferring the data they collected through their sales and for accessing the processed metadata.

The amendments have adopted an incremental system based on total transaction number and net transaction volume per year for the obligations, and non-compliance with these obligations is subject to administrative monetary fines. These fines vary between TRY10,000 and TRY40 million, and certain fines are calculated on a percentage basis, varying between 0.0005% and 10% of the net sales amount of the preceding year.

Although not yet ratified, significant amendments are anticipated in the Law on Protection of Competition No 4054 to enhance alignment with the European omnibus model. Most of the amendments introduced by the draft amendment reflect the ex-ante approach of the Digital Markets Act, and include certain definitions introduced thereby.

5.7 Other Significant Issues

There are no other significant issues.