Amazon Turkey & Binding Corporate Rules
Evaluation of the Turkish Data Protection Authority’s approach to Cross-Border Data Transfer
Bentley James Yaffe
On May 7th, 2020, the Turkish Data Protection Authority (“Authority”) published on its official website the summary of a ruling against Amazon Turkey Perakende Hizmetleri Limited Şirketi (“Amazon Turkey”) regarding the processing and transfer of personal data obtained from users making use of the Amazon Turkey website. The ruling of the Authority was significant for a number of reasons, primarily the high value of the administrative fine issued and the statement made as to the Authority’s approach to cross-border data transfer.
While the Authority’s ruling in the Amazon Turkey case also introduces additional considerations as to obtaining explicit consent and the sending of electronic communications to consumers in Turkey, this article will focus solely on the elements regarding cross-border data transfer. To better understand the implications surrounding cross-border data transfer in Turkey, the Authority’s recent announcements on Binding Corporate Rules (“BCRs”) and the minimum requirements of written transfer undertakings will also be presented.
Before presenting the facts of the Amazon Turkey decision, it is worth highlighting the requirements of Turkish Data Protection Law (“DP Law”) for the lawful cross-border transfer of personal data.
As per Article 9 of the DP Law, the main principle governing the transfer of personal data outside of Turkey is that the explicit consent of the data subject must be obtained. Article 9 also provides two exceptions to the requirement to obtain explicit consent:
For a number of reasons, the list of countries providing sufficient safeguards has still not been published by the Authority. Therefore, to ensure strict compliance with the DP Law, lawful cross-border transfers require either the explicit consent of the data subject or a written undertaking approved by the Authority. Furthermore, as recently as March 2020, officials from the Authority made public statements to the effect that no written undertaking submitted to the Authority had as of that date been approved. This approval method is a significant departure from the data protection regime in the EU, on which the DP Law is based, where Standard Contractual Clauses do not require the approval of any data protection authority.
While the provisions of the DP Law require processing and transfer methods to adhere to one of the two aforementioned conditions for lawful cross-border transfer, it should also be noted that there was a widely adopted approach by data controllers to wait for the publication of the list of countries providing sufficient safeguards. A key contributor to this approach was the fact that the Authority had not taken any official action against data controllers due to cross-border transfer. However, the ruling against Amazon Turkey has now changed the status quo.
An official summary of the Authority’s ruling against Amazon Turkey dated 27.02.2020 and numbered 2020/173 was published on the Authority’s official website on May 7th, 2020. The summary details the initial complaint received by the Authority, the defence presented by Amazon Turkey and the reasoning and final ruling of the Authority.
The ruling of the Authority focused on three areas of complaint raised against Amazon Turkey: the methods and processes utilized to obtain explicit consent as grounds for processing, the sufficiency of the method used in the privacy notice, and the grounds relied upon by Amazon Turkey for cross-border transfer.
As per the complaint received by the Authority, with regard to cross-border transfer, it was presented that Amazon Turkey’s privacy notice stated that personal data could be transferred abroad to the EU and subsequently to the United States; however, at no point was explicit consent obtained for such a transfer.
In their defence, Amazon Turkey presented that their registered users had been both informed of such potential for cross-border transfer and had accepted this fact by consenting to the Amazon Turkey privacy notice. Furthermore, it was noted that correspondence between the Authority and Amazon Turkey regarding written data transfer undertakings was still ongoing. On these grounds, Amazon Turkey argued that the claim that they had engaged in unlawful cross-border transfer was without merit.
The Authority ruled that as the list of countries providing appropriate safeguards has not yet been published and as Amazon Turkey’s written data transfer undertakings had still not been approved by the Authority, the only legal ground for lawful cross-border transfer available to Amazon Turkey was explicit consent of the data subject. Despite Amazon Turkey’s defence, the Authority ruled that merely stating that such cross-border transfer could occur in the privacy notice and stating that registered users would also be accepting the terms of the privacy notice by registering an account was not a sufficient method of obtaining explicit consent of the data subject for cross-border data transfer. Focusing on the main issues that data subjects were not provided with the opportunity to clearly provide explicit consent separately to such a transfer and that consent for data processing and the use of Amazon services were bundled into one process, the Authority ruled that Amazon Turkey had not obtained the explicit consent required for lawful cross-border transfer.
Consequently, on the grounds that Amazon Turkey had not obtained the required explicit consent for, amongst other fields of data processing, cross-border data transfer, the Authority issued an administrative fine of 1,100,000.00 Turkish Lira (at the time of drafting approximately 155,000 USD) against them.
