Internet

Constitutional Court Annulled the Provisions of the Internet Law

The Constitutional Court, with its decision numbered 2020/76 ("Constitutional Court Decision") published in the Official Gazette on January 10, 2024, partially annulled Article 8 and wholly annulled Article 9 of the Law on the Regulation of Internet Publications and Prevention of Crimes Committed through these Publications No. 5651 ("Internet Law"). The annulment will enter into force on November 10, 2024.

The Constitutional Court stated that although the availability of removing the content provided under Article 8(4) and (11) of the Internet Law is regulated as an administrative measure, it is applied as a final measure that is detached from the criminal proceedings and based on a criminal offence determination to be made by the head of the Information and Communication Technologies and Communication Authority ("ICTA"). In this regard, according to the Constitutional Court Decision, issuing a decision to remove the content, which has the nature of a final measure due to the determination of criminal offence by an administrative authority, without a final court decision, and imposing an administrative fine in case of non-compliance with this decision, violates the presumption of innocence. Therefore, the Constitutional Court has decided to annul the relevant parts of Article 8 of the Internet Law stipulating the issuance of a decision on the removal of content other than access blocking and the imposition of administrative fines by the ICTA on relevant content, hosting and access providers, on the grounds that it is contrary to Article 36 of the Constitution, which regulates the right to a fair trial, and Article 38 of the Constitution, which guarantees the presumption of innocence.

In relation to Article 9 of the Internet Law, the Constitutional Court noted that the provisions subject to the annulment limit the freedom of expression (Article 26 of the Constitution) by allowing the removal of the content of the publications made on the internet and/or blocking access to these publications, and the freedom of the press (Article 28 of the Constitution), considering that this publication may also be within the scope of internet journalism. Based on this assessment, the Constitutional Court found the provision on the application of decisions on violations of personal rights as removal of content, in addition to access blocking, unconstitutional. Similarly, the Constitutional Court found the provision enabling the Access Providers Union to apply the decisions regarding the violation of personal rights as a content removal decision on other content, which has the same nature as the content subject to the decision, and the provision that allows the applicant's name not to be associated in the search engine with the internet addresses subject to the access blocking decision issued by the court, unconstitutional.

While assessing the unconstitutionality of Article 9 of the Internet Law, the Constitutional Court referred to its evaluations in the individual application decision of Keskin Kalem Yayıncılık ve Ticaret A.Ş. dated October 17, 2021, and numbered 2018/14884. Accordingly, the Constitutional Court stated that Article 9 of the Internet Law does not provide procedural safeguards of judicial law, the safeguards to ensure a proportionate decision in accordance with the requirements of the democratic social order, underlining that it does not provide a gradual intervention method for the restriction of content, that the court decisions issued based on this article are groundless and contain general expressions, that a fair balance is not established between conflicting rights during the implementation of the article, and that the discretionary power of public authorities shall be limited.

In addition, although Additional Article 4 of the Internet Law, which regulates the obligations imposed on social network providers, was also included among the provisions subject to the request of annulment, the Constitutional Court decided that the request for annulment of the article is moot since the relevant provision has been amended by Law No. 7418.

You can access the Constitutional Court Decision here (in Turkish).

Protection of personal data

Constitutional Court Issued A Decision Regarding The Rejection Of Appeals To The Personal Data Protection Authority Decisions By The Court Of Criminal Judgeships Of Peace Without Providing Justification

The Constitutional Court's decision numbered 2020/7518 ("Decision"), which found that the rejection of the appeal against the administrative fine imposed by the Turkish Data Protection Authority ("Authority") by the Court of Criminal Judgeship of Peace without evaluating the applicant's claims violated the right to property of the data controller, was published in the Official Gazette dated December 15, 2023.

In the case subject to the Decision, the Authority decided to impose an administrative fine of TRY 1,450,000 on the data controller, which is a holding company, on the grounds that the necessary technical and administrative measures to ensure data protection were not taken.

