Q&A on Technology Sector in Turkey Part I
The regulatory regime for technology is structured according to the subcategories of issues. Accordingly, Electronic Communications Law No.5809 (“Electronic Communications Law”) regulates the provision of electronic communications services and the construction and operation of the infrastructure and the associated network systems, as well as the manufacture, import, sale, construction and operation of all kinds of electronic communications equipment and systems.
Law No. 5651 on Regulation of Publications on the Internet and Combating Crimes Committed by Means of Such Publication (“Internet Law”) regulates the obligations and responsibilities of content providers, location providers, access providers and mass use providers; and the fight against certain crimes committed on the internet.
Law No.6112 on the Establishment of Radio and Television Enterprises and Their Media Services, and especially Regulation on Radio, Television and On-Demand Broadcasting Provided Through the Internet Platforms (“RTUK Regulation”), extends the licensing, content and advertisement related regulation and supervision powers of Turkey’s Radio and Television Supreme Council (“RTUK”) to cover online service providers.
Law No. 6563 on Regulation of Electronic Commerce (“Electronic Commerce Law”) regulates principles and procedures regarding e-commerce, as well as direct marketing, responsibilities of service providers and intermediary service providers, and contracts with electronic communication tools.
The Law No. 7194 on Digital Services Tax and Amending Various Laws and the Statutory Decree numbered 375 (“DST Law”) regulates digital services tax to be applied to digital service providers, regardless of whether they are fully liable or limited taxpayers or whether the taxpayer performs activities through a workplace in Turkey or its permanent representatives.
Moreover, the Personal Data Protection Law No.6698 (“DPL”), Industrial Property Law No. 6769 (“Industrial Property Law”), and Law No.5846 on Intellectual and Artistic Works (“Intellectual Property Law”) also play a critical role within the regulatory framework for technology.
Yes, Electronic Communications Law No.5809 regulates the provision of electronic communications services and the construction and operation of the infrastructure and the associated network systems.
In order to provide electronic communication services and/or to establish and operate an electronic communications network or infrastructure in Turkey, it is necessary to be authorized by the Information Technologies and Communication Authority (“ICTA”).
Authorization by the ICTA can be granted to companies by following one of these two methods: (i) only via notification or (ii) notification and granting the right of use.
ICTA is the regulator for communications-related services.
ICTA is a public institution with administrative and financial autonomy. The ICTA is independent in performing its duties, and no organ, authority, or person can give orders and instructions to the ICTA. On the other hand, ICTA is affiliated with the Ministry of Transportation and Infrastructure, which means they are in close collaboration while determining macro strategies and preparing long-term projections for nationwide roadmaps.
Yes, the Internet Law regulates the responsibilities of the access providers, content providers, mass use providers, hosting providers that operate on the Internet, and covers access blocking requests and measures to be taken regarding violations of the internet. However, the information search engines are not specifically regulated under this law.
Moreover, on July 29, 2020, the Parliament accepted the Bill Amending the Law No. 5651 on Regulation of Publications on the Internet and Combating Crimes Committed by Means of Such Publication (“Bill Amending the Internet Law”), the proposal of which was submitted to the General Assembly by AK Party on July 21, 2020. The Bill introduces a new actor, “social network providers”, which is defined as “natural persons or legal entities that enable users to create, display or share content such as texts, image, voice, location, over the internet for purposes of social interaction”, and broadens and aggravates the scope of liable parties and their obligations under the Internet Law.
Yes, the Internet Law does not make any distinction between the resident and non-resident actors of the internet.
Moreover, in order to ensure that obligations arising from the Internet Law are fulfilled and there is an addressee in Turkey to whom the requests will be delivered, the Bill Amending the Internet Law obliges the social network providers that have more than one million accesses from Turkey per day to appoint a representative in Turkey, to take necessary actions on notices, declarations or requests sent by the ICTA, the Access Providers Union, judicial or administrative authorities and to respond to applications made by individuals in accordance with the Internet Law. Additionally, under the Bill Amending the Internet Law, notifications relating to the administrative fines imposed under the Internet Law on those residing outside of Turkey may be served to e-mail addresses as well as to other contact information discovered through the website, IP address or relevant means, without being required to complete international notification procedures.
