Cross-Border Transfers of Personal Data in Turkey
23.12.2020
International transfer of personal data is one of the most important and problematic issues in data protection practice, both for regulators and for practitioners. It is for this reason that some of the earliest documents issued by the Working Party 29 related to the international transfer of personal data. This issue has also been a point of discussion in Turkish practice, and it is even more problematic in Turkey, as the current legislative framework amounts almost to a de facto localization requirement. This brief article intends to explain the Turkish legislative framework applicable to the international transfer of personal data (except for sector-specific requirements), provide a brief comparison with the GDPR, identify the problems faced in Turkish practice and propose possible solutions for those problems.
A. Transfer Mechanism Under the Law on Protection of Personal Data
The Law on Protection of Personal Data numbered 6698 (the “DPL”) is the main legislation in Turkey in relation to data protection and governs the international transfers of personal data. Article 9/p.1 of the DPL sets forth that personal data cannot be transferred outside Turkey without the explicit consent of the data subject. However, in its second paragraph, Article 9 sets forth two situations where personal data can be transferred outside Turkey without the explicit consent of the data subject. As per Article 9/p.2 of the DPL, if there is a legal ground for transferring personal data outside Turkey, personal data can be transferred abroad if
a. the destination country is listed within the list of countries providing adequate protection, or
b. the data controller in Turkey and the data controller located abroad undertake in writing to provide adequate protection and the DPB gives an authorization for such transfer.
As can be seen from the above, the international transfer mechanism set forth by the DPL is quite different from, and more restrictive than, the international transfer mechanism in the GDPR. In this section, I will analyze the above-stated paragraphs of Article 9 of the DPL.
I. The Scope of Article 9 in terms of Transferring Parties
Article 9/p.2 (b) mentions only data controllers. This raises the question of whether the DPL regulates only international data transfers between data controllers. The answer of the Turkish Data Protection Authority (the “DPA”) and the Data Protection Board (the “DPB”) is no: transfers of personal data from data controllers located in Turkey to data processors located abroad are also subject to Article 9 of the DPL. As will be explained below, the DPA issued a list of provisions that must be included in the agreement between a data controller and a data processor when the data controller located in Turkey is transferring personal data to a data processor located abroad. This shows that the DPA considers international transfers between data controllers and data processors to be subject to Article 9 of the DPL. The DPA has not explained the legal justification for this interpretation. It may have assessed that the reference in paragraph (b) above to data controllers located abroad and inside Turkey does not limit the entirety of Article 9 to international transfers between two data controllers, and that the intention of the provision is to govern any type of international transfer made by data controllers. It may then have concluded that if Article 9 allows international transfers between two data controllers, it should a fortiori allow international transfers between a data controller and a data processor, as a transfer to a data processor, which is subject to the instructions of the data controller, poses less risk to data subjects than a transfer to a data controller, which is more independent in its processing activities. It would have been better to see the DPA’s reasoning, especially considering the explicit reference to data controllers only under Article 9/p.2 (b).
It is also worth mentioning the question of whether transfers made by data subjects directly to data controllers abroad fall under Article 9 of the DPL. The answer to this question is also no; Article 9 of the DPL is not applicable to those transfers. The DPL does not impose obligations on data subjects; since Article 9 of the DPL is a provision that imposes obligations on the party transferring the personal data, international transfers made directly by data subjects fall outside the scope of this provision.
II. The Situations Where Personal Data Can Be Transferred Abroad
i. Explicit Consent
Article 9/1 of the DPL sets forth that personal data can be transferred abroad if the data subject gives their explicit consent for such transfer. It is important to note that the DPL requires “explicit” consent and not ordinary consent for international transfers. In order for an explicit consent to be valid, the consent must be given for a specified subject, it must be given willingly and based on sufficient information. In this context, the information to be provided to the data subject should clearly state that their personal data will be transferred outside Turkey and the data subject must actively declare their consent.
