What is the regulatory regime for technology?
Regulatory regime for technology is constructed based on the subcategories of issues. Accordingly, Electronic Communications Law No.5809 (“Electronic Communications Law”) regulates the provision of electronic communications services and the construction and operation of the infrastructure and the associated network systems, as well as manufacture, import, sale, construction and operation of all kinds of electronic communications equipment and systems.
Law No. 5651 on Regulation of Publications on the Internet and Combating Crimes Committed by Means of Such Publication (“Internet Law”) regulates the obligations and responsibilities of content providers, location providers, access providers, mass use providers, and social network providers and the fight against certain crimes committed on the internet.
Law No.6112 on the Establishment of Radio and Television Enterprises and Their Media Services, and especially Regulation on Radio, Television and On-Demand Broadcasting Provided Through the Internet Platforms (“RTUK Regulation”), extends the licensing, content and advertisement related regulation and supervision powers of Türkiye’s Radio and Television Supreme Council (“RTUK”) to cover online service providers.
Law No. 6563 on Regulation of Electronic Commerce (“Electronic Commerce Law”) regulates principles and procedures regarding e-commerce, as well as direct marketing, responsibilities of service providers, intermediary service providers, electronic commerce service providers and electronic commerce intermediary service providers and contracts with electronic communication tools.
The Law No. 7194 on Digital Services Tax and Amending Various Laws and the Statutory Decree numbered 375 (“DST Law”) regulates digital services tax to be applied to digital service providers, regardless of whether they are fully liable or limited taxpayers or whether the taxpayer performs activities through a workplace in Türkiye or its permanent representatives.
Moreover, the Personal Data Protection Law No.6698 (“DPL”), Industrial Property Law No. 6769 (“Industrial Property Law”), and Law No. 5846 on Intellectual and Artistic Works (“Intellectual Property Law”) also play critical role within the regulatory framework for technology.
Regulation on not Using Crypto Assets in Payments regulates certain prohibitions for the use of crypto assets, while a more comprehensive regulation is expected to clarify the status of crypto assets, introduce the regime for crypto exchange platforms and the obligations of the actors operating in crypto sector.
Additionally, the Communiqué Amending the Communiqué on Mergers and Acquisitions (Communiqué No: 2010/4) Requiring Permission from the Competition Board (Communiqué No: 2022/2) introduced merger control regime for all tech deals concerning the acquisition of technology companies active in Türkiye, including those that have R&D activities in Türkiye or provide services to customers in Türkiye. Accordingly, in tech acquisitions, the TRY 250 million threshold determined for mergers will not be sought in terms of the acquired technology undertaking and more tech deals will be caught by the Turkish merger control regime. The Turkish Competition Authority explains the reason behind this specific requirement with regard to tech companies as “to catch and prevent killer acquisitions”.
Are communications networks or services regulated?
Yes, Electronic Communications Law No. 5809 regulates the provision of electronic communications services and the construction and operation of the infrastructure and the associated network systems.
If so, what activities are covered and what licences or authorisations are required?
In order to provide electronic communication services and/or to establish and operate an electronic communications network or infrastructure in Türkiye, it is necessary to be authorized by the Information Technologies and Communication Authority (“ITCA”). Authorization by the ITCA can be granted to companies by following one of these two methods: (i) only via notification or (ii) notification and granting the right of use.
Is there any specific regulator for the provisions of communications-related services?
ITCA is the regulator for communications-related services.
Are they independent of the government control?
ITCA is a public institution with an administrative and financial autonomy. The ITCA is independent in performing its duties; and no organ, authority, or person can give orders and instructions to the ITCA. On the other hand, ITCA is affiliated with the Ministry of Transportation and Infrastructure, which means they are in close collaboration while determining macro strategies and preparing long term projections for nationwide roadmaps.
Are platform providers (social media, content sharing, information search engines) regulated?
Yes, the Internet Law regulates the responsibilities of the access providers, content providers, mass use providers, hosting providers that operate on the internet, and covers access blocking requests and measures to be taken regarding violations of the internet. However, the information search engines are not specifically regulated under this law. Moreover, the Law No. 7253 Amending the Law No. 5651 on Regulation of Publications on the Internet and Combating Crimes Committed by Means of Such Publication (“Law Amending the Internet Law”), published in July 2020, introduced a new actor “social network providers”, which is defined as “natural persons or legal entities that enable users to create, display or share content such as texts, image, voice, location, over the internet for purposes of social interaction”, and broadens and aggravates the scope of liable parties and their obligations under the Internet Law. As per ITCA’s Procedures and Principles on Social Network Provider published in October 2020, the scope of social network provider was established. Accordingly, persons that include content for social interaction only in a certain part of the broadcast on the internet and platforms such as personal websites, electronic commerce sites and news sites where content for social interaction is offered as a secondary and ancillary service are excluded.
