This country-specific Q&A provides an overview to technology, media and telecom laws and regulations that may occur in Turkey.
This Q&A is part of the global guide to TMT. For a full list of jurisdictional Q&As visit http://www.inhouselawyer.co.uk/practice-areas/tmt-3rd-edition/
What is the regulatory regime for technology?
There are regulatory frameworks regulating various aspects of technology in Turkey. Law No. 5809 (Electronic Communications Law) is the main legislation in Turkey regulating electronic communications and electronic communication services. Law No. 6563 on Regulation of Electronic Commerce (E-Commerce Law) regulates the principles and obligations regarding electronic commerce activities. Law No. 5651 on Regulation of Broadcasts via Internet and Prevention of Crimes Committed through Such Broadcasts (Law No. 5651) regulate take-down procedures, principles of content liability, rights and responsibilities of the internet actors.
Are communications networks or services regulated?
Yes. Electronic Communications Law regulates electronic communication services, as further explained below.
If so, what activities are covered and what licences or authorisations are required?
Electronic communication services may be provided subject to and within the scope of an authorization to be issued by the Information and Communication Technologies Authority (ICTA). Entities who wish to provide electronic communication services and/or establish and operate an electronic communication network or infrastructure, shall notify ICTA before starting their activities.
Is there any specific regulator for the provisions of communications-related services?
ICTA is the designated authority for provisions of electronic communications.
Are they independent of the government control?
ICTA is independent in principle, but is related to the Ministry of Transportation and Infrastructure.
Are platform providers (social media, content sharing, information search engines) regulated?
Yes. Law No. 5651 regulates access ban procedures of Internet contents, and determines the obligations and responsibilities of content providers, hosting providers and access providers. Search engines are not defined under the law.
If so, does the reach of the regulator extend outside your jurisdiction?
Yes. Turkish laws concerning online content are applicable to non-Turkish websites as well.
Does a telecoms operator need to be domiciled in the country?
Yes. Entities that will submit to ICTA for authorization to provide electronic communication services must be a joint stock or limited liability company established under Turkish laws.
Are there any restrictions on foreign ownership of telecoms operators?
There are no foreign ownership restrictions with respect to authorization to provide telecoms services. However, the company applying to ICTA for authorization must be founded under Turkish laws.
Are there any regulations covering interconnection between operators?
Yes. Electronic Communications Law and Regulation on Access and Interconnection regulates obligations relating to interconnection services. Accordingly, operators are obliged to make interconnection negotiations with each other if requested, and if they cannot come to an agreement, ICTA may impose an interconnection obligation to the operators. ICTA may also restrict these obligations where it deems necessary in terms of public interest.
If so are these different for operators with market power?
Yes. As per the Regulation on Access and Interconnection, operators having an efficient market power in the relevant market may be imposed to interconnection obligations by ICTA.
What are the principal consumer protection regulations that apply specifically to telecoms services?
Regulation on Consumer Rights in the Electronic Communications Sector regulates terms and principles for the protection of rights and interests of consumers who use electronic communications services.
What legal protections are offered in relation to the creators of computer software?
Computer programs (i.e. computer software) and their preparation materials (provided that such materials form a program later on) are protected under Law No. 5846 on Intellectual Property (IPL). Accordingly, the owner of the work may determine whether the program will be shared with public, whether the owner’s name will be displayed while sharing the program with public, and prohibit making a change in the program.
Do you recognise specific intellectual property rights in respect of data/databases?
Yes. IPL states that database producers are entitled to enable or prohibit transfer, distribution, sale, lease or public dissemination of database. The protection envisaged for database producer is fifteen years as of publication.
What key protections exist for personal data?
The Law No. 6698 on Protection of Personal Data (DPL) provides the principles and procedures as to processing of personal data. Under the DPL, processing personal data requires either explicit consent of the data subjects, in principle, or existence of one of the legal grounds set out under Article 5 of the DPL (such as legitimate interest, performance of a contract or legal obligation etc.). DPL also requires data controllers to inform the data subjects regarding the purpose of data processing, the identity of the data controller, the persons to whom data will be transferred and the reasons of these transfers, the method and legal reason of data collection and their rights during collection of their personal data.
