The Most Recent Ruling by the Authority
Considerations as to Convention 108
What this Means for Cross-Border Data Transfer
On September 4th, 2020, the Turkish Data Protection Authority (“Authority”) published on its official website the summary of a ruling against an unidentified data controller regarding the use of the Convention for the Processing of Individuals with Regard to Automatic Processing of Personal Data (“Convention 108”) as grounds for lawful cross-border data transfer. While Turkey had signed Convention 108 in 1981, it was only ratified in 2016, officially coming into effect on September 1st, 2016.
As per the ruling of the Authority, it has been established that solely relying upon Convention 108 would not be sufficient grounds to establish lawful cross-border data transfer as per the Turkish Data Protection Law (“Data Protection Law”). While the Authority did state that being a party to Convention 108 would be looked upon favourably when determining whether a country provided adequate safeguards, being a signatory to Convention 108 itself would not provide overriding grounds to legitimize cross-border data transfer to persons located in said countries.
With this ruling the Authority has further solidified its approach to cross-border data transfer that was established in its ruling on Amazon Turkey. While the Data Protection Law does not have any explicit requirements for data localization, with this most recent ruling the conditions for lawful cross-border transfer have in effect become a lot more limited.
As per Article 12 of Convention 108, “A Party shall not, for the sole purpose of the protection of privacy, prohibit or subject to special authorisation transborder flows of personal data going to the territory of another Party.” While the remainder of Article 12 does allow for certain derogations, it is clear that this provision of Convention 108 has the general aim of restricting prohibitions and ensuring the freedom of cross-border data transfer amongst the parties that have ratified the convention.
The data controller that was the subject of the investigation by the Authority presented the defence that as the recipient persons were located in countries that were party to Convention 108, measures that would prohibit cross-border data transfer to such countries should not be imposed. The data controller presented the argument that as Turkey had not registered any requests for derogations to the relevant provision of Convention 108 or the additional protocol of Convention 108, it should be accepted that transfer of personal data to persons located in countries party to Convention 108 should be regarded as lawful as per the Data Protection Law.
In summary, the Authority rejected this argument and ruled that being a party to Convention 108 would only serve as an ancillary consideration when determining whether a country was to be included on the list of countries providing adequate safeguards. Despite Article 12, being a party to Convention 108 in itself was not determined to be grounds for lawful cross-border data transfer. Due to the fact that the data controller had relied solely upon Convention 108, the Authority ruled that the cross-border data transfer was contrary to the relevant provisions of the Data Protection Law and issued an administrative fine of 900,000 TRY.
Up until the ruling of the Authority there had been an approach in Turkey that Convention 108 could, in theory, be relied upon to legitimize cross-border data transfer to persons who were located in countries that were party to the convention and could, therefore, be used as a defence against any attempts by the Authority to issue administrative fines.
While this approach may be categorized as wishful thinking on behalf of data controllers and privacy professionals in Turkey, in the continued absence of the list of countries providing adequate safeguards, it was viewed as a viable method of ensuring lawful cross-border data transfer. Furthermore, this approach was also grounded in the wording of Article 9 of the Data Protection Law that stated that the provisions of international treaties and other legislation remained reserved with regard to lawful cross-border data transfer.
It should also be noted that Convention 108 was ratified and came into effect as applicable law in Turkey after the Data Protection Law was published in the Official Gazette and thus came into effect. Therefore, the relevant provisions of Convention 108 could be considered both within the scope of an international treaty that Turkey was a party to and as a measure having legislative effect that clearly came into effect at a later date than the Data Protection Law.
The approach to rely upon Convention 108 came about mostly due to issues regarding the implementation of Article 9 of the Data Protection Law that governs the conditions for lawful cross-border data transfer. As per Article 9, there are three methods available for lawful cross-border data transfer originating from Turkey: the explicit consent of the data subject, the recipient person being in a country that provides adequate safeguards, or both parties of the transfer signing a written undertaking that is submitted for the approval of the Authority.
While it was expected that an initial list of countries providing adequate safeguards (which would include EU countries) would be published relatively soon after the Authority was established, as of yet no version of the list has been made public. While the Authority has published a more detailed set of criteria to be used to determine such countries, it has not ruled that any country provides such adequate safeguards. A primary reason for the continued delays can be linked to the fact that reciprocity is listed in both the Data Protection Law and further guidance published by the Authority as a criterion when determining whether a country provides adequate safeguards.
In practice the fact that the list of countries providing adequate safeguards remains unpublished meant that data controllers could only rely upon the methods of explicit consent or the written undertaking submitted to the approval of the Authority. In addition to these two methods, as per the Authority’s announcement of April 10th, 2020, applications for Binding Corporate Rules to be recognized as having the same standing as approved written undertakings are also listed as an option to legitimize cross-border data transfer.
However, all three of these methods have inherent problems that raise issues with regard to structuring processes for cross-border data transfer. Relying upon explicit consent as a method poses problems as to contingency plans and systems should data subjects not provide consent or withdraw their consent at a later date. Additionally, any attempt to make explicit consent mandatory for cross-border data transfer would face questions as to the legitimacy of the consent.
The process for submitting written undertakings for the approval of the Authority is currently embroiled in many delays, with Authority officials making public admissions as recently as March 2020 that no submissions had been approved. These delays are despite the fact that the template undertaking formats used by data controllers are those published on the official website of the Authority. Furthermore, as these undertakings must list the grounds and purposes of processing in relation to each category that will be transferred abroad, preparing the undertakings to the level of detail that is increasingly requested by the Authority poses problems relating to accuracy, particularly considering the dynamic and evolving nature of data processing and data flows.
Similar issues also exist with obtaining approval for Binding Corporate Rules, a method that – as of the time of drafting – has not yielded any officially published decisions by the Authority for their recognition.
As expressed above, this ruling has reinforced the Authority’s approach of strict compliance with the provisions of the Data Protection Law, despite the Authority’s continued failure to publish a list of countries providing adequate safeguards.
As relying upon either of the methods of explicit consent or submitting written undertakings to the approval of the Authority poses a number of issues in terms of practicality and efficiency, from a strict compliance approach, the options of lawful cross-border data transfer originating from Turkey have become limited.
In combination with these limitations, the fines issued against the data controller in this most recent ruling by the Authority and the administrative fine of 1,100,000 TRY previously issued against Amazon Turkey (for issues that included failure to ensure lawful cross-border transfer) have increasingly indicated that the Authority will take a stricter approach to investigating and fining cross-border data transfers that do not comply with the Turkish Data Protection Law.
Therefore, all ongoing and planned cross-border data transfer involving the personal data of data subjects in Turkey must be placed under scrutiny. A risk-based approach is essential, and data controllers must consider the currently available options for lawful cross-border data transfer when determining the extent and methodology of data transfer from Turkey.