The newly enacted Law on Protection of Personal Data (Law), which entered into force on April 07, 2016, mainly aims to bring a certainty to the protection of privacy, rights, and freedoms of persons in connection with the processing of their personal data.

It is important to note that the Articles of the Law relating to:

  • The transfer of personal data,
  • Rights of data subject,
  • Application of data subject to the data controller,
  • Filing complaints before the Board,
  • The procedure and principals of the inspection conducted by the Board,
  • Data register, and
  • Crimes and misdemeanors,

will enter into force 6 months after the publication date of the Law (i.e., on October 07, 2016).

The Law, which sets out the general framework of personal data protection, is expected to have a significant regulatory affect on the personal data protection environment since all the definitions and principles are defined and sanctions thereof can now be imposed.

Social Media is surely one of the most important areas that the Law will have a big impact since the economic model of Social Media platforms are mainly based on processing of personal data.

  • Global Internet and Social Media statistics, including particularly Turkey

The “Digital in 2016” report of We Are Social[1] suggests that 3.42 billion people in the world population of 7.40 billion is an Internet user, which corresponds to 46% global penetration.

Moreover, 2.32 billion Internet users use social media actively. Besides, there are 3.790 billion unique mobile users and 1.968 billion active mobile social users.

More importantly, the above numbers have a large growth ratio in each year. For instance, the number of reported Internet users and Social Media is up by 10% since 2015.

An interesting part of the research has revealed that the average time spent on the Internet (outside of work) is 4 hours and 14 minutes per person, whereas the average time spent watching television for the same group of people is 2 hours and 18 minutes per person.

On a country basis, Turkey is above the average world ratio of 46% of internet users. Turkey has a ratio of 58% internet users for the total population, with 46 million Internet users and 42 million Social Media users in a total population of 79 million.

The statistics related to Turkey suggests, in our opinion, that Turkey is a prosperous market for currently active Social Media companies and also a great opportunity for the emerging companies in the sector. Moreover, the same data also suggests that there is a great amount and variety of personal data which is processed during social media activities.

  • Importance of personal data for Social Media platforms

There are a significant number of expenditure items, of which the core ones are maintenance of servers and P&R, for Social Media platforms to maintain their existence in the sector and to be able to provide service to users.

Social Media companies are required to make income through generating place for behavioral advertisement, which is an advertisement area that uses the personal data as an important raw material, to provide their service for free to users. Thus, the companies collect a great amount of personal data during the activities of users on the platforms.

In light of this fact, the requested personal data as well as the ones collected during the activity of users on the platform, which is so called “behavioral data”, is key to the Social Media economy since the same behavioral data is the most valuable assets that are offered to advertisement companies by the Social Media platforms.

It should be noted that there is a large number of personal data subject to processing in Social Media. Besides the classical personal data such as name, age, marital status, education information, etc., there are also new types of personal data which are unique to social media, such as meta-data, cookies, or geographical data.

  • The points which the platforms should address in the privacy notices

The points which the platforms should pay attention to in the preparation of their privacy notices can be evaluated under two categories: “data controller’s obligation for providing information” and “the principles in the processing of personal data”.

The data controller or the person authorized by the platform is obliged to provide the data subject with the following information during the course of personal data collection pursuant to the Law:

  1. The identity of the data controller and of its representative, if any,
  2. The purposes of the processing of personal data,
  3. The recipients of the processed personal data and the purpose of such transfer, and
  4. The method and legal grounds of personal data collection.

As to the purposes of the processing of personal data, it is advisable that all the purposes are written respectively without any vague, general definitions.

On the other hand, it would be acceptable even if recipients of the processed personal data are indicated not by name but only with the status of relation with the platform such as group company, advertisement company, etc.

It should be born in mind that processing of cookies and meta-tags should absolutely be addressed in privacy notices under the requirement of providing information on the method of personal data protection.

Besides the above information, the following principles must be complied with during the course of personal data processing pursuant to the Law, not only limited to social media sector but for any kind of sector:

  1. Processing personal data fairly and lawfully,
  2. Being accurate and, where necessary, up to date,
  3. Processing personal data for specified, explicit and legitimate purposes,
  4. Being relevant, adequate and not excessive in relation to the purposes for which they are processed, and
  5. Being kept for the period stipulated by law or for no longer than necessary for the purpose for which they are processed.

Accordingly it is advisable for platforms to take the above principles into account during the shaping of their privacy policies. Moreover it is advisable for platforms to address the above principles and undertake to comply with them.

  • The requirement of explicit consent

Pursuant to the Law, the personal data shall not be processed without explicit consent of the data subject. The provision regulating the consent in the Law should be read in line with the Directive 95/46 of EU since the Law is mainly adopted from the said directive.

Accordingly users should be clearly well informed and provide explicit consent for the processing of personal data in the notices. More importantly, users have to be clearly presented with an option to agree or disagree with the policy notice.

Meanwhile, it should be noted that personal data manifestly made public by the data subject him/herself will be subject to exemptions introduced in the Law. Thus, there is no requirement for platforms to obtain explicit consent for data falling under this category.

  • The rights of data subject against the Social Media companies

Pursuant to the Law, the privacy notices shall also bear information as to the rights of the data subjects, i.e. users, against the social media platforms. The rights of data subjects are determined as follows in the Law.

Every individual has the right to:

  1. Be informed whether or not personal data relating to him/her are being processed,
  2. Request information concerning the process, if personal data has been processed,
  3. Be informed of the purpose of personal data processing and whether they are used in line with its purposes,
  4. Be informed about the third parties in receipt of the personal data inside and outside the country,
  5. Request the rectification of the incompletely or inaccurately processed personal data,
  6. Request the erasure or destruction of personal data within the framework of the conditions prescribed in Article 7,
  7. Request the notification of third parties to whom the personal data are transferred about the operations conducted pursuant to subparagraphs (e) and (f),
  8. object to the result obtained and analyzed by means of exclusively automated systems against his/her interest, and
  9. Request the compensation of the damages suffered as a result of an unlawful personal data processing.

Besides the fact that the above rights have to be addressed in the privacy notices, the platforms should also make necessary preparation for a timely responding to the queries of users made on the above rights.

  • Consequences of non-compliance of privacy notices with the Law

The Law obliges the establishment of a Personal Data Protection Authority (Authority) for the implementation of the new regime. The Law also requires the establishment of a Personal Data Protection Board (Board) acting as the executive body, for monitoring of the compliance of data processing and transferring actions. The authority was established on October 07, 2016.

Furthermore the Board, upon complaint or ex officio, in case an alleged violation has come to be known, carries out the necessary investigation on the issues covered by its area of responsibility. The Board, in case unrecoverable or irreparable damages arise and explicit illegalities exist, may decide for the data processing or the data transfer to be ceased.

In view of the above legal environment, the platforms who fail to fulfill their obligation for providing information stipulated by Law will be charged fines from TRY 5,000 (around 1,700 USD) to TRY 100,000 (around 33,500 USD).

Moreover, in the event that a violation of principles by platforms during the course of processing data is detected and the Board renders a decision in this regard, the platforms that do not perform the decisions of the Board will be charged fines from TRY 25,000 (around 8,000 USD) to TRY 1,000,000 (around 335,000 USD).

See below the decision of the Board regarding Facebook: