Lexology GTDT Market Intelligence provides a unique perspective on evolving legal and regulatory landscapes. This interview is taken from the Digital Transformation volume discussing various topics, including a look at the main laws and regulations, the impact of cybersecurity legislation, cloud contract considerations, the impact of data protection laws and more, within key jurisdictions worldwide.
1 What are the key features of the main laws and regulations governing digital transformation in your jurisdiction?
The digital transformation journey of an organisation may require attention to many legal areas as it includes changes in technology, processes and people. The main areas that organisations are focusing on are agreements to be executed with the technology and service providers; data processing; transfer; and cybersecurity.
While the agreements to be executed with the technology and service providers should be carefully reviewed and negotiated as per the general laws including the Law of Obligations and the Law on Intellectual and Artistic Works, data processing, transfer and cybersecurity obligations are mainly stipulated under the Personal Data Protection Law No. 6698 (PDPL).
The PDPL sets out the general framework on the processing, transfer and security of personal data. As for cybersecurity, the PDPL does not provide detailed and precise obligations for companies, but refers to a general obligation to protect personal data where it obliges data controllers to take all necessary technical and organisational measures to provide an appropriate level of security for the purposes of preventing the unlawful processing of, or access to, personal data and ensuring its protection. The requirements are more specifically determined under the decisions and guides of the Personal Data Protection Authority of Turkey. Apart from the PDPL, there is no specific law on cybersecurity in Turkey; however, certain provisions related to cybersecurity are included under different laws, although mostly in direct relation to public institutions and organisations at this point and indirectly affecting the private sector. Accordingly, we generally see the private sector following the best practices in line with their area of work and the personal data that they process.
Significant restrictions are regulated under other laws, especially regarding regulated sectors such as banking. Digitalisation in this area, including open banking, outsourced service providers and other developments, is subject to various rules and limitations which organisations carefully review.
2 What are the most noteworthy recent developments affecting organisations’ digital transformation plans and projects in your jurisdiction, including any government policy or regulatory initiatives?
If not conducted and planned carefully, restrictions on transborder data transfer and emphasis on data localisation may present a setback for organisations’ digital transformation plans and projects. The Personal Data Protection Authority (PDPA) prioritises the enforcement of rules related to the transfer of personal data to foreign countries, and recent decisions have clarified several discussions on the transfer of data outside of Turkey. The PDPA is expected to announce safe third countries to which data processors will be allowed to transfer personal data. Accordingly, the decisions of the PDPA should be carefully monitored by organisations which intend to adopt international digital transformation projects or use cloud services.
We have also seen a change in policy and regulatory initiatives regarding the use of electronic means in government processes in the past decade, and efforts have been accelerated as a result of the covid-19 pandemic. With the digitalisation of data processed by governmental organisations and the widespread use of electronic signatures, online document transfer and approval procedures, the private sector is keen on digital transformation to comply with these developments.
There is also a policy change which is expected to be adopted regarding electronic commercial messages, which include nearly all electronic communications conducted with consumers, including email and text messages. It would require businesses to register on a centralised system where they store information on the approvals provided by consumers regarding their choices for receiving electronic commercial messages. Businesses are required to keep their records updated on the system, which will accelerate their digital transformation processes.
3 What are the key legal and practical factors that organisations should consider for a successful Cloud and data centre strategy?
Organisations are embracing cloud strategies as an integral part of their digital transformation journey, with questions on their minds about agreements to be executed with technology and service providers; business continuity; service sustainability; cybersecurity; and personal data protection. It is important to answer all these questions before adopting a digital transformation project based on the cloud, to minimise the challenges which organisations may face.
Ensuring business continuity and service sustainability is central to implementing a digital transformation project and, in most cases, digital transformation comes with a considerable investment in technology, internal talent and a change of processes. Accordingly, most organisations expect long-term use and therefore should carefully consider enforcement mechanisms and contractual obligations that lead to the continued use of services.
The PDPL and the current legal structure related to the transfer of personal data outside Turkey is a challenge to be addressed for organisations intending to use cloud services when the data is processed in foreign data centres. It is important to consider whether the required processes provided under the PDPL can be followed. If the personal data will not be transferred outside Turkey, organisations should ensure that the cloud provider and the data centre will abide by the security standards of the organisation and, if applicable, organisations should ensure that the necessary approvals have already been obtained from the data subjects. The PDPA’s Personal Data Security Guidebook also refers to good market practices when using cloud services, such as using encryption methods and two-factor authentication and ensuring the removal of all data from cloud servers after the agreement is terminated.
