By its decision dated 17.03.2020 and numbered 2020/DK-THD/077, the Information and Communication Technologies Authority (the "ICTA") published the Draft Regulation on the Processing of Personal Data and Protection of Privacy in the Electronic Communications Sector (the "Draft Regulation") for public consultation.
Initially, it is of capital importance to underline that the scope of application of the Draft Regulation remains unchanged, to the extent that it only applies to authorized operators in the electronic communications sector.
Pursuant to the above-mentioned decision, the Draft Regulation shall remain open for public consultation until 20.04.2020 and related stakeholders are instructed to submit their opinions / suggestions by utilizing the form published on ICTA's website.
Please also find below a table indicating the timeline for public consultation:
| Issue Date | : 17 March 2020 |
| Date of Publication | : 20 March 2020 |
| Deadline for Opinion | : 20 April 2020 |
The Draft Regulation constitutes the most recent compliance instrument introduced by the ICTA, as a result of its efforts to ensure consistency with the European regulatory framework for privacy in the electronic communications sector, which date back to the mid-2000s.
Following the first regulation in 2004, the Draft Regulation, upon its entry into force, shall constitute the third amendment to the ePrivacy regulatory framework in Turkey; while being the first after the entry into force of the Law on the Protection of Personal Data numbered 6698 (the "Law No. 6698"), in 2016. Having said, this version of the Draft Regulation constitutes the third version published for public consultation by the ICTA, with the first and second versions being published in 2017 and 2018, respectively.
Please find below a summary of the legislative background:
| 2004 | : Regulation on the Processing of Personal Data and the Protection of Privacy in the Telecommunication Sector entered into force. |
| 2008 | : Electronic Communications Law numbered 5809 ("Law No. 5809") entered into force. Article 51 of the Law No. 5809; explicitly envisaged that the ICTA is entitled to determine procedures and principles applicable to the processing of personal data and the protection of privacy within the electronic communications sector. |
| 2010 | : Following the result of the referendum held on 12 September 2010, Article 20 of the Constitution was amended in a manner introducing new measures concerning data protection and access to personal information. |
| 2012 | : Regulation Concerning the Processing of Personal Data and the Protection of Privacy in the Electronic Communication Sector repealed the previous regulation dated 2004. The regulation has been prepared in compliance with the 2002/58/EC Directive1, as amended by Directive 2009/136/EC2. |
| 2014 | : The Constitutional Court annulled the Article 51 of the Law No. 5809 on the grounds that any provision relating to the protection of personal data must be introduced under a law; in lieu of an ancillary regulation. |
| 2015 | : According to Article 32 of the Law numbered 6639, published in the Official Gazette on 15 April 2015, Article 51 of the Law No. 5809 was amended. |
Within the purposes of the electronic communications (EC) legislation, subscribers are construed as natural or legal persons entering into a subscription agreement with the authorized operator, for the provision of EC services. Whereas, within the purposes of the data protection legislation, a data subject is defined as the natural person whose personal data is processed.
Consequently, in order to clarify uncertainties, the scope of the Draft Regulation is reiterated as the principles and procedures to be followed by operators, with respect to data collected during the provision of EC services, including legal entity subscribers.
It is essential to underline that while the current text of the Regulation determines the objective and scope thereof, as to determine the principles and procedures to be followed by operators in the EC sector with regards to the processing and retention of personal data as well as the protection of privacy, the Draft Regulation does not place a specific emphasis on the processing of personal data; but rather refers to a broadly-understood term: data. Data, in this sense, is defined under the Regulation as traffic data, location data, subscriber/user identity and other related information.
Entered into force in the absence of a specific legal instrument governing data privacy practices in Turkey, the provisions under the Regulation is far from being consistent with the personal data protection legislation, particularly with the principles and procedures set forth under the Law No. 6698. Therefore, when interpreted together with the Law No. 6698, the current text of the Regulation creates a significant degree of uncertainty, as to how data privacy practices should be exercised by authorized operators.
In consideration of the above, the main objective of the Draft Regulation could be comprehended as ensuring consistency with the personal data protection legislation. Accordingly, provisions of the Regulation specifying principles, including confidentiality of communication, applicable to the processing of personal data, traffic and location data, determining categories of data to be retained as well as retention periods, and envisaging reporting obligations for statistical data, are excluded from the scope of the Draft Regulation.
Art. 5(1) of the Draft Regulation introduces the obligation to prepare a security policy concerning the processing of personal data on operators, in addition to the existing obligation to take all necessary technical and organizational measures consistent with international and national standards. Art. 5(3) introduces a minimum retention requirement which indicates to a two year period, in relation to process records documenting access to personal data and other related systems, and further envisages a time-stamping obligation on said process records.
In consistency with the provisions of the Law No. 6698 determining joint liability for data controllers and data processors concerning data security obligations, Art. 5(4) emphasizes that compliance with data security obligations shall also be ensured in respect of processes undertaken by parties authorized by the operator.
Likewise, Art. 5(6) envisages that, without prejudice to the administrative sanctions to be imposed by the ICTA, the operator shall be fully responsible for personal data breach incidents arising in connection with the transfer of personal data to third parties.