The data controller appealed the decision of the Authority before the court of criminal judgeship of peace with a request for the annulment of the administrative fine by asserting their claims and defenses regarding the Authority's decision and the incident subject to the decision. The court of criminal judgeship of peace rejected the data controller's appeal by stating that the "conduct is confirmed with the report issued by the administration and that the administrative sanction decision issued for the misdemeanor caused by the conduct confirmed by the administration is in accordance with the law and procedure." The data controller then appealed against the objection decision of the relevant criminal judgeship of peace as well, but similarly, the data controller's appeal against the Court of Criminal Judgeship of Peace's decision was rejected by stating that "there is no procedural and legal violation and that there is nothing to be changed in the given decision." After the first instance and appeal authorities rejected the data controller's appeal by finding the administrative fine in accordance with the law and procedure, the data controller filed an individual application before the Constitutional Court, claiming that the first instance court rejected the appeal without conducting a sufficient and necessary examination.

In the Decision, the Constitutional Court stated that the administrative fine caused a decrease in the data controller's assets, and therefore, the fine in question constituted an interference with the applicant's right to property. Accordingly, interferences with the right to property must be proportionate, and a fair balance must be established between the aim to be achieved by the interference and the means. The Constitutional Court, in relation to the case subject to the application, concluded that the interference constitutes a violation of the data controller's right to property and ruled for a retrial, considering that the courts of first instance issued their decision without evaluating the applicant's allegations, which would affect the entirety of the proceedings, and did not provide any justification.

You may access the Decision here (in Turkish).

Turkish Data Protection Authority Published New Decision Summaries

On December 27, 2023, the Authority published thirty-one new decision summaries to provide guidance to ensure compliance with personal data protection legislation. The published decisions mainly address the issues of the unlawful disclosure of personal data to third parties, cross-border data transfers and excessive data processing. In this regard, some of the prominent decision summaries are as follows:

  • Decision numbered 2023/1041 and dated June 15, 2023: In the decision, the data subject submitted a complaint to the Authority stating that the data controller's products were sold (i) without approving the privacy policies and privacy notices and (ii) without giving consent for cross-border data transfer. In its assessment, the Authority evaluated the data controller's website and determined that the explicit consent request regarding the cross-border data transfer is included in the sales made online. However, for the customers who do not give explicit consent for the cross-border transfer of their personal data, an alternative sales channel is available through customer services, and this channel offers shopping options to customers without any additional cost/obligation. In this regard, the Authority decided that the data subject can purchase the product without suffering any damage and without being obliged to consent to the cross-border transfer of their personal data, and that the data controller shall only be instructed to clearly and understandably display the alternative sales channel on the membership and check-out screens. With regard to the mandatory approval of the privacy policies and privacy notices, the Authority stated that the data controller has fulfilled its obligation to inform, and therefore, there is no violation of Turkish Data Protection Law No. 6698 ("DPL"). You may access the summary of the relevant decision here (in Turkish).
  • Decision numbered 2023/1430 and dated August 17, 2023: In the decision, the Authority initiated an ex officio investigation on the subject upon the indication that the phone and Turkish ID number information of the persons were requested when registering for use of the data controller's mobile application providing meal card services. As a result of its investigation, the Authority stated that it would be in accordance with the proportionality principle to provide verification in the application, with data such as card information or a phone number to be provided to the data controller through the employer, if the physical cards are desired to be added to the mobile application by the meal card users, considering that the Turkish ID number is of relatively higher importance than the phone number, and may cause greater damages for individuals in the case of a data breach. Based on this assessment, the Authority has decided (i) to impose an administrative fine of TRY 200,000 on the data controller that has failed to fulfil its obligations under the first paragraph of Article 12 of the DPL by stating that it is contrary to the principle of proportionality in terms of processing limited to the specified processing purposes as in Article 4 of the DPL; (ii) to instruct the data controller to take the necessary technical and administrative measures for not processing the Turkish identity number and to inform the Authority of the result; (iii) to instruct the data controller to dispose of the Turkish ID number information, of which the data controller has no legal grounds for processing, in accordance with Article 7 of the DPL and the Regulation on Deletion, Destruction or Anonymization of Personal Data, and to inform the Authority with documents (such as log records) proving that the destruction has been carried out. You may access the summary of the relevant decision here (in Turkish).
  • Decision numbered 2023/1321 and dated August 3, 2023: In the decision, the data subject stated that they established a new company by leaving the data controller company in which they were previously a partner, but that their personal data was unfairly processed, since the email address they used while they were a partner of the data controller company was still actively used by the data controller and their emails were read. In its response to the Authority, the data controller stated that the email address belonging to the data subject was closed when the data subject left the partnership and that the deleted email addresses had the extension belonging to the data controller company and that the emails sent to this address fell into the administrator email account as "undefined e-mail". In its evaluations, the Authority determined that a former customer, who did not know that the data subject had ended their partnership with the data controller, sent a message to the former email address of the data subject, and the data controller company official who read the message contacted the relevant customer. Therefore, even if the email address was classified as an undefined email, the data controller continued to process the personal data of the data subject by reviewing messages in the undefined email, after the data subject's resignation from the job, and it does not rely on any legal ground stipulated under Article 5 of the DPL. Based on this evaluation, the Authority decided (i) to impose an administrative fine of TRY 50,000 on the data controller pursuant to Article 18 of the DPL; (ii) to instruct the data controller to correct the system in a way to ensure that personal data processing activities regarding the persons who resigned from their jobs do not continue and to inform the Authority about the result; and (iii) to instruct the data controller to dispose of the data subject's data and to inform the Authority about the result. You may access the summary of the relevant decision here (in Turkish).