4 What contracting points, techniques and best practices should organisations be aware of when procuring digital transformation services at each level of the Cloud ‘stack’? How have these evolved over the past five years and what is the direction of travel?
From infrastructure to platform, and to software as a service, the cloud provides a wide range of opportunities for organisations. While infrastructure-as-a-service (IaaS) products act as the underlying framework, platform-as-a-service (PaaS) products provide the coding and application-creation environments for customised development. SaaS products are the final customised products that reach the end user.
There are different factors leading to material changes in contract negotiation and best practices at each level of the cloud stack, including the stage of the digital transformation journey at which the relevant organisation sits; whether there is already an IaaS or PaaS solution that the organisation is using; requirements for interoperability; whether the organisation intends to use customised solutions or general-purpose software; the question of who will conduct the implementation or development processes; and whether the data will be hosted on a private cloud. Organisations should carefully consider all these factors to reach their goals for digital transformation.
During the past five years, we have seen a great shift in organisations giving more importance to personal data protection, cybersecurity and ensuring business continuity and service sustainability. We have also seen organisations finding ways to ensure continuous digital transformation, which requires educating or investing in internal talent and expertise.
For personal data and cybersecurity, organisations may prefer private clouds where there are regulatory limitations related to their area of work, or when it is meaningful on a scale and financial basis. Organisations should also consider IaaS providers’ data centre locations, as a transfer of data outside of Turkey may create legal obstacles in some cases.
In terms of business continuity and service sustainability, organisations are looking for long-term use and consistent and durable solutions, as in most cases digital transformation projects come with a considerable investment in technology, internal talent and changes to processes. This leads to a search for legal and practical solutions for organisations, such as implementing service levels with technology and service providers; requirements for business continuity and disaster recovery plans; increased maintenance and support obligations and service levels; specific structures for protecting intellectual property rights and exit plans, including escrow agreements for the safekeeping of source code; and the transfer of know-how and talent. Organisations should carefully consider the consequences of failure and disruption of technological systems and services, as these mostly affect their own internal processes or their relations with, and obligations to, their clients, customers or business partners.
5 In your experience, what are the typical points of contention in contract discussions and how are they best resolved?
The concerns of organisations and technology or service providers vary greatly in line with the technical and financial scopes of digital transformation processes. However, common contract discussions include negotiations on terms related to fee structures and payment schedules; acceptance procedures; change management and warranties for development and implementation projects; exit procedures and source code release for services or development; licence terms, territory and usage limits for licences; service levels for service or support processes; and limitation of liability, governing law and security obligations in general.
In our experience, following the negotiation process with experienced practitioners and technical teams minimises the time and effort spent on contract negotiation related to digital transformation. We also believe it is important to list the key terms, which can differ from project to project. For an inclusive project where the organisation’s internal teams will provide maintenance, further development and support, it will be important to have access to source code and to transfer know-how. However, where the service or technology provider will provide such services, it is important to negotiate how the transition will be conducted if the agreement is terminated or the provider does not duly fulfil its obligations. A working resolution of these concerns mostly comes from clearly defining the exit procedures and including enforcement mechanisms which respect both parties’ interests, such as confidentiality clauses and source code escrow.
Another common discussion point is on warranties. While most software providers press for ‘as-is’ clauses or very limited warranty terms, organisations ask for continuous compliance with software specifications and long-term warranties. Resolution mostly comes from an unexpected path of changing and elaborately defining acceptance procedures or testing methods and executing further agreements related to maintenance and support services.
Limitation of liability is another challenging discussion point between the parties. Organisations bear the risk of facing damages when the technological solutions do not work as agreed by the parties, such as damages incurred by customers or clients who are end users of such solutions, or incurred by the organisation or its business partners because of interruption of services. There are also risks based on cybersecurity and violation of personal data protection regulations. On the other side, technology and service providers do not want to be liable for such third-party damages or the organisation’s loss of profits, business, work or data. The dilemma is mostly solved by including indemnification clauses which are not subject to limitations of liability or are subject to different limitations; excluding some terms, such as breach of security obligations, from the limitation of liability; including insurance requirements for technology or service providers; and limiting the liability of the organisation itself to its customers, clients, vendors or partners.