Additionally, the Law Proposal Amending the Press Law and Certain Other Laws, which foresees amendments in the Internet Law, the Electronic Communications Law, the Turkish Criminal Code and the Press Law, was proposed in May 2022 by the government. It will introduce disinformation as a crime, foresees a new local representative structure for social network providers, where the responsibilities of local representatives are extended, and ascribe criminal liability to social network providers from the content posted by third persons in certain cases. Moreover, it will introduce the concept of over-the-top (“OTT”) services and envisages a license obligation for OTT service providers. It will also introduce a new regime for internet news sites, which are defined as “a periodical publication that is established and operated to present written, visual or audio content in the form of news or comments on the Internet at certain intervals”. Although the proposal was postponed, it is likely to be enacted in the new legislative year starting in October 2022.
If so, does the reach of the regulator extend outside your jurisdiction?
Yes, the Internet Law does not make any distinction between the resident and non-resident actors of the internet.
Moreover, in order to ensure that obligations arising from the Internet Law are fulfilled and there is an addressee in Türkiye to whom the requests will be delivered, the Law Amending the Internet Law obliges the social network providers that have more than one million access from Türkiye per day to appoint a representative in Türkiye, to take necessary actions on notice, declaration or requests to be sent by the ITCA, the Access Providers Union, judicial or administrative authorities and to respond to applications made by individuals in accordance with the Internet Law. Additionally, with the Law Amending the Internet Law, the notifications relating to the administrative fines imposed under the Internet Law to those, who are residing outside of Türkiye, may be served to the e-mail addresses as well as to the other contact information discovered through the website, IP address or relevant means, without being required to consummate international notification procedures. While the social network providers resisted to the obligation of appointing local representative, after they were subjected to the administrative fines (and some of them, ad ban), as of August 2022, all social media companies, which were obligated to appoint a local representative by the notification of ITCA, namely, Facebook, YouTube, Twitter, Instagram, VK, LinkedIn, TikTok, Dailymotion and Pinterest, have appointed representatives in Türkiye.
Additionally, the Law Proposal Amending the Press Law and Certain Other Laws obliges social network providers that have more than one million access from Türkiye per day to establish a new local representative structure. Furthermore, if the daily access is above ten million, the legal person representative must be a local entity incorporated by the social network provider itself and the local representative should be fully authorized and responsible in technical, administrative, legal, and financial terms. On the other hand, same proposal also mandates that OTT service providers shall carry out their activities within the framework of the authorization to be granted by the ITCA through their fully authorized representatives, which are incorporated as joint stock companies or limited liability companies in Türkiye.
Does a telecoms operator need to be domiciled in the country?
Yes, companies applying for authorization (for serving communication services) before the ITCA must be established as a joint-stock or limited liability company in accordance with the Turkish laws, in order to carry out only the activities that are subject to the authorization or the activities required, and/or relevant while performing the service subject to the authorization.
Are there any restrictions on foreign ownership of telecoms operators?
No, however, as we have stated above, the telecom operators must be a joint-stock or limited liability company established in Türkiye, in accordance with the Turkish laws.
Are there any regulations covering interconnection between operators?
Yes. Network-to-network interconnection and access is regulated by the Electronic Communications Law and Regulation on Access and Interconnectivity (“Interconnectivity Regulation”).
Pursuant to the Interconnectivity Regulation, upon an access request by another operator, operators have the obligation to negotiate interconnection with each other with an aim to reach an agreement within a reasonable time. In this case, if an operator denies interconnection or imposes unreasonable terms not to make a negotiation, and if the ITCA decides that the actions of that operator damages the competition or the interests of end-users, such operator may be required to settle an agreement to provide an interconnection.
If so are these different for operators with market power?
Yes, the ITCA may require operators with significant market power to provide interconnection or to make available the technical specifications, network specifications, terms and conditions regarding supply and usage, fees and similar information. In such cases, operators are obliged to provide interconnection on a non-discriminatory basis to the other operators.
What are the principal consumer protection regulations that apply specifically to telecoms services?
Regulation on Consumer Rights in the Electronic Communications Sector is the main regulation for consumer protection that applies especially to telecoms services. Accordingly, rights such as protection against discrimination, right to enter into contract with the operator, right to ask for a detailed bill, right to request information on the scope of service, right to access updated information and being informed regarding changes in the tariff, the right to easily withdraw from the services are provided to the consumers of telecom services.
