Focus on: TRENDS AND DEVELOPMENTS IN IT LAW
Moroglu Arseven
I. PAYMENT SYSTEMS, DIGITAL BANKING AND CRYPTO ASSETS
Banking and payment systems are heavily regulated under Turkish law. Banking Law No. 5411 (“Banking Law”) is the main legislation regulating the banking sector, and payment systems are regulated by the Law on Payment and Securities Settlement Systems, Payment Services and Electronic Money Institutions (“Payment Law”), together with their secondary legislation.
Under the Payment Law, a payment system or a securities settlement system can only be operated with a license obtained from the Central Bank of the Republic of Turkey (“Central Bank”). A payment system is defined under the Payment Law as “the structure that has common rules and provides the infrastructure required for clearing and settlement transactions carried out in order to realize fund transfers arising from transfer orders among three or more participants” and a securities settlement system is defined as “the structure that has common rules and provides the infrastructure required for the clearing and settlement transactions carried out in order to realize securities transfers arising from transfer orders among three or more participants”.
Moreover, the following activities are defined as payment services under Article 12 of the Payment Law:
- All the transactions required for operating a payment account including the services enabling cash to be placed on and withdrawn from a payment account,
- Execution of payment transactions, including transfers of funds on a payment account with the user’s payment service provider, direct debits, including one-off direct debits, payment transactions through a payment card or a similar device, credit transfers including standing orders,
- Issuing or acquiring payment instruments,
- Money remittance,
- Execution of payment transaction, where the consent of the payer to execute a payment transaction is given by means of any telecommunication, digital or IT device and the payment is made to the telecommunication,
- Corresponding services enabling bill payments.
- At the request of the payment service user, the payment initiation service related to the payment account at another payment service provider.
- Upon approval of the payment service user, the online provision of consolidated information of one or more payment accounts held at payment service providers by payment service users.
- Other transactions and services reaching the level to be determined by the Bank in terms of total size or impact in payments.
According to the Payment Law, payment institutions are legal persons authorized pursuant to the Payment Law to provide and execute payment services.
As an important step, the Regulation on Payment Services, Electronic Money Issuance and Payment Service Providers (“PSR”) and the Communiqué on Information Systems of Payment and Electronic Money Institutions, and Data Sharing Services of Payment Service Providers in the Field of Payment Services (“DS Communiqué”), drafted by the Central Bank, were published in the Official Gazette numbered 31676 on 1 December 2021 and entered into force. With the PSR and the DS Communiqué, drafted following the amendments made to the Payment Law, published in the Official Gazette on 22 November 2019, Turkish legislation has been aligned with Directive (EU) 2015/2366 of the European Commission, Payment Services Directive 2 (“PSD2”).
The DS Communiqué first granted market players a transition period for compliance until 28 February 2023. This transition period was then extended until 30 April 2023 by the Amendment Communiqué on the DS Communiqué, published in the Official Gazette numbered 32118 and dated 28 February 2023.
Moreover, digital banks are regulated under Turkish law for the first time.
Crypto assets, on the other hand, are mainly unregulated under Turkish law, and until 2021 there was no provision directly addressing crypto assets. The very first legal document specifically regulating crypto assets is the Regulation on the Use of Crypto-Assets in Payment, promulgated in 2021, which prohibits the use of crypto assets in payments. Non-Fungible Token (“NFT”) usage and fan token issuance have grown rapidly in Turkey. Fan tokens in particular became very popular among sports teams, including major league football clubs such as Fenerbahçe and Altay, providing additional income.
On a further note, blockchain on its own is not regulated, but rather, governed by the rules applicable to the area where it is used.
2. Recent Key Developments in Payment Systems, Digital Banking, Digital On-Boarding and Crypto Assets
2.1 The Regulation on Payment Services, Electronic Money Issuance and Payment Service Providers
The regulation aims to set out the procedures and principles regarding the authorization and activities of payment institutions and electronic money institutions (“Institutions”), the provision of payment services to payment service providers, and the issuance of electronic money.
The PSR regulates the licensing conditions and proceedings of the Institutions. One of the most critical provisions is that intangible assets that are issued only in exchange for fiat currency on a one-to-one basis, created virtually and distributed over digital networks are considered electronic money if they are issued against funds accepted by the issuing institution, stored electronically, used to perform the payment transactions defined in the Payment Law and accepted as a payment instrument by real and legal persons other than the issuing institution. The Central Bank will determine how the secondary regulations enacted pursuant to the Payment Law will be applied to intangible assets that will be considered electronic money within the scope of this paragraph, and other procedures and principles needed for such electronic money.