Are there restrictions on the transfer of personal data overseas?
Yes. In principle, personal data may be transferred abroad upon explicit consent of the data subject. Personal data can be transferred abroad without the explicit consent of the data subject, only if there is one of the conditions set out under paragraph two of Article 5 and paragraph three of Article 6, provided that the country that the personal data will be transferred provides an adequate level of protection. If the protection is not adequate in such country, then the data controllers in Turkey and in that country can provide a written undertaking warranting an adequate level of protection, which should be approved by the Data Protection Board. The Board determines the countries where there is an adequate level of protection and announces them.
What is the maximum fine that can be applied for breach of data protection laws?
The fines regulated under the DPL vary as per the type and degree of breach. Failure to comply with data security requirements, Board decisions as well as registration and notification requirements may be subject to a maximum administrative fine of 1,000,000 Turkish Liras (approximately USD 170,000).
What additional protections have been implemented, over and above the GDPR requirements?
Unlike the GDPR, appearance and clothing and criminal conviction and security measures regarding a person are also considered special categories of data under the DPL. Accordingly, a higher level of protection is provided for a wider range of personal data.
In addition to some of the rights provided for data subjects under the GDPR, under the DPL, data subjects are expressly provided with the rights to (i) request the notification to third parties to whom the personal data have been transferred of operations carried out such as rectification, erasure or destruction, (ii) object to any conclusion to the detriment of himself/herself, which results from analysis of the processed data exclusively by means of automated systems and (iii) request compensation for the damages incurred as a result of an unlawful personal data processing. The foregoing rights should also be included in the privacy notices provided for data subjects by the data controllers.
Are there any regulatory guidelines or legal restrictions applicable to cloud-based services?
Yes. Although there is no particular law or regulation dedicated and specific to cloud-based services, various legislations and regulatory frameworks are applicable to cloud-based services to a certain extent.
For example, in the guidelines published by the Turkish Data Protection Authority (DPA) regarding technical and administrative measures which should be taken by the data controllers, there are references made to cloud-based services and guidelines on erasure of personal data from cloud-based services.
Legislative documents overseen by the Capital Markets Board of Turkey also refer to cloud-based services. For example, Regulation on Operation, Working and Supervision of Data Storage Organizations prohibits storage of certain data on cloud-based services. On the other hand, secondary legislation under the supervision of Banking Regulation and Supervision Agency permits use of cloud-based services for storage of payment information provided that certain precautionary measures are taken.
Most recently, Presidential Circular on Information and Communication Security Measures prohibited storage of data pertaining to public institutions and organizations on cloud services. An exception has been made to the storage of such data on the private systems of public institutions and services provided by local service providers who are under the control of public institutions.
Are there specific requirements for the validity of an electronic signature?
Yes. There are some restrictions and requirements as to the electronic signature, in order to have a valid electronic signature under the E-signature Law. In order to qualify as a secured electronic signature under the E-signature Law, an electronic signature should (i) be uniquely linked to the signatory, (ii) be created through means that the signatory can maintain under his sole control, (iii) be capable of identifying the signatory, (iv) enable determination of whether there are any changes to the electronic data signed by electronic signature afterwards.
In principle there are no restrictions or requirements on the use of valid electronic/digital signatures in Turkey, since an electronic signature has the same legal effect as a handwritten signature under Turkish laws. In this regard agreements may be signed electronically by using an electronic signature certified by (i) an electronic certificate service provider established in Turkey or (ii) an electronic certificate service provider established outside Turkey but whose certificates are accepted by an electronic certificate service provider established in Turkey.
On the other hand electronic signature may not be used in the legal transactions, where the law stipulates official form requirements or special formal procedures for, and the agreements for guarantees. For instance, pursuant to Article 1526 of the Turkish Commercial Code, commercial deeds such as bills of exchange, bonds, checks, warrants and commercial bills may not be executed through electronic signature. Furthermore transactions on these commercial deeds such as acceptance, surety and endorsement may not also be made by using electronic signature.
In the event of an outsourcing of IT services, would any employees, assets or third party contracts transfer automatically to the outsourcing supplier?