ii. Destination Country Providing Adequate Protection
If the transfer of personal data abroad is based on a legal ground set forth under the DPL (i.e. legal grounds under Article 5 for non-sensitive data and under Article 6 for sensitive data), the personal data can be transferred to a country providing adequate protection. The DPB is responsible for issuing a list of countries providing adequate protection but no such list has been issued yet. Therefore, currently no international transfers of personal data from Turkey can be made on this ground.
iii. Data Controllers’ Undertaking to Provide Adequate Protection
Article 9/p.2 (b) sets forth that in cases where the transfer of personal data abroad is based on a legal ground set forth under the DPL, personal data can be transferred abroad without the explicit consent of the data subject, if the data controllers undertake in writing to provide adequate protection and obtain an authorization from the DPB.
Standard Forms of Agreement
In terms of the undertakings mentioned in the DPL, the DPA issued two standard forms of agreement: one to be signed for cross-border transfers between two data controllers and the other to be signed for cross-border transfers from a data controller to a data processor. Although Article 9/p.2 (b) mentions only cross-border transfers between data controllers, the DPA seems to have interpreted this Article broadly so as to include cross-border transfers to data processors within the scope of the situations where cross-border transfers can be made without obtaining explicit consent. The parties applying to the DPB for an authorization for a cross-border transfer must fill in the standard forms of agreement published on the website of the DPA. The parties may add new provisions to those agreements as long as the provisions set forth in the original forms are not changed. The standard forms of agreement require information on various issues, such as the categories of personal data to be transferred, the categories of data subjects, the purposes of the transfer, the legal grounds of the transfer, the security measures to be taken, retention periods, etc.
Although the standard forms of agreement must be used when applying for an authorization, this process should not be confused with the Standard Contractual Clauses mechanism under the GDPR. Under this written undertaking mechanism, an authorization from the DPB is still required, unlike under the Standard Contractual Clauses mechanism.
Based on the information available to the public, the DPB has not granted any authorizations yet. The DPA and the DPB state that the applications they have received so far do not comply with the requirements for an authorization. The reasons for rejecting an authorization have not been made public, but the sections titled “purposes of transfer”, “legal grounds of transfer” and “security measures” in the standard forms of agreement published by the DPA indicate that the DPA and the DPB carry out a compliance review for each transfer. This, in turn, makes the authorization procedure complicated and lengthy. Considering that the DPA and the DPB do not carry out a compliance review of the processing activities of every data controller located inside or outside Turkey, and that the DPL does not require such a detailed review, such a compliance review can be considered an unnecessary burden on the DPB, the DPA and the data controllers.
Binding Corporate Rules
The DPA issued a declaration on April 10, 2020 that group companies can apply to the DPB for obtaining an authorization for the cross-border transfers of personal data among the group companies under their Binding Corporate Rules. This declaration is also based on Article 9/p.2 (b) of the DPL; in the declaration, it is stated that the application to be made under this mechanism will be considered as provision of written undertaking to provide the adequate level of protection.
The application for authorization must be made by the group company located in Turkey. The application must be made by filling in an application form published on the website of the DPA, and the Binding Corporate Rules of the relevant group of companies must be filed together with the application form. The application form requests various types of information, such as how compliance with those rules will be ensured, the consequences of violation, etc., and declarations such as that data subjects will be able to file lawsuits for compensation before Turkish courts and that all types of legal assistance (including translation assistance, appointment of lawyers, etc.) will be provided to data subjects for lawsuits they file in other jurisdictions. Preparing Binding Corporate Rules is a difficult task, and the application form in itself also requires detailed preparation and certain declarations that many companies would not be willing to make (e.g. providing legal assistance to data subjects). The Binding Corporate Rules mechanism is not a method that many companies choose to apply in Europe, due to the difficulties in its preparation and implementation. However, as the GDPR provides alternative methods for cross-border transfers (particularly Standard Contractual Clauses), those companies have other routes to follow in terms of cross-border transfers. As the DPL does not provide many alternative methods for cross-border transfers, it will be interesting to see whether any group companies choose to apply this method in Turkey, despite the difficulties it involves.