According to the PSR, a payment order refers to the instruction given by the customer to the payment service provider for the purpose of realizing the payment transaction, and in accordance with Law No. 6493, the Institutions have the right to provide a payment order initiation service (“PIS”). Where a payment is initiated through the PIS provider, the institution holding the sender’s payment account will promptly return the unfulfilled or incorrectly executed part of the payment transaction to the sender and restore the payment account if the amount has been deducted from the payment account. In such transactions, the burden of proving that the payment order has been received by the institution where the payment account is held, that the transaction has been approved by the customer, recorded correctly and processed into the accounts, and that it is not affected by a technical failure or problem in the services under its responsibility will lie with the PIS provider.
The procedures and principles regarding the execution of transactions related to the PIS and the account information service (“AIS”) and the technical and operational requirements to be complied with by the parties are determined by the Central Bank. Compliance with the technical and operational requirements of the Central Bank is audited through a technical control and evaluation process carried out by the Interbank Card Center (“BKM”). Parties who complete this technical control and evaluation process without any problems are registered by BKM and publicly announced on the website, and are accepted as authorized PIS and AIS providers after the necessary permissions are given by the Central Bank. Institutions operating as of the date of entry into force of the PSR are obliged to harmonize with the PSR within one year from the date of publication of the PSR. The PSR granted a transition period until 1 February 2022 for the payment and electronic money institutions operating as of the date of the entry into force of the PSR to comply with the requirements set forth under the PSR. This transition period was first extended until 28 February 2023 by the Amendment Regulation on the PSR published in the Official Gazette numbered 32024 and dated 25 November 2022. A second extension was then made by the Amendment Regulation on the PSR published in the Official Gazette numbered 32118 and dated 28 February 2023, and the transition period was finally extended until 30 April 2023.
2.2 Digital Banking Regulation
As a result of the amendments made to article 76 of the Banking Law, and with the entry into force of the Regulation on the Establishment of a Contractual Relationship in the Electronic Environment and the Remote Identity Detection Methods to be Used by Banks, it became possible to establish contractual relations between banks and their customers in the electronic environment. With these developments, the Banking Regulation and Supervision Agency (“BRSA”) has aimed to lay the foundations of the digital banking model, which operates only in the digital environment. The BRSA therefore published the Regulation on the Operating Principles of Digital Banks and Service Model Banking (“DBR”).
The DBR aims to determine the operating principles of branchless banks that serve exclusively through digital channels and the conditions for the provision of banking as a service model (banking as a service, “BaaS”) to businesses and innovative enterprises – in other words, start-ups.
The DBR defines digital banks as “credit institutions that provide banking services mainly through electronic banking services distribution channels instead of physical branches”. Unlike the branchless banking application in Europe, the DBR allows neo banks to obtain a license to operate directly over the BaaS infrastructure, without the requirement to have a licensed sponsor bank.
Unless otherwise stated in the DBR or the relevant legislation, digital banks can perform all the activities that credit institutions can perform, depending on whether they are deposit or participation banks. Digital banks are obliged to comply with the provisions of the DBR in addition to all the legislative provisions that credit institutions are obliged to comply with within the framework of the Banking Law and related legislation.
The DBR sets forth certain restrictions for the activities of digital banks. According to the DBR, customers of digital banks can only be financial consumers and small and medium enterprises (“SMEs”). In this respect, digital banks were prevented from carrying out commercial banking activities exceeding the SME size. The total of unsecured cash loans that digital banks can make available to a certain financial consumer cannot exceed four times the average monthly net income of the relevant customer, and if the customer’s average monthly net income cannot be determined, the total of unsecured cash loans that can be extended for such customer cannot exceed ten thousand Turkish Liras.
The DBR defines the BaaS as “a service model in which customers can perform banking transactions through the service bank by connecting directly with the systems of service banks via open banking services by the interface offered by the interface providers.” The service bank can only provide service model banking services to domestically resident interface providers and only within the framework of their own operating permits.
2.3 Regulation on the Use of Crypto-Assets in Payment
The Regulation on the Use of Crypto Assets in Payments was published on 16 April 2021, effective as of 30 April 2021, and became the first legal document specifically regulating crypto assets under Turkish law.
