-
Is there a single regulatory regime that governs software?
Türkiye does not have a single comprehensive regulatory regime specifically governing software. However, there are various laws and regulations in place that touches upon certain aspects of software use and development. These regulations are often sector-specific or cover specific aspects of software, such as data protection and intellectual property. Additionally, there are sector-specific regulations and requirements in areas such as telecommunications, e-commerce, and intellectual property that can impact software development and usage in Türkiye. These regulations are overseen by various government agencies and institutions, such as the Information Technologies and Communication Authority and the Ministry of Trade.
-
How are proprietary rights in software and associated materials protected?
In Türkiye, proprietary rights in software and associated materials are protected primarily through intellectual property rights. The following are the key aspects of protection for software and associated materials in Türkiye:
- Software, as a literary work, is protected under the Law on Intellectual and Artistic Works (“IP Law”). Copyright automatically applies upon the creation of the software, and no formal registration is required to claim copyright protection. The rights granted to the software owner include the exclusive right to process, reproduce, distribute, represent, publicly perform, and display the software.
- The Industrial Property Law covers intellectual property rights beyond copyright, including patents, utility models, and industrial designs. While copyright protects the expression of software, patents may be sought for software-related inventions that meet the patentability criteria. However, it should be noted that software (computer program) itself cannot be considered as invention and would be excluded from patentability if the patent/patent application is related to software.
- Software is often distributed through license agreements that define the terms and conditions of use. These agreements may include restrictions on copying, distribution, modification, or reverse engineering of the software. Violations of license agreements can lead to legal consequences.
-
In the event that software is developed by a software developer, consultant or other party for a customer, who will own the resulting proprietary rights in the newly created software in the absence of any agreed contractual position?
In the absence of any agreed contractual position regarding ownership of the newly created software, the default ownership rules prescribed by Turkish law would apply. According to the IP Law, the general rule is that the owner of a work is the initial producer (author) of that work. Therefore, in the absence of a specific agreement to the contrary, the software developer or consultant who created the software will be considered the initial owner of the proprietary rights in the newly created software. It should be noted that the default ownership rules may vary depending on the specific circumstances and employment relationship between the parties involved. For example, if the software developer is an employee and the software creation falls within the scope of their employment duties, employee shall still be the owner of the resulting proprietary rights but the employer shall have certain rights with respect to financial rights. To avoid any ambiguity or disputes, it is advisable for the parties to establish a clear contractual agreement that explicitly addresses ownership of intellectual property rights related to the software. By doing so, the parties can define the ownership rights and any other relevant terms regarding the software’s development, use, and potential transfer of rights.
-
Are there any specific laws that govern the harm / liability caused by Software / computer systems?
In Türkiye, there are no specific laws that govern the harm / liability caused by Software / computer systems but there are several laws and regulations that may apply to address harm or liability within this context. The following are some of the key legal frameworks:
- The Turkish Code of Obligations (“TCO”) provides general provisions related to liability for harm caused by actions or omissions. If software or computer systems cause harm or damage to individuals or entities, TCO may be invoked to determine liability and potential compensation.
- The Turkish Commercial Code (“TCC”) may apply in cases where software or computer systems are used in a commercial context. It covers liability for damages caused by faulty products, including software or computer systems, and provides remedies for affected parties.
- The Law on Consumer Protection (“Consumer Law”) aims to protect the rights and interests of consumers. If harm or damage occurs to consumers as a result of software or computer system use, Consumer Law may be applicable in terms of liability, warranties, and consumer rights.
- The Law on the Protection of Personal Data (“LPPD”) governs the protection of personal data in Türkiye. If software or computer systems are involved in the processing of personal data and harm occurs due to non-compliance with data protection obligations, penalties may be imposed within the context of LPPD.
-
To the extent not covered by (4) above, are there any specific laws that govern the use (or misuse) of software / computer systems?
In addition to the laws mentioned earlier, the Turkish Penal Code includes provisions related to computer crimes and offenses. It criminalizes activities such as unauthorized access to computer systems, data tampering, data destruction, and other forms of cybercrimes, which allows perpetrators to face criminal liability and penalties.
-
Other than as identified elsewhere in this overview, are there any technology-specific laws that govern the provision of software between a software vendor and customer, including any laws that govern the use of cloud technology?
Türkiye does not have technology-specific laws that exclusively govern the provision of software between a software vendor and customer except for the laws mentioned herein.
Most important regulation affecting the provision of software between a software vendor and customer is the obligation to conclude relevant licensing contracts in written form (i.e., wet ink or e-signature provided by the licensed Turkish entities). Even though this explicit rule is duly in force, software vendors and customers are often executing such contracts via clickthrough methods in practice, especially in SaaS models.