The current text of the Regulation requires operators to notify the ICTA, and if deemed necessary by the ICTA, notify subscribers / users, in a timely and efficient manner. However, the Draft Regulation restructures said notification obligation and requires operators to immediately notify the ICTA, the Personal Data Protection Authority (the "DPA"), its subscribers / users and other related public institutions / authorities.
The current text of the Regulation refers to consent as a legal ground for processing personal data which is inconsistent with the explicit consent requirement under the Law No. 6698. In this regard, all references to consent are replaced with explicit consent under the Draft Regulation, and conditions for obtaining consent are set forth under Art. 7, thereof. Said conditions are envisaged in parallel with the definitive conditions for explicit consent under the Law No. 6698: (i) provided for a specific subject, (ii) provided upon being adequately informed, (iii) freely given, and thus, adopt an equivalent protection regime for subscribers / users.
As the validity of explicit consent is contingent upon being adequately informed, Art. 7 of the Draft Regulation further introduces a comprehensive ruleset to be followed when providing information to and subsequently obtaining explicit consent from the subscribers / users. Accordingly, prior to obtaining explicit consent, operators are required to provide information on (i) the types of personal data and the types of traffic and location data to be processed, (ii) the scope of processing, (iii) the purpose of processing, and (iv) the period of processing, in a clear and comprehensible manner. Further, if such information is to be provided in writing, operators are required to provide such information in at least 12 point size. In the event that explicit consent is obtained by electronic media, operators shall be subject to the aforementioned time-stamping obligation, while respecting retention requirements specified under the related regulations, to such extent that if not time-stamped, explicit consent shall be considered invalid.
It is essential to underline that the Draft Regulation introduces a separate structure for transferring personal data to third parties, other than public bodies permitted under the related legislation. Accordingly, pursuant to Art. 7(1)(d), operators are under the obligation to provide information on (i) the scope of data to be transferred, (ii) the name and address of the recipient entity, (iii) purpose and period of transfer and (iv) how data will be destructed by the end of the period, prior to obtaining explicit consent for such transfer. In the event of any change to the above-listed information, said article further requires operators to once again obtain explicit consent for the transfer.
Art. 7(1)(e) of the Draft Regulation, requires operators to ensure that personal data is processed by the third-party, information relating to which has been provided in the explicit consent information notice. Said requirement is likely to be interpreted as a direct restriction for the recipient third parties' use of sub-processors.
In direct correlation with the Law No. 6698, as per Art. 7(1)(f) of the Draft Regulation, operators shall have the burden to prove that necessary information has been provided and explicit consent has been obtained.
Art. 8 of the Draft Regulation reiterates operators' obligation to inform, in cases where traffic and location data are processed for the purposes envisaged under the related legislation or judicial decisions, which consequently do not require obtaining explicit consent. In such cases, operators are nevertheless under the obligation to provide general information to subscribers / users on (i) the types of traffic and location data to be processed, (ii) purposes, (iii) period, and (iv) methods for processing.
With respect to cross-border personal data transfers, it is of capital importance to underline that the current text of the Regulation explicitly prohibits cross-border transfer. However, as deduced from Art. 7(1)(d) of the Draft Regulation, personal data is permitted to be transferred to a third-party outside of Turkey upon obtaining explicit consent, provided that additional information on (i) the country to which data will be transferred, (ii) the purpose and period for retention abroad, (iii) the corresponding legislation and practice in the recipient country, are presented to subscribers / recipients.
It is of paramount importance to note that the Draft Regulation makes no reference to the cross-border transfer regime envisaged under the Law No. 6698.
In addition to the current text of the Regulation, Art. 11(1) of the Draft Regulation introduces a prior explicit consent requirement for registering subscribers to directories.
Art. 13(1) of the Draft Regulation requires operators to provide information to subscribers / users on how explicit consent can be withdrawn. In any case, operators are required to ensure that withdrawing consent must be as easy as giving consent.
Art. 13(2) of the Draft Regulation further envisages that, in January each calendar year, operators shall inform subscribers / users whose personal data are being processed, on the processing of their personal data upon prior explicit consent given by the respective subscriber / user, to such extent that, if information is not provided, processing activities shall be ceased until such standardized notification is made. Art. 13(3) thereof, further reiterates the operators' burden to prove that such notifications are conveyed to subscribers / users.
Pursuant to Art. 13(4), operators shall be subject to an accessibility requirement, with regards to notifications to be conveyed to subscribers / users with disabilities.
Art. 13(5) of the Draft Regulation, determines that all given explicit consent, shall be deemed withdrawn, upon termination of the subscription.
Footnotes
1. Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications)
2. Directive 2009/136/EC of the European Parliament and of the Council of 25 November 2009 amending Directive 2002/22/EC on Universal Service and Users' Rights Relating to Electronic Communications Networks and Services, Directive 2002/58/EC Concerning the Processing of Personal Data and the Protection of Privacy in The Electronic Communications Sector and Regulation (EC) No 2006/2004 on Cooperation Between National Authorities Responsible for the Enforcement of Consumer Protection Laws