A crypto asset is defined under Article 3 as “intangible assets that are created virtually using distributed ledger technology or a similar technology and distributed over digital networks but are not qualified as fiat money, dematerialized money, electronic money, payment instrument, security or another capital market instrument”. As per Article 3, crypto assets may not be used directly or indirectly in payments. Article 4 prohibits payment service providers from developing business models, or providing services regarding business models, in which crypto assets are used in the provision of payment services and the issuance of electronic money. Article 4 also prohibits payment and electronic money institutions from mediating platforms offering trading, custody, transfer, or issuance services for crypto assets, or fund transfers from such platforms.
2.4 Regulations Allowing IBAN Issuance by Payment Service Providers
Communiqué numbered 2021/5 (“Amendment Communiqué”), published in Official Gazette dated 5 August 2021, numbered 31559, amends Communiqué number 2008/6 on International Bank Account Numbers to allow payment service providers to issue international bank account numbers (“IBAN”).
The Amendment Communiqué provides that (i) payment service provider codes for use in issuing IBANs will be determined by the Central Bank, and (ii) non-bank payment service providers can issue IBANs for customer accounts subject to money transfers but are obligated to do so only where applicable payment system rules established pursuant to the Payment Law so require.
2.5 Regulation on Remote Identity Verification and Remote Contract Execution
The Regulation on Remote Identification Methods to be Used by Banks and Establishment of Contractual Relations in Electronic Environment was published in the Official Gazette No. 31441, dated April 1, 2021. With the regulation, it became possible to carry out identity verification online by video call, without the customer representative and the customer needing to be physically present in the same place. In addition, once identity verification has been carried out remotely or through branches, it became possible to establish banking contracts remotely.
2.6 General Communiqué of Financial Crimes Investigation Board No. 19 on Remote Identity Verification
General Communiqué of Financial Crimes Investigation Board No. 19, effective as of 1 May 2021, on remote identity verification (“Communiqué 19”), was published in Official Gazette No. 31470 of 30 April 2021.
Communiqué 19 allows, in accordance with extant applicable law, remote consumer identity verification to facilitate the establishment of a commercial relationship. The method designed and utilized by the parties must minimize the risk of unauthorized publication of protected data. Notably, a signature sample need not be obtained in the process.
2.7 Crypto Asset Service Providers’ Obligations Regarding Anti Money Laundering and Terrorist Financing
The Regulation on Amendment of Regulation on the Measures for Prevention of Laundering Proceeds of Crime and Terrorist Financing, effective as of 1 May 2021 (“Crypto AML Regulation”), was published in Official Gazette numbered 31471 of even date.
The Crypto AML Regulation expands the definition of obligated entities under article 4 of the Regulation on the Measures for Prevention of Laundering Proceeds of Crime and Terrorist Financing (“AML Regulation”), published in Official Gazette numbered 26751 of 9 January 2008, with the following subparagraphs:
- (ü) crypto asset service providers,
- (v) savings financing companies.
Accordingly, as of 1 May 2021, crypto-asset service providers, savings financing companies, their branches, agents, representatives, commercial agents, and affiliated entities are required to comply with the AML Regulation.
2.8 Digital On-Boarding
The BRSA has issued Circular numbered 2022/2 Regarding the Criteria to be Provided for Authentication and Transaction Security in the Establishment of Agreements in Electronic Banking Services and in Electronic Environment. The circular aims to clarify the application of the Regulation on Banks’ Information Systems and Electronic Banking Services, the Regulation on Remote Identification Methods to be Used by Banks and Establishment of Agreements in Electronic Environment and the Regulation on Operating Principles of Digital Banks and Service Model Banking, in a uniform manner without compromising transaction security.
2.9 Recent Developments on Equity Requirement for Payment Institutions
The Communiqué Regarding the Redetermination of Minimum Equity Amounts of Payment and Electronic Money Institutions (“Equity Communiqué”) was published by the Central Bank of the Republic of Türkiye in the Official Gazette dated 28 January 2023 and numbered 32087, in order to update the minimum equity amounts of payment institutions and electronic money institutions regulated in the Regulation on Payment Services and Electronic Money Issuance and Payment Service Providers.
The Equity Communiqué will enter into force on 30 June 2023. Updated minimum equity amounts with the Equity Communiqué are as follows:
- In the event of services for mediation of invoice payments being offered, the minimum equity amount, which was TRY 5,500,000 in 2022, will be TRY 7,000,000 as of the second half of 2023.