Yes, companies applying for authorization (for serving communication services) before the ICTA must be established as a joint-stock or limited liability company in accordance with the Turkish laws, in order to carry out only the activities that are subject to the authorization or the activities required, and/or relevant while performing the service subject to the authorization.
No, however, as we have stated above, the telecom operators must be a joint-stock or limited liability company established in Turkey, in accordance with the Turkish laws.
Yes. Network-to-network interconnection and access is regulated by the Electronic Communications Law and Regulation on Access and Interconnectivity (“Interconnectivity Regulation”).
Pursuant to the Interconnectivity Regulation, upon an access request by another operator, operators have the obligation to negotiate interconnection with each other with the aim of reaching an agreement within a reasonable time. In this case, if an operator denies interconnection or imposes unreasonable terms in order to avoid negotiation, and if the ICTA decides that the actions of that operator damage competition or the interests of end-users, such operator may be required to enter into an agreement to provide interconnection.
Yes, the ICTA may require operators with significant market power to provide interconnection or to make available the technical specifications, network specifications, terms and conditions regarding supply and usage, fees and similar information. In such cases, operators are obliged to provide interconnection on a non-discriminatory basis to the other operators.
12. What are the principal consumer protection regulations that apply specifically to telecoms services?
Regulation on Consumer Rights in the Electronic Communications Sector is the main regulation for consumer protection that applies especially to telecoms services. Accordingly, rights such as protection against discrimination, right to enter into contract with the operator, right to ask for a detailed bill, right to request information on the scope of service, right to access updated information and being informed regarding changes in the tariff, the right to easily withdraw from the services are provided to the consumers of telecom services.
Moreover, the Law on the Procedure of Execution Proceedings for the Collection of Monetary Receivables Arising out of Subscription Agreements regulates the initiation and execution of proceedings in the electronic environment regarding the receivables arising from the invoice of the goods or services, which are presented to the consumer for the purpose of performing the subscription contracts and the subscription contracts regulated in the relevant laws and regulations.
The computer software is regulated as “work” under the name of computer programs in Article 2 of the Law No. 5846 on Intellectual and Artistic Works (“Law No. 5846”). In addition, Article 6 of the Law No. 5846 states that the adaptation, editing or making any changes to a computer program is also considered as a “work”.
Pursuant to the Law No. 5846, the owner of a work is the person who creates it, and thus, the developer, who creates a new software or development, is accepted as the owner of the work. The owner of the work will own both the intangible and financial rights on the developed work.
As an example of intangible rights, the owner of the work can exclusively determine the representation, timing, and the means of the promulgation of a work. Besides, abbreviations, additions or other changes cannot be made to the work or the name of its owner without the permission of the owner of the work. Also, the right to make use of a work not yet publicised in any way whatsoever belongs exclusively to the owner of the work.
Under the scope of financial rights, the right to partially or wholly duplicate the original or adaptations of a work belongs exclusively to the owner of the work. The right to disseminate, lease, lend or sell or make a subject of trade in any way whatsoever a work and its copies obtained by duplication from the original or adaptation of it and to benefit from this way belongs only to the owner of the work.
Under the Intellectual Property Law, databases obtained by the selection and compilation of data and materials according to a specific purpose and a specific plan, which are in a form that can be read by a device or in any other form are deemed as adaptations. However, it is stated that this protection cannot be extended to the data and materials contained in the database.
On the other hand, the Intellectual Property Law recognizes that the maker of a database who has made a qualitatively and/or quantitatively substantial investment in either creation, verification or presentation of the contents shall have the right of permitting or prohibiting (i) permanent or temporary transfer to another medium by any means and in any form, and (ii) distribution or sale, rental or communication to the public in any way, of all or a substantial part of the contents of the database, with the exceptions specified in this Law and required by purposes of public security and administrative and judicial procedures.
