Subscribe to regular updates:

Share

DPA Digital Digest: Turkey

A close-up of Turkey's regulatory approach to data governance, content moderation, competition and more

Report Image

This is the third issue of the “DPA Digital Digest” series based on the Digital Policy Alert database. This series provides concise summaries of each G20 nation’s recent policy changes in data governance, content moderation, competition and further domestic focal points.

Authors

Tommaso Giardini

Date Published

28 Mar 2023

Turkey's 2023 Industry and Technology Strategy declares its ambitions to become a leading force in technology, combining competitiveness, independence, and innovation. But what do Turkey’s domestic digital policies stand for?

The third DPA Digital Digest provides a succinct overview of the latest policy and enforcement developments in major policy areas and Turkey-specific focal points. Turkey’s data governance regime requires data localisation for social networks and registration for data controllers. In content, new moderation obligations apply to e-commerce, online news and social network providers, while enforcement extends to advertisement bans. Competition policy evolved both regarding unilateral conduct and merger regulation, accompanied by active enforcement. The focal points include the digital service tax, regulation of electronic payments including cryptocurrencies, licensing for e-commerce providers and consumer protection in electronic communications.

Jump directly to the section that interests you most:
or browse this Digital Digest in full below.

Discover the details of Turkey's approach below and stay informed on our dedicated page: https://digitalpolicyalert.org/countries/turkey

Remain up-to-date on new and upcoming policy developments with our free notification service: https://digitalpolicyalert.org/subscription


Data governance

Data protection policy developments

As of 2022, data controllers must register with the Data Controllers Registry Information System (VERBIS). The requirement applies to all foreign data controllers as well as those local controllers that exceed employee and revenue thresholds or pursue data processing as their principal business activity. The registration process requires a data processing inventory, the appointment of a local representative (either a natural or legal Turkish person residing in Turkey) and a contact person (a natural Turkish person residing in Turkey).

In March 2021, the Turkish government launched the Action Plan on Human Rights, including the goal of Protecting the Private Life in the Processing of Personal Data (6.7). The plan tasked the Ministry of Justice with proposing amendments to the data protection regime within one year. A stated objective was to harmonise the Law on the Protection of Personal Data with the standards of the European Union (EU). In August 2021, the data protection authority (KVKK) circulated amendments within the government that were not yet made public. The proposed amendments included requirements for processing special categories of personal data, but did not advance beyond this stage.

Data transfer/localisation developments

The social media law of 2020 established a local storage obligation for social networks accessed by over a million daily users. Such networks are required to take "necessary measures" to localise the data of Turkish users.

The Law on Protection of Personal Data allows transfers only with the consent of the data subject or the approval of the KVKK. Technically, transfers are allowed to countries with an adequate protection level. To date, however, the KVKK has not issued the necessary whitelist. Hence, without user consent, controllers must seek permission from the KVKK for data transfers, even with binding corporate rules. The abovementioned 2021 amendments–which the KVKK proposed non-publicly but did not advance further–aimed to create a “standard undertaking” mechanism to facilitate transfers. The use of such clauses would have required notification to the KVKK rather than approval, aligning the regime to the EU’s approach.

Secondary legislation and enforcement developments

Digital businesses must navigate a variety of secondary legislation on data protection. The KVKK has issued guidance on typical practices, such as third-party personal data sharing and the use of cookies. It has also provided guidelines relating to specific technologies including recommendations relating to artificial intelligence, guidelines on biometric data and the right to be forgotten regarding search engines.

Recently, the KVKK imposed fines on several companies for failing to fulfil data registration obligations or for not being transparent about data transfers. In March 2023, the KVKK fined Meta and WhatsApp TRY 2.67 million each (approx. USD 140,000), for failing to comply with registration requirements. Already in 2021, the KVKK had sanctioned WhatsApp with a fine of TRY 1.95 million (approx. USD 102,000) for failing to obtain consent for the processing of personal data and not being transparent regarding data transfers. Also in March 2023, the KVKK fined TikTok TRY 1.75 million (approx. USD 92,000) for not ensuring appropriate data security and preventing unlawful data processing. The privacy policy did not sufficiently specify the purposes of data collection and processing and did not require separate consent for particular data disclosures, such as cookie profiling. Finally, TikTok collected the data of children (below 13) without parental consent and did not appropriately restrict access to this data. In 2020, the KVKK sanctioned Amazon Turkey for not obtaining express consent before using cookies and sending electronic commercial messages.