On the other hand, although the main aim of the following legislations is not regulating licensing and SaaS models, they have two impacts that may be important for Türkiye related businesses; (i) according to the legislation on the protection of the value of Turkish currency, if the software is not produced outside Türkiye, the fees and other payment obligations arising from software license or transfer agreements to be concluded between Turkish residents may not be determined in foreign currency or indexed to foreign currency (the fees must be determined in Turkish currency) and (ii) pursuant to TCO, if the software vendor is providing products/services requiring expertise, which can only be carried out with the permission granted by law or by the competent authorities via software, SaaS models’ liability limitations shall not be applicable and such software vendor cannot limit its liability.
As to the cloud services, there is no generally applicable regulation governing the provision and procurement of such services in Türkiye. In the absence of a specific legislative framework, the LPPD is considered to function as the main legislative instrument governing cloud-related practices. The provisions thereunder concerning the cross-border transfer of personal data is deemed as having a significant and direct impact on the procurement of cloud-based services which are hosted outside Türkiye, as they led to an unmanageably restrictive application as mentioned under the Question 29. It should be noted that this cross-border personal data transferring regime is expected to be amended within 2023 and therefore, it is recommended for the stakeholders to closely monitor the existing localization requirements.
In addition, Türkiye has many local laws that govern the collection, receipt, transmission, or use of certain data as part of an IT product or service, which may apply apart from or in addition to the data protection rules in terms of cloud-based services. There are certain sector specific regulations scattered amongst a variety of legislations which, in general, require entities operating in such sectors to refrain from procuring cloud-based services which are hosted outside Türkiye with data residency requirements. Said sectoral restrictions are mainly intended to localize information systems and to allow for on-premise audits to be conducted by the respective regulatory and supervisory authorities. It is observed that an increase in the number of vertical sectoral regulations that contain data residency requirements, since 2018, without making a sectoral distinction. While such regulations were already seen in several sectors, especially in financial sector, regulations that include data residency provisions in several areas, such as insurance, telehealth, health information systems, as well as additional regulations for payment systems, have been introduced as well.
On the other hand, one of the most severe developments relating to the matter of data residency is presently being realized in the public sector. In this regard, it should be specifically noted that the Presidential Circular No.2019/12 on Information and Communication Security Measures explicitly states that critical data relating to public institutions and organizations shall not be retained within cloud storing services, other than institutions’ own systems or systems which are controlled by such and local service providers.
Additionally, while the Regulation on the Information System of Banks and Electronic Banking Services allows banks to use cloud computing services as an outsourced service provided that certain conditions are met (which restricts the use of public cloud systems), it also introduces system localization by saying that if cloud computing services fall under the definition of primary or secondary systems, the on-soil requirement will be applicable and such systems may only be hosted on Turkish territory.
Moreover, adopting a similar approach with banking regulation, the Communiqué on the Information Systems of Payment and Electronic Money Institutions and Data Sharing Services in the Payment Services of Payment Service Providers also requires data and system localization, while the procurement of outsourced services through a shared cloud service model, which is subject to the strict conditions, is allowed, if provided by outsource service providers deemed appropriate by the Central Bank of the Republic of Türkiye. In this regard, the Guide on Outsource Service Providers that Provide Shared Cloud Services to Payment and Electronic Money Institutions lists eligibility requirements of outsource service providers wishing to serve shared cloud service model to institutions in the payment sector. As this guide list a restrictive approach with respect to eligibility criteria, conventional cloud service providers are in a way excluded from the sector due to the classification regulated, even if they host their data and systems within Türkiye.
-
Is it typical for a software vendor to cap its maximum financial liability to a customer in a software transaction? If ‘yes’, what would be considered a market standard level of cap?
In Türkiye, it is common for software vendors to include provisions in their contracts that limit their maximum financial liability to the customer. These liability limitation clauses are often included to manage risks and potential damages that may arise from software use or performance. The specific level of the liability cap can vary depending on several factors, including the nature of the software, the bargaining power of the parties, and industry practices. Limiting financial liability to foreseeable damages is not frequently seen in Türkiye. The cap on financial liability is typically subject to the value of the contract (ranging from a specific amount to certain percentage of the total contract fee). In practice, limiting the liability with the finalized court decision is also often encountered with. Even though the parties are free to decide on the liability cap, software vendor cannot limit its liability in the cases of gross negligence. Lastly, as mentioned under the Question 6, pursuant to TCO, if the software provider is providing products/services requiring expertise, which can only be carried out with the permission granted by law or by the competent authorities via software, liability limitations shall not be applicable and such software provider cannot limit its liability in any way.
-
Please comment on whether any of the following areas of liability would typically be excluded from any financial cap on the software vendor’s liability to the customer or subject to a separate enhanced cap in a negotiated software transaction (i.e. unlimited liability): (a) confidentiality breaches; (b) data protection breaches; (c) data security breaches (including loss of data); (d) IPR infringement claims; (e) breaches of applicable law; (f) regulatory fines; (g) wilful or deliberate breaches.
In practice, confidentiality breaches, data protection and data security breaches, IPR infringement claims and regulatory fines are generally carved out from the liability cap are subject to either unlimited liability or a separate cap (higher than the general cap), depending on the parties’ negotiation power.