- For other payment institutions, except for those that exclusively provide the service of presenting consolidated information regarding one or more payment account of the payment service user held by payment service providers on online platforms, the minimum equity amount, which was TRY 9,000,000 in 2022, will be TRY 15,000,000 as of the second half of 2023.
- For electronic money institutions, the minimum equity amount, which was TRY 25,000,000 in 2022, will be TRY 41,000,000 as of the second half of 2023.
II. E-COMMERCE
E-commerce is regulated under Turkish law, especially with regard to e-commerce platforms and electronic commercial messages. The Law on Regulation of Electronic Commerce No. 6563 (“E-Commerce Law”) is the main legislation governing e-commerce, along with the Law on Protection of Consumer No. 6502 (“Consumer Law”) for the B2C side. In accordance with the E-Commerce Law, with certain exceptions, service providers can send commercial electronic messages to recipients only with the recipient’s prior consent. Service providers wishing to send commercial electronic messages must register with, and transfer their consent records to, the commercial electronic communication management system before carrying out any commercial communication. A draft amending the Consumer Law has been brought before the Turkish parliament. The proposed amendments, if passed, will impose certain heavier obligations on intermediary service providers and stricter rules on remote contracts.
2. Recent Key Developments in E-Commerce
2.1 Competition Authority’s Preliminary Findings on E-Marketplace Sector
On 7 May 2021, the Turkish Competition Board made public certain preliminary findings (“Report”) from its e-marketplace sector inquiry, commenced 11 June 2020 (“Inquiry”), by publishing same on the Turkish Competition Authority’s (“TCA”) website.
The Inquiry was intended to, in the interest of general consumer and merchant protection, identify anti-competitive practices within the e-marketplace sector. In light of the Inquiry findings, the Report, inter alia, recommends implementing certain ameliorative measures. To that end, the Report contains the following recommendations:
- strengthen applicable secondary legislation,
- implement a code of conduct applicable to e-marketplace platforms in order to eliminate current imbalances in bargaining power between merchant and e-marketplace platform operator,
- promulgate standards for e-marketplace conduct of gatekeeper enterprises.
2.2 Licence Requirement
Electronic commerce intermediary service providers with a net transaction volume over ten billion and number of transactions over 100,000 excluding cancellations and returns in a calendar year shall obtain a license from the Ministry of Commerce and renew such license annually. The provisions regarding the obligation to obtain a license will enter into force on 1 January 2025.
2.3 Content Management
Regarding intellectual and industrial property rights, the e-commerce intermediary service provider is obliged to unpublish the product of the e-commerce service provider, which is the subject of the complaint, and notify the e-commerce service provider and the right owner, upon a complaint based on information and documents regarding intellectual and industrial property rights violations. The product subject to the complaint may be republished upon e-commerce service provider’s submission of the information and documents refuting the complaint to the intermediary service provider. With the relevant regulation, the complaint and takedown procedure to be followed in case of violation of intellectual and industrial property rights of the content is regulated.
III. INTERNET – SOCIAL MEDIA AND DIGITAL PUBLICATIONS
All internet content, including online media services, is regulated by the Information and Communication Technologies Authority (“ICTA”) under Law No. 5651 on the Regulation of Publications on the Internet and the Suppression of Crimes Committed by Means of Such Publications (“Internet Law”). The Internet Law regulates the obligations of content providers, hosting providers, internet providers and social network providers.
As per the Internet Law:
- The content provider is responsible for any kind of content it makes available on the internet. Yet, hosting providers are not responsible for checking the hosted content or researching whether such content constitutes an unlawful activity.
- Access providers are required to block alternative access methods and provide information to the ICTA if requested;
- Social network providers are under the obligation to respond to individual requests within forty-eight hours, comply with content removal and access prevention measures, and provide regular reports including statistical and categorical information on the foregoing.
- Social network providers based abroad that have more than 1 million daily access from Turkey are required to appoint local representatives. The local representatives are responsible for accepting notices, notifications, and requests from administrative and judicial authorities in Turkey, responding to individual applications and fulfilling other obligations under the Internet Law.
2. Recent Key Developments in Internet/Social Media
2.1 Advertising Bans on Twitter, Periscope, and Pinterest
Turkey introduced a set of amendments to the Internet Law, and the amendment law was published in the Official Gazette on 31 July 2020. With the amendments, a series of obligations were set forth for local and foreign-domiciled social network providers operating in Turkey, including appointing a local representative.
