International transfer of personal data is now permissible under Turkish law with data subjects' explicit consent, a significant change from the blanket prohibition on such transfer under the previously annulled law. Last year, the Turkish Constitutional Court annulled Article 51 of the Electronic Communications Act ("ECA"), the statutory basis of the Regulation on Protection of Personal Data in the Electronic Communications Sector (the "Regulation"), issued by the Information Technologies and Communications Authority ("ITC Authority") on the grounds that personal rights could only be regulated by parliamentary acts. Please click here for more information on the Constitutional Court's annulment decision.
The Constitutional Court's ruling entered into force on 26 January 2015, and since then there had been no law addressing data retention and the processing and transfer of personal data in electronic communications. When combined with the absence of a framework law on the protection of personal data, the annulment decision created room for debate. Finally, on April 15, 2015, the Parliament adopted an omnibus bill which included an amendment to the ECA. The new Article 51 of the ECA contains detailed rules on personal data, including the new rule allowing international transfer of personal data with explicit consent, and replaces the annulled Regulation.
What the new article says
Composed of 13 subparagraphs, the new Article 51 addresses many issues previously addressed in the Regulation. The new, parliamentary-level rules provide that:
- Personal data may only be processed when explicitly permitted by law and in line with principles of good faith.
- Electronic communications and traffic data will be deemed private; therefore, the recording, retention, interception or tracking of electronic communications, in the absence of another legal basis or the consent of the data subject (i.e., parties to the communication) will be prohibited.
- Retaining and accessing data in users' terminal equipment for purposes other than those related to the provision of electronic communications services will only be permitted after obtaining the users' informed consent.
- Electronic communications operators will be obligated to take administrative and technical measures to ensure the security of their users' personal data.
- Subject to other laws governing the transfer of personal data abroad, the transfer of traffic and location data abroad will only be permitted with the data subjects' explicit consent. It is not clear what the phrase "other laws governing the transfer of personal data abroad" means as there is currently no legal framework addressing this issue. It is likely this particular reference is to the draft Law on the Protection of Personal Data, which Parliament has not yet adopted.
Implications for telecommunications operators
While the new Article 51 does not significantly diverge from the annulled Regulation, telecommunication companies and data solution providers which have already revised their data processing, transfer, retention and deletion procedures in line with the Regulation should ensure these procedures comply with the new parliamentary-level rules. Please click here for more information on the annulled Regulation.
Those companies and service providers that have not yet upgraded their systems and procedures should take the necessary steps to ensure compliance with the amended ECA. All actors in the telecommunications sector should also watch for issuance of the secondary regulations which the ITC Authority will issue to provide clearer guidance.
Arguably the most significant change under the new Article 51 is the ability to transfer traffic and location data abroad upon obtaining the data subjects' express consent. Previously, the Regulation had banned the international transfer of data obtained through electronic communications services, without exception. This absolute prohibition complicated the operations of telecoms operators and service providers, including cloud service providers. Following the removal of the on-ground requirements, however, operators and other handlers of this data are expected to breathe a sigh of relief.
The absence of an umbrella data protection law addressing privacy concerns in all sectors worries individuals and complicates international business as many countries and the EU require an adequate level of protection for international transfers of personal data. In the absence of an umbrella law, the amended ECA will not provide an adequate level of protection as it only addresses data protection concerns in the electronic communications sector; however, it is a step forward.