Part III: Is There a Legal Basis Under Turkish Law for the Administrative Fines and Compliance Orders Against Foreign Data Controllers?
08.04.2024
In our previous articles, we analysed whether the Misdemeanours Act numbered 5326 (the “Misdemeanours Act”) or Article 20(3) of the Turkish Constitution could constitute a legal basis for the Personal Data Protection Board (the “Board”) to issue administrative fines and compliance orders against foreign data controllers (please see here and here). In this article, we will analyse whether the Board can rely on secondary legislation issued by the Personal Data Protection Authority (the “KVKK”) or its own decisions when claiming jurisdiction over foreign data controllers.
The Regulation on Data Controllers Registry issued by the KVKK, the decision of the Board dated 24.01.2019 and numbered 2019/10 and the decision of the Board dated 23.06.2020 and numbered 2020/471 all claim jurisdiction of the KVKK and the Board over foreign data controllers. In our previous article, we explained how the differing interpretations on territorial scope in these documents went against the legal certainty principle under Article 2 of the Turkish Constitution. Relying on these documents for territorial jurisdiction against foreign data controllers is unlawful also because an administrative body cannot claim jurisdiction without an explicit provision in the law in that respect.
Article 123 of the Turkish Constitution states that the administrative bodies are established by law and their authorities are determined by law. Administrative bodies therefore only have the powers expressly granted to them by law and are not permitted to act outside those powers. Thus, the KVKK, which is an administrative institution, and the Board, which is the executive body of the KVKK, do not have the power to grant duties and powers to themselves. The authorization to provide power to the Board and the KVKK belongs only to the legislature as the general law-making body of the state.
One may argue that Türkiye is a sovereign state and must exercise its sovereignty through the KVKK and the Board against foreign data controllers to ensure the protection of the personal data of the individuals residing within its borders. One may further state that this alone should be considered sufficient for the jurisdiction of the KVKK and the Board against foreign data controllers. As logical as such an argument may seem, it would still be unlawful. There is no doubt that Türkiye is a sovereign state. However, it is also a state of law as per Article 2 of the Turkish Constitution and the use of such sovereignty is regulated by the Turkish Constitution and laws.
The preamble of the Turkish Constitution states that no individual or body empowered to exercise sovereign rights in the name of the Turkish nation shall deviate from the principles of liberal democracy set out in the Turkish Constitution and the legal system instituted according to its requirements. This language clearly confines the exercise of sovereign powers to the provisions of the Turkish Constitution and relevant laws. Article 6(2) of the Turkish Constitution sets forth that Turkish nation exercises its sovereignty through authorized bodies, in accordance with the principles set forth under the Constitution. Article 7 of the Turkish Constitution sets forth that the legislative power belongs to the Turkish Grand National Assembly and this power cannot be delegated. In other words, public authorities, including the KVKK, can only exercise sovereign powers where the Turkish Constitution and/or the relevant laws explicitly allow it. Neither the Board nor the KVKK can extend the scope of its authority with secondary legislation such as a regulation or Board decision. In this respect, it is not possible for the Board or the KVKK to purport to create extra- territorial effect of the Personal Data Protection Law numbered 6698 (the “PDPL”) and provide themselves with the power to regulate data controllers located abroad by way of secondary legislation that they themselves issued. This would be against the principle of non-delegation of the legislative power under Article 7 of the Turkish Constitution, which belongs solely to the Turkish Grand National Assembly. This would also be against Article 2 of the Turkish Constitution which sets forth that the Turkish Republic is a state of law. Even if there is a gap in relation to an administrative institution’s responsibility or duty, and what an administrative institution is actually legally empowered to do, the administration cannot fill this gap by granting itself power. In other words, even if an administrative authority believes that it needs to take an action to achieve a purpose that it considers to be within its responsibilities or duties but there is no clear provision of law that empowers such administrative authority to take the relevant action, such action cannot be taken.
As stated by Prof. Dr. Kemal Gözler:
“In order for a state body to be authorized, such authority must be provided to it separately and clearly. If an authority is not provided to that body on a particular issue, that body is unauthorized on that issue as there cannot be any self-proclaimed authority and such body cannot provide itself with authority. The relevant authority must be provided to that body separately and clearly. No state body can claim that the Constitution and the legislature provided it with such authority or should have provided such authority, etc.”1
In light of the above, even if the KVKK believes that the PDPL needs to apply to data controllers located abroad or the processing activities conducted abroad, it cannot grant itself extraterritorial power without an explicit provision under the PDPL allowing it to do so. Only the Turkish Grand National Assembly can decide whether or not to include a provision providing an extraterritorial scope under the PDPL. In this respect, if the KVKK and the Board believe that there is a need to apply the PDPL to foreign data controllers, they need to communicate this need to the Turkish Grand National Assembly. The Turkish Grand National Assembly can then decide whether or not to include a territorial scope provision under the PDPL that would provide the Board with the jurisdiction to issue administrative fines and compliance orders against foreign data controllers. Without such a provision under the PDPL, any administrative fine and compliance order issued by the Board will not have any legal basis under Turkish law.
1 Kemal GÖZLER, Anayasa Hukukunun Genel Teorisi, 2020, Volume I, pg. 337