Moreover, the Law on the Procedure of Execution Proceedings for the Collection of Monetary Receivables Arising out of Subscription Agreements regulates the initiation and execution of proceedings in the electronic environment regarding the receivables arising from the invoice of the goods or services, which are presented to the consumer for the purpose of performing the subscription contracts and the subscription contracts regulated in the relevant laws and regulations.
What legal protections are offered in relation to the creators of computer software?
The computer software is regulated as “work” under the name of computer programs in Article 2 of the Law No. 5846 on Intellectual and Artistic Works (“Law No. 5846”). In addition, Article 6 of the Law No. 5846 states that the adaptation, editing or making any changes to a computer program is also considered as a “work”. Pursuant to the Law No. 5846, the owner of a work is the person who creates it, and thus, the developer, who creates a new software or development, is accepted as the owner of the work. The owner of the work will own both the intangible and financial rights on the developed work. To give an example to intangible rights, the owner of the work can exclusively determine the representation, timing, and the means of the promulgation of a work. Besides, abbreviations, additions or other changes cannot be made on the work or the name of its owner without the permission of the owner of the work. Also, the right to make use of a work not yet publicised in any way whatsoever belongs exclusively to the owner of the work. Under the scope of financial rights, the right to partially or wholly duplicate the original or adaptations of a work belongs exclusively to the owner of the work. The right to disseminate, lease, lend or sell or make a subject of trade in any way whatsoever a work and its copies obtained by duplication from the original or adaptation of it and to benefit from this way belongs only to the owner of the work.
Do you recognise specific intellectual property rights in respect of data/databases?
Under the Intellectual Property Law, databases obtained by the selection and compilation of data and materials according to a specific purpose and a specific plan, which are in a form that can be read by a device or in any other form are deemed as adaptations. However, it is stated that this protection cannot be extended to the data and materials contained in the database. On the other hand, the Intellectual Property Law recognizes that the maker of a database who has made qualitatively and/or quantitatively substantial investment in either creation, verification or presentation of the contents shall have the right of permitting or prohibiting (i) permanent or temporary transfer to another medium by any means and in any form, and (ii) distribution or sale, rental or communication to the public in any way, of all or a substantial part of the content of the database contents with the exceptions specified in this law and required by purposes of public security and administrative and judicial procedures.
What key protections exist for personal data?
The protection of personal data is recognized as a fundamental right under Article 20(3) of the Constitution of the Republic of Türkiye as of its amendment in 2010. Since the aforementioned article requires the principles and procedures regarding the protection of personal data to be laid down in law, the constitutional guarantee for the protection of personal data is intended to manage the processing of personal data on a regulatory level. In this respect, Law on the Protection of Personal Data No. 6698 (“DPL”), which constitutes the main legislative instrument that specifies the principles and procedures concerning the processing and protection of personal data, has been published in the Official Gazette on 7 April 2016 and is in effect as of this date. The DPL provides almost the same definitions as GDPR and for sets forth the legal grounds on which personal data may processed fairly. We can say that the majority of the legal grounds are same while there are some divergences from EU’s regulations (see question 12). In addition to the legal grounds, providing clear information to data subjects about data processing purposes and respective data categories is obligatory. Also, similarly, the DPL provides a general requirement for taking technical and administrative measures for data controllers alongside with a mandatory data breach notification within 72 hours. Finally, we can say that most important and problematic issues are related to cross border data flow (see questions 10 and 13), divergencies from EU’s regulations (see question 12) and administrative fines (see question 11).
Are there restrictions on the transfer of personal data overseas?
DPL provides an enhanced set of rules to be followed when transferring personal data from Türkiye to abroad. In this respect, the DPL shall not be comprehended as wholly or directly prohibiting the transfer of personal data, but rather necessitating the existence of pre-determined conditions, and subsequently prescribing the cross-border data transfer regime.
The transfer regime foreseen under Article 9 of the DPL requires adherence to the either one of the following transfer mechanisms:
- Explicit consent: In the event that the data exporting party obtains explicit consent from the related data subjects for the cross-border transfer of personal data, the cross-border transfer operation is permitted.
- Adequate level of personal data protection: In the event that (i) the conditions specified for the due processing of personal data are deemed applicable, and that (ii) the recipient country is considered to ensure an adequate level of personal data protection (safe country), the cross-border transfer operation is permitted.
- Ad hoc approval of the Personal Data Protection Board (“DP Board”): In the event that the recipient country is unable to provide an adequate level of personal data protection, the cross-border transfer operation is permitted provided that (i) a written privacy undertaking agreement between the data transferring parties is concluded, and that (i) the DP Board’s approval is obtained following the submission of such undertaking to DP Board’s clearance.