- Loss of data is generally considered as indirect damage and often software vendors foresee that they are not liable for the indemnification of such indirect damages.
- Since the personal data protection laws’ monetary fines are up to TRY 5,971,989 (for the year 2023) and the risk of reputation loss is high (certain penalty decisions and data breach notifications are published), customers take such upper limit into consideration while defining a separate cap.
- If the customer is active in a highly regulated area (like banking), especially where outsource software usages are also regulated, all areas of liability would typically be excluded from any financial cap on the software vendor’s liability to the customer.
As to the wilful or deliberate breaches, if they result from a party’s gross negligence, liability cannot be limited due to TCO (as detailed under the Question 6). Therefore, such cases are not very open to parties’ contractual discretion.
-
Is it normal practice for software source codes to be held in escrow for the benefit of the software licensee? If so, who are the typical escrow providers used?
Escrow regime is not very frequently seen in Türkiye, but indeed more encountered with in cases of high-value license / SaaS relationships. Escrow arrangements are often used to provide assurance in cases where the software vendor goes out of business, discontinues support, or breaches certain contractual obligations. Istanbul Technical University National Software Certification Center is the most frequently seen escrow provider within this scope.
-
Are there any export controls that apply to software transactions?
Yes, there are export controls that apply to software transactions in Türkiye. But these regulations are usually related to the export of certain software, technologies or related goods to protect national security, prevent the proliferation of weapons of mass destruction, comply with international agreements, and ensure compliance with trade sanctions or embargoes.
-
Other than as identified elsewhere in this questionnaire, are there any specific technology laws that govern IT outsourcing transactions?
In Türkiye, there are no specific technology laws that exclusively govern IT outsourcing transactions. However, IT outsourcing transactions may be subject to various laws and regulations such as TCO (it governs the rights and obligations of the parties, performance, liability, and remedies in case of breach of contract), TCC (applies to IT outsourcing transactions involving commercial entities), LPPD (if the IT outsourcing transaction involves the processing of personal data), IP Law (to address ownership, licensing, and infringement issues) depending on the nature of the outsourcing arrangement and the specific activities involved.
-
Please summarise the principal laws (present or impending), if any, that protect individual staff in the event that the service they perform is transferred to a third party IT outsource provider, including a brief explanation of the general purpose of those laws.
In Türkiye, the legal protections for individual staff in the event of service transfer to a third-party IT outsource provider primarily stem from general employment laws rather than specific laws dedicated solely to outsourcing. The Labor Code aims to maintain the rights and job security of employees during such transitions and protects individual staff in the event of a service transfer to a third-party IT outsource provider. The Labor Code governs various aspects of employment relationships and provides certain protections to employees in the event of a transfer of undertakings or a change in the employer. In case of a transfer of service to a third-party IT outsource provider (this would usually be considered as a partial transfer of undertaking), the law aims to safeguard employees’ rights and preserve their employment status. It requires the new employer (the outsource provider) to assume the rights and obligations of the previous employer and recognize the accrued and vested rights of the automatically transferred employee. Also, the previous employer will continue to be liable to the employee together with the new employer for two years from the date of transfer. In addition, if the new employer terminates the employment relation without a valid reason, the employee benefits from job protection and can claim their rights from the former employer as well.
-
Which body(ies), if any, is/are responsible for the regulation of telecommunications networks and/or services?
Yes. The Information Technologies and Communication Authority (“ITCA”) is the public institution with an administrative and financial autonomy that is responsible for the regulation of telecommunications networks and services.
Under the Electronic Communications Law No. 5809 (“Electronic Communications Law”), ITCA is the authority authorized to and responsible from imposing sanctions on those violating the Electronic Communications Law and its secondary regulations, protecting competition in the electronic communications sector, following the developments in the electronic communication sector, conducting or having conducted the necessary researches in order to encourage the development of the sector and working in cooperation with the relevant institutions and organizations on these issues, receiving all kinds of information and documents it may need from operators, public institutions and organizations and real and legal persons in relation to electronic communications among others.
The ITCA is independent in performing its duties; and no organ, authority, or person can give orders and instructions to the ITCA. On the other hand, ITCA is affiliated with the Ministry of Transportation and Infrastructure, which means they are in close collaboration while determining macro strategies and preparing long term projections for nationwide roadmaps.
-
Please summarise the principal laws (present or impending), if any, that govern telecommunications networks and/or services, including a brief explanation of the general purpose of those laws.
Electronic Communications Law is the main legislation that governs telecommunications networks and services. Within this scope, Electronic Communications Law regulates the provision of electronic communications services and the construction and operation of the infrastructure and the associated network systems, as well as manufacture, import, sale, construction and operation of all kinds of electronic communications equipment and systems.
There are also secondary regulations to the Electronic Communications Law. The most prominent secondary regulations of the Electronic Communications Law may be listed as follows.
Regulations
- Regulation on Authorization for the Electronic Communication Sector
- Regulation on Consumer Rights in the Electronic Communication Sector
- Regulation on the Processing of Personal Data and Protection of Privacy in the Electronic Communications Sector
- Regulation on Network and Information Security in the Electronic Communications Sector
- Regulation on Quality of Service in the Electronic Communication Sector
- Number Portability Regulation
- Regulation on Electronic Communication Infrastructure and Information System
- Regulation on Security Certificate for Electronic Communication Devices
- Regulation on the Process of Verifying the Identity of the Applicant in the Electronic Communication Sector
- Regulation on the Registration of Devices with Electronic Identity Information
- Radio Equipment Regulation
- Regulation on Market Surveillance and Inspection of Radio and Telecommunication Terminal Equipment
- Regulation on Emergency Aid Call Services in the Electronic Communication Sector
- Internet Domain Names Regulation
- Information Technologies and Communication Authority Regulation on Administrative Sanctions
Communiqués
- Communiqué on the Registration of Devices with Electronic Identity Information
- Communiqué on Notification of Devices Produced, Manufactured or Assembled in Türkiye
- Communiqué on Obtaining Service Quality Measures for GSM Mobile Telephony Services
- Communiqué on Obtaining Service Quality Criteria for 3N Mobile Communication Services
- Communiqué on Procedures and Principles for Obtaining Electromagnetic Field Measurement Certificate
-
Which body(ies), if any, is/are responsible for data protection regulation?
The Personal Data Protection Authority (“DPA”), which was established with administrative and financial autonomy and public legal personality to fulfil the duties assigned by LPPD, is responsible for the implementation of LPPD and its secondary regulations in Türkiye.
-
Please summarise the principal laws (present or impending), if any, that that govern data protection, including a brief explanation of the general purpose of those laws.
LPPD is the main legislation governing data protection in Türkiye. The purpose of LPPD is to protect the fundamental rights and freedoms of individuals, in particular the right to privacy, in the processing of personal data and to regulate the obligations of natural and legal persons who process personal data and the procedures and principles to be followed within this scope.
There are also secondary regulations and the binding decisions of DPA (principle decisions). The DPA is entitled to issue principle decisions if it determines that the violation is widespread in practice. The principle decisions of DPA are binding and demonstrate the position of DPA with regards to similar violations.
The secondary regulations of LPPD may be listed as follows.
Regulations
- Regulation on Data Controllers Registry
- Regulation on Erasure, Destruction or Anonymization of Personal Data
Communiqués
- Communiqué on Principles and Procedures to be Followed in Fulfilment of the Obligation to Inform
- Communiqué on the Principles and Procedures for the Requests to Data Controller
Principle Decisions of DPA
- Principle Decision on adequate measures to be taken by the data controllers during processing special categories of personal data, which introduces security measures for special categories of personal data,
- Principle Decision on personal data related to third parties unlawfully being sent by data controllers through communication channels such as phone numbers, e-mail addresses etc., which introduces an active diligence obligation for data controllers to ensure that the personal data is accurate and, when necessary, up-to-date.
- Other principle decisions.
-
What is the maximum sanction that can be imposed by a regulator in the event of a breach of any applicable data protection laws?
The maximum sanction which may be imposed by DPA in the case of a violation of the provisions of LPPD is TRY 5,971,989 for the year 2023.
This amount is applicable for the following three violations: (i) Failure to fulfil obligations regarding data security (while this violation type seems to only cover “data security related obligations”, in practice, DPA considers all unlawful data processing activities (including transfers) within this scope) (ii) Failure to comply with the decisions of the Personal Data Protection Board (“DP Board”) and (iii) Failure to register and notify own data processing process details to the Data Controllers Registry.
-
Do technology contracts in your country typically refer to external data protection regimes, e.g. EU GDPR or CCPA, even where the contract has no clear international element?
No. Technology contracts where the contract has no clear international element typically only refer to LPPD and its secondary regulations.
-
Which body(ies), if any, is/are responsible for the regulation of artificial intelligence?
Currently, there is no body responsible for the regulation of artificial intelligence (“AI”) in Türkiye. However, the Presidency’s Digital Transformation Office (“DTO”) is tasked with proliferating AI in the public sector and in the country, overall.
-
Please summarise the principal laws (present or impending), if any, that that govern the deployment and use of artificial intelligence, including a brief explanation of the general purpose of those laws.
There are no specific formal laws enacted or planned to be enacted in Türkiye, which directly govern the deployment and use of AI. Although Turkish law does not yet have a special legal framework that addresses AI, it is nonetheless possible to apply existing legal rules by analogy when AI-related difficulties occur.
On the other hand, the following legislations have certain provisions applicable to AI, but rather than regulating it within the meaning of governing the deployment and use of AI, these provisions aim at ensuring the due application of AI solutions within highly regulated areas.
- Under the electronic communication legislation, certain criteria are determined for AI to be used in identity authentication processors in order to verify the identities of applicants who wish to receive certain electronic communication services.
- In the finance sector, pursuant to the Regulation on Remote Identification Methods to be Used by Financial Leasing, Factoring, Financing and Savings Finance Companies and Establishment of Contractual Relationship in Electronic Environment, for transactions not exceeding TRY 7,500, the Banking Regulation and Supervision Agency (“BRSA”) is authorized to determine the principles regarding the transactions to be performed by the customer representative as referred to in this regulation with AI-based methods.
- Similarly, pursuant to the Regulation on Remote Identification Methods to be Used by Banks and Establishment of Contractual Relationship in Electronic Environment, BRSA is authorized to determine the procedures and principles regarding the transactions to be performed by AI-based methods, which are stated to be performed by the customer representative in this regulation.
However, various governmental organizations have published certain strategies and guidelines regarding their plans and views on the use of AI.
Within this context, the most deliberate document regarding the deployment of AI is the National Artificial Intelligence Strategy for the years 2021 – 2025 (“AI Strategy”) published by DTO. The AI Strategy determines the measures that will put Türkiye’s efforts in the AI field on a common ground and the governance mechanism that will be established to implement these measures. Issues regarding the development of domestic production capabilities in the field of AI technology, the use of this technology in priority sectors to increase productivity, the transformation of the workforce to work effectively with this technology, and the use of this technology in the development of public services are included in the AI Strategy. The vision of the AI Strategy was determined as “creating value on a global scale with an agile and sustainable AI ecosystem for a prosperous Türkiye” and to realize this vision, the AI Strategy prioritizes training AI experts and increasing employment, supporting research, entrepreneurship, and innovation, facilitating access to quality data and technical infrastructure, regulating to accelerate socioeconomic adaptation.
Additionally, the “Recommendations on the Protection of Personal Data in the Field of Artificial Intelligence” was published by DPA. This guide provides DPA’s recommendations on the protection of personal data in AI implementations in a way including developers, manufacturers, service providers and decision makers in the field of AI. The structure and the recommendations are mostly taken by the Council of Europe’s Guidelines on Artificial Intelligence and Data Protection (“CoE Guide”) by simplifying the rules stated there. In this regard, as in the CoE Guide, the guide provides a set of recommendations for (i) general, (ii) developers, manufacturers, and service providers, and (iii) decision makers. With these recommendations, ensuring clarity on the protection of personal data within the scope of the works done/to be done in the field of AI is aimed.
-
Are there any specific legal provisions (present or impending) in respect of the deployment and use of Large Language Models and/or generative AI?
No, there are no specific legal provisions (present or impending) in respect of the deployment and use of Large Language Models and/or generative AI.
-
Which body(ies), if any, is/are responsible for the regulation of blockchain and / or digital assets generally?
As there is no principal law with regard to blockchain, currently, there is no authority/supervisory body for blockchain.
On the other hand, the Financial Crimes Investigation Board (“MASAK”) has published the Crypto Asset Service Providers Guide in May 2021, in which the basic principles of the obligations of crypto-asset service providers regarding the prevention of (i) laundering proceeds of crime and (ii) financing of terrorism and the scope of the audits to be conducted by MASAK are determined. Therefore, to the certain extent, MASAK is one of the authorities indirectly responsible in the blockchain area.
Moreover, as it is known that the Capital Markets Board of Türkiye (“CMB”) has been working on the Draft Law Amending the Capital Markets Law on the Regulation of Crypto Assets and Crypto Asset Platforms (“Draft Crypto Law”), we may expect CMB to be the supervisory authority in the upcoming era regarding crypto assets.
-
What are the principal laws (present or impending), if any, that govern (i) blockchain specifically (if any) and (ii) digital assets, including a brief explanation of the general purpose of those laws?
In Turkish Law, there is no specific regulation focusing on blockchain, while certain developments have been observed in terms of cryptocurrencies.
With the Central Bank of the Republic of Türkiye’s (“CBRT”) Regulation on Not Using Crypto Assets in Payments (“Crypto Regulation”), which has been published in April 2021, one of the first significant steps has been taken by the Turkish authorities to address the use of cryptocurrencies in payments. The Crypto Regulation prohibited (i) the use of crypto assets as a form of payment and the provision of service that enable such use, (ii) development of business models by payment service providers that use crypto assets for provision of payment services and electronic money issuance as CBRT highlighted the risks associated with cryptocurrencies, such as market volatility, lack of regulation, and potential use for illegal activities. While payment and electronic money institutions were restricted from acting as an intermediary for fund transfers from or to platforms that offer trading, custody, transfer or issuance services for crypto assets, the Crypto Regulation allowed cryptocurrency owners to retain their holdings but prohibited their use for payment purposes.
Moreover, it is known for a while that CMB is working on the Draft Crypto Law, which is expected to (i) define crypto assets as capital market instruments, (ii) introduce licensing obligation and certain information security requirements for trading platforms of crypto assets.
