Turkey: TMT

Regulatory regime for technology is constructed based on the subcategories of issues. Accordingly, Electronic Communications Law No.5809 (“Electronic Communications Law”) regulates the provision of electronic communications services and the construction and operation of the infrastructure and the associated network systems, as well as manufacture, import, sale, construction and operation of all kinds of electronic communications equipment and systems.

Law No. 5651 on Regulation of Publications on the Internet and Combating Crimes Committed by Means of Such Publication (“Internet Law”) regulates the obligations and responsibilities of content providers, location providers, access providers and mass use providers; and the fight against certain crimes committed on the internet.

Law No.6112 on the Establishment of Radio and Television Enterprises and Their Media Services, and especially Regulation on Radio, Television and On-Demand Broadcasting Provided Through the Internet Platforms (“RTUK Regulation”), extends the licensing, content and advertisement related regulation and supervision powers of Turkey’s Radio and Television Supreme Council (“RTUK”) to cover online service providers.

Law No. 6563 on Regulation of Electronic Commerce (“Electronic Commerce Law”) regulates principles and procedures regarding e-commerce, as well as direct marketing, responsibilities of service providers and intermediary service providers, and contracts with electronic communication tools.

The Law No. 7194 on Digital Services Tax and Amending Various Laws and the Statutory Decree numbered 375 (“DST Law”) regulates digital services tax to be applied to digital service providers, regardless of whether they are fully liable or limited taxpayers or whether the taxpayer performs activities through a workplace in Turkey or its permanent representatives.

Moreover, the Personal Data Protection Law No.6698 (“DPL”), Industrial Property Law No. 6769 (“Industrial Property Law”), and Law No.5846 on Intellectual and Artistic Works (“Intellectual Property Law”) also play critical role within the regulatory framework for technology.

Yes, Electronic Communications Law No.5809 regulates the provision of electronic communications services and the construction and operation of the infrastructure and the associated network systems.

In order to provide electronic communication services and/or to establish and operate an electronic communications network or infrastructure in Turkey, it is necessary to be authorized by the Information Technologies and Communication Authority (“ICTA”). Authorization by the ICTA can be granted to companies by following one of these two methods: (i) only via notification or (ii) notification and granting the right of use.

ICTA is the regulator for communications-related services.

ICTA is a public institution with an administrative and financial autonomy. The ICTA is independent in performing its duties; and no organ, authority, or person can give orders and instructions to the ICTA. On the other hand ICTA is affiliated with the Ministry of Transportation and Infrastructure which means they are in close collaboration while determining macro strategies and preparing long term projections for nationwide roadmaps.

Yes, the Internet Law regulates the responsibilities of the access providers, content providers, mass use providers, hosting providers that operate on the Internet, and covers access blocking requests and measures to be taken regarding violations of the internet. However, the information search engines are not specifically regulated under this law.

Moreover, on July 29, 2020, the Bill Amending the Law No. 5651 on Regulation of Publications on the Internet and Combating Crimes Committed by Means of Such Publication (“Bill Amending the Internet Law”), the proposal of which was submitted to the General Assembly by AK Party on July 21, 2020, has been accepted by the Parliament, which introduces a new actor “social network providers”, which is defined as “natural persons or legal entities that enable users to create, display or share content such as texts, image, voice, location, over the internet for purposes of social interaction”, and broadens and aggravates the scope of liable parties and their obligations under the Internet Law.

Yes, the Internet Law does not make any distinction between the resident and non-resident actors of the internet.

Moreover, in order to ensure that obligations arising from the Internet Law are fulfilled and there is an addressee in Turkey to whom the requests will be delivered, the Bill Amending the Internet Law obliges the social network providers that have more than one million access from Turkey per day to appoint a representative in Turkey, to take necessary actions on notice, declaration or requests to be sent by the ICTA, the Access Providers Union, judicial or administrative authorities and to respond to applications made by individuals in accordance with the Internet Law. Additionally, with the Bill Amending the Internet Law, the notifications relating to the administrative fines imposed under the Internet Law to those, who are residing outside of Turkey, may be served to the e-mail addresses as well as to the other contact information discovered through the website, IP address or relevant means, without being required to consummate international notification procedures.