The DPL also envisages that provisions of other laws concerning cross-border personal data transfers are reserved and international agreements concerning data transfers are prioritized. While the DPL allows cross-border of personal data by introducing mechanisms in this regard, we would like to underline that Türkiye has not announced the list of safe countries yet and all countries are now deemed unsafe, and in September 2020, the DP Board disregarded applicability of the Convention No. 108 on the Protection of Individual with regard to Automatic Processing of Personal Data, despite the specific provision recognizing priority of international agreements. Additionally, the undertaking option is also not very preferrable option as the DP Board approved only 5 companies’ application. Moreover, a decision rendered against WhatsApp in September 2021 concluded that all data processing activities conducted over the data directly collected from data subjects located in Türkiye via servers located abroad constitutes a cross-border data transfer. In other words, direct transfer is also qualified as cross-border data transfer.
As the criticism over the DP Board’s practice increased, the Economic Reform Package announced in March 2021 put forward that the necessary amendments to bring the cross-border data transfer mechanism of the DPL in line with the provisions of the GDPR will be made by March 31, 2022. Additionally, the Human Rights Action Plan’s Implementation Schedule, which was published on April 30, 2021, also granted 1-year period for full harmonization of the DPL with the European Union standards. Within that respect, the Ministry of Justice, together with a science committee consisting of experts, started preparations for harmonization of the DPL with GDPR. Although the deadlines envisaged under the policy documents are already expired, the amendments on harmonization with GDPR are hoped to be enacted during the legislative year starting in October, while it is anticipated that the amendments regarding cross-border data transfer regime will be prioritized.
What is the maximum fine that can be applied for breach of data protection laws?
The maximum fine, which can be applied to i) those, who do not fulfil the obligations related to data security, ii) those who do not fulfil the decisions issued by the DP Board, iii) those who act contrary to the obligations for registry with the Data Controllers’ Registry and for notification, is determined as TRY 1,000,000 which is updated evert year based on the be subject to the re-evaluation rate announced by the state (for year 2022, this fine is calculated as TRY 2,678,863).
What additional protections have been implemented, over and above the GDPR requirements?
First of all, the DPL is prepared based on the Directive 95/46/EC of the European Parliament, which was repealed by the GDPR; therefore, although the Personal Data Protection Authority follows the implementation of GDPR in many areas, the exact comparison is not possible.
In the DPL, stricter regime is applied for processing of personal data concerning health and sexual life. Accordingly, these data may only be processed, without seeking explicit consent of the data subject, by persons, who are subject to secrecy obligation or competent public institutions and organizations, for the purposes of protection of public health, operation of preventive medicine, medical diagnosis, treatment and nursing services, planning and management of health-care services as well as their financing. While DPL increases the protection level of the personal data concerning health and sexual life by way of restricting the people that may process them, which is a narrower scope compared to GDPR, this results in difficulties in practice.
Moreover, GDPR and DPL also differ in terms of the regime that they stipulate for cross-border transfer of personal data. While GDPR introduces multiple alternatives facilitating the transfer of personal data, due to cyber security concerns and economic interest of the retention of data, DPL introduces a more controlled and authority-centered structure for the transfer, when the personal data is not transferred with the explicit consent of the data subject. Furthermore, unlike GDPR application, direct transfer is qualified as cross-border data transfer as per the DP Board’s decision. In this regard, higher level of protection for personal data is aimed, while it results in a block and/or restriction on use of certain services, including cloud services.
Unlike GDPR, the DPL requires a notification to be made to the data subjects affected by a data breach, regardless of the scope of the effect and whether any measures are taken by the data controller.
Lastly, the Human Rights Action Plan published in March 2021 set forth that the DPL will be harmonized with the European Union standards until March 31, 2022. Although the DPL is not yet harmonized with the GDPR, the Ministry of Justice has been appointed as the responsible authority for the harmonization and the new text of DPL is hoped to be introduced to the Parliament during the next legislative year starting in October 2021.
Are there any regulatory guidelines or legal restrictions applicable to cloud-based services?
There is no specific regulation governing the provision and procurement of cloud services in Türkiye. In the absence of a specific legislative framework, the DPL is considered to function as the main legislative instrument governing cloud-related practices. The provisions thereunder concerning the cross-border transfer of personal data is deemed as having a significant and direct impact on the procurement of cloud-based services which are hosted outside Türkiye, as they led to an unmanageably restrictive application as mentioned under the Question 10.
In addition, Türkiye has many local laws that govern the collection, receipt, transmission, or use of certain data as part of an IT product or service, which may apply apart from or in addition to the DPL in terms of cloud-based services. There are certain sector specific regulations scattered amongst a variety of legislations which, in general, require entities operating in such sectors to refrain from procuring cloud-based services which are hosted outside Türkiye with data residency requirements. Said sectoral restrictions are mainly intended to localize information systems and to allow for on-premise audits to be conducted by the respective regulatory and supervisory authorities.
