Turkish Law Blog
Cross-Border Data Transfers in Turkey & Effects of the Data Protection Board’s Amazon Turkey Decision
The Data Protection Board recently issued a new decision and fined Amazon Turkey 1.100.000 TRL for violations of data protection and e-commerce legislation, and for unlawful cross-border data transfers, especially data transfers to its overseas affiliates. Moving forward, the decision will have serious ramifications regarding data transfers in Turkey, and in order to better understand these consequences, we first need to understand the background that led to this decision.
Personal Data Protection in Turkey
In a globalized economy where technology companies dominate and control much of the content marketing and where data is seen as the new gold, restricting and monitoring cross-border data transfers is becoming ever more important, which is also highlighted in the Data Protection Board’s (DPB) Amazon Turkey Decision. In this respect, Turkey is taking a similar stance regarding data protection as Europe, by implementing the Law on the Protection of Personal Data No. 6698 (LPPD), which is essentially the Turkish version of the General Data Protection Regulation (GDPR).
Transfer of Personal Data to Third Parties
Personal data transfers to third parties are quite restrictively regulated under the LPPD (similar to provisions in the GDPR). Article 5 of the LPPD clearly states that data controllers cannot transfer personal data to third parties without the explicit consent of the data owner except for the circumstances set forth in Articles 5/2 and 6/3. Article 9 further states that cross-border data transfers are forbidden unless the data owner consents explicitly to such cross-border data transfers. Article 9/2 provides an exception to this rule and allows for cross-border data transfers without the data owner’s explicit consent in cases where circumstances set forth in Articles 5/2 and 6/3 are applicable and if (i) “sufficient protection is provided in the foreign country where the data is to be transferred” or (ii) “the controllers in Turkey and in the related foreign country guarantee a sufficient protection in writing and the Board has authorized such transfer, where sufficient protection is not provided”.
Data Transfers and Exceptions to Explicit Consent
As noted above, the general rule for data transfers, either domestic or cross-border, is to obtain the prior explicit consent of the data owner. However, the LPPD does provide certain exemptions to this requirement both for personal data and for personal data of special nature, set forth in Articles 5/2 and 6/3 respectively. According to Article 5/2, personal data can be processed and transferred to third parties without the explicit consent of the data owner if:
- Provided/required by the law,
- Required for the protection of life or physical integrity of a person who is not bodily able to provide consent,
- Required for the conclusion, fulfillment or procurement of services noted in a contract,
- Required for the data controller to perform its legal duties,
- The data is disclosed to the public by the data owner,
- Data is deemed as mandatory for the establishment, exercise or protection of any right, or
- Mandatory for the legitimate interests of the controller, provided that it does not violate the fundamental rights and freedoms of the data owner.
Article 6/3 further states that personal data of special nature, excluding data relating to health and sexual life, can be processed, and transferred to third parties without the explicit consent of the data owner if provided for by the laws.
Cross-Border Data Transfers and the Problem of Sufficient Protection
These provisions that set forth exceptions to the explicit consent rule for cross-border data transfers are quite clear, as Article 9/2 states that cross-border data transfers can be executed without the explicit consent of the data owner if sufficient protection is provided in the foreign country where the data is to be transferred. Taking into account that the LPPD is almost a direct translation of the GDPR, it is reasonable to assume that all cross-border data transfers into one or more of the countries where the GDPR is applicable will be covered by this provision and therefore will be exempt from the explicit consent requirement.
Unfortunately, this is not the case. The problem here arises from subparagraph 3 of the same Article 9, which states that the DPB shall determine and announce the countries where a sufficient level of protection is provided. The DPB has yet to announce such a list, which means that the exemption provided for in Article 9/2/a is not yet applicable to any cross-border data transfers, including to countries where the GDPR is applicable.
