Designation of Countries Providing Adequate Safeguards
Written Undertakings and Binding Corporate Rules
Cross-Border Transfer Provisions in Other Legislation
On October 26th 2020, an announcement was published on the official website of the Turkish Data Protection Authority (“DPA”), summarizing its position on the requirements for lawful cross-border data transfer.
While the announcement itself does not present any new solutions for the current issues surrounding cross-border data transfer, it does provide an insight into the general approach of the DPA that mostly takes the form of a defence of its record.
The announcement begins with a lengthy explanation that recognizes the necessities of data-driven economies and the added value that the processing of personal data can create, stating however that the DPA is also bound by the scope and obligations as set out in Law numbered 6698 on the Protection of Personal Data (“Data Protection Law”).
In this sense, it can be said that the DPA has followed the critiques levelled against the Data Protection Law and its implementation, particularly in light of the recent Amazon Turkey ruling and the ruling on relying upon Convention 108 as the sole basis of cross-border data transfer. However, the undertone of the announcement is definitely an attempt to defend the DPA’s record and to issue clarifications on areas that have previously been criticized by practitioners.
To this effect, the announcement generally summarizes the conditions for lawful cross-border data transfer as set out in the Data Protection Law, while underscoring the fact that the DPA does not want to prevent any and all cross-border data transfers but simply wants to establish a transparent regime that protects fundamental rights and freedoms.
As per Article 9 of the Data Protection Law, in the absence of explicit consent, one of the primary methods available for lawful cross-border data transfer is if such transfers are to entities located in countries providing adequate safeguards.
In the announcement, the DPA once again elaborates on the criteria necessary to designate a country as providing adequate safeguards, with a particular emphasis on the criterion of reciprocity. The DPA also makes reference to the fact that the recognition of such countries is an intricate, long and dynamic process that must also allow for the opportunity to regularly review and re-evaluate any such decision of adequacy.
While both of these points are very valid, it should be noted that the DPA makes supportive references through links to EU-based documents in the form of Article 29 Working Party guidance documents and European Commission documentation. A major critique levelled by practitioners has been the failure to recognize EU member states as countries providing adequate safeguards, particularly since the Data Protection Law is based on Directive 95/46/EC and the DPA’s implementation and approach have been shaped by reference to examples and interpretations of such bodies as the Article 29 Working Party. Therefore, it is interesting that the DPA has continued to make its points underscoring the inability to designate countries providing adequate safeguards by referring to guidance and documentation issued by such countries.
However, the general motivation behind such references may be sought in the DPA’s explanation that during the designation process the Ministry of Foreign Affairs has continually emphasized the requirement for reciprocity. This could indicate a tacit acknowledgement by the DPA that the process is stuck on political points that prevent the more practical approach that many practitioners hoped could be adopted.
In the following section of the announcement the DPA states that any unilateral designation of countries providing adequate safeguards by Turkey would provide an asymmetry that would disadvantage data controllers and data processors in Turkey. Admittedly, this is a point that is difficult to argue against, as any such unilateral designation would present a potential imbalance in the free cross-border flow of data. However, considering that the protection of personal data is a value that has been in development in the EU since the 1980s, taking the form of Directive 95/46/EC (that also formed the basis of the Data Protection Law) and the more comprehensive regime introduced by GDPR, and that data controllers in the EU have the Standard Contractual Clauses (“SCCs”) system available to them to transfer personal data to persons in Turkey, reducing the argument to such an imbalance seems to be a rather simplistic take on the issue.
With regard to the designation of countries providing adequate safeguards, the DPA goes on to state that no official requests have been made from other countries for such recognition, but that evaluations are ongoing with the cooperation of the Ministry of Justice, the Ministry of Foreign Affairs and the Ministry of Trade. The DPA explains that such evaluations and contact with the EU have focused both on the reciprocal recognition and the updating of the Data Protection Law in accordance with the EU legal acquis.
The general message conveyed is definitely that the DPA is ready to engage in bilateral talks with the European Commission for reciprocal recognition as countries providing adequate safeguards, with the undertone that any such process is likely to be held up politically by other ministries in Turkey should the criteria of reciprocity not be met.
The DPA also makes reference to the reliance upon Convention 108 when assessing lawful cross-border data transfer. The major takeaway is the reinforcement of the DPA’s approach that being a signatory to Convention 108 would be taken into account when evaluating the designation of a country, but that requiring additional criteria for designation as a country providing adequate safeguards is not contrary to the provisions of Convention 108. The DPA supports this assertion by highlighting that the EU itself does not regard being a signatory to Convention 108 alone as grounds for the recognition of adequacy.
Again, the DPA defends its past actions and states that its previous rulings, which held that Convention 108 alone does not provide adequate grounds for lawful cross-border transfer, do not render cross-border transfer from Turkey impossible. However, if the DPA ruling published on its official website on September 4th 2020 dampened hope of relying upon Convention 108 as a primary ground for lawful cross-border transfer from Turkey, the more detailed explanations provided in the announcement have finished the job and extinguished any such expectation. Though this obviously does not render cross-border data transfer from Turkey impossible, due to the ongoing issues with the list of countries providing adequate safeguards and the shortcomings of the other processes defined under the Data Protection Law, it does pose operational difficulties in implementing efficient models of cross-border data transfer that facilitate the free flow of data that is integral to many modern processes.