Organisations should also keep in mind potential required extensions of scope and the scalability of the software and solutions. Accordingly, they should foresee terms with respect to licence scope, usage limitations and further development opportunities.
6 How do your jurisdiction’s cybersecurity laws affect organisations on their digital transformation journey?
There is no specific cybersecurity law in Turkey; however, cybersecurity-related obligations are referred to under different laws and regulations, such as the PDPL for the security of personal data.
Cybersecurity as a concept is particularly included under the Electronic Communication Law No. 5809. The Cybersecurity Board, tasked with approving and making decisions regarding the effective application of policies, strategies and action plans in relation to cybersecurity, is established therein. The Information and Communication Technologies Authority, by reference to International Telecommunication Union Recommendation X.1205, Overview of Cybersecurity, defines cybersecurity on its official website, and emphasises that cybersecurity strives to ensure the attainment and maintenance of the security properties of the organisation’s and the user’s assets against relevant security risks in the cyber environment; and provides that the general security objectives comprise availability, integrity (which may include authenticity and non-repudiation), and confidentiality.
Through the Presidential Circular on Information and Communication Security Measures No. 2019/12, published on 6 June 2019, certain measures for information and communication security are set forth, directly regulating public institutions and organisations and also concerning private businesses that provide critical infrastructure services. Accordingly, the Presidency Digital Transformation Office has published an Information and Communication Security Guide for maintaining the security of critical data, which in general emphasises data localisation and restricts the use of cloud services.
Cybersecurity measures are also included under other laws regarding regulated sectors, the most important being the banking and financial services sector. It is regulated under the Regulation on Information Systems of Banks and Electronic Banking Services that certain systems of banks, including those of cloud service providers, shall be located in Turkey. There are also restrictions regarding the use of cloud services and obligations which should be followed by third-party technology service providers.
7 How do your jurisdiction’s data protection laws affect organisations as they undergo digital transformation?
Processing personal data, and especially, in the case of technological solutions, storing and transferring it, is a key factor for digital transformation. As per the PDPL, personal data shall be processed in accordance with the general principles stipulated under the PDPL and, as applicable, processing shall be based either on the explicit consent of the data subject or on the exceptions stipulated under the PDPL. These principles also apply to the transfer of data, though there are additional requirements considering the risks arising out of the transfer process and the means of transfer.
In the case of transborder data centre and cloud services, or multinational companies with shared data servers, personal data will be deemed transferred abroad. Under the PDPL, in principle, personal data shall not be transferred abroad without the explicit consent of the data subject. There are some exceptions to this general rule. As per the PDPL, personal data may be transferred abroad without the explicit consent of the data subject upon the existence of one of the legal conditions for processing personal data, provided that the country to which the personal data will be transferred has an adequate level of protection; or otherwise upon the execution of written undertakings for adequate protection by the data controller in Turkey and the recipient abroad, in addition to authorisation by the PDPA.
To date, no list of countries with an adequate level of protection has been published by the PDPA. However, the PDPA made a public announcement on 26 October 2020 regarding data transfers abroad. It is emphasised by the PDPA that they aim to contribute to technological developments, provided that these are in line with the PDPL, for the benefit of all stakeholders. In this respect, they are pursuing their work on establishing the countries with an adequate level of protection.
Nonetheless, the relevant provision of the PDPL restricting data transfers abroad is strict, and Convention 108 for the Protection of Individuals with regard to Automatic Processing of Personal Data cannot be used as an exception to the PDPL, as the PDPA has clarified that any obligations regarding enabling transborder data transfers under the Convention shall be evaluated further to, and in line with, the PDPL. The PDPA also pointed out that undertaking letters (outlines of which are published by the PDPA) or binding corporate rules can be used in order to transfer personal data abroad.
There are also specific restrictions under certain laws, especially in regulated sectors such as banking, or in areas related to sensitive personal data such as medical data or data related to religion or membership of associations. For example, banking law defines client secrets as including real and legal person data obtained through the client relationship; and establishes that, even when consent is obtained as per the PDPL, client secrets cannot be transferred to third parties in Turkey or abroad without the specific request of the clients. The Banking Regulation and Supervision Authority is entitled to prohibit client and bank secrets from being shared with or transferred to third parties abroad, and to decide that the information systems of banks and their back-ups shall be kept in Turkey.