ICTA banned advertising on Twitter, Periscope, and Pinterest for failure to appoint a local representative. The advertising bans were later withdrawn after such representatives were appointed.
2.2 Guidelines applicable to Social Media Influencer Advertising
To clarify the current state of the law on social media advertising governed by Consumer Law and the Regulation on Commercial Advertisement and Unfair Commercial Practices (“Advertising Regulation”), Turkey’s Advertisement Board published its Guideline on Commercial Advertisement and Unfair Commercial Practices of Social Media Influencers, effective 4 May 2021 (“Guideline”).
Social media posts by influencers deriving financial or other material benefit are commercial in nature under the Law and the Advertising Regulation, and such ads must fully comply with them. Accordingly, the Guideline, on top of certain other requirements, obliges social media influencer posts to be disclosed as commercial advertising.
2.3 Amendments to the Regulation on Presentation of Radio, Television, and On-Demand Internet Broadcasts
The Regulation Amending the Regulation on Presentation of Radio, Television, and On-Demand Internet Broadcasts (“Amendment Regulation”) was published in Official Gazette dated 10 April 2021 and numbered 31450. Amendment Regulation introduced certain amendments affecting the financial obligations of licensed broadcasters which are as follows:
- Broadcasters wishing to pay their licensing fees in installments were obliged to pay the first installment to the Radio and Television Supreme Council (“RTÜK”) up-front and in cash, and to guarantee payment by providing to the RTÜK a guarantor letter(s) operative for a period of at least 10 years and amounting to 6 installments. The Amendment Regulation revised the amount to 9 installments and allowed broadcasters to obtain guarantor letters from more than one bank.
- A broadcaster wishing to renew its license must apply online to the RTÜK at least 2 months before expiration of its then current license.
- Guarantor letter covering a broadcaster’s internet broadcast transmission authorization fee must be in an amount equal to such fee and operative for a period of 1 year.
2.4 Amendments on Social Media Platforms
The Law Amending the Press Law and Certain Laws numbered 7418 (“Law No. 7418”) was published in the Official Gazette dated 18 October 2022 and numbered 31987. Accordingly, certain amendments were introduced to Law No. 5651 (aka Internet Law) with regard to the rules on social network providers.
Notable amendments brought by the Law No. 7418 within the scope of the Internet Law are as follows:
- The legal entity or real person appointed as the representative of a foreign-based social network provider with more than ten million daily access from Turkey will be fully competent and liable for all technical, administrative, legal and financial matters of the social network provider; the liabilities of the social network provider are reserved.
- If the appointed representative is a legal entity, it is mandatory for this legal entity to be a branch incorporated by the social network provider as a stock company.
- If the representative of the social network provider is a real person, this person must be a resident in Turkey and also a Turkish citizen.
- The obligations of social network providers have been extended, as listed below:
  - Both domestic and foreign-based social network providers with more than one million daily access from Turkey have been put under the duty to submit a report in Turkish every 6 months to the Authority, reflecting their compliance with the Authority’s notified decisions in relation to removal of content and/or blocking of access and/or statistical and categorical information regarding such requests addressed to them by persons claiming a violation of their personal rights.
  - The article further provides that such reports must include information regarding header labels, algorithms related to the contents highlighted or underemphasized, and social network providers’ advertisement and transparency policies.
  - Within the scope of the social network providers’ duty to treat their users equally and impartially, the report must also include all precautions taken in this regard.
  - Social network providers are also obliged to publish this report on their websites.
  - An obligation has been introduced to ensure that viewers can clearly and easily access the parameters used when social network providers recommend other contents to them.
  - In addition, social network providers must take all necessary precautions to ensure that users can change their preferences regarding the recommended contents and limit the use of their personal data on their websites, and include this in their report.
  - Furthermore, social network providers also need to establish an advertisement library containing information regarding contents, advertisers, durations of advertisements and target audience, publish this library on their websites and include it in their report.
  - Social network providers must take all precautions in their systems and algorithms in order not to publish contents and header titles about the crimes within the scope of the Internet Law, reflect these in their reports and cooperate with the ICTA accordingly.
  - Social network providers are put under the obligation to take necessary precautions regarding services specifically addressed to children.
  - Last but not least, social network providers have become obliged to draw up crisis management plans in relation to extraordinary conditions which may affect public safety and health and submit them to the ICTA.
