Part I: Is There a Legal Basis Under Turkish Law for the Administrative Fines and Compliance Orders Against Foreign Data Controllers?

20.12.2023

There is no provision on territorial scope under the Personal Data Protection Law numbered 6698 (the “PDPL”). However, this does not prevent the Turkish Personal Data Protection Board (the “Board”) from issuing compliance orders and administrative fines against data controllers located abroad. In terms of territorial scope, one opinion is that the Misdemeanours Act numbered 5326 (the “Misdemeanours Act”) constitutes the legal basis of these compliance orders and administrative fines; another is that Article 20(3) of the Turkish Constitution constitutes the legal basis; and a third is that the Board can rely on the secondary legislation issued by the Personal Data Protection Authority (the “KVKK”) and its own decisions when issuing such compliance orders and administrative fines. In our opinion, none of these can constitute a valid legal basis for these compliance orders and administrative fines against foreign data controllers. In this brief article, we will analyse whether the Misdemeanours Act can constitute a legal basis for this practice of the Board; in the following two articles, we will analyse whether Article 20(3) of the Turkish Constitution and the secondary legislation of the KVKK and the Board decisions can constitute valid legal bases.

Principle of Territoriality under Turkish Law

Territoriality is a well-established principle under Turkish law. Accordingly, Turkish laws, in principle, only apply within the borders of the Republic of Türkiye. This principle is accepted as a general rule in Turkish law. If an administrative authority is to apply Turkish law outside Türkiye as an exception to the general principle of territoriality, it must be authorised to do so by law and the relevant exception must be regulated explicitly. Such provisions are drafted taking into account various issues, such as the potential for conflicts of sovereignty between states, the practical effects of extra-territoriality, and the justification for the extra-territorial application. Such provisions should also state the conditions pursuant to which the relevant Turkish law provisions may be applied to companies or individuals located outside Türkiye.

Considering the above, the PDPL will not have extra-territorial application unless the PDPL contains explicit provisions to that effect. Yet, the Board has issued compliance orders and several administrative fines against foreign data controllers. It would therefore be reasonable to inquire what legal basis the Board relies on when issuing administrative fines and compliance orders against foreign data controllers.

Territorial Scope of the Misdemeanours Act

Although it is not acknowledged in writing in any public document by the Board or the KVKK, one opinion is that the Board and the KVKK consider Article 6 of the Misdemeanours Act as a legal basis for the compliance orders and administrative fines issued by the Board against the foreign data controllers. Article 6 of the Misdemeanours Act states that Article 8 of the Turkish Penal Code numbered 5237 (the “TPC”) regarding territorial scope will also apply to misdemeanours. Article 8 of the TPC reads as follows:

“Turkish law shall apply to all crimes committed in Türkiye. Where a criminal act is partially, or fully, committed in Türkiye, or the result of a criminal act occurs in Türkiye, the crime shall be presumed to have been committed in Türkiye.”

This approach considers that violation of any of the provisions of the PDPL constitutes a misdemeanour and Article 8 of the TPC should be used to determine the territorial scope for such violations, i.e., if the violation can be presumed to have been committed in Türkiye, the PDPL will apply against the data controllers located abroad and the Board will have territorial jurisdiction to issue compliance orders and administrative fines against them. We do not believe this to be a correct interpretation.

Why Can’t the Misdemeanours Act Constitute a Legal Basis for the Compliance Orders and Administrative Fines Against Foreign Data Controllers?

First, compliance orders do not fall within the scope of the Misdemeanours Act. As per Article 3(1)/b of the Misdemeanours Act, the Misdemeanours Act is applicable to actions which require administrative fines or decisions for expropriation, and therefore Article 6 of the Misdemeanours Act, which stipulates the territorial scope of the Misdemeanours Act, cannot extend to compliance orders. Compliance orders are neither administrative fines nor expropriation decisions; they are executory administrative decisions of the Board instructing the data controller to comply with the PDPL. In this respect, the Misdemeanours Act cannot constitute a legal basis for the extraterritorial jurisdiction of the Board to issue compliance orders.

Second and related to the above, as discussed in more detail in another of our articles (see here), the PDPL does not regulate its Articles 4-9 as misdemeanours which can directly be subject to an administrative fine. In this respect, any administrative fine issued by the Board against a foreign data controller for the alleged violation of Articles 4-9 of the PDPL would be outside the scope of the Misdemeanours Act in addition to the fact that they would also be against the principle of legality.