It is observed that an increase in the number of vertical sectoral regulations that contain data residency requirements, since 2018, without making a sectoral distinction. While such regulations were already seen in several sectors, especially in financial sector, regulations that include data residency provisions in several areas, such as insurance, telehealth, health information systems, as well as additional regulations for payment systems, have been introduced during the last year.
On the other hand, one of the most severe developments relating to the matter of data residency is presently being realized in the public sector. In this regard, it should be specifically noted that the Presidential Circular No.2019/12 on Information and Communication Security Measures explicitly states that critical data relating to public institutions and organizations shall not be retained within cloud storing services, other than institutions’ own systems or systems which are controlled by such and local service providers.
Additionally, while the Regulation on the Information System of Banks and Electronic Banking Services allows banks to use cloud computing services as an outsourced service provided that certain conditions are met (which restricts the use of public cloud systems), it also introduces system localization by saying that if cloud computing services fall under the definition of primary or secondary systems, the on-soil requirement will be applicable and such systems may only be hosted on Turkish territory.
Moreover, adopting a similar approach with banking regulation, the Communiqué on the Information Systems of Payment and Electronic Money Institutions and Data Sharing Services in the Payment Services of Payment Service Providers also requires data and system localization, while the procurement of outsourced services through a shared cloud service model, which is subject to the strict conditions, is allowed, if provided by outsource service providers deemed appropriate by the Central Bank of the Republic of Türkiye (“CBRT”). In this regard, a recently published the Guide on Outsource Service Providers that Provide Shared Cloud Services to Payment and Electronic Money Institutions lists eligibility requirements of outsource service providers wishing to serve shared cloud service model to institutions in the payment sector. As this guide list a restrictive approach with respect to eligibility criteria, conventional cloud service providers are in a way excluded from the sector due to the classification regulated, even if they host their data and systems within Türkiye.
Are there specific requirements for the validity of an electronic signature?
Yes. While contracts executed online are valid in Türkiye, the effect of an online/electronic contract as evidence may be questioned, due to the Turkish Civil Procedure Code. The Code requires a contract executed with a handwritten signature or secure electronic signature for proving the transactions with a value exceeding TRY 6,646 as of 2022. It should be noted that this issue does not regard the validity of the agreement but its quality as a proof (especially in the event of a dispute), in case of a dispute before Turkish courts regarding an electronic contract. In this context, under the E-Signature Law, a secure electronic signature shall be a signature that;
- is obtained from an e-signature provider authorized by the ITCA,
- is exclusively assigned to the signature owner,
- is generated with the secure electronic signature creation device which is kept under the sole control of the signature owner,
- enables the identification of the signature owner based on the qualified electronic certificate,
- enables detection as to whether signed electronic data has or has not been altered or not subsequent to the signature being applied.
In principle, an electronic signature, which meets the conditions stated above, shall have the same legal effect as that of a handwritten signature. However, a secure electronic signature cannot be used for legal proceedings subject to a special procedure or an official form pursuant to laws and warranty contracts.
Furthermore, as per ITCA’s Regulation on Verification Process of the Applicant’s Identity in the Electronic Communication Sector, published in the Official Gazette in June 2021, for the transactions within the scope of the regulation, the operator/service provider cannot obtain the biometric data of individuals electronically by using an electronic pen or a similar method, therefore, biometric signature may not be used. Accordingly, the DP Board, with its decision dated 27 August 2020 and numbered 2020/649, concluded that biometric signature would be contrary to the principle of proportionality and broadens the interpretation Turkish data protection legislation. Finally, as per the Regulation on Remote Identification Methods and Establishment of Contractual Relations in Electronic Environment to be Used by Banks, which entered into force on 1 May 2021, banks are allowed to verify customer identity with video call method and to establish contracts in electronic environment, where contracts with customers can be signed electronically. It is stipulated that the customer’s declaration of will must be signed with the customer-specific encryption secret key and be forwarded to the bank. In this respect, the way has been cleared for not only contracts at the stage of identification, but also for contracts based on individual transactions to be signed electronically.
In the event of an outsourcing of IT services, would any employees, assets or third party contracts transfer automatically to the outsourcing supplier?
No, automatic transfer of employees, assets or third-party contracts to the outsourcing supplier is not yet regulated under Turkish legislation.
If a software program which purports to be a form of A.I. malfunctions, who is liable?