The protection of personal data is recognized as a fundamental right under Article 20(3) of the Constitution of the Republic of Turkey as of its amendment in 2010. Since the aforementioned Article requires the principles and procedures regarding the protection of personal data to be laid down in law; the constitutional guarantee for the protection of personal data is intended to manage the processing of personal data on a regulatory level. In this respect, Law on the Protection of Personal Data No. 6698 (“DPL”), which constitutes the main legislative instrument that specifies the principles and procedures concerning the processing and protection of personal data, has been published in the Official Gazette on 7 April 2016 and is in effect as of this date.
The DPL provides almost the same definitions as GDPR and sets forth the legal grounds on which personal data may be processed fairly. We can say that the majority of the legal grounds are the same, while there are some divergences from the EU’s regulations (see question 12). In addition to the legal grounds, providing clear information to data subjects about data processing purposes and respective data categories is obligatory. Also, similarly, the DPL provides a general requirement for data controllers to take technical and administrative measures, alongside a mandatory data breach notification within 72 hours. Finally, we can say that the most important and problematic issues are related to cross-border data flow (see questions 10 and 13), divergences from the EU’s regulations (see question 12) and administrative fines (see question 11).
DPL provides an enhanced set of rules to be followed when transferring personal data from Turkey to abroad. In this respect, the DPL shall not be comprehended as wholly or directly prohibiting the transfer of personal data, but rather as necessitating the existence of predetermined conditions, and subsequently prescribing the cross-border data transfer regime.
The transfer regime foreseen under Article 9 of the Law No. 6698 requires adherence to one of the following transfer mechanisms:
Explicit consent: In the event that the data exporting party obtains explicit consent from the related data subjects, for the cross-border transfer of personal data, the cross-border transfer operation is permitted.
Adequate level of personal data protection: In the event that (i) the conditions specified for the due processing of personal data are deemed applicable, and that (ii) the recipient country is considered to ensure an adequate level of personal data protection, the cross-border transfer operation is permitted.
Ad hoc approval of the Board: In the event that the recipient country is unable to provide an adequate level of personal data protection, the cross-border transfer operation is permitted provided that (i) a written privacy undertaking agreement between the data transferring parties is concluded, and that (ii) the Board’s approval is obtained following the submission of such undertaking for the Board’s clearance.
On the other hand, while the DPL allows cross-border transfer of personal data by introducing mechanisms in this regard, we would like to underline that as of July 2020, the list of countries providing an adequate level of personal data protection has not been published by the Board.
The maximum fine, which can be applied to (i) those who do not fulfill the obligations related to data security, (ii) those who do not fulfill the decisions issued by the Board, and (iii) those who act contrary to the obligations for registry with the Data Controllers’ Registry and for notification, is determined as TRY 1,000,000, which is updated every year based on the reevaluation rate announced by the state (for the year 2020, this fine is calculated as TRY 1,802,636).
First of all, the DPL is prepared based on the Directive 95/46/EC of the European Parliament, which was repealed by the GDPR; therefore, although the Personal Data Protection Authority follows the implementation of GDPR in many areas, the exact comparison is not possible.
In the DPL, a stricter regime is applied for processing of personal data concerning health and sexual life. Accordingly, these data may only be processed, without seeking explicit consent of the data subject, by persons who are subject to a secrecy obligation or by competent public institutions and organizations, for the purposes of protection of public health, operation of preventive medicine, medical diagnosis, treatment and nursing services, planning and management of health-care services as well as their financing. While DPL increases the protection level of the personal data concerning health and sexual life by way of restricting the people that may process them, which is a narrower scope compared to GDPR, this results in difficulties in practice.
Moreover, GDPR and DPL also differ in terms of the regime that they stipulate for cross-border transfer of personal data. While GDPR introduces multiple alternatives facilitating the transfer of personal data, due to cyber security concerns and the economic interest in the retention of data, DPL introduces a more controlled and authority-centered structure for the transfer, when the personal data is not transferred with the explicit consent of the data subject. In this regard, a higher level of protection for personal data is aimed at, while it results in a block and/or restriction on use of certain services, including cloud services.