2.5 Digital Publications
Law No. 7418 significantly amends a wide range of legislation and includes amendments to Press Law numbered 5187 (“Press Law”), Law on the Establishment of the Press Advertising Agency numbered 195 (“Law No. 195”) and Turkish Criminal Code numbered 5237 (“Criminal Code”).
Notable amendments brought by the Law No. 7418 within the scope of the Press Law are as follows:
- Online websites have been added within the scope of periodical publications in the article regulating the scope of the Press Law.
- The scope of the mandatory information required on the homepages of online news websites has been extended, and it has become an obligation to include more specific information such as their workplace addresses, commercial titles and e-mail addresses. This information will also need to be available under the websites’ “Contact” section. Failure to fulfil this duty will be subject to fines ranging from TRY 500 to TRY 20,000. In addition, websites are obliged to make all updates and changes to their content available to their viewers, with the relevant dates specified on the content.
- In line with the duty of the responsible manager of periodical publications to publish the correction and reply within the scope of the Press Law, it has become obligatory for the responsible manager of an online news website to publish the correction and reply written by the person harmed by the published content on the day following the publication at the latest. This text will be published on the page and column of the original content, providing the URL, in the same font. Failure to fulfil these duties will lead to a judge’s decision that the text be published on two online news websites and in two newspapers with a print run of over 100,000. All expenses will be paid by the owner of the publication.
IV. CLOUD COMPUTING
Although there is no specific regulation on cloud computing in Turkey, certain rules prescribed in several laws and secondary legislation apply to cloud computing in most cases. These rules mainly concern the notification requirement and data localization.
As stated above, hosting providers should notify ICTA before providing hosting services.
Hosting provider is defined under the Internet Law as “natural or legal persons who operate or provide systems which stores the services and contents”. As such, cloud providers are regarded as hosting providers with respect to the Internet Law.
As per the Internet Law, hosting providers are required to retain traffic data for 1 year and ensure the integrity, accuracy and privacy of this data. However, as per Electronic Communication Law No. 5809 (“ECL”), traffic data cannot be transferred abroad without the data subject’s explicit consent. This is an important challenge for cloud computing providers whose servers are located in foreign countries. The Personal Data Protection Board (“DP Board”) previously concluded, in its “Gmail Decision” numbered 2019/157 and dated 31 May 2019, that when Gmail services provided by Google are used, e-mails are held at data centers all around the world and that this therefore constitutes a transfer of personal data abroad.
2. Recent Key Developments in Cloud Computing
2.1 DP Board’s Decision Regarding Cloud Use
In the DP Board’s decision numbered 2021/359 and dated 13 April 2021, the data controller employer was sanctioned for using cloud services to store employees’ personal data without first obtaining the employees’ explicit consent. The employee data was stored in a cloud database with servers abroad, which could only be accessed by relevant authorized persons. As the servers of the cloud database were abroad, the DP Board ruled that the data was transferred abroad.
2.2 BRSA’s Regulation Regarding Cloud Use in Banking
The Regulation on Information Systems and Electronic Banking Services of Banks (“BRSA Regulation”), which governs the use of cloud computing by banks, has entered into force. The use of cloud systems is not prohibited under the BRSA Regulation; however, certain conditions must be fulfilled. According to the BRSA Regulation, the primary and secondary systems of the Institutions should be kept in Turkey. If cloud computing services are used, the information systems of cloud computing service providers and their back-ups are also regarded as primary and secondary systems of the Institutions. In such cases, these data, hardware and software and their back-ups should also be kept in Turkey. Moreover, where cloud computing services are used for primary and secondary systems, the hardware and software used should be dedicated to a single institution. However, the use of community clouds is permitted for banks and financial institutions under certain conditions. With BRSA approval, a community cloud can be used by banks and financial institutions, on condition that the software and hardware are dedicated to BRSA-regulated institutions and logical separation is provided for each company. In addition, with the BRSA’s approval, financial institutions may use the same dedicated software and hardware on condition that logical separation is provided for each company.
V. ARTIFICIAL INTELLIGENCE (“AI”)
AI is not specifically regulated under Turkish law; however, its use may trigger certain control mechanisms under various laws and regulations. For instance, the use of AI for automatic decision making can be challenged by data subjects if it results in a negative impact on them, and they can request human intervention in the decision making. The product liability and tort provisions of Turkish law also apply to damages incurred due to the use of AI.