Content moderation

Content moderation developments

Turkey has increased content moderation obligations across the digital economy. Since 2023, e-commerce intermediary providers must remove unlawful content from the listings on their platforms, including advertisements, and notify authorities. In October 2022, the disinformation law incorporated Internet news sites into the scope of the Press Law. Ever since, the dissemination of misinformation and false accusations regarding national security and public order on news sites is a criminal offence, punishable by jail. Furthermore, news sites must keep a record of the posted information for 2 years. In 2020, the social media law introduced obligations for social networks. Providers with over one million daily users have to maintain a legal presence in the country and must respond to requests to remove illegal or privacy-infringing content within 48 hours. Non-compliance is punished with a cascade of increasing fines, an advertisement ban and internet bandwidth reduction. In 2021, a guideline introduced obligations regarding online advertisements for influencers and advertisers. It prohibited hidden advertisements across platforms, threatening advertisement suspensions for non-compliance.

Enforcement developments

Governmental content takedown requests are not documented by public, official sources. The Information Technologies and Communications Authority (ITCA) has publicly sanctioned foreign companies for non-compliance with the local presence requirement enshrined in the social media law. In 2020, it fined several firms, including Twitter, Facebook, Instagram and YouTube, with TRY 10 million (approx. USD 525,000) and, after 30 days, TRY 30 million (approx. USD 1.6 million). Subsequently, in 2021, the authority imposed an advertisement ban on Pinterest, Twitter and Periscope.

In January 2022, the Turkish Constitutional Court published a ruling restricting the blocking of online news. The ruling overturned blocking orders concerning online news articles that allegedly harmed the reputation of politicians and public servants. The blockings were issued without notice to or hearing of the content or hosting providers, a procedure reserved for blatant violations that judges can determine without a hearing (prima facie). The court overruled the orders, limited the use of the blocking procedure to criminal cases with a heightened harm threshold and implemented safeguards and reversal procedures.


Competition

Competition policy developments

Starting in 2024, the 2022 amendment to the Law on the Regulation of Electronic Commerce subjects e-commerce intermediary platforms to a strict regime concerning unilateral conduct. For one, they are prohibited from selling their own trademarked goods. For two, platforms with an annual transaction volume exceeding TRY 10 billion (approx. USD 525 million) cannot use the data collected from their e-commerce platform to compete with other providers. Finally, platforms with an annual transaction volume exceeding TRY 60 billion (approx. USD 3.15 billion) are prohibited from entering certain new industries including transportation.

Since May 2022, large technology companies are subjected to specific merger notification rules. The rules apply to companies such as digital platforms, software and gaming companies as well as financial and health companies that conduct research and development in Turkey or provide services for users in Turkey. For acquisitions by these companies, the usual notification threshold of TRY 250 million (approx. USD 13.1 million) annual turnover does not apply. Any acquisition must be notified to the Turkish Competition Authority.

Enforcement developments

The Turkish Competition Authority (TCA) regularly enforces competition rules in digital markets. In March 2023, the TCA fined Twitter for failing to request authorisation before Elon Musk’s acquisition thereof but subsequently allowed the transaction. The TCA also cleared Google’s acquisition of Mandiant in June 2022, which was subject to the new merger notification rules. In October 2022, the TCA fined Meta approx. TRY 346.7 million (approx. USD 18.2 million) for abusing its dominant position by combining data from its core services Facebook, Instagram and WhatsApp. Furthermore, the TCA accused Meta of limiting competitors’ access to the online display advertising and social networking markets.

In recent years, the TCA has pursued several investigations into the abuse of dominance by Google. Currently, the TCA is investigating the alleged abuse of a dominant market position in the general search services market. In 2021, the TCA conducted an investigation into the search market and price comparison tools, which led to a fine of TRY 296 million (approx. 15.5 million). The TCA found that Google favoured its price comparison tool for accommodations and search services and disadvantaged competitors. In 2020, the TCA investigated the search market and shopping comparison tools, fining Google TRY 98 million (approx. USD 5.1 million) for channelling internet traffic away from competitors to its Google Shopping service. Notably, the TCA classified Google's first page of search results as "vital" for traffic and Google’s unlimited discretion over the page as anti-competitive. Regarding the digital advertising market, the Administrative Court of Ankara confirmed a fine of TRY 196.7 million (approx. 10.3 million) for preferencing its own advertisement platforms (Google Adsense / Adwords) in 2022.


Further digital policy focal points

Taxation

Since March 2020, the Turkish digital service tax is in force. The tax applies to companies that pursue digital advertising, sales of audio/visual/digital content through a digital platform or digital marketplace services and exceed a global annual revenue of EUR 750 million (approx. USD 815.7 million) or local annual revenue of TRY 20 million (approx. USD 1.1 million). The president may adjust the tax rate of 7.5% at his discretion within the range of 1-15%.

On 22 November 2021, the United States and Turkey announced an agreement on the transition from the existing Turkish tax to the OECD/G20 Inclusive Framework. Under the agreement, Turkey will remove its existing DSTs before the entry into force of Pillar One of the framework, in exchange for the US retracting trade measures originally adopted in response to the tax.

Electronic payments

Since 2021, several regulators have enacted secondary legislation to regulate electronic payments. The regulations concern both data security in the financial context and the validity of cryptocurrencies.

The Banking Regulatory and Supervisory Authority (BRSA)’s has adopted a regulation expanding the banking confidentiality obligation to any information related to bank clients. In addition, the BRSA’s Regulation on Bank Information Systems and Electronic Banking Services introduces data protection obligations as well as fake advertising prevention and risk management mechanisms. The Turkish data protection authority’s guidelines on the protection of personal data in the banking sector establish best practices, including on the legal grounds for data processing and the content of data processing agreements. Finally, a central bank communiqué obliges financial institutions (specifically, their board of directors) to ensure the security of information systems, including safeguards for sensitive customer data and information mechanisms for data breaches.

Regarding cryptocurrencies, the Turkish central bank imposed a ban on the use of crypto assets in the Regulation on the Disuse of Crypto Assets in Payments in 2021. In the same year, the central bank issued the Regulation on Payment Services and Electronic Money Issuance, which excludes cryptocurrencies as legal tender by tying the definition of electronic money to fiat currencies. Meanwhile, the central bank is conducting a pilot Digital Turkish Lira Project, which will expanded to a Collaboration Platform with banks and fintech companies in 2023.

Electronic commerce

The 2022 amendment to the Law on the Regulation of Electronic Commerce brought substantial new rules for electronic commerce providers – beyond those outlined in the competition and content moderation sections above.

From 2025 onwards, a new licensing regime applies to e-commerce intermediary platforms. Platforms with a transaction volume exceeding TRY 10 billion (approx. USD 525 million) and intermediating more than 100,000 transactions per calendar year must obtain a license and renew it regularly. The licensing fee is calculated according to the platforms’ net transaction volume. The government can sanction violations with TRY 20 million (approx. USD 1.1 million) or 10% of yearly net sales and, if they are not rectified, may block access to the platform. In addition, the amendment increases the Ministry of Trade’s ability to regulate e-commerce activities, which providers must report to every year.

In December 2022, the government adopted the Regulation on Electronic Commerce Intermediary Service Providers and Electronic Commerce Service Providers. It includes obligations regarding counterpart identification, complaint mechanisms and compliance reporting as well as a requirement to establish a local contact point for e-commerce intermediary platforms.

Electronic communications

The 2022 amendment to the Regulation on Consumer Rights in the Electronic Communication Sector subjects imposes various transparency obligations on communications operators. Operators must inform consumers clearly and free of charge regarding fees and publish tariffs in a consistent, transparent format. Regarding subscription agreements, operators must provide one-page summaries on fees, enable electronic agreements and terminations and store information on agreements for 30 years after termination. Finally, service restrictions and suspensions are restricted to cases of severe overuse and excessive failure of payment.