B. A Brief Comparison with the GDPR
The explanations set forth above show that the transfer mechanism under the DPL has a narrower scope than the GDPR in terms of cross-border transfer.
In terms of appropriate safeguards, without an authorization from the DPB the DPL does not allow cross-border transfers via (i) a legally binding and enforceable instrument between public authorities or bodies, (ii) standard data protection clauses (SCCs), (iii) an approved code of conduct, or (iv) an approved certification mechanism.
In terms of derogations, explicit consent is not set forth as a derogation under the DPL but as one of the main options for the cross-border transfer of personal data. There are no derogations under the DPL for cross-border transfers.
C. Problems with the Current Cross-Border Transfer Mechanism in Turkey
Currently, the only viable option for a data controller to make a cross-border transfer is to obtain the explicit consent of the data subjects. As mentioned above, the list of countries providing adequate protection has not been issued yet, and the DPB has not yet granted an authorization for a cross-border transfer under Article 9/p.2 (b).
The requirement to obtain explicit consent to make a cross-border transfer creates problems for data controllers. Explicit consent is not a convenient method of transfer in most cases; it is actually suitable mostly for one-off transfers. Data controllers make investment decisions when choosing the data processors they will work with for various purposes. Currently, the largest data processors in the world do not have servers in Turkey. A data controller may enter into an agreement with a data processor to have all its data stored on the data processor’s servers, use an e-mail service provider whose services are located abroad, or use a data processor for HR activities; but if a data subject withdraws their consent, the data controller must either delete the relevant personal data or establish additional storage capacity in Turkey so that the relevant data can be stored in Turkey. This storage capacity means additional investment, and in some cases it would not be a viable solution either: where the personal data of the data subject withdrawing their consent is mixed with the personal data of other data subjects, it would be practically almost impossible for the data controller to separate this data and bring it back to Turkey or delete it. This is why both the EU Directive 95/46/EC and the GDPR include consent under the title “derogation” for international transfers; it is not suitable for the everyday operations of a data controller. The current mechanism in Turkey forces data controllers either to store all personal data within Turkey or to face the risk of an administrative fine in cases where a data subject withdraws their consent and it is not possible to delete the relevant personal data or bring it back to Turkey.
Furthermore, the DPB and the DPA state that explicit consent should not be a precondition for providing a service to a data subject. When a data controller’s servers are located outside Turkey, such a data controller would request the explicit consent of data subjects in order to provide its services to them and would not be able to provide those services if the data subjects do not give their explicit consent. In this respect, explicit consent would be a precondition for providing the services. However, in the current situation, where there is no practical way for data controllers to transfer personal data outside Turkey other than obtaining explicit consent, the principle of “explicit consent not being a precondition of the service” should not be interpreted to cover explicit consents obtained for cross-border transfers. The DPL does not aim to localize all personal data, or to require data controllers to establish servers in Turkey or to use data processors which have servers in Turkey. Its provisions should not be interpreted in a way that serves a purpose not aimed at by the DPL.
As mentioned above, even if explicit consent is interpreted to be valid, this still does not create a perfect solution, because it does not offer a workable answer to what the data controller should do if the consent is withdrawn. It is clear that the current cross-border transfer mechanism in Turkey is not sensible. There should be a list of countries providing adequate protection, together with additional workable appropriate safeguards and derogations. Regulating cross-border transfers should not mean restricting them completely or providing only unworkable, impractical solutions. Data controllers need to be able to transfer personal data if they are to be part of the global economy. Leaving them without any sensible way to transfer personal data means that they are forced to choose between taking the risk of administrative fines and positioning themselves only in the periphery of the global economy.
D. Possible Solutions
The cross-border transfer mechanism under the DPL is too restrictive. Therefore, the best solution would be for the legislator to amend the DPL to include appropriate safeguards and derogations for cross-border transfers. This would give the DPB wider room to implement less restrictive regulations. However, there is no work in progress at the legislative level to make such amendments yet.