You may access other decision summaries (in Turkish) published by the Authority here.

Turkish Data Protection Authority Published Guidelines on Processing of Turkish Identity Numbers

On January 16, 2024, the Authority published the Guidelines on the Processing of Turkish Identity Numbers ("Guidelines"), which aims to provide guidance for the processing of Turkish ID Numbers, which constitute personal data, in accordance with the DPL and secondary legislation, due to various complaints received by the Authority.

The Guidelines contain detailed information on the relevant legislation regarding the processing of Turkish ID numbers in sectors such as e-commerce, cargo, transport, electronic communication, insurance, and in services provided by public institutions and organizations.

The Guidelines stipulate that obtaining Turkish ID numbers allows access to other associated personal data, and may have significant negative effects on the data subjects in this regard. In parallel with this evaluation, the Guidelines emphasize that although the Turkish ID number is not among the sensitive personal data specified in the DPL, it carries crucial importance among general personal data. The Guidelines highlight the principles that data controllers shall comply with while processing personal data regulated under Article 4 of the DPL, relating to data being "relevant, limited and proportionate regarding the purpose for which it is processed," which is important in the processing of Turkish ID numbers, by underlining that all general principles and processing conditions shall be considered in the processing of personal data. Accordingly, in terms of the processing of the Turkish ID number, data controllers are required to examine whether there is a method that interferes less with the right to the protection of personal data, and to apply this method, if any, as well as to take the necessary technical and administrative measures.

The Guidelines, which aim to guide the entities processing the Turkish identity number data in practice, list the provisions of the legislation that require the processing of the Turkish ID number. In this regard, filing a complaint to the Ministry of Trade regarding commercial electronic messages by real persons, delivery of packages, sending commercial electronic messages by craftsmen, registration of the establishment and liquidation of incorporated and limited liability companies, ticketing of journeys, and events and sporting events are some of the examples of situations that foresee the processing of Turkish ID number given in the Guidelines.

In addition, the Guidelines also provide for the provisions of the relevant legislation requiring the submission, display or notification of documents containing the Turkish ID number or identity information to the competent authorities for identification and other purposes. In this regard, some of the cases listed in the Guidelines are identity-verification procedures in the electronic communication sector, electronic payment services, distance contracting and identity verification by biometric methods in private hospitals.

You may access the Guidelines here (in Turkish).

Turkish Data Protection Authority Published Recommendations on Protection of Privacy in Mobile Applications

On December 22, 2023, the Authority published Recommendations on the Protection of Privacy in Mobile Applications ("Recommendation") regarding the protection of personal data within mobile applications, which have become an integral part of people's lives with the increase in the general use of mobile devices. The Recommendation, in general, focuses on personal data processing activities carried out through mobile applications used on smartphones and tablets, and imposes responsibilities on many actors, including the application provider, application developer, advertising network, app store organizations, operating system provider, library provider and device manufacturer.