No. Automatic transfer of employees, assets or third party contracts to the outsourcing supplier is not regulated under Turkish laws.
If a software program which purports to be a form of A.I. malfunctions, who is liable?
Liability in terms of Artificial Intelligence (AI) is not expressly regulated under Turkish laws and is subject to the general provisions under the Turkish tort law. Fault is the basis to deem that there is liability in Turkish liability regime in principle. The applicability of these general laws on AI disputes is not an established clear issue in the Turkish jurisdiction yet.
What key laws exist in terms of: (a) obligations as to the maintenance of cybersecurity; (b) and the criminality of hacking/DDOS attacks?
a) obligations as to the maintenance of cybersecurity; and
DPL is imposing obligations on data controllers regarding cybersecurity within the scope of data safety obligations. Accordingly, data controllers are obliged to take all technical and administrative measures in order to ensure an adequate level of security including cybersecurity.
Regulation on Network and Information Security overseen by the ICTA also imposes extensive obligations regarding cybersecurity including an obligation to form a team to address and resolve cybersecurity issues.
Communiqué on the Management and Audit of Payment Institutions and Electronic Money Institutions’ Data Systems also imposes obligations to act upon cybersecurity incidents and maintain the security of data systems.
b) the criminality of hacking/DDOS attacks?
Hacking/DDOS attacks are considered as the crime of illegal access to computing systems under Turkish Criminal Code. Besides the DPL also prohibit illegal access to personal data.
What technology development will create the most legal change in your jurisdiction?
Developments in the blockchain technologies and AI might have the most impact in the Turkish jurisdiction in terms of legal changes.
While current laws can be interpreted in a way to apply to future disputes on these matters, new regulations might also be required to address issues arising for the first time in new contexts such as liabilities in terms of AI and transactions through the use of blockchain.
Which current legal provision/regime creates the greatest impediment to economic development/ commerce?
Restraining approach to novel and disruptive technology and digital services, based on traditional regulatory reflexes and to maintain the current established traditional practice and legal landscape without fully adopting to the current needs and fast pace of the market creates the greatest impediment to economic development/commerce.
That said, the legal framework concerning technology, intellectual property, data protection are generally in line with the European Union’s laws on these matters. Therefore, in most of the cases, the letter of law does not constitute an impediment but the interpretation and implementation and the lack of established precedents in certain regulatory landscape that is newly implemented (such as data protection) provides obstacles or barriers to the economic development/commerce.
Do you believe your legal system specifically encourages or hinders digital services?
Turkish legal system is developing in the direction of encouraging digital services. However there are still certain regulations and practices which could interfere with digital services in practice. For instance, access ban procedures and content liability provisions regulated under the internet laws can at times be applied in an excessive manner and therefore, might be problematic in terms of social media services and other digital services provided through internet. That said, this is an area that is gradually improving for the positive and on that note, the Ministry of Justice recently (in May 2019) prepared and announced the judicial reform strategy document which introduces comprehensive changes and improvements to the Turkish judicial system, including the re-visiting of the internet laws on access banning, with a focus on freedom of expression and the methods of blocking access on the internet. Therefore we might expect the continuance of the positive improvements on encouragement of digital services in the days to come.
Regulations and practices in intellectual property and e-commerce are generally compliant with the rules and practices in the European Union. Therefore, international companies providing digital services can usually adapt to and comply with the Turkish laws without much need to alter their existing practices. It might be argued that the foregoing is encouraging both foreign digital services to be launched in Turkey and also for digital services which are provided in Turkey to be launched abroad without significant alterations and thus, related costs.
With the digitalisation of conventional services such as banking, insurance and health services, the laws have already started shifting to allow more room for transactions to take place in the digital medium, such as rules on e-signature.
To what extent is your legal system ready to deal with the legal issues associated with artificial intelligence?
Turkish legal system is at a very early stage to deal with legal issues associated with artificial intelligence. Legal framework and practice concerning digital technologies are relatively new and immature. There is no remarkable legislative or judicial work conducted for preparation to the potential legal issues associated with artificial intelligence.