November 2020 – The Turkish Competition Board (“Board”) recently published its reasoned decision (“Decision”) concerning the requests for information pertaining to data on traders’ chat-rooms from a number of financial institutions operating in Turkey as part of its preliminary investigation.
The Board conducted an on-site inspection, followed by two requests for information. The initial notification by the Board requested information comprising all chat-room communications of traders resident in Turkey on the Bloomberg and Reuters platforms between 2018 and 2020. The second request consisted of the chat-room communications of foreign-based traders. For failing to comply with the information request, several undertakings including Citibank A.Ş. (“Citibank”), Goldman Sachs TK Danışmanlık A.Ş. (“Goldman Sachs”), ING Bank A.Ş. (“ING”), JPMorgan Chase Bank National Association Merkezi Colombus Ohio İstanbul Türkiye Şubesi (“JPMorgan”), and Türkiye Garanti Bankası A.Ş. (“Garanti”) have been penalised in the amount of 0.1% of their annual local Turkish turnover generated in their 2019 financial years.
The Decision addresses the validity of the excuses provided by the banks for not complying with the information request, such as General Data Protection Regulation (“GDPR”) and data privacy concerns, and the proper addressee of the information request made by the Board. The Board also addresses the turnover to be used for the calculation of the administrative monetary fine. This article explores the practical application of Articles 15, 16 and 17 of Law No. 4054 on the Protection of Competition (“Law No. 4054”) by the Board and the resulting implications for financial institutions.
GDPR and data privacy concerns of the undertakings
The undertakings expressed their concerns regarding any possible violation of GDPR and other data privacy rules when submitting chat-room data to the Turkish Competition Authority (“TCA”). In response, the Board indicated that the undertakings should not be put in a position of having to choose between obeying the rules of two different sovereign states and thus may not be held liable for an action in Turkey if such action constitutes a breach in other jurisdictions. Nonetheless, the Board in its Decision reminds the financial institutions of the exemptions related to the transfer of data to foreign countries such as Article 49 of the GDPR, as well as data anonymisation.
Consequently, the Board indicated that the undertakings, in their petitions, should detail which data need to be anonymised and for which reasons, as merely stating applicable laws requiring anonymisation is insufficient. Where the undertaking is required to anonymise chat-room communications in order not to violate the laws of the respective countries where the data is held, the Board accepts such anonymisation as long as the anonymisation does not hinder the preliminary investigation process and that the censoring and anonymisation are limited to personal data. In light of the foregoing, undertakings that anonymise personal data or request additional time to comply with the data request for data privacy reasons in good faith will not be in breach of the Board’s request. However, undertakings that cite laws and regulations for the purpose of not providing any information or documents will likely be in breach of Article 16(1)(c) of Law No. 4054.
Who should the information request be served to?
In its Decision, the Board also assessed whether the information request should be served to the subsidiary in Turkey or to the parent undertaking located abroad. The Board notes that whether or not chat-room data can be requested through the subsidiary of a foreign institution that affects the Turkish markets will depend on two criteria: (i) whether the subsidiary conducts operations within the scope of the subject matter of the preliminary investigation, and (ii) whether the subsidiary has any influence or impact on those operations. Quoting its previous decisions such as Syndicated Loans and Booking.com, the Board reminds financial institutions that it will address the company based overseas if the subsidiary has no impact and involvement on the undertaking’s operations in Turkey, as firms which constitute separate legal entities that are economically integrated will be evaluated as a single economic unit.
Notwithstanding this, the Board notes that it is possible to address the subsidiary of a foreign company due to an action that has an impact in Turkey and which is covered under the scope of Law No. 4054, even if it is not possible for the subsidiary to obtain and present the requested information and the subsidiary does not have any operations in relation to the preliminary investigation initiated by the Board. Although this may seem contradictory at first glance, it is apparent that the Board prefers to address the subsidiary under its jurisdiction, much like the European Commission (“EC”). The Board refers to its Syndicated Loans decision as well as the practice in the EU, and concludes that the official service of the information request addressed to the subsidiary in its jurisdiction (i.e., in Turkey) would be sufficient if the main undertaking does not have a seat in Turkey. In a similar vein, the Board evaluated by citing ICI v. Commission that legal notice can be served to the local subsidiaries and that it is the subsidiaries’ duty to act diligently and to inform their parent companies of the information request.