The announcement also covers the other methods of lawful cross-border data transfer that may be utilized in the absence of explicit consent, namely written undertakings and Binding Corporate Rules (“BCRs”).
As per Article 9 of the Data Protection Law, in the absence of explicit consent and/or a country providing adequate safeguards, the parties of a cross-border data transfer must submit a written undertaking detailing the transfer for the approval of the DPA. In the announcement, the DPA states that, while two templates for such undertakings (Data Controller to Data Controller, and Data Controller to Data Processor) have been published on its official website, applications submitted have not contained sufficient information and do not meet the level of detail and clarity expected by the DPA.
However, while such criticism may be valid, it should also be underlined that these undertaking templates were originally provided by the DPA and that, up until recently, detailed guidance had not been provided.
The DPA goes on to state that any written undertaking submitted is closely examined, that the process is handled efficiently and that applicants are provided with adequate guidance. In light of this defence by the DPA, it should be stated that, while there had been critiques of the DPA complicating and prolonging the process, the main concerns focused on other areas. These areas were predominantly the lack of clarity in the process (which had admittedly been somewhat addressed with subsequent guidance published) and concerns as to the status of any ongoing cross-border data transfer subject to the submission of a written undertaking.
The announcement also makes reference to the fact that the DPA has subsequently acknowledged that BCRs are a valid method for lawful cross-border transfer equivalent to an approved written undertaking, and highlights the fact that detailed guidance has been provided as to the minimum requirements such BCRs must meet. Much like in the section of the announcement detailing the process of designating countries providing adequate safeguards, the section relating to BCRs also makes reference to the fact that BCRs are recognized as a viable option under GDPR.
The final section of the announcement makes reference to provisions governing cross-border data transfer in legislation other than the Data Protection Law. The DPA states that the Data Protection Law provides the main regulatory framework, and that other sectoral legislation serves only as a supplementary measure to be applied in conjunction with the Data Protection Law.
However, the DPA goes on to highlight that Article 9(6) of the Data Protection Law states that all provisions relating to cross-border data transfer in other laws remain reserved, thus stating that should a provision relating to cross-border data transfer be present in another legislative measure, steps can be taken in accordance with said provisions. The DPA provides the example of the ruling made in favour of the banking sector that allowed for cross-border data transfer for the purposes stated in Article 73 of the Banking Law, provided that such actions remained compliant with the other provisions of the Data Protection Law.
While the announcement itself does not provide any new short-term solutions to resolve the issues surrounding cross-border data transfer, it does provide valuable insight as to the general approach of the DPA and a few potential future developments.
With regard to the central point made by the DPA throughout the announcement, it is impossible to disagree with the assertion that it is bound by the limitations as presented by the Data Protection Law. The defensive tone used in the announcement and the undertones that highlight the insistence of other ministries with regard to the principle of reciprocity, while emphasizing the readiness of the DPA to negotiate with the EU Commission, may indicate that the DPA itself is aware of the current predicament and may be willing to adopt a more conciliatory tone.
The final brief section that makes reference to other sectoral legislation regarding cross-border data transfer may be one such method utilized to emphasize such a conciliatory approach. As with the example of the banking sector, should other sectors and industries be able to show that applicable sectoral legislation provides for cross-border data transfer, such an argument may be submitted for the DPA’s consideration. However, while even such sectoral exceptions would provide increased operational clarity, having such decisions issued on a piecemeal sector-based approach would lead to an imbalance in implementation and scenarios where larger industries with more active and influential representative organizations are able to secure preferential exceptions.
Instead, a hopeful reading of the subtext of the announcement may provide another potential way forward for stakeholders engaging with the DPA. While the DPA is indeed bound by the limitations of the Data Protection Law, in the announcement it does make reference to the ongoing processes to reform the legislation and harmonize it with the EU legal acquis. Furthermore, the announcement also makes reference to the recognition of BCRs as a valid method of cross-border data transfer, a method that was not explicitly established under the Data Protection Law or any subsequent ancillary legislation. Instead, the process for recognition of BCRs and their equivalency to written undertakings was only established through a DPA ruling that was published on its official website.
Therefore, should the DPA show willingness to introduce such further changes to implementation, or maybe even amend the Data Protection Law, stakeholders engaging with the DPA may want to explore the introduction of a model of SCCs for implementation in Turkey. Focusing sectoral representation and influence, which may otherwise be expended on securing sectoral exemptions, on trying to introduce viable SCCs that also satisfy the concerns of the DPA would present the most balanced, encompassing and operationally viable way forward.
However, while the DPA’s general approach may indicate some potential changes, the factual content of the announcement does mostly repeat either what is established under the provisions of the Data Protection Law or how such provisions have been implemented as per the rulings of the DPA. Therefore, until a new significant development, data controllers in Turkey should review their cross-border data flows and expedite the measures implemented to legitimize such flows.