Cross-border data transfer in Turkey: will the problems end?

Since the enactment of the Turkish Personal Data Protection Law No 6689 (the Law) in 2016, one of the most critical problems that in-house lawyers of both local and multinational companies face has become cross-border personal data transfers from Turkey. The government has a tendency to keep the data of Turkish residents in Turkey and, additionally, Turkey has not been recognised as a secure country by the European Union. The Personal Data Protection Board has reciprocated in its determination of the secure countries providing an adequate level of protection, disregarding the transfer mechanisms envisaged under the Law and aggravating the already strict environment for the cross-border transfer of personal data.

Despite the Board’s strict stance with respect to cross-border data transfers, in practice, companies in Turkey largely relied on the provisions of the Council of Europe’s Convention No 108 of 1981 on the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108) for data transfers to be made to European countries. However, the Board’s decision, published in September 2020, which disregarded the implementation of Convention 108 for such data transfers, prompted private sector players to voice their concerns, which eventually led the Board to soften its approach and the government to take action to resolve inconsistencies with the EU’s General Data Protection Regulation (GDPR). While the Board’s approach to the implementation of Convention 108 remains the same, it has signaled that amendments to the Law, in line with the provisions of the GDPR, will be necessary. Therefore, it can be inferred that the government is moving away from its strict stance towards a more liberal approach. In this regard, this article focuses on the legislative framework and how the Board’s practice has been shaped over time.

Legislative framework and practice

Although it is not as comprehensive as the GDPR, Article 9 of the Law envisages several mechanisms, which regulate how personal data may be transferred abroad:

  • In the event that (i) the Board determines that the recipient country ensures an adequate level of personal data protection, and (ii) the conditions specified under the Law are deemed applicable, the related transfer operation is permitted to be performed. On the other hand, although the Board has been assigned to publish a list of countries providing an adequate level of protection, no country has been announced yet on the grounds of lack of reciprocity with other countries, especially in Europe. Therefore, this option is currently inapplicable.
  • With the explicit consent of the data subject. Although this mechanism is provided as the first option and the Board mentioned it as a viable choice in practice, companies refrain from applying this mechanism as it may be impractical and unfeasible, since the data subjects’ preferences may change frequently and companies have to comply with their choices duly and without any delay.
  • Where the parties to the related cross-border transfer guarantee an adequate level of protection in writing, by concluding an undertaking or binding corporate rules (BCR), and the approval of the Board for such transfer is obtained. BCR, which are adopted from the GDPR, are applicable to data transfers between multinational group companies. The Board has published the matters that have to be taken into consideration while preparing the undertaking or BCR, as well as the templates to be used. The Board has required the companies to use the templates verbatim while applying for data transfer approval. While the uniform undertaking imposed on companies causes problems for companies – especially for multinational companies that are required to use their own agreements under any jurisdiction due to their company policies – the fact that the Board has not granted any approval until recently has also shaken confidence in terms of the operability and effectiveness of this mechanism.

Recent developments

Considering the main mechanisms envisaged under the Law were not feasible for data controllers in practice, companies were forced to seek other options. As the Law also envisages that provisions of other laws concerning cross-border personal data transfers are reserved and international agreements concerning data transfers are prioritised, companies tend to use the special laws and international agreements as the lawful basis for their operations.

Although companies performing data transfers to European countries started to rely on Convention 108 as the lawful basis, the decision of the Board published in September 2020 shocked the private sector players, as the Board declared that Convention 108 is not a primarily applicable source of law for cross-border transfers. This is despite the fact that the Turkish Constitution recognises the priority of international agreements duly put into effect and concerning fundamental rights and freedoms. However, being party to Convention 108 will be taken into consideration as a positive element in the adequacy decision.

As another mechanism was blocked by the Board, the only options remaining were unsustainable and non-business-friendly mechanisms requiring obtaining explicit consent of data subjects and the approval of the Board to a mutually signed transfer agreement. This did not seem possible as the Board had not granted one. As such, the pressure from companies on both the Board and the government increased and cross-border data transfer has become one of the most controversial issues of Turkish data protection law.

As the criticisms increased and the private sector’s pressure reached a not insignificant level, on 9 February 2021, for the first time, the Board announced that an application by a company (TEB Arval) had received the Board’s approval. This was followed by the approvals of Amazon Turkey Perakende Hizmetleri Ltd Şti and Amazon Turkey Yönetim Destek Hizmetleri Ltd Şti on 4 March 2021, which indicated that the Board is signaling a moderate approach to liberating cross-border data transfers.

Nearing the end

Due to the unmanageably restrictive application of cross-border data transfer in practice, business flow is deeply affected, and therefore sector players are putting pressure on both the Board and the government. This has led to the ongoing work regarding the amendment of the Law’s cross-border data transfer provisions in accordance with EU acquis. Against this background, the Board published a public announcement on cross-border data transfers on 26 October 2020, which signalled their intention to harmonise the cross-border data transfer provisions of the Law with those of the EU. The announcement also sets forth that the principle of reciprocity is significant in the determination of safe countries. However, while bilateral negotiations continue in this regard, since Turkey is not yet recognised as a secure country by any foreign country or the European Union, significant delay may reasonably be expected in the announcement of secure countries.

Additionally, on 12 March, President Erdoğan introduced the Economic Reform Package, which puts forward that necessary amendments to bring the Law in line with the provisions of the GDPR will be made by 31 March 2022. Therefore, it is expected that the current strict transfer mechanism will be relaxed with the harmonisation of the provisions regarding cross-border data transfer, which will lead to an effectively functioning transfer regime compatible with the GDPR.