Q&A on Technology Sector in Turkey Part II

Q&A on Technology Sector in Turkey Part II


19.               Are there any regulatory guidelines or legal restrictions applicable to cloud-based services?


There is no specific regulation governing the provision and procurement of cloud services in Turkey. In the absence of a specific legislative framework, the DPL is considered to function as the main legislative instrument governing cloud-related practices. The provisions thereunder concerning the cross-border transfer of personal data is deemed as having a significant and direct impact on the procurement of cloud-based services which are hosted outside Turkey.


In addition to the data protection regulations, there are certain sector specific regulations scattered amongst a variety of legislations which, in general, require entities operating in such sectors to refrain from procuring cloud-based services which are hosted outside Turkey. Said sectoral restrictions are mainly intended to localize information systems and to allow for on-premise audits to be conducted by the respective regulatory and supervisory authorities. In this respect, said sector-specific regulations mainly concentrate on heavily regulated sectors, such as financial services, capital markets, and public sector.


In this regard, it should be specifically noted that the Presidential Circular No.2019/12 on Information and Communication Security Measures explicitly states that critical data relating to public institutions and organizations shall not be retained within cloud storing services, other than institutions’ own systems or systems which are controlled by such and local service providers. Additionally, while the Regulation on the Information System of Banks and Electronic Banking Services allows banks to use cloud computing services as an outsourced service provided that certain conditions are met (which restricts the use of public cloud systems), it also introduces system localization by saying that if cloud computing services fall under the definition of primary or secondary systems, the on-soil requirement will be applicable and such systems may only be hosted on Turkish territory.


20.               Are there specific requirements for the validity of an electronic signature?


Yes. While contracts executed online are valid in Turkey, the effect of an online/electronic contract as an evidence may be questioned, due to the Turkish Civil Procedure Code. The Code requires a contract executed with a handwritten signature or secure electronic signature for proving the transactions with a value exceeding TRY 4,480. It should be noted that this issue does not regard the validity of the agreement but its quality as a proof (especially in the event of a dispute), in case of a dispute before Turkish courts regarding an electronic contract. In this context, under the E-Signature Law, a secure electronic signature shall be a signature that;


is exclusively assigned to the signature owner,

is generated with the secure electronic signature creation device which is kept under the sole control of the signature owner,

enables the identification of the signature owner based on the qualified electronic certificate,

enables detection as to whether signed electronic data has or has not been altered or not subsequent to the signature being applied.


In principle, an electronic signature, which meets the conditions stated above, shall have the same legal effect as that of a handwritten signature. However, a secure electronic signature cannot be used for legal proceedings subject to a special procedure or an official form pursuant to laws and warranty contracts.


21.               In the event of an outsourcing of IT services, would any employees, assets or third party contracts transfer automatically to the outsourcing supplier?


No, automatic transfer of employees, assets or third-party contracts to the outsourcing supplier is not yet regulated under Turkish legislation.


22.               If a software program which purports to be a form of A.I. malfunctions, who is liable?


Liability in terms of Artificial Intelligence (AI) malfunctions is not specifically regulated under Turkish laws, and thus, the general provisions of the Turkish Code of Obligations (“TCO”) in terms of “tort” will apply. In accordance with the Article 41 of the TCO, the tort must contain four vital elements such as unlawful act, damage, omission and causality link. On the other hand, it should be noted that causality link should be assessed in each specific case since algorithm, underlying data, mechanics or the user/operator of AI based system may be individually or jointly the root cause of respective damage.


23.               What key laws exist in terms of: (a) obligations as to the maintenance of cybersecurity; (b) and the criminality of hacking/DDOS attacks?


Cybersecurity rules in Turkish law are not consolidated under one legislative instrument but rather scattered under different sector-specific regulations. Accordingly, the Circular Note on Information and Communication Security Measures numbered 2019/12 (the Circular) establishes extensive cybersecurity-related obligations that are mainly applicable to public authorities and institutions. The most notable measures contained within the Circular are (1) significantly limiting the use of cloud systems; and (2) seriously restricting social media use in the public sector.


There are multiple sector-specific regulations that require organisations from critical sectors to employ cybersecurity measures to safeguard their information systems. For example, their sector-specific legislation requires organisations related to capital markets (including on- stock companies) and entities from sectors such as insurance, banking and payment services to employ certain measures related to cybersecurity.