Liability in terms of Artificial Intelligence (AI) malfunctions is not specifically regulated under Turkish laws, and thus, the general provisions of the Turkish Code of Obligations (“TCO”) in terms of “tort” will apply. In accordance with the Article 41 of the TCO, the tort must contain four vital elements such as unlawful act, damage, omission and causality link. On the other hand, it should be noted that causality link should be assessed in each specific case since algorithm, underlying data, mechanics or the user/operator of AI based system may be individually or jointly the root cause of respective damage. In addition, even though a person does not have a fault in its action, which causes a damage, it may be liable for compensation under the regime of “liability without fault”. Under the Article 66 and its continuation in the TCO, it is regulated that employer, animal keeper and building owner may be liable for damages caused by their employee, animal or defects in the construction provided that they do not exercise all reasonable care to prevent the damage. Besides, the TCO also envisages a concept of “liability on grounds of equity” in terms of a general duty to take reasonable care. Pursuant to the Article 65 of the TCO, the judge is entitled to rule on compensation of loss and damage partially or fully caused by a mentally incapable person on the grounds of equity. According to this provision, in order for a mentally incapable person to be held responsible for the damage it caused, the action must be defective and against the objective law and committed personally by the mentally incapable person. Thus, it may be possible to apply the aforementioned liability regime by analogy for person using AI to be liable for compensation due to the damages caused by AI.
What key laws exist in terms of: (a) obligations as to the maintenance of cybersecurity; (b) and the criminality of hacking/DDOS attacks?
Cybersecurity rules in Turkish law are not consolidated under one legislative instrument but rather scattered under different sector-specific regulations. Despite the lack of a generally applicable cybersecurity legislation in force, legislative bodies and regulatory authorities are currently forming a cybersecurity environment in Türkiye and the preparation of appropriate and general cybersecurity rules and standards have been on the agenda of the government.
Accordingly, the Presidential Circular No. 2019/12 on Information and Communication Security Measures (the Circular) establishes extensive cybersecurity-related obligations that are mainly applicable to public authorities and institutions. The most notable measures contained within the Circular are (1) significantly limiting the use of cloud systems; and (2) seriously restricting social media use in the public sector. Additionally, the Circular refers to an “Information and Communication Security Guide, (the Guide) that has been prepared under the coordination of the Digital Transformation Office of the Presidency. The Guide brings detailed technical requirements and rules in relation to procurement and use of cloud services by public institutions, among others.
There are multiple sector-specific regulations that require organisations from critical sectors to employ cybersecurity measures to safeguard their information systems. For example, their sector-specific legislation requires organisations related to capital markets (including on-stock companies) and entities from sectors such as insurance, banking and payment services to employ certain measures related to cybersecurity.
Cyber-crimes are described directly in the Turkish Criminal Law (“TCL”) which entered into force in 2004. Although DDoS attacks are not specifically regulated under TCL, “unlawful access to data information system” and “hindrance or destruction of the system, deletion or alteration of data” are defined as criminal acts respectively under articles 243 and 244 of TCL. If parties organising DdoS attacks unlawfully capture others’ devices, they will be having “an unlawful access to information systems”. Also, if the attacking parties are aiming to hinder the operationality of a certain system, this will trigger Article 244 (up to 5 years of imprisonment). Additionally, if such an attack is committed against to a bank or credit institution, or public institutions or corporations, respective sanctions will be aggravated.
Lastly, the Presidential Circular on National Cyber Security and Action Plan (2020- 2023), which has been published in the Official Gazette in December 2020, has underlined that within the scope of the fight against cyber threats, which are rapidly increasing in number and nature, it is important to take the necessary measures at national level, identify strategic goals and develop and implement action plans to achieve these goals. Presidential Circular has also referred to the National Cyber Security Strategy, which is published on the website of the Ministry of Transportation and Infrastructure, and the National Cyber Security Action Plan, which will only be shared with institutions and organizations, who are responsible for the realization of such actions and who the Ministry will cooperate with in this regard. However, following the publishment of the strategy, there has been no regulation enacted to pursue such aims.
What technology development will create the most legal change in your jurisdiction?
We opine that given the recent government plans and strategies, cyber security and fintech may continue to create significant impact in our jurisdiction in terms of legal change and disrupt their respective ecosystems.
Türkiye has a strong and significant financial sector. In parallel to the government’s goals towards digitalization, financial technologies will transform the sector and create a disruptive impact, which as a result will trigger legal change. As one of the most heavily regulated sectors, financial sector will evolve along with financial technologies. On the other hand, in order to ensure data security and to eliminate the cyber security related risks in the market, regulations on cyber security and resulting obligations to become compliant with the same may also be discussed.
Additionally, as Türkiye experienced difficulties during the year with the collapse of a few cryptocurrency exchange platforms and the fact that cryptocurrencies are considered as a hot topic in Türkiye, the Capital Markets Board of Türkiye is expected to introduce a new regulation imposing a license requirement for these platforms.