The Recommendation is divided into two sections, one for individuals using the application and one for parties processing personal data through the application, and different recommendations are given for each category.

Accordingly, the prominent recommendations for both categories can be exemplified as follows:

  • Recommendations for Individuals: According to the Recommendation, to ensure the security of their personal data, individuals should check what data the application requests access to and review its privacy policy before installing the application. Applications should be downloaded from platforms that are considered trustworthy, such as app stores. The Recommendation also warns individuals to be careful about the permissions requested during the use of the application. Similarly, logging into applications through social media accounts should be avoided in order to prevent applications from collecting information from the relevant social network account and making it more vulnerable to threats.
  • Recommendations for Parties Processing Personal Data: The Recommendation emphasizes that data processing activities through applications shall be based on a specific legal ground, shall be honest and transparent regarding data processing activities, and shall allow data subjects to exercise their rights. It cites the need to provide transparency about personal data processed through applications that work with voice commands as an example of this situation. The Recommendation provides advice to parties processing personal data by giving examples, in light of the principles set out in Article 4 of the DPL. According to the Recommendation, in accordance with the principle of being accurate and up-to-date where necessary, data controllers shall allow users to correct their personal data and shall ensure that this mechanism that enables information changing has been considered in the design of the application. In this respect, the Recommendation underlines the risk of disclosure of personal data to a third party in cases where the user enters email and phone number information during subscription to a mobile application, but no verification is made for this information in the mobile application in question. In addition, the Recommendation emphasizes that personal data shall be processed for specific, explicit and legitimate purposes and shall be relevant, limited and proportionate to the purpose for which it is being processed. In this regard, in a mobile application used in contact tracing for the purpose of combating infectious diseases, the Recommendation states that accessing the exact location and movement of users would be contrary to the proportionality principle, while it is possible to obtain information on how close people are to each other over a certain period of time through data collected via Bluetooth technology. 
Finally, the Recommendation also notes that personal data shall be retained for the period stipulated in the relevant legislation or the period necessary for the purpose for which it is processed, and that, for example, converting the status of a user of a mobile application that provides email services to an inactive user if they do not log in to the application for a certain period of time, and retaining their personal data for a shorter period of time compared to active users, would constitute an example of good practice.

The Recommendation also mentions other obligations such as the obligation to register with VERBIS for non-resident data controllers that offer goods and services targeting data subjects in Türkiye, with indicators such as providing a Turkish language option or a delivery option to Türkiye within the application, and making the privacy notice and privacy policies easily accessible in mobile applications to ensure transparency. According to the Recommendation, in personal data processing activities to be carried out through mobile applications, the explicit consent of the user must be obtained in the case of processing personal data that is not required to fulfil the actual function of the application. For example, in cases where access to the user's location is not required for any feature or function of an application, then the user's location data shall not be processed for targeted advertising purposes unless the user gives explicit consent.

In addition, the Recommendation also includes the measures to be taken by data controllers in case of processing personal data of children through mobile applications. Accordingly, establishing systems to verify the age of users and to carry out processing activities for children by following a separate policy and procedure is recommended, especially for applications that are directed towards children or known to be widely used by children.

You may access the Recommendation published by the Authority here (in Turkish).

The Turkish Data Protection Authority Issued an Announcement on Sending a Verification Code via SMS to the Data Subjects During Shopping in Stores

The Authority published a second public announcement ("Announcement") on November 13, 2023, stating that there were complaints received by the Authority regarding the processing of personal data by sending a verification code via SMS to the data subjects during in-store shopping. The Announcement mainly includes recommendations in relation to the complaints regarding the sending of commercial electronic messages related to the store activities to the data subjects after sending an SMS to them for verification purposes during the payment procedures in stores. In this regard, the recommendations provided in the Announcement are as follows:

  • The obligation to inform shall be provided in a layered manner to the data subjects during the payment process. Accordingly, data subjects shall be informed by the authorized persons in the stores and through SMS content about the purpose of the SMS and the consequences that may arise if the data subject reads the code sent to them.
  • Obtaining a single consent for different processing activities such as approval of a membership agreement and sending commercial electronic messages, and processing personal data by sending a verification code via SMS shall be ceased, and explicit consent shall be obtained separately for each processing purpose.
  • Obtaining explicit consent and notice requirements must be carried out separately, and if explicit consent is obtained via an SMS verification code, the consent in question must contain all the elements of explicit consent stipulated in the Turkish Data Protection Law No. 6698.
  • Requesting explicit consent to process personal data for the purpose of sending commercial messages shall not be a prerequisite for providing the service. In this regard, the relevant explicit consent shall be requested after the completion of the shopping by performing a notice requirement to prevent any confusion that may occur for the data subjects.

You may access the Announcement published by the Authority here (in Turkish).

World News

ICO Publishes Draft Guidelines on the Protection of Candidates' Personal Data in Recruitment Processes for Public Opinion

On December 12, 2023, the Information Commissioner's Office ("ICO") published its draft guidelines on the protection of personal data in recruitment processes (the "Draft Guidelines") for public opinion until March 5, 2024, with the aim of assisting employers and recruiters in understanding their data protection obligations when using candidates' personal data.

In the Draft Guidelines, which contain detailed guidance on the phases such as finding candidates, testing, interview processes, verifying the information provided by candidates and keeping recruitment records for employers to process candidates' personal data in accordance with the privacy legislation, remarks on recruitment through automated decision-making and profiling are prominent. Accordingly, the Draft Guidelines regulate the risks that may arise in the recruitment processes carried out by employers through automated decision-making and profiling, and the issues that employers must pay attention to.

According to the Draft Guidelines, the processing of personal data through partially or fully automated decision-making and profiling carries various risks for the rights and freedoms of candidates. For example, algorithms may lead to unfair or discriminatory targeting of certain candidates. In other words, since there is always a margin of error in the decisions made through automated decision-making and profiling, negative effects may occur for candidates. Candidates eliminated as they live a certain distance away from the workplace, even if they intend to move to the region requested by the employer, or those eliminated since their CV is incomplete due to a serious illness can be given as examples of negative results. In this respect, the Draft Guidelines state that data controllers are responsible for processing candidates' data and ensuring that the AI system only uses the information in ways that the employer plans or expects.

The Draft Guidelines' recommendations for employers to avoid these risks include providing human intervention in the process, being selective about when and to what extent automated methods are used, and ensuring that the software used does not contain biases that target or discriminate against candidates.

In addition, the Draft Guidelines underline the importance of informing candidates that profiling will be used during the recruitment process and how their data will be processed, considering that profiling may be a data processing activity that is not expected by candidates in the regular recruitment process. In this regard, the Draft Guidelines recommend that employers and recruiters inform candidates about the risks that may arise from automated decision-making and profiling, and the measures taken to minimize these risks (such as regular testing of the software, ensuring that the algorithm used by the software is fair, effective and non-discriminatory); the level of human participation in the decision-making process; and the right of the data subject to not be subject to automated decision-making.

The Draft Guidelines also include the issues that employers must pay attention to during the examination and verification of the information provided by candidates during the recruitment process. Accordingly, the Draft Guidelines suggest that if employers need to verify the accuracy of the information provided by candidates, they shall obtain only the minimum information they need, inform candidates about the methods to be used in the verification process and only ask for the information they need from the provided referees. In addition to verifying the information provided by candidates, the Draft Guidelines also provide guidance for employers on conducting pre-employment vetting of candidates by consulting third parties. The Draft Guidelines emphasize that such vetting may constitute a serious interference and that employers shall only conduct pre-employment vetting where there is a legal obligation to do so, or where there is a risk for customers or others.

You may access the Draft Guidelines here and the page for public opinion here.

Council of the European Union Adopts Data Act

On February 23, 2022, the European Commission ("Commission") published the Data Act as part of the European Data Strategy. Subsequently, the Council of the European Union ("Council") adopted the Data Act on November 27, 2023. Following its publication in the Official Journal of the European Union on December 22, 2023, the Data Act entered into force on January 11, 2024 and will start to be implemented on September 12, 2025, twenty months after its entry into force.

