Turkish Law Blog
Request for Disclosure of User Data by Turkish Authorities
The meshing of space and cyberspace for corporations and businesses has moved most of the relevant pieces of evidence to cyberspace. In many cases, if not all, electronic evidence has undisputed importance in proving the parties’ claims. Administrative authorities also seek electronic evidence to perform their duties.
This shift of evidence to the cyber-world has a profound impact on Information and Communication Technology (“ICT”) companies, which hold massive amounts of third-party data. Accordingly, these ICT companies receive perhaps hundreds of information requests from Turkish authorities asking them to provide their users’ data. However, ICT companies are generally reluctant to deliver their users’ data, in order to protect their users’ sense of privacy and security. As a result, it has become vital for ICT companies to distinguish binding from non-binding information requests, an important question that this blog post aims to answer.
Under Turkish law, an ICT company may receive an information request for user data from a civil court, a criminal court, an administrative agency, or the National Intelligence Organization. Each request, and non-compliance with it, is subject to different rules, which are elaborated below.
In civil cases, save for rather exceptional circumstances where the court conducts the research phase on its own, the parties, rather than the court, collect and submit the relevant pieces of evidence to prove their claims. In some cases, upon the request of a party, the court may also ask third parties to disclose any document relevant to the case. While the relevant provision, Article 221(1) of the Turkish Code on Civil Procedure (“TCCP”), states that a court may request information or a document from a third party if the information or document at issue is “essential” to prove the alleged claim, in practice, courts interpret this provision rather broadly and reach out to third parties even when there may be other ways to prove a claim.
Where a third party is asked to disclose a document by a civil court, they are under an obligation to do so. In the event that they are unable to present the court with the relevant document, they must explain the reasons for non-compliance by providing evidence. If the court deems the explanation unsatisfactory, the third party may be called to court to testify. The parties who are under an obligation to present a document may refrain from doing so in accordance with the provisions under the TCCP regarding “exemption from testimony”. Grounds for exemption might be a personal relationship with the parties to the dispute, a legal provision requiring the protection of a secret, or the existence of a conflict of interest. The court determines whether the exemptions alleged by the third party are well-grounded.
In the event that a party fails to disclose a document without showing any legal basis or without sufficient legal basis, disciplinary fines are applied under Article 253 of the TCCP by virtue of a reference to the provision in Article 221(3). Moreover, non-compliance may also be viewed as “disobedience with a legal order” and sanctioned with an administrative fine of 320 Turkish Liras under the Misdemeanor Law.
The two phases of criminal proceedings under Turkish law are the investigation and trial phases. The prosecutor leads the investigation phase and is obliged and authorized to collect evidence to reach the material truth. Pursuant to Article 161(1) of the Turkish Criminal Procedure Code (“TCPC”), prosecutors may collect any type of evidence that may shed light on the investigation at issue. Accordingly, a prosecutor may also request data stored by ICT companies in an information system or data storage device under their possession or control. In case an ICT company fails to provide such data, the prosecutor may initiate the search procedure under Article 134 of the TCPC against that ICT company’s servers, provided that the ICT company in question has a presence in Turkey.
Under the general principle of Turkish criminal procedure law, and pursuant to Article 161 of the TCPC, the police operate under the instructions of the prosecutor. Thus, requests sent by the police force are generally prepared under the instructions of a prosecutor and should include a reference to the prosecutor’s order in question.
Supplement Clause 6(18) of the Police Duties and Entitlements Law (“PDEL”) is an exception to this general rule of hierarchy: it allows the police force to conduct an investigation on its own initiative to determine the prosecutor with jurisdiction over crimes committed in cyberspace. Adopted only in 2018, the provision has an unclear scope. As the PDEL does not limit the means available to the police force to determine the authorized jurisdiction, law enforcement agents have a broad authority to request any type of information from third parties.
Pursuant to Article 332 of the TCPC, a judge or a prosecutor may request information from anyone as part of a pending investigation or trial. The recipients of such requests must comply with them within ten days of receipt. Article 332 of the TCPC states that non-compliance with such a request would constitute a violation of Article 257 of the Turkish Penal Code (crime of misuse of public duty), which is subject to imprisonment up to two years. Non-compliance with a request to disclose user information may trigger this provision and hence may lead to criminal liability.