-
Are blockchain based assets such as cryptocurrency or NFTs considered “property” capable of recovery (and other remedies) if misappropriated?
With the Crypto Regulation, crypto assets have gained a legal definition for the first time with the Crypto Regulation, in which cryptocurrencies are defined as “intangible assets that are created virtually using distributed ledger technology or a similar technology and distributed over digital networks but are not qualified as fiat money, dematerialized money, electronic money, payment instrument, security or another capital market instrument”. However, it is also reserved that the definition’s application scope is limited with the implementation of the Crypto Regulation itself.
Other than this definition, in Turkish law, there is no regulation which explicitly or implicitly attaches certain status to cryptocurrency or NFTs, including being treated as property. As the long-standing doctrine and practice in Türkiye recognizes only things that have material existence as property, which deals with the concept of property in a narrow sense, Turkish law tends to exclude cryptocurrency or NFTs from the definition and scope of property, despite technical and economic developments. Therefore, in terms of the current regulations, NFTs and cryptocurrencies, which are digital data on the blockchain and do not have material existence, cannot be legally recognized as property under Turkish law. On the other hand, in 2021, for the first time in Türkiye, cryptocurrency has been seized and a cryptocurrency account worth TRY 60,000 has been blocked. As Turkish law defines attachable property as “goods”, which do not cover cryptocurrency and NFTs by definition, this attachment constitutes a first example of such application.
-
Which body(ies), if any, is/are responsible for the regulation of search engines and marketplaces?
Bodies responsible for the regulation of search engines and marketplaces may be listed as follows: (i) Ministry of Trade, (ii) ITCA, (iii) DPA and (iv) Advertisement Board.
Ministry of Trade is the main regulator as the implementor of the Law on the Regulation of Electronic Commerce (“E-Commerce Law”), the principal law governing marketplaces’ obligations.
ITCA is also included as one of the responsible authorities since (i) marketplaces are considered hosting providers under the Law No. 5651 on the Regulation of Broadcasts via Internet and Prevention of Crimes Committed through Such Broadcasts (“Internet Law”), and therefore, subject to the obligations of hosting providers and (ii) search engines are obliged to comply with the decisions rendered within the scope of the Internet Law regarding right to be forgotten.
Another responsible authority is DPA as apart from its general regulatory and supervisory duties regarding data controllers and processors, DPA also specifically regulates how right to be forgotten can be exercised against search engines.
The Advertisement Board, which operates under the General Directorate of Consumer Protection and Market Surveillance of the Ministry of Trade, is one of the authorities authorized to conduct administrative supervision of advertisements. Pursuant to the Consumer Law, it is essential that commercial advertisements of marketplaces comply with the principles determined by the Advertisement Board.
-
Please summarise the principal laws (present or impending), if any, that govern search engines and marketplaces, including a brief explanation of the general purpose of those laws.
The regulatory regime for marketplaces is constructed based mainly on the E-Commerce Law, which regulates (i) the relations between marketplaces and sellers/providers and customers, (ii) obligations of marketplaces and sellers/providers, (iii) unfair commercial practices, (iv) advertisement rules, (v) commercial communication requirements.
In 2022, comprehensive amendments to the E-Commerce Law were introduced with the Law Amending the Law on the Regulation of Electronic Commerce (“Amendment Law”) due to the rise of e-commerce, as well as concerns with respect to digital platforms. The Amendment Law drew an atypical regulatory framework that is prepared according to the internal market dynamics and targets the activities of the main actors holding a significant share in the e-commerce sector. It regulated the definitions of electronic commerce intermediary service providers (“EISPs”) and electronic commerce service providers (“ESPs”) and introduced two new concepts – economic integrity and net trading volume – which are structured with problematic definitions and are of critical importance in terms of being obliged to comply with certain obligations.
Followingly, the Regulation on Electronic Commerce Intermediary Service Providers and Electronic Commerce Service Providers (“E-Commerce Regulation”) was published at the end of 2022, which regulates the procedures and principles for the regulation and supervision of the activities of EISPs and ESPs and the commercial relations between them in order to ensure the establishment of an effective and fair competition environment and the development of e-commerce.
Therefore, E-Commerce Law and E-Commerce Regulation constitutes main regulations in the context of marketplaces. However, it shall be underlined that the implementation of these regulations is currently vague. In May 2023, the Council of State, the highest court for the administrative law issues, unanimously decided the stay of execution of 17 articles of the E-Commerce Regulation due to the alleged unconstitutionality of the relevant articles. Accordingly, the Council of State rendered an interim decision on the stay of execution of several E-Commerce Regulation provisions as the applicant argued that there is a pending action before the Constitutional Court regarding the annulment of the Amendment Law. The Council of State also stated that the Constitutional Court’s response will be awaited before the Council of State renders a final decision.