With the Data Act, the European Union aims to increase access to data and ensure a fair environment for the use of data, while taking another step towards its goal of reaching its target as part of its digital transformation strategy by 2030. The Data Act regulates the flow of data between individuals and the private sector, fundamental rights in relation to data, and who can benefit from data and under what conditions.

Accordingly, the Data Act sets out the following regulations in summary: (i) measures to promote co-operation standards for data sharing and data processing; (ii) right to access to data generated through the use of connected products and related services; (iii) obligations for the sharing of private sector data with public authorities and EU institutions/organizations in exceptional circumstances; and (iv) various contractual, commercial and technical requirements to facilitate the data transition between cloud service providers and other data processing service providers.

For detailed information on the Data Act, you can access our legal alert here and the Data Act published in the Official Journal of the European Union here.

European Union Reaches Agreement on Artificial Intelligence Act

With practices such as using smart devices, recommendation systems and automation becoming more integrated into our lives, legal discussions and developments on artificial intelligence are also progressing. In this regard, in the DigiDiary issue published in July, we reported that trilogue negotiations would start in the legislative process regarding the Artificial Intelligence Act ("AI Act"). As a result of the trilogue meetings between the European Commission, the Council of the European Union and the European Parliament, the parties reached an agreement on the AI Act on December 8, 2023.

The first phase of the negotiations focused on the provisions on general purpose AI systems, prohibited and high-risk systems, and the establishment of the supervisory structure responsible for the implementation of the AI Act, while the second part addressed discussions on national security and law enforcement exemptions.

As a result of the negotiations, an agreement was reached on transparency obligations in relation to general-purpose AI systems. In this respect, the current agreed version of the AI Act includes a number of additional obligations for general-purpose AI systems, including risk management for robust systems that may cause systemic risk, monitoring of significant events and model assessment. These obligations are expected to be fulfilled through rules that will be developed in practice by industry practices, civil society and academic studies.

Moreover, it is specified that the supervision of the implementation of the provisions of the AI Act will be carried out both at national level and by the European Union, and for this purpose, a new Artificial Intelligence Office will be established within the European Commission.

The AI Act categorizes systems used by providers as follows: (i) prohibited; (ii) high-risk; (iii) minimal risk; or (iv) no risk. As a result of the trilogues, an agreement was reached on the scope of the prohibited and high-risk systems under the AI Act. Accordingly, the AI Act classifies systems that manipulate human behavior by interfering with people's free will, social scoring systems and certain elements of predictive policing as prohibited systems. In addition, the use of emotion recognition software in workplaces and school systems is also prohibited. On the other hand, the AI Act considers artificial intelligence systems used in law enforcement, in the administration of justice and democratic processes, and in the practice of law that may interfere with people's fundamental rights as high-risk AI systems.

The AI Act stipulates different levels of fines in case of a breach of the provisions, according to the fixed amounts or amounts to be calculated based on global annual turnover. Accordingly, an administrative fine of 7% of the global annual turnover of the company or up to 35 million Euros for using prohibited AI systems; 3% of the annual global turnover of the company or up to 15 million Euros for using high-risk AI systems; and 1.5% of the annual global turnover of the company or up to 7.5 million Euros for providing inaccurate information may be imposed against those that breach the relevant requirements.

When discussing the prohibited AI systems, parliamentarians insisted that the prohibitions shall not only apply to systems used within the European Union, but also prevent European Union based companies from exporting prohibited applications outside Europe. However, the export ban was not accepted on the grounds that it did not have a sufficient legal basis.

The AI Act is expected to enter into force 20 days after its publication in the Official Journal of the European Union, and to be fully implemented in two years. In the meantime, the provisions on systems prohibited by the AI Act are expected to enter into force six months after the publication of the AI Act in the Official Journal of the European Union, while the general-purpose AI provisions are expected to enter into force one year later. According to information provided by publicly available sources, the European Commission plans to sign an Artificial Intelligence Pact for the transition period to allow relevant actors to complete their compliance with the key obligations in the AI Act before the provisions come into force.