Furthermore, the Board draws attention to the EC note pursuant to the OECD meeting dated 30 November 2018, in which the EC made clear that it often requests information from the EU subsidiaries of foreign companies pertaining to the main undertaking and all other subsidiaries of the undertaking.
As is the case in the EU, the Board ruled that a subsidiary not having access to the requested information and documents cannot by itself prevent a penalty. It is likely that the Board has taken this approach since in practice it may be difficult to enforce information requests and penalties for noncompliance on undertakings in foreign jurisdictions. As such, even those Turkish subsidiaries operating in different market segments than their foreign parent companies could be served notifications, resulting in implications for financial institutions with satellite offices in Turkey providing consulting services.
The Board concludes its contextual analysis of the practice in the EU and its previous case law and the provisions of the Turkish Commercial Code by finding that it is appropriate for the notifications to be served to undertakings’ subsidiaries in Turkey, given that the parent company cannot claim that its subsidiary did not inform it about the information request of the TCA.
Determining and calculating the administrative monetary fine
Article 14 of Law No. 4054 promulgates that the Board may request any information that it deems necessary from all undertakings while carrying out the duties assigned by this law. The officials of such undertakings are obliged to provide the requested information within a period to be determined by the Board.
In its Decision, the Board also addresses whether the single economic entity doctrine or the subsidiary’s turnover will be used for the calculation of the administrative monetary fine. Referring to its Booking.com and Google Android decisions, the Board highlighted that in case the requested information and documents are not provided to the TCA, an administrative monetary fine may be imposed on the undertakings located outside Turkey based on their Turkish turnover. That being said, for the case at hand, due to technical difficulties arising from the calculation of the Turkish turnover of financial institutions located abroad, the Board finds it appropriate for the local turnover of the Turkish subsidiaries to be used when calculating the fine.
Regarding the turnover that the monetary fine will be based on and its calculation, the Board cites its precedents. Previously, where administrative monetary fines were imposed on undertakings engaged in banking activities, the Board took into consideration the relevant provision of Communiqué No. 2010/4 on Mergers and Acquisitions Requiring the Approval of the Board (“Communiqué No. 2010/4”) regarding the turnover calculation for financial institutions. Within this framework, a distinction should be made depending on whether or not the investigated undertakings have the characteristics of a financial institution. In this respect, the Board concluded that since JPMorgan, Citibank, ING and Garanti are deposit banks, they should be considered as financial institutions.
Goldman Sachs on the other hand, serves as a consultancy company in Turkey and does not engage in activities such as investment consultancy, investment brokerage activity and portfolio management. Thus, it is understood that it cannot be evaluated as a financial institution, and its turnover was calculated through its net sales as defined under Article 3(f) of the Regulation on Fines to Apply in Cases of Agreements, Concerted Practices and Decisions Restricting Competition, and Abuse of Dominance.
Apart from the above, alongside the automatic, fixed-rate fine for not providing the requested information or documents per Article 16(1)(c) of Law No. 4054, the Board also reminds the undertakings of its authority to issue additional fines amounting to 0.05% of their Turkish turnover generated in the financial year preceding the fining decision for every day that the undertaking delays its response to the information request, as per Article 17 of Law No. 4054.
The recently released Decision of the Board shines a light onto the interpretation by the Board of Articles 15, 16 and 17 of Law No. 4054 dealing with on-site inspections and administrative penalties. Critically, the Board has ruled on the balance between data privacy and the protection of competition, the proper addressee of the information request, and the turnover to be used when calculating the administrative monetary fine to be imposed. Regarding the sharing of chat-room records of foreign and Turkey-based traders, the Board ruled that it is acceptable for the undertakings to relay the requested data following anonymisation pursuant to the data protection rules in different countries if three conditions are satisfied. Firstly, the anonymisation must be limited to personal data. Secondly, the anonymisation must not hinder the investigation.
Lastly, a detailed justification for the anonymisation must be provided. With regards to the official service of the information request and turnover calculation, the Board decided that the information request can be sent to the subsidiary in Turkey and that the domestic subsidiary’s Turkish turnover can be used for the calculation of the penalty amount after having established which undertakings are to be considered as financial institutions as per Communiqué No. 2010/4.