On July 24, 2012, the Turkish telecommunications regulator, the Information Technologies and Communication Authority (the “ITC Authority”), issued a new regulation, the Regulation on the Processing Personal Data and Protection of Privacy in the Electronic Communications Sector (the “e-Privacy Regulation”). The Regulation was initially to enter into force on January 24, 2013. On February 15, however, the effective date was postponed until July 24, 2013.
What the e-Privacy Regulation will do
Severe new penalties for violations
The new e-Privacy Regulation will introduce more stringent measures on illegal access to and processing of personal data, personal data security, data retention, international data transfer, and processing of location and traffic data. Violation of the new e-Privacy Regulation may result in severe sanctions for telecommunications companies, including a fine of up to three percent of annual turnover and revocation of telecommunications licenses. In light of the new regulation, telecommunications companies should update their data protection measures, data retention systems and information risk management policies.
Illegal processing and access
The e-Privacy Regulation will also introduce more detailed rules on the measures against the illegal processing of and access to personal data. When the regulation becomes effective, operators will be required to have a security policy on processing of personal data and to implement managerial and technical steps to secure personal data appropriate to the risk. In contrast to the previous regulation, the e-Privacy Regulation specifies minimum security requirements, including measures to prevent unrequested, illegal and unauthorized destruction, loss, modification, storage, recording, processing, disclosure and access.
The new regulation also introduces a five-year retention requirement for records of access to personal data. The ITC Authority may also require additional information on security measures as well as modifications adopted.
Risks threatening personal data security
Where a risk threatening personal data security arises, an operator must inform the ITC Authority and its subscribers and users of the risk in an effective and prompt manner. If the risk is beyond the operator’s preventive measures, the operator also must inform subscribers and users how to prevent the risk and indicate the approximate cost of prevention. In the event of a breach of personal data security, the operator must also notify the ITC Authority of the actions taken to minimize the risk and the information provided to subscribers and users on the type and effect of the risk.
If subscribers/users may be negatively affected by the risk, the operator is obligated to notify them of the type of risk, where more information on the risk may be found, and the measures available to reduce its negative effect. Operators must also record the cause and effect of the personal data security breach as well as the remedial action taken.
Retention and deletion of data
Previously, the data retention requirement was limited: Only the identity of the caller needed to be retained for one year. The new e-Privacy Regulation extends the scope of the one-year retention period to include an extensive list of data for each type of electronic communication. As of July 24, 2013, telecommunications companies will be required to retain certain data to detect the source of a communication and the time, duration, type, and location of the communication device where required by law, implement security measures against illegal access and processing, and control access to and the destruction and anonymization of data at the end of the retention period. The e-Privacy Regulation also requires that traffic information retained by an operator be deleted or anonymized when the activity requiring retention is completed.
Processing of traffic data
Traffic data cannot be processed for purposes outside the scope of their services. When traffic data is processed to resolve disputes, its confidentiality and integrity must be preserved until the resolution of the dispute. Processing traffic data to market electronic communications services or to provide value-added communication services requires the data subject's consent and must be limited to permitted purposes. A data subject may withdraw consent at any time in the manner by which the consent was initially granted or by an undefined “simple method”.
Processing of location data
Location data may only be processed to provide value-added communication services and, then, only with the consent of the data subject or after the data have been anonymized. Consent is valid only if the data subject is first informed of the type, purpose and period of the data processing. A data subject may withdraw consent at any time in the manner by which the consent was initially granted or by an undefined “simple method”. Location data may, however, be processed without the data subject’s consent where required by law, court order or in cases of emergency assistance calls.
Prohibition on international data transfer
The international transfer of traffic data, retained data and location data is prohibited without exception by the new e-Privacy Regulation. Violation may result in a monetary fine of up to three percent of the operator's annual turnover, and repeated violations may result in the revocation of the operator's license.
Actions to consider
Before the e-Privacy Regulation comes into force, electronic communication companies should:
- Revise their data security measures to comply with the regulation;
- Revise their information risk management policies in line with the regulation;
- Ensure their data retention systems comply with the regulation’s retention requirements;
- Ensure that traffic data is processed in line with the regulation;
- Prevent the processing of location data except where (i) value-added communication services are provided and the data subject consents to such processing or the data has been anonymized, (ii) required by law or court order, or (iii) in cases of emergency assistance calls; and
- Ensure no retained traffic data or location data is transferred abroad.
The ITC Authority has extended the period granted to the telecommunications companies for compliance with the new e-Privacy Regulation. These new stringent rules on processing of personal data will have profound implications for the telecommunications sector. Companies active in this sector must take significant measures to ensure compliance with these rules by July 24, 2013.