In addition to the published summary of the ruling against Amazon Turkey, the Authority also recently published two announcements that have an important bearing on the issue of cross-border data transfer. The first of these was the announcement dated April 10th, 2020 on BCRs, while the second was the announcement dated May 7th, 2020 on the minimum requirements of written undertakings that must be approved by the Authority.
As per the announcement on BCRs, the Authority said that they will also accept applications by companies who have BCRs and that approved BCRs will be given the same standing as approved written undertakings. The Authority stated that any application for the recognition and approval of BCRs will be evaluated and finalized within one year, though this period may be extended in six-month periods, as necessary.
However, it should be noted that the documentation provided by the Authority regarding BCR applications includes numerous references to the provisions of the DP Law; particularly in areas of the enforcement of rights granted to data subjects under the law. Therefore, even for multinational companies that have BCRs approved by a data protection authority in the EU, there is a high likelihood that any such BCR must be amended or a Turkey-specific addendum signed in order to be granted approval by the Authority.
The announcement on written undertakings to be approved by the Authority aims to clarify the information and minimum requirements that such undertakings must contain. While the Authority had previously published draft written undertakings for use on its official website, as stated above, as recently as March 2020 no applications made using these draft templates had been approved by the Authority.
The announcement of May 7th, 2020 included guidance in the form of a general requirement to provide detailed explanations as to the purpose of the data transfer and the legal grounds and categories of personal data to be transferred. It should be noted that in the announcement the Authority has clarified that these undertakings should only be prepared for data processing and transfers that rely upon legal grounds other than explicit consent.
The primary requirements introduced by the announcement relate to specificity; in terms of clarifying the purpose of the transfer, what categories of personal data are to be transferred for these purposes, the categories of data subjects involved in such transfers, and the legal grounds relied upon for such transfers. To this effect, the Authority has provided guidance that all such information should be clear, specific and avoid generalizations through the use of vague phrases. Furthermore, the relationship between each category transferred, the category of data subject and the purposes of processing and transfer must be clearly laid out.
The Authority’s ruling against Amazon Turkey and the two recent announcements have presented a clearer approach towards the issue of cross-border transfer. The Authority’s approach indicates a stricter enforcement of the DP Law’s provisions relating to cross-border transfer. However, it also introduces additional elements of uncertainty and concerns regarding uniform implementation.
It is beyond contestation that the provisions of the DP Law are in effect and that data controllers in Turkey are under obligation to adhere to such provisions, including those on cross-border transfer. To this effect, to ensure full compliance with the law it is clear that data controllers must either rely upon explicit consent or have written undertakings approved by the Authority. Despite the fact that these are conditions imposed by the DP Law, the Authority’s recent actions have overlooked an important mechanism that would be instrumental in resolving many of the ongoing issues regarding cross-border data transfer: the list of countries providing sufficient safeguards.
While explicit consent and the approval of written undertakings remain the only methods to ensure lawful cross-border transfer, both methods have inherent issues that may lead to certain impracticalities in terms of the certainty required for operational cross-border transfer. Relying upon explicit consent will always pose the risk of data subjects not providing such explicit consent or withdrawing it at a later date, thereby requiring data controllers to have contingency systems that do not rely upon the transfer of personal data abroad. On the other hand, with regard to the approval of written undertakings, as publicly stated by the Authority, as of March 2020 there have been no reported instances of such undertakings being approved by the Authority. However, following the publication of the content and minimum requirements, there may potentially be an increase in the number of undertakings reviewed and ultimately approved.
As cross-border data transfer remains a key component of the business and operational models of many companies, the issues of certainty and practicality that are apparent in the only available options for lawful cross-border transfer pose operational considerations for data controllers in Turkey. The long-awaited publication of the list of countries providing sufficient safeguards would provide data controllers in Turkey with more certain grounds to ensure lawful cross-border transfers. While the Authority’s recent announcements on BCRs and written undertakings may lead to a streamlined application and approval process, the predicted increase in the number of applications that will be submitted to the Authority may lead to increased delays during which cross-border data transfer remains uncertain.
In the short-term, data controllers in Turkey aiming to achieve strict compliance with the DP Law have a number of important considerations to make. Primary considerations will be the feasibility of integrating explicit consent mechanisms into existing cross-border data transfer processes and evaluating and planning the submission of written undertakings to the Authority.