8 What do organisations in your jurisdiction need to do from a legal standpoint to move software development from (traditional) Waterfall through Agile (continuous improvement) to DevOps (continuous delivery)?
Waterfall (traditional) development processes provide specific milestones, detailed descriptions of deliverables and a clear division of the parties’ obligations during the development process. Accordingly, the contracts are more focused on terms of delivery, warranties and technical specifications, and they mostly have clear and detailed scopes of work, deliverables, schedules and fees. With the fast-paced nature of technology and organisations giving more value to earlier returns on investment in digital transformation, we are seeing Agile and DevOps processes implemented by organisations.
Agile methodologies are iterative and fluctuating, and mostly focus on developing smaller sections of projects at shorter notice. Teamwork, constant review and development are the building blocks of the process. Accordingly, it is more challenging to determine the scope, the obligations of the parties, the quality or specification of the deliverables, and the warranties for such deliverables. Organisations should give greater importance to meeting and review procedures and to defining the obligations of the parties. As, for most projects, it is not possible to define the detailed scope and specifications of the deliverables under a changing project plan, organisations should work on defining the general vision and outcomes; change procedures; acceptance criteria; and dispute resolution mechanisms. It is also important to focus on intellectual property rights and to confirm who will have the rights in the developed works, as these methodologies are based on collaborative work. The payment and fee structures can vary greatly under a project run by Agile methodology; accordingly, innovative fee structures and payment methods are required. For DevOps, as the development and operations teams are working together, it is important to clarify each party’s role and who will have the intellectual property rights in the developed works.
9 What constitutes effective governance and best practice for digital transformation in your jurisdiction?
Organisations should carefully review the legal considerations related to digital transformation. If the digital transformation process is not properly planned and coordinated, this may result in outcomes that were not intended, and the organisation may face many challenges. It is important for them to review technology and software providers’ legal, financial and technical capabilities as well as their own. To benefit from the digital transformation process as much as possible, the agreements should reflect the best interests of the organisation and be carefully drafted to include terms for acceptance procedures; continuation of services; licences; scope; further development opportunities; maintenance and support; cybersecurity; personal data protection and processes; termination procedures; and exit strategies.
Regulations relating to personal data protection and cybersecurity should be considered in detail and with a holistic approach. Digital transformation projects are required to be designed in line with the principles and terms set forth under these regulations from the initiation of the process. The specific regulations relating to organisations’ fields of activities should also be reviewed to detect any limitations or rules and to avoid unwanted surprises during the later stages of the process.
The Inside Track
What aspects of and trends in digital transformation do you find most interesting and why?
We are very excited to see the use of complex data structures and application programming interfaces to create interoperable and integrated systems, and their effects on organisations. Similar to the projects themselves, contractual relationships have become more dynamic and integrated, and practitioners now require new skills to provide effective advice for their clients. We are also interested in observing different evolving technologies such as artificial intelligence and blockchain. The legal questions raised by the use of these technologies require practitioners to think about different aspects of law and fundamental concepts such as rights, ownership and data, as well as ethics.
What challenges have you faced as a practitioner in this area and how have you navigated them?
Understanding technological developments and clients’ evolving needs is a major challenge for legal teams. Having a relatively young team of legal professionals with a background in or experience with software, technology and digitalisation is a big advantage in this respect. Legislation and its application often lag behind technological developments. In many cases, this poses a challenge when advising clients in relation to technology-based activities and throughout the steps of digital transformation. Delays in regulation, and the resulting confusion of public authorities in setting effective application, can be overcome by extensive legal knowledge and experience in many related areas of law.
What do you see as the essential qualities and skill sets of an adviser in this area?
An adviser in this area should have a significant understanding of the technology and project development processes to give efficient and informed advice. They should be innovative in order to find enforceable solutions, as the main goal should almost always be the continuation of services and protection of data. As the projects touch important business processes in most cases, it is important to advise holistically. We also believe it is crucial for advisers to keep up with the fast pace of digital transformation, while being able to work with all teams from legal, to IP, operations and security.