Third, the part under Article 8 of the TPC where it mentions “the result of a criminal act occurring in Türkiye” is not relevant and applicable to the PDPL and cannot be the legal basis for extra-territorial jurisdiction for the administrative fines under the PDPL. The provisions under the PDPL regulate behaviour (or movement in the legal sense), they do not set forth the result which can form the basis of an administrative fine. The “result” is an element in the Turkish criminal law system that must be clearly stated in the relevant legal provision in order to be punishable. It is a firmly acknowledged doctrine that the result must be included in the legal definition of a crime or misdemeanour. Put simply, the “result” must be one that is specifically contemplated, defined, and explicitly provided for in the relevant law. As a result, the mere fact that a data controller located abroad processes the personal data of data subjects residing in Türkiye does not mean that the result of such processing activity occurs in Türkiye.

Considering the above, even if the Misdemeanours Act could have been used as a means to determine the territorial scope of the PDPL, the only analysis that could have been made under Article 8 of the TPC would be related to whether the act or the movement was committed wholly or partially in Türkiye. Foreign data controllers are located abroad, their servers and infrastructure are also located abroad, the decisions about processing activities are made abroad and the processing activities themselves are performed outside Türkiye. As a result, it would not be correct to state that the “movements” regulated under the PDPL occur wholly or partially in Türkiye. For instance, in case of a data breach where the servers of a foreign data controller which are located outside Türkiye are hacked due to a failure to take the necessary measures to provide an adequate level of security (as required under Article 12 of the PDPL), it would not be possible to argue that the misdemeanour is fully or partially committed in Türkiye even if the hacker accesses the personal data of data subjects residing in Türkiye. In that scenario, the servers will be outside Türkiye and more importantly any possible security measure can only be taken outside Türkiye. As a result, any movement related to this breach would be committed outside Türkiye and therefore outside the territorial scope of the Misdemeanours Act.

Fourth, the existence of a territorial scope provision under the Misdemeanours Act does not mean that it constitutes a clear territorial scope for the PDPL. The territorial scope under the Misdemeanours Act would work only in conjunction with a clear territorial scope under the PDPL. For example, if it were to be interpreted that the obligation to register with the Data Controllers’ Registry (under Article 16 of the PDPL) should be at least partially performed in Türkiye as the registry is held by the KVKK in Türkiye, this would mean that this obligation would apply to foreign data controllers which process personal data of the data subjects residing in Türkiye even when all of their processing activities occur outside Türkiye. In our opinion this would not be a lawful interpretation. The Data Controllers’ Registry requires information on the processing activities of a data controller, therefore the processing activities themselves should be subject to the PDPL for them to trigger the registration obligation. Furthermore, if the Misdemeanours Act is used as the sole source to determine the territorial scope of this obligation, this would lead to a preposterous result where any foreign data controller which somehow accesses and/or retains the personal data of an individual residing in Türkiye would need to register itself with the Data Controllers’ Registry. 
Hundreds of thousands of foreign data controllers would be subject to the registration obligation under the PDPL if the Misdemeanours Act were accepted as the legal basis of the territorial scope of the PDPL: hotels all around the world which have hosted individuals residing in Türkiye, foreign banks which have had transactions involving an individual in Türkiye, airlines around the world with passengers residing in Türkiye (even if the flight is not to or from Türkiye), foreign companies which receive employment applications from Türkiye, universities and schools which receive applications from potential students in Türkiye, any website operator which somehow collected personal data of an individual in Türkiye, etc. Neither the KVKK nor any other data protection authority in the world would have the resources to monitor and enforce compliance across such a wide scope. As a result, this interpretation would lead to selective enforcement where, among the thousands of foreign data controllers which are purportedly subject to the registration obligation under this interpretation, only the few which are very visible will be subject to enforcement. Such a practice would be against the principle of state of law under Article 2 of the Turkish Constitution and would also be against the principle of equality under Article 10 of the Turkish Constitution.

In light of the above, we believe that the Misdemeanours Act cannot constitute a legal basis for the Board to issue compliance orders and administrative fines against foreign data controllers. In our next article, we will analyse whether Article 20(3) of the Turkish Constitution can constitute such a legal basis.