Summary of Amazon Turkey Decision on Cross-Border Data Transfers
Complaints against Amazon Turkey
As noted at the beginning of this article, following a complaint filed by an Amazon Turkey user regarding unlawful data processing and transfer, the Data Protection Board fined Amazon Turkey 1.100.000 TRL for unlawful cross-border data transfers to its overseas affiliates and for non-compliance with data protection and e-commerce laws. One of the major claims stated in this complaint was the fact that Amazon Turkey included the phrase “We may transfer your personal data to the European Union and the United States in order to store and process your personal information within the context of the purposes set forth in this Privacy Notice”, which, according to the complaint, violated the obligations set forth in the LPPD because Amazon Turkey did not obtain the explicit consent of the data owner for such international transfers, but rather only notified that it can transfer the data overseas.
DPB’s Amazon Turkey Decision Regarding Cross-Border Data Transfers
Following the complaint, the DPB launched an investigation into Amazon Turkey and determined that it did not, in fact, obtain an explicit consent from the data owners for cross-border data transfers, but rather provided the data owners the option to opt out or choose not to share their data with third parties. This opt-out mechanism was found to be in violation of the LPPD, as the law clearly requires an explicit consent from data owners for cross-border data transfers, and therefore requires that the data owners explicitly “opt-in” to such transfers rather than assuming the data owners opted-in to this by default and then providing them an opt-out option.
Since Amazon Turkey did not acquire prior explicit consent from the data owners, the only option for Amazon Turkey to lawfully conduct cross-border data transfers in Turkey was to claim that such transfers fell within the scope of the exemptions provided for in Article 9/2 LPPD. However, as seen above, such exemptions only apply for cross-border data transfers if sufficient protection is provided in the foreign country where the data is to be transferred and the DPB is authorized to determine the countries with sufficient levels of protection as per Article 9/3. The issue here is, as also mentioned above, the DPB is yet to publish such an exempted countries list, and since that list is not yet made available, this exemption provided for countries with sufficient protections does not yet apply to any country, including EU countries where the GDPR is applicable.
Since Amazon Turkey cannot benefit from this “sufficient protection” exemption, that leaves the final exemption provided in Article 9/3, where cross-border data transfers can be conducted without prior explicit consent to countries without sufficient protection, if the foreign data controllers in Turkey and in the related foreign country give letters of guarantee to the DPB in writing and the Board approves such transfer. It should be noted here that Amazon did actually submit a guarantee to the Board in order to benefit from such exemption. However, at the time of this complaint and the decision, Amazon’s guarantee letter and exemption application were still pending before the DPB, awaiting the Board’s final decision and approval. Article 9/3 clearly states that this exemption will only be applicable if a guarantee letter is provided and the DPB approves the transfers, and since the DPB never approved Amazon Turkey’s exemption application, the DPB decided that such cross-border data transfers executed by Amazon Turkey violated the provisions of the LPPD.
Moving Forward: Effects of the Amazon Turkey Decision on Cross-Border Data Transfers
The decision to fine Amazon Turkey was a highly controversial decision by the DPB. It was controversial because Amazon Turkey was transferring personal data to EU countries, which should have been deemed as countries with sufficient protection since those countries are also under the regulation of the GDPR, and because Amazon Turkey had already provided the Board with the necessary guarantee letters to benefit from the second exemption provided for in Article 9/3.
Although we understand where the arguments against this decision are coming from, we also believe that the law is quite clear and transparent about exemptions. The LPPD provisions clearly state that exemptions for cross-border data transfers shall only be applicable if the country where the data is transferred has sufficient levels of protection (to be determined by the Board), or where sufficient protection is not available, a guarantee letter is provided and the transfer is approved by the Board. Since the exempted countries list is not yet published by the Board, the only way to benefit from cross-border data transfer exemptions is to submit a guarantee letter to the Board and wait for the Board’s approval for transfers. Although Amazon did provide a guarantee letter, they did not wait for the application to be processed and for the Board’s approval and continued with cross-border data transfers without obtaining explicit consents from the data owners.
In this respect, the DPB has made its position abundantly clear: if data controllers want to conduct cross-border data transfers without obtaining explicit consents, they should either wait for the exempted countries list to be published, or submit a guarantee letter and wait for the Board’s approval. Otherwise, all data controllers are required by the LPPD to obtain explicit consent from data owners before conducting cross-border data transfers.