Cyber-crimes are described directly in the Turkish Criminal Law (“TCL”) which entered into force as of 26 September 2004. Although DDoS attacks are not specifically regulated under TCL, “unlawful access to data information system” and “hindrance or destruction of the system, deletion or alteration of data” are defined as criminal acts respectively under articles 243 and 244 of TCL. If parties organising DDoS attacks unlawfully capture others’ devices, they will be having “an unlawful access to information systems”. Also, if the attacking parties are aiming to hinder the operationality of a certain system, this will trigger Article 244 (up to 5 years of imprisonment). Additionally, if such an attack is committed against to a bank or credit institution, or public institutions or corporations, respective sanctions will be aggravated.


24.               What technology development will create the most legal change in your jurisdiction?


We opine that given the recent government plans and strategies, cyber security and fintech may continue to create significant impact in our jurisdiction in terms of legal change and disrupt their respective ecosystems.


Turkey has a strong and significant financial sector. In parallel to the government’s goals towards digitalization, financial technologies will transform the sector and create a disruptive impact, which as a result will trigger legal change. As one of the most heavily regulated sectors, financial sector will evolve along with financial technologies. On the other hand, in order to ensure data security and to eliminate the cyber security related risks in the market, regulations on cyber security and resulting obligations to become compliant with the same may also be discussed.


25.               Which current legal provision/regime creates the greatest impediment to economic development/ commerce?


Greatest impediment to economic development/commerce in Turkey with respect to technology is the delay in adopting the necessary legal framework, which will not hinder, but enhance the technological advances, and accelerate the growth of digital economy. This does not only correspond to delays in the regulatory processes, but also to delays in apprehending the current needs of the sector and regulatory void that need to be filled with a good understanding of technology, its impact and international benchmarks. Moreover, growing tendency towards local and national also impairs the investment ecosystem of Turkey.


Most regulations adopted in Turkey especially in the field of digital services and technology are transposed from the EU. Having said that, in various cases this does not eliminate the discrepancies and hardships in the very implementation of legal provisions and in practice. One example to such hardship may be given as the international data transfer regime under DPL. The list of countries providing adequate level of protection has not been announced yet by the Turkish Personal Data Protection Authority. Given the fact that other mechanisms envisaged under DPL (as explained above in this document) are burdensome and operationally unfeasible to many, this also creates an impediment to economic development, and a negative perception with respect to the investment environment and ease of doing business in Turkey.


26.               Do you believe your legal system specifically encourages or hinders digital services?


The government in Turkey pays utmost attention to digital services and the digital transformation of public institutions. In fact, as per the new government system, Digital Transformation Office has been established, which is tasked to realize the digital transformation of public institutions and to carry out any and all necessary works and studies in this regard. This stance of the government also manifests itself through all government plans and strategies.


On the other hand, as mentioned before, there is a rising trend and tendency of the government that favors local and national corporations and technologies. Although it is the natural consequence of today’s digital world and digital economy to have companies that operate in Turkish market yet are not residents, localization requirements and the restraining stance of the government that only continue to increase and weighs on the sector.


The most recent example in this regard is the Bill Amending the Law No. 5651 on Regulation of Publications on the Internet and Combating Crimes Committed by Means of Such Publication (“Bill”), which imposes strict restrictions on social media providers and includes a provision that obliges social network providers established abroad and that has more than one million access from Turkey per day to appoint a representative in Turkey for taking necessary actions on notice, declaration or requests to be sent by the Information and Communication Technology Authority (“Authority”), the Access Providers Union, judicial or administrative authorities and for responding to applications by persons.


27.               To what extent is your legal system ready to deal with the legal issues associated with artificial intelligence?


As we have stated above, currently, there is no specific regulation or provision regarding artificial intelligence, and the problems that may arise this respect are trying to be solved with general principles that may be relevant. In this regard, it could be stated that Turkish legal system is not competent to responds the legal issues that may occur and legislative works to be done with relevant stakeholders are needed. On the other hand, Turkish legislators tend to monitor EU Commission’s legislative works and may use them as bases for a legislation to be prepared. Accordingly, it could be stated that any developments in this context may be affected by the EU policies, especially White Paper published this year, “Artificial Intelligence: a European approach to excellence and trust”, and report “Policy and investment recommendations for trustworthy Artificial Intelligence”.


Moreover, establishment of “Artificial Intelligence Institute” is set forth in Turkey’s 2023 Industry and Technology Strategy, which is also to produce information that will be considered in setting policies and standards on issues such as management, protection and dissemination of data, among other targets. Therefore, it could be argued that the results to be concluded by this institute may also help to determine the problematic issues and introduce solutions on artificial intelligence.