In terms of search engines, DPA published a Guideline titled “Evaluation of the Right to be Forgotten Specific to Search Engines” in October 2021. Pursuant to this guideline, search engines are the data controller and the activity carried out by search engines is considered as data processing activity. In this regard, the data subjects may request the search engines to remove the links related to their personal data from the search results under certain conditions, such as if their data is inaccurate, inconvenient, irrelevant or disproportionate to the purpose of data processing.
The Internet Law defines hosting providers as real persons or legal entities that provide or run systems to contain services and content, and as stated above, marketplaces are considered hosting providers. In this respect, the Internet Law stipulates their obligations as (i) to remove the illegal content from broadcast, provided that it has been informed about the illegal content, (ii) to store the traffic information in relation to the provided hosting services for a period not less than a year and not more than two years, (iii) to make hosting provider notification. Moreover, a specific obligation is also foreseen for the search engines in terms of contents violating personal rights. Persons whose personal rights are violated due to online content may request from judge to render a decision that mandates search engines not to associate their name with the internet addresses subject to the content removal decision.
Apart from those mentioned above, there also several secondary e-commerce regulations governing distance sales, price tags, unfair terms under consumer contracts, advertisement rules, unfair commercial practices, E-Commerce Info Platform, trust stamp in e-commerce, commercial communication.
-
Which body(ies), if any, is/are responsible for the regulation of social media?
ITCA is responsible for the regulation of social media.
-
Please summarise the principal laws (present or impending), if any, that govern social media, including a brief explanation of the general purpose of those laws?
The Internet Law, the main regulation focusing on social media, regulates the obligations and responsibilities of content providers, hosting providers, access providers, mass use providers and social network providers (“SNP”), and grounds and procedures of prevention of crimes committed on the internet environment, such as content removal and access blocking.
While social media was already covered by the Internet Law, two significant amendment laws were enacted recently in order to further regulate social media. The Law No. 7253 Amending the Law No. 5651 (“2020 Amendment Law”), published in July 2020, introduced a new actor “social network provider”, which is defined as “natural persons or legal entities that enable users to create, display or share content such as texts, image, voice, location, over the internet for purposes of social interaction”, and broadened and aggravated the scope of liable parties and their obligations under the Internet Law. The most significant obligation was the appointment of local representative for SNPs having more than 1 million daily access from Türkiye.
Followingly, in October 2022, the Law No. 7418 Amending the Press Law and Certain Other Laws (“2022 Amendment Law”), was published to address disinformation on social media and further aggravate the obligations of SNPs. With the 2022 Amendment Law, stricter local representative model has been brought for SNPs, together with new obligations, such as expanded reporting, data disclosure in non-delayable cases, protection of users’ rights, preparation of a crisis plan, criminal liability for certain promoted content, providing unbundled services for children, establishing ad library. Moreover, ad ban and bandwidth reduction were introduced as sanctions for not complying with certain content removal/access blocking decisions and not paying administrative fines.
The 2022 Amendment Law also introduced disinformation (publicly disseminating false information regarding the internal and external security, public order and general health of the country, with the sole motive of creating anxiety, fear or panic among the people, in a way that is suitable for disturbing the public peace) as a crime in the Turkish Criminal Code.
Lastly, Procedures and Principles Regarding Social Network Provider, the secondary legislation for SNPs prepared by ITCA pursuant to the Internet Law, was published in April 2023.
-
What are your top 3 predictions for significant developments in technology law in the next 3 years?
GDPR harmonized LPPD: While a comprehensive draft law has been prepared to transpose GDPR into our national law as a whole, in a way amending the LPPD, the most significant impact that is expected to be created with the new law, is the liberalization of cross-border data transfer regime. Currently, the cross-border transfer of personal data is regulated under LPPD in quite an orthodox fashion and does not mandate a blockage; but requires compliance with certain requirements. Accordingly, (i) although personal data can be transferred to safe countries announced by the DP Board, no country has been announced as a safe country so far, (ii) in the event that the data exporting party obtains explicit consent from the related data subjects for the transfer, the transfer operation is permitted, (iii) the cross-border transfer operation is permitted provided that a written privacy undertaking (which was published by the DP Board) between the data transferring parties is concluded, and that the DP Board’s approval is obtained following the submission of such undertaking to the DP Board’s clearance.
LPPD also envisages that provisions of other laws concerning cross-border personal data transfers are reserved and international agreements concerning data transfers are prioritized. However, in September 2020, the DP Board disregarded applicability of the Convention No. 108 on the Protection of Individual with regard to Automatic Processing of Personal Data, despite the specific provision recognizing priority of international agreements. Additionally, the undertaking option is also not very preferrable option as the DP Board approved only a few companies’ application. Therefore, de facto blockage occurred in practice, due to several obstacles created by the regulator at implementing the requirements.
As the criticism over the DP Board’s practice increased, the amendment of the cross-border data transfer regime in line with the provisions of the General Data Protection Regulation has been included on the agenda of the government. A regime compatible with GDPR and introducing hierarchical, multi-layered legal bases that can be used depending on the purpose, characteristics, and frequency of the transfer is expected.