Under Turkish law, however, legal entities may not be the perpetrators of a crime. Instead, employees of the legal entity who performed the activities would be criminally liable. However, legal persons may be subjected to certain security measures because of the commission of certain crimes enumerated in the Turkish Penal Code (“TPC”). According to Article 60 of the TPC, these measures are the cancellation of the permit issued by public authorities and confiscation of property.
Under Turkish law, most ICT companies may be categorized either as a hosting provider or an access provider. Hosting providers are persons or entities providing, operating, and maintaining systems that are used for hosting online platforms, while access providers are persons or entities providing access to the Internet. Under this categorization, generally, Turkcell or Kablonet would be access providers while websites such as Hepsiburada or EksiSozluk would be deemed hosting providers.
Pursuant to Articles 5 and 6 of the Law on the Regulation of Publications on Internet and Suppression of Crimes Committed by means of Such Publications (“Law No. 5651”), the Information Technology and Communications Authority (“ITCA”) may request any type of information from hosting providers and access providers.
The broad scope of these provisions was once brought to the attention of the Constitutional Court, which struck down the provisions noting that “[t]he provisions which are sought to be annulled provides a basis for the delivery of all types of personal data, information and documentation to [ITCA] unconditionally, without being subject to necessary limitation in terms of object, purpose and scope despite the safeguard provided in the Constitution, and render the individuals defenseless against the administration.” However, the same provisions were re-adopted in 2016 and are still in force.
If a company does not present the ITCA with requested information or documents within the determined time frame, the company may be fined 0.003% of its net sales in the previous year pursuant to Article 23 of the Regulation on Administrative Sanctions by the Information Technologies and Communication Authority (“Regulation on Administrative Sanctions”). In the event that the non-compliance with the request is repeated, an increasing fine up to 1% of the net sales in the previous year shall be applied. Different fines may also apply in the event that the documents presented are wrong, missing or falsifying pursuant to Articles 24, 25, and 26 of the Regulation on Administrative Sanctions, respectively.
Notably, pursuant to Article 5 of the Law No. 5651, hosting providers that fail to fulfill their duties under the Law No. 5651 may be subject to an administrative fine between TL 14,705 and TL 147,058. As for access providers, Article 6 of the Law No. 5651 foresees an administrative fine between TL 14,705 and TL 73,529 for non-compliance with an information request. It is unclear whether these are additional fines that may be applied by the ITCA, or have been implicitly abrogated by the relevant provisions in the Regulation on Administrative Sanctions. If implicit abrogation is the case, the discrepancy between the Law No. 5651 and the Regulation on Administrative Sanctions may pose difficulties when 0.003% of a company’s net sales exceeds the threshold stated in Articles 5 and 6 of the Law No. 5651, as the regulation would be in conflict with the law.
Albeit a remote possibility, the Turkish National Intelligence Organization (“NIO”) is also authorized to request information from entities. Article 6 of the Law on State Intelligence Services and National Intelligence Organization authorizes the NIO to request any information and document from any legal entity or even entities that do not have legal personality. There does not seem to be a limitation on such power to request information. Those who fail to comply with the information request may be sanctioned with imprisonment of between three and five years.
Given the sensitivity of such requests, ICT companies should individually evaluate each data request under Turkish law by taking into account both the law in the books and the practice of the authority that issued the request. For ICT companies located abroad, whether the request was properly served through the appropriate international cooperation mechanism is another matter that needs to be considered.
As for the users of these ICT companies, the broad powers of the administrative authorities or the police force may threaten the privacy of the users if the authority falls into the wrong hands. Accordingly, revision of some of the vague provisions mentioned above, such as those of the PDEL or the Law No. 5651, by implementing clear-cut limitations and instructions, would advance data privacy and protection of the users.
Other authorities may also request information from ICT companies, such as tax authorities or the Competition Board. However, the purpose of this piece is not to provide an exhaustive list of all authorities that may request data from a company but to focus on the ones that would request user data from ICT companies.
*** The conclusions, suggestions and views are entirely the author’s own and do not represent her law firm.