Yes, companies applying for authorization (for serving communication services) before the ICTA must be established as a joint-stock or limited liability company in accordance with the Turkish laws, in order to carry out only the activities that are subject to the authorization or the activities required, and/or relevant while performing the service subject to the authorization.

No, however, as we have stated above, the telecom operators must be a joint-stock or limited liability company established in Turkey, in accordance with the Turkish laws.

Yes. Network-to-network interconnection and access is regulated by the Electronic Communications Law and Regulation on Access and Interconnectivity (“Interconnectivity Regulation”).

Pursuant to the Interconnectivity Regulation, upon an access request by another operator, operators have the obligation to negotiate interconnection with each other with an aim to reach an agreement within a reasonable time. In this case, if an operator denies interconnection or imposes unreasonable terms not to make a negotiation, and if the ICTA decides that the actions of that operator damages the competition or the interests of end-users, such operator may be required to settle an agreement to provide an interconnection.

Yes, the ICTA may require operators with significant market power to provide interconnection or to make available the technical specifications, network specifications, terms and conditions regarding supply and usage, fees and similar information. In such cases, operators are obliged to provide interconnection on a non-discriminatory basis to the other operators.

Regulation on Consumer Rights in the Electronic Communications Sector is the main regulation for consumer protection that applies especially to telecoms services. Accordingly, rights such as protection against discrimination, right to enter into contract with the operator, right to ask for a detailed bill, right to request information on the scope of service, right to access updated information and being informed regarding changes in the tariff, the right to easily withdraw from the services are provided to the consumers of telecom services.

Moreover, the Law on the Procedure of Execution Proceedings for the Collection of Monetary Receivables Arising out of Subscription Agreements regulates the initiation and execution of proceedings in the electronic environment regarding the receivables arising from the invoice of the goods or services, which are presented to the consumer for the purpose of performing the subscription contracts and the subscription contracts regulated in the relevant laws and regulations.

The computer software is regulated as “work” under the name of computer programs in Article 2 of the Law No. 5846 on Intellectual and Artistic Works (“Law No. 5846”). In addition, Article 6 of the Law No. 5846 states that the adaptation, editing or making any changes to a computer program is also considered as a “work”.

Pursuant to the Law No. 5846, the owner of a work is the person who creates it, and thus, the developer, who creates a new software or development, is accepted as the owner of the work. The owner of the work will own both the intangible and financial rights on the developed work.

To give an example to intangible rights, the owner of the work can exclusively determine the representation, timing, and the means of the promulgation of a work. Besides, abbreviations, additions or other changes cannot be made on the work or the name of its owner without the permission of the owner of the work. Also, the right to make use of a work not yet publicised in any way whatsoever belongs exclusively to the owner of the work.

Under the scope of financial rights, the right to partially or wholly duplicate the original or adaptations of a work belongs exclusively to the owner of the work. The right to disseminate, lease, lend or sell or make a subject of trade in any way whatsoever a work and its copies obtained by duplication from the original or adaptation of it and to benefit from this way belongs only to the owner of the work.

Under the Intellectual Property Law, databases obtained by the selection and compilation of data and materials according to a specific purpose and a specific plan, which are in a form that can be read by a device or in any other form are deemed as adaptations. However, it is stated that this protection cannot be extended to the data and materials contained in the database.

On the other hand, the Intellectual Property Law recognizes that the maker of a database who has made qualitatively and/or quantitatively substantial investment in either creation, verification or presentation of the contents shall have the right of permitting or prohibiting (i) permanent or temporary transfer to another medium by any means and in any form, and (ii) distribution or sale, rental or communication to the public in any way, of all or a substantial part of the content of the database contents with the exceptions specified in this Law and required by purposes of public security and administrative and judicial procedures.