Contemplated Digital Markets Act: Another expected critical development is the enactment of an amendment to the Law No. 4054 on the Protection of Competition in a way transposing the EU’s Digital Markets Act into our national law. It is known in the market that, a draft law, which targets digital undertakings with significant market power and providing various core platform services, has already been prepared.
OTT Regulations: With the 2022 Amendment Law, (i) a definition for the over-the-top network services (“OTT”) has been incorporated to the Electronic Communications Law, as “interpersonal electronic communications services within the scope of audio, visual, written communications provided to the end users or subscribers having internet access, independently from the operators and internet services, through a publicly available software”; and (ii) ITCA has been granted with the authority for making the necessary regulations regarding the provision of OTT services, including an authorization regime. Currently, such regulations are being awaited in the market and it is expected the ITCA to take BEREC of European Union as a reference point.
-
Do technology contracts in your country commonly include provisions to address sustainability / net-zero obligations or similar environmental commitments?
Currently, no. However, since the green transition has become one of the key agenda items of the government recently, more regulations and obligations are expected in the sustainability area. Therefore, the trend in the contracts may differ in the mid-term.
Turkey: TMT
This country-specific Q&A provides an overview of TMT laws and regulations applicable in Turkey.
-
Is there a single regulatory regime that governs software?
-
How are proprietary rights in software and associated materials protected?
-
In the event that software is developed by a software developer, consultant or other party for a customer, who will own the resulting proprietary rights in the newly created software in the absence of any agreed contractual position?
-
Are there any specific laws that govern the harm / liability caused by Software / computer systems?
-
To the extent not covered by (4) above, are there any specific laws that govern the use (or misuse) of software / computer systems?
-
Other than as identified elsewhere in this overview, are there any technology-specific laws that govern the provision of software between a software vendor and customer, including any laws that govern the use of cloud technology?
-
Is it typical for a software vendor to cap its maximum financial liability to a customer in a software transaction? If ‘yes’, what would be considered a market standard level of cap?
-
Please comment on whether any of the following areas of liability would typically be excluded from any financial cap on the software vendor’s liability to the customer or subject to a separate enhanced cap in a negotiated software transaction (i.e. unlimited liability): (a) confidentiality breaches; (b) data protection breaches; (c) data security breaches (including loss of data); (d) IPR infringement claims; (e) breaches of applicable law; (f) regulatory fines; (g) wilful or deliberate breaches.
-
Is it normal practice for software source codes to be held in escrow for the benefit of the software licensee? If so, who are the typical escrow providers used?
-
Are there any export controls that apply to software transactions?
-
Other than as identified elsewhere in this questionnaire, are there any specific technology laws that govern IT outsourcing transactions?
-
Please summarise the principal laws (present or impending), if any, that protect individual staff in the event that the service they perform is transferred to a third party IT outsource provider, including a brief explanation of the general purpose of those laws.
-
Which body(ies), if any, is/are responsible for the regulation of telecommunications networks and/or services?
-
Please summarise the principal laws (present or impending), if any, that govern telecommunications networks and/or services, including a brief explanation of the general purpose of those laws.
-
Which body(ies), if any, is/are responsible for data protection regulation?
-
Please summarise the principal laws (present or impending), if any, that that govern data protection, including a brief explanation of the general purpose of those laws.
-
What is the maximum sanction that can be imposed by a regulator in the event of a breach of any applicable data protection laws?
-
Do technology contracts in your country typically refer to external data protection regimes, e.g. EU GDPR or CCPA, even where the contract has no clear international element?
-
Which body(ies), if any, is/are responsible for the regulation of artificial intelligence?
-
Please summarise the principal laws (present or impending), if any, that that govern the deployment and use of artificial intelligence, including a brief explanation of the general purpose of those laws.
-
Are there any specific legal provisions (present or impending) in respect of the deployment and use of Large Language Models and/or generative AI?
-
Which body(ies), if any, is/are responsible for the regulation of blockchain and / or digital assets generally?
-
What are the principal laws (present or impending), if any, that govern (i) blockchain specifically (if any) and (ii) digital assets, including a brief explanation of the general purpose of those laws?
-
Are blockchain based assets such as cryptocurrency or NFTs considered “property” capable of recovery (and other remedies) if misappropriated?
-
Which body(ies), if any, is/are responsible for the regulation of search engines and marketplaces?
-
Please summarise the principal laws (present or impending), if any, that govern search engines and marketplaces, including a brief explanation of the general purpose of those laws.
-
Which body(ies), if any, is/are responsible for the regulation of social media?
-
Please summarise the principal laws (present or impending), if any, that govern social media, including a brief explanation of the general purpose of those laws?
-
What are your top 3 predictions for significant developments in technology law in the next 3 years?
-
Do technology contracts in your country commonly include provisions to address sustainability / net-zero obligations or similar environmental commitments?