Lastly, with the rise of social network platforms and personal communication-based OTTs amongst the society, disinformation has become a serious problem both for the governments and individuals. Due to the popularity of social network platforms and OTTs, information shared on the platforms have become accessible to anyone and thus, the spread of disinformation is accelerated. On the hand, intervention to the spread of disinformation by introducing restrictive regulations puts freedom of expression on risk. Thus, the balance between fight against disinformation and freedom of expression must be maintained while preparing the regulations.
As stated above, in need for a disinformation regulation and governing social network networks and OTT service providers, Türkiye has introduced the Law Proposal Amending the Press Law and Certain Other Law, which determines disinformation as crime. In addition to the additional requirements explained above (please see question 1.5), the Proposal describes the disinformation crime as “publicly disseminating false information regarding the internal and external security, public order and general health of the country, with the sole motive of creating anxiety, fear or panic among the people, in a way that is suitable for disturbing the public peace”, and is aimed at imposing imprisonment for the perpetrators of this crime. While the proposal was postponed, regulation of social media, OTT service providers and other information society issues are expected to remain the challenging topics for the regulators.
Which current legal provision/regime creates the greatest impediment to economic development/ commerce?
Greatest impediment to economic development/commerce in Türkiye with respect to technology is the novel legal regime introduced, which restricts the activities of the e-commerce players. With the rise of e-commerce, especially with the pandemic, as well as concerns with respect to digital platforms, a need for amendments to current regulations has become necessary. In this regard, the Ministry of Trade has prepared the Law on the Amendment of the Law on the Regulation of the Electronic Commerce Law (“Amendment E-Commerce Law”) in order to eliminate unfair commercial practices in the retail trade and to ensure a fair and functioning supply chain in line with EU legislation. Due to the reference made to the EU legislation in policy documents and the general tendency of harmonizing Turkish e-commerce legislation with the EU legislation, it was expected that the amendments will be in line with the EU’s P2B Regulation No. 2019/1150 and Digital Services Act (“DSA”) and will introduce similar obligations. However, although there are certain similarities between the Amendment E-Commerce Law and the EU’s legislative framework regarding e-commerce platforms, the Amendment E-Commerce Law draws an atypical regulatory framework that is prepared according to the internal market dynamics and targets the activities of the main actors holding a significant share in the e-commerce sector.
In addition to the new actors (electronic commerce intermediary service provider and electronic commerce service provider) defined, the Amendment E-Commerce Law also introduces two new concepts – economic integrity and net trading volume – which are structured with problematic definitions and are of critical importance in terms of being obliged to comply with certain obligations to be introduced.
Accordingly, the Amendment E-Commerce Law imposes quite severe obligations, which are open to broad interpretation, on e-commerce intermediary service providers and e-commerce service providers that exceed certain thresholds. As one of the critical obligations, the Amendment E-Commerce Law introduces “e-commerce license” for e-commerce intermediary service providers and e-commerce service providers based on their net trading volume. The e-commerce license obligation is considered as an extraordinary obligation devoted to e-commerce players and is expected to prevent the players from growing their businesses as the license fee increases too much with the growth that, at certain point, growing becomes unprofitable.
Moreover, in line with the aim of the lawmaker in terms of preventing the over-growth of several e-commerce players, the Amendment E-Commerce Law restricts the advertising expenditures and discounts of the e-commerce players, which exceed certain thresholds determined under the Amendment E-Commerce Law.
The Amendment E-Commerce Law also introduces several activity restrictions, such as not engaging in certain banking and payment/e-money activities, for both the players themselves and the entities within the same economic integrity with them.
Considering the rise of e-commerce during the last couple of years, lawmaker’s heavy-handed approach of regulating e-commerce sector could overshadow the growth of the sector and limit the business opportunities. Given the fact that almost all obligations envisaged under the Amendment E-Commerce Law are quite burdensome and operationally unfeasible/challenging, this also creates an impediment to economic development, and a negative perception with respect to the investment environment and ease of doing business in Türkiye.
Do you believe your legal system specifically encourages or hinders digital services?
The government in Türkiye pays utmost attention to digital services and the digital transformation of public institutions. In fact, as per the new government system, Digital Transformation Office has been established, which is tasked to realize the digital transformation of public institutions and to carry out any and all necessary works and studies in this regard. This stance of the government also manifests itself through all government plans and strategies.
On the other hand, as mentioned before, there is a rising trend and tendency of the government that favours local and national corporations and technologies. Although it is the natural consequence of today’s digital world and digital economy to have companies that operate in Turkish market yet are not residents, localization requirements and the restraining stance of the government that only continue to increase and weighs on the sector.