The protection of personal data is recognized as a fundamental right under Article 20(3) of the Constitution of the Republic of Turkey as of its amendment in 2010. Since the aforementioned Article requires the principles and procedures regarding the protection of personal data to be laid down in law; the constitutional guarantee for the protection of personal data is intended to manage the processing of personal data on a regulatory level. In this respect, Law on the Protection of Personal Data No. 6698 (“DPL”), which constitutes the main legislative instrument that specifies the principles and procedures concerning the processing and protection of personal data, has been published in the Official Gazette on 7 April 2016 and is in effect as of this date.

The DPL provides almost the same definitions as GDPR and for sets forth the legal grounds on which personal data may processed fairly. We can say that the majority of the legal grounds are same while there are some divergences from EU’s regulations (see question 12). In addition to the legal grounds, providing clear information to data subjects about data processing purposes and respective data categories is obligatory.  Also, similarly, the DPL provides a general requirement for taking technical and administrative measures for data controllers alongside with a mandatory data breach notification within 72 hours. Finally, we can say that most important and problematic issues are related to cross border data flow (see questions 10 and 13), divergencies from EU’s regulations (see question 12) and administrative fines (see question 11).

DPL provides an enhanced set of rules to be followed when transferring personal data from Turkey to abroad. In this respect, the DPL shall not be comprehended as wholly or directly prohibiting the transfer of personal data, but rather necessitating the existence of pre-determined conditions, and subsequently prescribing the cross-border data transfer regime.

The transfer regime foreseen under Article 9 of the Law No. 6698 requires adherence to the either one of the following transfer mechanisms:

• Explicit consent: In the event that the data exporting party obtains explicit consent from the related data subjects, for the cross-border transfer of personal data, the cross-border transfer operation is permitted.
• Adequate level of personal data protection: In the event that (i) the conditions specified for the due processing of personal data are deemed applicable, and that (ii) the recipient country is considered to ensure an adequate level of personal data protection, the cross-border transfer operation is permitted.
• Ad hoc approval of the Board: In the event that the recipient country is unable to provide an adequate level of personal data protection, the cross-border transfer operation is permitted provided that (i) a written privacy undertaking agreement between the data transferring parties is concluded, and that (i) the Board’s approval is obtained following the submission of such undertaking to Board’s clearance.

On the other hand, while the DPL allows cross-border of personal data by introducing mechanisms in this regard, we would like to underline that as of July 2020, the list of countries providing an adequate level of personal data protection has not been published by the Board.

The maximum fine, which can be applied to i) those, who do not fulfill the obligations related to data security, ii) those who do not fulfill the decisions issued by the Board, iii) those who act contrary to the obligations for registry with the Data Controllers’ Registry and for notification, is determined as TRY 1,000,000, which is updated evert year based on the be subject to the reevaluation rate announced by the state (for year 2020, this fine is calculated as TRY 1,802,636.)

First of all, the DPL is prepared based on the Directive 95/46/EC of the European Parliament, which was repealed by the GDPR; therefore, although the Personal Data Protection Authority follows the implementation of GDPR in many areas, the exact comparison is not possible.

In the DPL, stricter regime is applied for processing of personal data concerning health and sexual life. Accordingly, these data may only be processed, without seeking explicit consent of the data subject, by persons, who are subject to secrecy obligation or competent public institutions and organizations, for the purposes of protection of public health, operation of preventive medicine, medical diagnosis, treatment and nursing services, planning and management of health-care services as well as their financing. While DPL increases the protection level of the personal data concerning health and sexual life by way of restricting the people that may process them, which is a narrower scope compared to GDPR, this results in difficulties in practice.

Moreover, GDPR and DPL also differ in terms of the regime that they stipulate for cross-border transfer of personal data. While GDPR introduces multiple alternatives facilitating the transfer of personal data, due to cyber security concerns and economic interest of the retention of data, DPL introduces  a more controlled and authority-centered structure for the transfer, when the personal data is not transferred with the explicit consent of the data subject. In this regard, higher level of protection for personal data is aimed, while it results in a block and/or restriction on use of certain services, including cloud services.