2. Recent Key Developments in AI
2.1 Artificial Intelligence Strategy
The Circular numbered 2021/18 on the National Artificial Intelligence Strategy was published in the Official Gazette dated 20 August 2021 and numbered 31574, and the National Artificial Intelligence Strategy Document (“Strategy”) was published on the website of the Digital Transformation Office of the Presidency on 24 August 2021.
The high-level targets foreseen for 2025, which is the end of the implementation period of the Strategy, are as follows:
- The contribution of AI to GDP will be increased to 5%.
- Employment in the field of AI will be increased to 50,000 people.
- Employment in the field of AI in central and local government public institutions and organizations will be increased to 1,000 people.
- The number of graduate level graduates in the field of AI will be increased to 10,000.
- AI applications developed by the local ecosystem will be prioritized in public procurement and commercialization will be supported.
- An active contribution will be made to the regulatory studies and standardization processes of international organizations in the field of cross-border data sharing with reliable and responsible AI.
Telecommunication (telco) is a highly regulated sector under Turkish Law. The ECL, which was prepared based on Directive (EU) 2018/1972 of the European Parliament and of the Council of 11 December 2018 Establishing European Electronic Communications Code (“EECC”), is the main legislative document that governs the telecommunication sector. ICTA is the national regulatory agency for the supervision of the sector and the execution of the ECL. The telco sector is regulated by licensing, authorization, notification and other control mechanisms regarding the establishment, conduct and structure of telco companies. Electronic communication services can only be provided by obtaining a license from ICTA. On the other hand, the following are not subject to authorization: electronic communication services and/or networks or infrastructure that are established within the immovables of a real or legal person without exceeding the borders of each immovable, used exclusively for personal or corporate needs, not used to provide any electronic communication service to third parties, not intended for any commercial purpose in their provision and not made available to the public; and those established by public institutions and organizations in accordance with their special laws regarding the services they provide exclusively. Unlike the EECC, the ECL does not contain a provision that expressly brings within its scope communication media between individuals that are provided for a price.
2. Recent Key Developments in Telco
2.1 Regulation on Verification Process of the Applicant’s Identity in the Electronic Communications Sector
The Regulation on Verification Process of the Applicant’s Identity in the Electronic Communications Sector (“RIR”) was introduced in the Official Gazette dated 26 June 2021 and numbered 31523.
According to the RIR, only the following channels can be used for identity verification:
- e-Government gateway,
- Visual verification by artificial intelligence or an authorized person, together with a document with a near field communication feature in accordance with the ICAO 9303 standard,
- Creating PAdES with Republic of Turkey ID Card,
- Taking video footage specific to the process with the applicant’s identity document in face-to-face channels.
The Regulation allows artificial intelligence to make the comparison of the face in the live image and the photograph in the identity document.
2.2 Communiqué on the Amendment of the Communiqué on the Processes and Technical Criteria Regarding Electronic Signatures
The Communiqué on the Amendment of the Communiqué on the Processes and Technical Criteria Regarding Electronic Signatures (“Electronic Signatures Communiqué”) entered into force on 28 December 2022 upon its publication in the Official Gazette numbered 32057.
With the published Electronic Signatures Communiqué, the validity of the algorithms and parameters specified in Article 6/1 of the Communiqué on Processes and Technical Criteria Regarding Electronic Signature that was published in the Official Gazette dated 6 January 2005 and numbered 25692 has been extended from 31 December 2022 to 31 December 2025.
2.3 Regulation on Protection of Personal Data in Electronic Communication Sector
ICTA’s long-awaited Regulation on Process of Personal Data and Protection of Privacy in Electronic Communication Sector (“DPR”) was published in the Official Gazette numbered 31324 and dated 4 December 2020.
Unlike its predecessor, the DPR does not impose an explicit consent requirement for cross-border data transfer on all personal data categories. Communication and location data are regarded as important for national security, so the cross-border transfer of these data is prohibited unless the user’s explicit consent is obtained.
The DPR obliges operators to implement all necessary technical and administrative measures to ensure the security of the services provided with the user’s personal data. The DPR also sets out minimum requirements, such as determining policies; protecting personal data against all breaches, including disruption, loss, alteration and recording to another environment; and implementing the necessary measures to prevent unauthorized access to these data. Operators are also obliged to retain the log records relating to the systems containing personal data for two years.