One of the most obvious partial solutions to the problem explained in the sections above would be for the DPB to issue the list of countries providing adequate protection, and for such a list to include at least the EU countries. One of the challenges in issuing the list is that Article 9/p.4 of the DPL sets forth that the DPB must take into consideration whether there is reciprocity in terms of international data transfers with the country under review for inclusion in the list. The DPL does not explicitly set forth reciprocity as a strict condition for determining that a country provides adequate protection. A broad interpretation may conclude that the DPB can determine that a country provides adequate protection even though that country has not made any such declaration, or has even adopted certain restrictions on transfers to Turkey. However, in its public announcement dated October 26, 2020, the DPA stated that the process for issuing the list of countries providing adequate protection is handled in cooperation with the Ministry of Justice, the Ministry of Foreign Affairs and the Ministry of Trade, and that the Ministry of Foreign Affairs takes the position that, in order for Turkey to recognize a country as providing adequate protection, there must be reciprocity in that regard. In this context, the Ministry of Foreign Affairs and the DPB have adopted a strict interpretation and consider reciprocity a prerequisite for accepting a country as providing adequate protection. This strict interpretation seems to be the only issue preventing the DPB from declaring the EU countries as providing adequate protection.
Otherwise, it would make no sense for the DPB not to at least declare the member countries of the European Union as providing adequate protection; after all, the DPL is modelled on the EU Directive 95/46/EC, the EU has a longstanding practice of protecting the personal data and privacy of individuals, both national and EU institutions have set important precedents in relation to data protection, and there should be no reason for the DPB not to declare the EU countries as providing adequate protection.
It is worth asking whether the DPB could make a unilateral adequacy decision for the EU countries even under its strict interpretation of reciprocity. Can we say that there is a strict prohibition on the transfer of personal data from the EU to Turkey? The GDPR does not impose such a strict prohibition; it imposes certain requirements to be complied with when personal data is transferred to countries which are not currently subject to an adequacy decision. Within the context of the Standard Contractual Clauses (SCCs), data controllers in the EU can transfer personal data to Turkey provided that they sign an agreement which includes the SCCs. There is no requirement to obtain a separate authorization from any institution in order to effect the transfer; the only requirement is for the parties to the transfer to bind themselves with the pre-approved SCCs. In this regard, it is not possible to say that the EU does not allow transfers of personal data from the EU to Turkey. It can be said that EU legislation and practice allow transfers of personal data from the EU to Turkey, albeit subject to some conditions. As a result, it would not be a violation of Article 9/p.4 of the DPL if the DPB declared the EU countries as providing adequate protection. However, the DPA made its position on this issue very clear with its statement dated October 26, 2020, and therefore it is not reasonable to expect such a list with the EU countries in it without the EU recognizing Turkey as providing adequate protection.
As the two solutions stated above would most likely not be adopted in the near future, it is reasonable to ask whether the DPB can offer a more practical solution with the tools it already has. As explained above, the DPL does not have any provision for a Standard Contractual Clauses mechanism; the DPB must give an authorization even if the data controllers and data processors sign a written undertaking to provide adequate protection. However, this does not mean that the DPA and the DPB cannot adopt a mechanism which is similar to (albeit not identical to) the SCC mechanism under the GDPR. The DPB can issue standard contractual clauses (similar to the ones used in the EU) to be signed for cross-border transfers between data controllers and between data controllers and data processors. These standard contractual clauses would include provisions that could be directly relied upon by data subjects in Turkey against the data controller or data processor outside Turkey, which would ensure the right to claim compensation from the data importer before the courts in Turkey and an obligation to submit to audit by the Turkish DPA. The provisions would not require a description of security measures, but only a warranty that appropriate security measures have been taken. Nor would they require a description of the purposes of the transfer and the legal bases of the transfer. This would release the DPB and the DPA from carrying out a detailed compliance review of the transfer. As a result, the DPB would be able to grant authorizations very quickly. This, in turn, would create a workable solution in which the rights of data subjects are also protected efficiently.