There is no specific regulation governing the provision and procurement of cloud services in Turkey. In the absence of a specific legislative framework, the DPL is considered to function as the main legislative instrument governing cloud-related practices. The provisions thereunder concerning the cross-border transfer of personal data is deemed as having a significant and direct impact on the procurement of cloud-based services which are hosted outside Turkey.

In addition to the data protection regulations, there are certain sector specific regulations scattered amongst a variety of legislations which, in general, require entities operating in such sectors to refrain from procuring cloud-based services which are hosted outside Turkey. Said sectoral restrictions are mainly intended to localize information systems and to allow for on-premise audits to be conducted by the respective regulatory and supervisory authorities. In this respect, said sector-specific regulations mainly concentrate on heavily regulated sectors, such as financial services, capital markets, and public sector.

In this regard, it should be specifically noted that the Presidential Circular No.2019/12 on Information and Communication Security Measures explicitly states that critical data relating to public institutions and organizations shall not be retained within cloud storing services, other than institutions’ own systems or systems which are controlled by such and local service providers. Additionally, while the Regulation on the Information System of Banks and Electronic Banking Services allows banks to use cloud computing services as an outsourced service provided that certain conditions are met (which restricts the use of public cloud systems), it also introduces system localization by saying that if cloud computing services fall under the definition of primary or secondary systems, the on-soil requirement will be applicable and such systems may only be hosted on Turkish territory.

Yes. While contracts executed online are valid in Turkey, the effect of an online/electronic contract as an evidence may be questioned, due to the Turkish Civil Procedure Code. The Code requires a contract executed with a handwritten signature or secure electronic signature for proving the transactions with a value exceeding TRY 4,480. It should be noted that this issue does not regard the validity of the agreement but its quality as a proof (especially in the event of a dispute), in case of a dispute before Turkish courts regarding an electronic contract. In this context, under the E-Signature Law, a secure electronic signature shall be a signature that;

• is exclusively assigned to the signature owner,
• is generated with the secure electronic signature creation device which is kept under the sole control of the signature owner,
• enables the identification of the signature owner based on the qualified electronic certificate,
• enables detection as to whether signed electronic data has or has not been altered or not subsequent to the signature being applied.

In principle, an electronic signature, which meets the conditions stated above, shall have the same legal effect as that of a handwritten signature. However, a secure electronic signature cannot be used for legal proceedings subject to a special procedure or an official form pursuant to laws and warranty contracts.

No, automatic transfer of employees, assets or third-party contracts to the outsourcing supplier is not yet regulated under Turkish legislation.

Liability in terms of Artificial Intelligence (AI) malfunctions is not specifically regulated under Turkish laws, and thus, the general provisions of the Turkish Code of Obligations (“TCO”) in terms of “tort” will apply. In accordance with the Article 41 of the TCO, the tort must contain four vital elements such as unlawful act, damage, omission and causality link. On the other hand, it should be noted that causality link should be assessed in each specific case since algorithm, underlying data, mechanics or the user/operator of AI based system may be individually or jointly the root cause of respective damage.

Cybersecurity rules in Turkish law are not consolidated under one legislative instrument but rather scattered under different sector-specific regulations. Accordingly, the Circular Note on Information and Communication Security Measures numbered 2019/12 (the Circular) establishes extensive cybersecurity-related obligations that are mainly applicable to public authorities and institutions. The most notable measures contained within the Circular are (1) significantly limiting the use of cloud systems; and (2) seriously restricting social media use in the public sector.

There are multiple sector-specific regulations that require organisations from critical sectors to employ cybersecurity measures to safeguard their information systems. For example, their sector-specific legislation requires organisations related to capital markets (including on-stock companies) and entities from sectors such as insurance, banking and payment services to employ certain measures related to cybersecurity.