Moreover, the fact that tech companies, even if the local and national corporations supported by the government, face increased scrutiny through the harsh obligations introduced or investigations of the Competition Authority also becomes challenging for digital services.
In addition, although the government prioritizes the enactment of regulations regarding digital services and technology, the law-making process of Türkiye can be deemed insufficient considering the rapid developments in the sector. Accordingly, in order for preparing a regulation that meets the needs of the sector, regulatory impact analysis, where the possible consequences of the said regulation are evaluated, is necessary. Moreover, the opinions of the relevant stakeholders are vital for understanding the business models and creating a proper legal framework that protects the interests of the public and proliferates innovation. Therefore, the implementation of the regulatory impact analysis legislation and the contribution of relevant stakeholders in tech-oriented regulations are essential for ensuring a better legislative environment for technology.
To what extent is your legal system ready to deal with the legal issues associated with artificial intelligence?
As we have stated above, currently, there is no specific regulation or provision regarding artificial intelligence, and the problems that may arise this respect are trying to be solved with general principles that may be relevant. In this regard, it could be stated that Turkish legal system is not competent to responds the legal issues that may occur and legislative works to be done with relevant stakeholders are needed. On the other hand, Turkish legislators tend to monitor EU Commission’s legislative works and may use them as bases for a legislation to be prepared. Accordingly, it could be stated that any developments in this context may be affected by the EU policies, especially the EU’s Artificial Intelligence Act. Moreover, with the leadership of the Ministry of Justice and the Presidency’s Digital Transformation Office (“DTO”), Türkiye took an active role in the works of the Council of Europe’s Ad hoc Committee on Artificial Intelligence (“CAHAI”) and continues its support for Committee on Artificial Intelligence (“CAI”) for preparation of a binding convention and soft-law documents on regulation of artificial intelligence on the basis of human rights, rule of law and democracy.
On the other hand, in 2021, two developments have been observed with respect to AI policies and regulations:
- First, the DTO published the National Artificial Intelligence Strategy 2021-2025. The strategy determines the measures that will put Türkiye’s efforts in the AI field on a common ground and the governance mechanism that will be established to implement these measures. Issues regarding the development of domestic production capabilities in the field of AI technology, the use of this technology in priority sectors to increase productivity, the transformation of the workforce to work effectively with this technology, and the use of this technology in the development of public services are included in the strategy. The vision of the strategy was determined as “creating value on a global scale with an agile and sustainable AI ecosystem for a prosperous Türkiye” and to realize this vision, the strategy prioritizes training AI experts and increasing employment, supporting research, entrepreneurship, and innovation, facilitating access to quality data and technical infrastructure, regulating to accelerate socioeconomic adaptation, etc.
- Recommendations on the Protection of Personal Data within the Field of Artificial Intelligence was published by the DP Board. This guide provides DP Board’s recommendations on the protection of personal data in AI applications in a way including developers, manufacturers, service providers and decision makers in the AI field.
Turkey: TMT
This country-specific Q&A provides an overview of TMT laws and regulations applicable in Turkey.
What is the regulatory regime for technology?
Are communications networks or services regulated?
If so, what activities are covered and what licences or authorisations are required?
Is there any specific regulator for the provisions of communications-related services?
Are they independent of the government control?
Are platform providers (social media, content sharing, information search engines) regulated?
If so, does the reach of the regulator extend outside your jurisdiction?
Does a telecoms operator need to be domiciled in the country?
Are there any restrictions on foreign ownership of telecoms operators?
Are there any regulations covering interconnection between operators?
If so are these different for operators with market power?
What are the principal consumer protection regulations that apply specifically to telecoms services?
What legal protections are offered in relation to the creators of computer software?
Do you recognise specific intellectual property rights in respect of data/databases?
What key protections exist for personal data?
Are there restrictions on the transfer of personal data overseas?
What is the maximum fine that can be applied for breach of data protection laws?
What additional protections have been implemented, over and above the GDPR requirements?
Are there any regulatory guidelines or legal restrictions applicable to cloud-based services?
Are there specific requirements for the validity of an electronic signature?
In the event of an outsourcing of IT services, would any employees, assets or third party contracts transfer automatically to the outsourcing supplier?
If a software program which purports to be a form of A.I. malfunctions, who is liable?
What key laws exist in terms of: (a) obligations as to the maintenance of cybersecurity; (b) and the criminality of hacking/DDOS attacks?
What technology development will create the most legal change in your jurisdiction?
Which current legal provision/regime creates the greatest impediment to economic development/ commerce?
Do you believe your legal system specifically encourages or hinders digital services?
To what extent is your legal system ready to deal with the legal issues associated with artificial intelligence?