Article 8 of the Regulation introduces specific provisions on explicit consent. The provisions are generally in line with the Law on Protection of Personal Data number 6698 (“DP Law”). As with the DP Law, explicit consent must be specific to a certain data processing activity and must be given freely, and thus cannot be a condition for the service. It is, however, stated in the Regulation that explicit consent may be requested by providing additional benefits such as extra minutes or SMS rights. The Regulation also introduces an obligation to inform users about the personal data, traffic data and location data processed. This information must be in font size 12 if given in writing. Operators are also obliged to inform the users, in the third quarter of the year, that their data is processed based on their explicit consent. Otherwise, the data processing activity of the Operators within the scope of the explicit consent given before is suspended until the privacy notice is submitted.
2.4 Increase in Direct Carrier Billing Usage
Direct Carrier Billing (“DCB”) has already been widely used in the Turkish market, especially for the payment of electricity, gas and water subscription bills. The pandemic, however, gave rise to the need for payment methods alternative to card and cash. DCB use in Turkey during the Covid-19 pandemic has increased
VII. PERSONAL DATA PROTECTION
Privacy and the protection of personal data are primarily regulated by the Law on Protection of Personal Data No. 6698 (“DP Law”). The DP Law sets forth certain obligations of data controllers, including complying with the general principles of data processing, basing data processing activities on a valid legal ground, informing data subjects as to determined aspects of the data processing, responding to data subjects’ applications regarding their rights under the DP Law, complying with the prohibitions on domestic/cross-border transfer, complying with the requirements for erasure, destruction and anonymization of personal data, taking adequate security measures for the protection of personal data, notifying data breaches and registering with the data controllers registry.
2. Recent Key Developments in Personal Data Protection Law
2.1 Personnel Certification
The Communiqué on the Procedures and Principles Regarding the Personnel Certification Mechanism (“Certification Communique”) was published. With the Certification Communique, the procedures and principles regarding the certification of persons under the DP Officer Program have been determined in accordance with the standard numbered EN ISO/IEC 17024 (ISO17024).
According to the Certification Communique, those who have participated in the program, the principles and procedures of which are determined by the Authority, and have been successful in the respective exam will acquire a certificate and be entitled to use the title of “data protection officer”. Organizations accredited by the Turkish Accreditation Agency within the scope of the ISO17024 standard will be authorized to certify those who are successful in the relevant certification exams.
In accordance with the Certification Communique, a data protection officer is assumed to have sufficient knowledge in terms of personal data protection legislation within the scope of the program for which they are certified. It is also regulated that the data protection officer can only use this title during the validity period of their certificates.
Finally, it is emphasized in the Certification Communique that employing a data protection officer will not remove the responsibility of the data controller and data processor to comply with the DP Law.
2.2 Personal Data Categories in Privacy Notices
Regarding the obligation to inform, the most important decisions in 2021 were the DP Board’s decisions regarding the need to include the personal data categories processed in the privacy notice. Article 4 of the Communique on Principles and Procedures to be Followed In Fulfillment Of The Obligation To Inform determines the information required to be included in the privacy notice as the identity of the data controller and, if any, its representative, the purpose for which personal data will be processed, and to whom and for what purpose personal data can be transferred. The Board’s decision dated 8 October 2020 and numbered 2020/765, however, stated that the categories of personal data processed should also be included in the privacy notice.
2.3 Guideline Regarding Good Practices on Protection of Personal Data in the Banking Sector
The Guideline Regarding Good Practices on Protection of Personal Data in the Banking Sector (“Good Practices Guideline”) was published on 5 August 2022 by the Personal Data Protection Authority. The purpose of the Good Practices Guideline is to guide data controller banks in carrying out their personal data processing activities in accordance with the DP Law and the secondary legislation issued by the DP Board, and to establish good practice examples within this framework.
The Good Practices Guideline includes general explanations of the procedures and principles that banks must comply with for the protection of personal data, and it underlines that the banks’ obligation to comply with the DP Law and the secondary legislation continues.
The Good Practices Guideline sets out the principles regarding the relationship between the data controller and the data processor and explains which criteria should be considered for their identification.
The Good Practices Guideline also establishes the minimum content recommended to be included in a data processing agreement between a data controller and a data processor and recommends that a data processing agreement contains the obligation / indefinite responsibility of the data controller to delete or return the data following the termination of the contract and/or the purpose for which the personal data was obtained.