Cyber-crimes are described directly in the Turkish Criminal Law (“TCL”) which entered into force as of 26 September 2004. Although DDoS attacks are not specifically regulated under TCL, “unlawful access to data information system” and “hindrance or destruction of the system, deletion or alteration of data” are defined as criminal acts respectively under articles 243 and 244 of TCL. If parties organising DDoS attacks unlawfully capture others’ devices, they will be having “an unlawful access to information systems”. Also, if the attacking parties are aiming to hinder the operationality of a certain system, this will trigger Article 244 (up to 5 years of imprisonment). Additionally, if such an attack is committed against to a bank or credit institution, or public institutions or corporations, respective sanctions will be aggravated.

We opine that given the recent government plans and strategies, cyber security and fintech may continue to create significant impact in our jurisdiction in terms of legal change and disrupt their respective ecosystems.

Turkey has a strong and significant financial sector. In parallel to the government’s goals towards digitalization, financial technologies will transform the sector and create a disruptive impact, which as a result will trigger legal change. As one of the most heavily regulated sectors, financial sector will evolve along with financial technologies. On the other hand, in order to ensure data security and to eliminate the cyber security related risks in the market, regulations on cyber security and resulting obligations to become compliant with the same may also be discussed.

Greatest impediment to economic development/commerce in Turkey with respect to technology is the delay in adopting the necessary legal framework, which will not hinder, but enhance the technological advances, and accelerate the growth of digital economy. This does not only correspond to delays in the regulatory processes, but also to delays in apprehending the current needs of the sector and regulatory void that need to be filled with a good understanding of technology, its impact and international benchmarks. Moreover, growing tendency towards local and national also impairs the investment ecosystem of Turkey.

Most regulations adopted in Turkey especially in the field of digital services and technology are transposed from the EU. Having said that, in various cases this does not eliminate the discrepancies and hardships in the very implementation of legal provisions and in practice. One example to such hardship may be given as the international data transfer regime under DPL. The list of countries providing adequate level of protection has not been announced yet by the Turkish Personal Data Protection Authority. Given the fact that other mechanisms envisaged under DPL (as explained above in this document) are burdensome and operationally unfeasible to many, this also creates an impediment to economic development, and a negative perception with respect to the investment environment and ease of doing business in Turkey.

The government in Turkey pays utmost attention to digital services and the digital transformation of public institutions. In fact, as per the new government system, Digital Transformation Office has been established, which is tasked to realize the digital transformation of public institutions and to carry out any and all necessary works and studies in this regard. This stance of the government also manifests itself through all government plans and strategies.

On the other hand, as mentioned before, there is a rising trend and tendency of the government that favors local and national corporations and technologies. Although it is the natural consequence of today’s digital world and digital economy to have companies that operate in Turkish market yet are not residents, localization requirements and the restraining stance of the government that only continue to increase and  weighs on the sector.

The most recent example in this regard is the Bill Amending the Law No. 5651 on Regulation of Publications on the Internet and Combating Crimes Committed by Means of Such Publication (“Bill”), which imposes strict restrictions on social media providers and includes a provision that obliges social network providers established abroad and that has more than one million access from Turkey per day to appoint a representative in Turkey for taking necessary actions on notice, declaration or requests to be sent by the Information and Communication Technology Authority (“Authority”), the Access Providers Union, judicial or administrative authorities and for responding to applications by persons.

As we have stated above, currently, there is no specific regulation or provision regarding artificial intelligence, and the problems that may arise this respect are trying to be solved with general principles that may be relevant. In this regard, it could be stated that Turkish legal system is not competent to responds the legal issues that may occur and legislative works to be done with relevant stakeholders are needed. On the other hand, Turkish legislators tend to monitor EU Commission’s legislative works and may use them as bases for a legislation to be prepared. Accordingly, it could be stated that any developments in this context may be affected by the EU policies, especially White Paper published this year, “Artificial Intelligence: a European approach to excellence and trust”, and report “Policy and investment recommendations for trustworthy Artificial Intelligence”.

Moreover, establishment of “Artificial Intelligence Institute” is set forth in Turkey’s 2023 Industry and Technology Strategy, which is also to produce information that will be considered in setting policies and standards on issues such as management, protection and dissemination of data, among other targets. Therefore, it could be argued that the results to be concluded by this institute may also help to determine the problematic issues and introduce solutions on artificial intelligence.