The Regulation on the Processing of Personal Data and Protection of Privacy in the Electronic Communication Sector (“Regulation”) has been published in the Official Gazette dated 4 December 2020 numbered 31324.
The general aim of the Regulation seems to be to ensure the protection and privacy of personal data in the communications sector and the regulation of procedures and principles regarding operators’ relevant data protection obligations arising from the Electronic Communication Law (“ECL”) numbered 5809 and the Personal Data Protection Law (“DPL”) numbered 6698.
The Regulation has been prepared in accordance with the general personal data protection rules established in the ECL and the DPL; though there is a point of contention regarding provisions of the Regulation that allow the offering of additional “bonus” benefits to obtain explicit consent for processing.
As the authorized body responsible for the implementation of the ECL, the Regulation has been prepared and published by the Information and Communication Technologies Authority (“ICTA”), and to a great degree has been prepared in a manner that avoids overlapping with the authority and purview of the Turkish Personal Data Protection Authority (“DPA”).
Technical and Administrative Safety Measures
The Regulation defines the minimum technical and administrative measures that must be taken by operators to ensure the safety of their services and personal data.
These measures have been listed as:
- establishing required security policies,
- protection of personal data against data breaches such as unauthorized or unlawful access to, or the damage, loss, or disclosure of such data,
- ensuring the security of systems storing personal data.
These minimum measures must remain in accordance with all requirements imposed by the DPL and national and international standards. Furthermore, the Regulation states that operators must implement such measures pursuant to a risk-based approach in accordance with available technological developments.
Therefore, it is clear that the ICTA expects operators to remain up-to-date with sectoral and technological developments. This is further reinforced by a provision in the Regulation that authorizes the ICTA to request information and documentation as to measures implemented by operators, and to require changes to be made to such measures.
In addition to the operators’ obligation to notify their subscribers and users in the situation of a data breach as per the DPL, the Regulation also introduces an obligation for operators to notify their subscribers and users of any occurrence of risk that threatens their network infrastructure or services.
Explicit Consent Requirements
In addition to the general requirements of the DPL, the ECL contains provisions that establish further principles in relation to the regulatory regime that is applicable to processing personal data by operators.
The relevant provisions of the ECL provide for situations where operators do not need to obtain the consent of their subscribers, such as the use of traffic data to manage traffic, providing interconnections, reviewing customer complaints and the use of location data for emergency call management. Other than for such purposes, the consent of subscribers is required for data processing, particularly for the provision of value-added electronic communication services or marketing electronic communication services. The Regulation further clarifies the procedures and principles that apply to the obligation to obtain consent.
Many of the clarifications provided as to the conditions required to lawfully obtain explicit consent mirror the provisions of the DPL and the subsequent rulings issues by the DPA. Such clarifications include the requirement to obtain explicit consent prior to any processing activity necessitating such consent and the requirement to clearly inform the subscribers and users as to the purpose of processing prior to obtaining their consent. The Regulation determines that operators must clearly provide subscribers and users with information as to specific location and traffic data that is to be used pursuant to gaining explicit consent.
Furthermore, the Regulation also affirms the position of the DPA that such explicit consent cannot be made compulsory in the form of a precondition for the establishment of a subscriber relationship or for the provision of electronic communication services.
An important development in the Regulation is that it enables operators to request explicit consent from subscribers and users as a condition of providing “additional bonuses” such as complementary minutes, SMS, or data. While subscribers and users cannot be forced to provide explicit consent and accept such additional bonuses, this provision has been criticized as being open to misuse by operators and granting operators in the telecom sector an unfair competitive advantage in obtaining explicit consent for marketing purposes.
The Regulation also diverges somewhat from the DPL with a provision that states that, unless subscribers and users have requested otherwise, upon termination of a subscription any explicit consent that was previously provided by the subscriber or user shall be deemed as withdrawn as of the final date of the subscription.
Another area in which the Regulation diverges from the DPL with regard to relying upon explicit consent is with a newly introduced obligation to notify subscribers and users who have provided explicit consent as to the data processing activities carried out pursuant to such consent on an annual basis in the third quarter of each year. Failure to provide notification will require operators to suspend data processing based on such explicit consent until notification has been provided.
While both the ECL and the Regulation provide that traffic and location data can be transferred abroad pursuant to explicit consent, Article 5(2) of the Regulation contains a provision that is something of a contradiction. Article 5(2) states the principle that, based on the grounds of national security, traffic and location data must remain in Turkey. However, as both the ECL and the Regulation contain provisions that allow for such transfer abroad, it is our interpretation that Article 5(2) should not be interpreted as a blanket ban on the transfer of such categories of data. Instead, it may indicate a continuation of the legislative and regulatory trend in Turkey towards increased data localization. Including such a principle in the Regulation may provide future grounds for the ICTA to issue orders that prevent the transfer of such data abroad based on the grounds of national security.
Consent Obtained Prior to the Regulation
The Temporary Provision of the Regulation provides that consent obtained lawfully prior to the Regulation remains valid. However, as per the Temporary Provision, the processing of personal data for anyone whose explicit consent had been previously lawfully obtained but who had subsequently terminated their subscription to the operator must cease within a month of the Regulation coming into effect, unless explicit consent to continue has been obtained by operators.
The Regulation also provides additional rights of privacy for subscribers and users and aims to increase their involvement and agency in the management of their privacy preferences.
Consequently, the Regulation requires that in situations where operators provide incoming call screening options, operators must also provide a simple and free method for the caller to withhold their number from the recipient. In the case of calls where the caller number is withheld, operators may only allow a connection if the recipient subscriber or user has previously provided their consent to receive number withheld calls.
The operators are also required to provide subscribers and users with the right to prevent any calls transferred by third parties, and to obtain their consent before transferring their calls to any number/automatic message system that will accrue charges.