The ubiquitous role of technology in today's business world cannot be overstated. It plays an increasingly meaningful role in all sectors, particularly with many companies recently transferring a substantial portion of their businesses to online platforms. In addition, businesses also increasingly utilize the Internet of Things (IoT) to improve their operations, and capture extensive data to feed into "Big Data" engines to obtain a competitive advantage. In addition to IoT and Big Data, cloud solutions and consumer-based technologies are also changing how companies act to seek more opportunities in the market place. These developments present regulators, businesses and consultants with significant challenges. Naturally, from a legal perspective, three of the most important areas being affected are privacy, cyber security and consumer laws.
As a result of these changes, it has become increasingly difficult for organizations to understand and address the legal risks associated with their compliance with consumer and privacy laws, particularly given the increased pace and volume of new regulations in these areas. There has been an explosion of new data privacy regulations around the world, with some countries introducing on-soil requirements for businesses in order to force them to keep their citizens' personal data within the country. The recent CJEU decision on the EU-US Safe Harbor is another good example of legislative and judicial activity adding to the numerous debates and legal ambiguities that already exist.
Along with traditional IT/C companies, the industries affected by these developments most significantly include the financial, pharmaceutical and automotive industries in particular. This is particularly the case in Turkey in the financial services sector, being an inevitable outcome of Turkey having a young population and a reflection of their interest in technology. For example, according to the ING Mobile Banking 2015 Survey, Turkey is one of the top countries in Europe in terms of the number of mobile payment application users. In fact, Turkey is the only country in Europe where more than half the population says they have used mobile banking services, compared to an average of one-third of Europeans.
Unsurprisingly, this creates awareness of data privacy, cyber security and consumer law issues and forces financial institutions such as banks to increase their efforts on ensuring compliance with these laws in circumstances where there is often a lack of regulatory guidance. For example, Turkey is the only country within the Council of Europe that does not have any national data protection law. While there has been a draft law since 2007, it is uncertain whether it will be enacted in the near future. In addition to creating problems in the flow of cross-border data, lack of a national data protection law also creates legal uncertainty for companies in terms of determining what level of compliance they must maintain.
Yet earlier this year, substantial amendments were introduced to the Consumer Law and the much anticipated E-Commerce Law was enacted, both of which introduced a number of data privacy rules and created a stir among businesses and consumers. These legislative instruments particularly affect the operations of multinational organizations, including financial services companies, in Turkey on multiple levels.
While it is not yet possible to comment on the draft data protection law's impact, the practical implications of the Consumer Law and the E-Commerce Law have already started to emerge. For example, the E-Commerce Law, in force since May 2015, imposes strict rules on commercial messages, online sales and the protection of personal data. Commercial electronic messages include data, voice and images sent for commercial purposes with devices such as phones, call centers, fax machines, automated calling machines, smart voice recording systems, electronic mail and text messaging services. With the newly enacted opt-in mechanism, there is an obligation to obtain prior consent from consumers to send commercial electronic messages. With the availability of new legal remedies and significant administrative sanctions, companies have started altering their policies with respect to consumer relations. The anticipated enactment of the data protection law will similarly require concrete revisions of companies' data privacy policies. Moreover, if and when it enters into force, data protection law will introduce restrictions on cross-border data flows that are similar to those that are already in place in the EU.
In addition, banking, credit card, payment systems along with insurance regulations also provide for certain data privacy and cyber security rules with which the regulated companies must comply. For example, the newly enacted Payment Systems Law, which regulates e-money and e-payment services, introduced certain on-soil requirements for personal data collected by regulated companies. It is also one of the first regulations which specifically mention, and introduce restrictions, on use of cloud services. Moreover, these sectoral regulations also impose sanctions on companies failing to put in place the appropriate security measures to protect personal data.
With its young population and its increasing interest in online services, Turkey presents opportunities as well as challenges to multinational companies. For example, Turkey's financial sector increasingly faces hurdles in ensuring compliance with privacy, cyber security and consumer laws. The new legislative changes not only affect companies that are currently present in Turkey, but also those that have Turkey in their future plans.