1. Overview of Cookies

Cookies first appeared in 1994 as part of the Netscape Navigator web browser. The first cookie application, invented by Netscape developer Lou Montulli, helped the browser tell whether a user had visited a particular website before. In 1995, Montulli applied for a patent for this technology, and that same year it was adopted in version 2 of Internet Explorer.

In technical terms, a cookie is a small computer file that contains data relating to the different websites the user visits online. Cookies can be accessed by web browsers or by the owner of the individual website. The Information Commissioner's Office, the United Kingdom's independent body set up to uphold information rights, defines a cookie as a small text file that is downloaded onto 'terminal equipment' (e.g., a computer or smartphone) when the user accesses a website. In addition, pursuant to the General Data Protection Regulation ("GDPR"), website cookies are defined as small text files that websites place on your device as you are browsing.

A cookie's main purpose is to hold data that the website recognizes as useful, and then to use that data to fill in the blanks automatically each time you visit the website. The aim of a cookie is to provide a quicker browsing experience for web users.

We will look at the regulations in Turkish legislation regarding the processing of personal data via cookies, as well as European Union and United Kingdom regulations, with examples from decisions of the relevant data protection authorities.

2. Regulations on Cookies in Turkish Legislation

There is currently no specific regulation regarding cookies under Turkish legislation, and the term is yet to be defined. However, it can be said that cookies are subject to the Electronic Communications Law numbered 5809 ("ECL") and the Personal Data Protection Law numbered 6698 and its secondary legislation ("PDPL"), because cookies may collect personal data such as a user's name, age, gender, location, email, IP address, online shopping details and website preferences.

2.1. Cookies within the scope of PDPL

Although there is no specific regulation regarding cookies, since personal data is processed with cookies, it falls within the scope of the PDPL. In this context, on 20 June 2022 the Guide on Cookie Applications ("Guide") was published by the Personal Data Protection Authority (the "Authority") on the official website of the Authority.

The Guide makes recommendations on how data controllers using cookie technologies can bring their practices into compliance with the PDPL. Cookie usage scenarios that do not require explicit consent are also mentioned in the Guide, and the aim of the Guide is to simplify the path data controllers should follow regarding cookie systems, with examples that will help reduce unlawful practices.

Within the scope of the Guide, cookies are defined as a type of text file placed on the user's device by website operators. Cookies are also defined as small rich-text-format files that allow some information about users to be stored on users' terminal devices when a website is visited.

In the Guide, data controllers are advised to consider the following criteria when processing personal data through cookies.

  • Criterion A: The use of the cookie is solely for the purpose of providing communication over the electronic communication network.
  • Criterion B: The use of the cookie is strictly necessary for information society services that the subscriber or user explicitly requests to receive.

According to the Guide, in cases that do not meet one of the criteria mentioned above, and where there is no other legal ground under the PDPL that may be relied on when using the cookie, the explicit consent of the data subject is required. However, where any other legal ground listed in Articles 5 and/or 6 of the PDPL applies to the use of cookies, the explicit consent of the data subject will not be required. It should be added that the explicit consent mentioned here means that an individual is clearly presented with an option to agree or disagree with the collection, use, or disclosure of personal data and clearly indicates their choice.

Also, where data processing carried out through cookies relies on the legal ground of "mandatory data processing for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject", as stipulated under Article 5 paragraph 2 (f) of the PDPL, a balance test must be carried out in light of Criteria A and B, and the existence of a legitimate interest must be evaluated. The Personal Data Protection Board ("Board") decision dated 25.03.2019 and numbered 2019/78 specifies in detail the conditions on which the balance test should rely. According to the decision, the balance test is performed by comparing the fundamental rights and freedoms of the individual with the legitimate interests of the data controller, and requires that:

  • the fundamental rights and freedoms of the data subject are at a competitive level with the benefit to be obtained as a result of processing personal data;
  • processing personal data is necessary in order to achieve the said benefit;
  • the legitimate interest is already present, specific and clear;
  • a benefit is provided, and it is not possible for this benefit to emerge in any other way or method without processing personal data, where the legitimate interest obtained can compete with the fundamental rights and freedoms of the data subject;
  • in determining the legitimate interest, the said benefit does not affect a large number of people, is not aimed at making profit or providing economic benefit, and is based on transparent and accountable criteria such as facilitating business processes or functioning, with personal data kept lawfully in a data recording system for a limited purpose;
  • all kinds of technical and administrative measures are taken to prevent damage and violations, and compliance with the general principles on the processing of personal data is ensured.

In the Guide, it is emphasized that explicit consent should be obtained through a specific and active affirmative action. The fact that the data subject accesses a website may not be regarded as the data subject giving explicit consent to the processing of personal data through cookies. It is also necessary to specify the purpose of the cookie, the duration of the cookie determined in accordance with that purpose, and whether the cookie is first or third party. Explicit consent given in respect of cookies must also be revocable. In the Guide, the Authority states that obtaining consent at frequent intervals may cause "consent fatigue" and may injure the free will of the data subject. It is underlined that placing cookie walls, which prevent users from viewing the content of the website and require explicit consent for access to the website, will injure free will, since explicit consent is made a prerequisite for the service. In other words, making any matter, including the provision of services to the data subject, conditional on the explicit consent of the data subject will invalidate the consent. As can be seen in the Board decisions dated 08/07/2019, numbered 2019/206 and dated 20/04/2021, numbered 2021/389, making the provision of a product or service to data subjects conditional on explicit consent violates the rule that consent must be expressed with free will, and in this case invalidates the explicit consent.

Another important issue is the use of third-party cookies. Where third-party cookies are used, it is stated that both the website owner and the third party shall be responsible for clearly informing the data subject and obtaining explicit consent in accordance with the PDPL. However, because it is more difficult for third parties to establish a connection with the data subject than it is for the website owner, the Authority suggests that rules on the obligation to inform and on obtaining consent be added to the agreements made between third parties and website owners.

The provisions of Article 10 of the PDPL and the Communique on Principles and Procedures to Be Followed in the Fulfillment of the Obligation to Inform shall be taken into account when fulfilling the obligation to inform within the scope of the Guide. In this context, in every case where personal data is obtained, the obligation to inform must be fulfilled by the data controller at the latest when the data is obtained, and the burden of proving fulfillment of the said obligation rests with the data controller. It is stated in the Guide that the obligation to inform and the obligation to obtain explicit consent, where necessary, must be fulfilled separately. In order to start processing personal data during the website visit, a privacy notice must be presented at the stage of entering the website, regardless of the legal ground. It is also mentioned that where information regarding the processing of personal data is not provided upon access to the website, a violation of the obligation to inform may arise. It is recommended that the name of the cookie, its purpose and duration of use, and whether it is a first or third party cookie be included clearly in the privacy notice and the explicit consent text. Apart from the above, it is stated that where websites operating in Turkey transfer data abroad through cookies by means of companies located abroad, these activities should comply with the provisions of the PDPL on the transfer of personal data abroad. Article 9 of the PDPL states that cross-border data transfers are forbidden unless the data owner explicitly consents to such transfers. Article 9/2 provides an exception to this rule and allows cross-border data transfers without the data owner's explicit consent where the circumstances set forth in Articles 5/2 and 6/3 apply and either (i) sufficient protection is provided in the foreign country to which the data is to be transferred, or (ii) where sufficient protection is not provided, the data controllers in Turkey and in the related foreign country guarantee sufficient protection in writing and the Board has authorized the transfer.

With the Guide, the Authority not only informed data controllers about cookie practices, but also drew attention to the importance of processing data in accordance with the PDPL. The scenarios provided in the Guide and the steps to be taken under the legislation are set out in detail, with the aim of preventing a current and widespread activity from being carried out unlawfully.

Apart from the Guide, the first decision of the Board regarding cookies was the Amazon Decision dated 27.02.2020 and numbered 2020/173 ("Amazon Decision"). The fact that the Amazon Decision is also mentioned in the Guide has once again shown the importance of this decision. One of the most important results of the Amazon Decision is the acceptance by the Board that the data controller may rely on legal grounds stipulated under the PDPL, instead of obtaining consent when processing personal data via cookies.

In addition, it is stated that since it is not certain whether a person who visits the website for the first time will enter into a contractual relationship with the data controller or will give explicit consent, explicit consent to the processing of personal data cannot be deemed given simply by entering the website. At this point, some existing practices are of importance. Today, the request for explicit consent to cookies appears as a pop-up when accessing most websites, and the user gives explicit consent to the processing of personal data via cookies in the form of an opt-in. The opt-in systems mentioned here are systems that allow the user to give consent through a conscious affirmative action. However, some websites use systems that process the user's personal data through cookies as soon as the user accesses the website, and the processing ends only when the user withdraws consent for the cookies to process their personal data; such systems are called opt-outs. Explicit consent to the processing of personal data through cookies should be obtained with opt-in systems.

Another issue addressed within the scope of the Amazon Decision is the processing of personal data as a prerequisite for the service. In other words, if the user does not accept the use of cookies when accessing a website, stating that no product or service will be offered means that the service is made subject to explicit consent. In this case, the Board states that since this would injure the explicit consent, it would violate the principles of compliance with the law and the rules of honesty, and of being bound, limited and proportional to the purpose of processing, under Article 4 of the PDPL. As a result, explicit consent should not be a prerequisite for service.

The other decision of the Board regarding cookies is the decision dated 10.03.2022 and numbered 2022/229 ("Decision"). As mentioned above, the Amazon Decision established that, for the processing of personal data via cookies, the data controller may rely on a legal ground other than explicit consent. The Decision concludes that it is not necessary to obtain the explicit consent of the data subject, and that personal data processing can be carried out on the legal grounds stipulated under Article 5 paragraph 2 or Article 6 paragraph 3 of the PDPL, for mandatory cookies that are used for the proper functioning of the website. However, it is stated that the use of cookies for advertising, marketing and performance purposes is subject to the explicit consent of the data subject.

Apart from this, it is mentioned in the Decision that the Cookie Policy on the website should comply with the Communique on Principles and Procedures to Be Followed in the Fulfillment of the Obligation to Inform.

Finally, as in the Amazon Decision, it is once again pointed out that opt-in systems should be used, so that cookies operate only following the voluntary, active action of the data subject.

2.2. Relationship Between Electronic Communications Law Numbered 5809 and PDPL

The Guide also addresses the relationship between the Electronic Communications Law No. 5809 ("ECL") and the PDPL. Because paragraph 3 of Article 51 of the ECL only partially corresponds to Article 5 of EU Directive 2002/58/EC, it is evaluated that the ECL may find a limited area of application for data controllers that are operators regarding cookies. Apart from this, it is stated that the PDPL applies to the processing of personal data through cookies, and that the Amazon Decision can be taken into account in respect of information society services that are not specifically regulated by the ECL.

Within the scope of paragraph 3 of Article 51 of the ECL, only companies that provide electronic communication services and/or provide electronic communication networks and operate their infrastructure fall to be assessed under the ECL; other data controllers are not included in this scope. For this reason, with the phrase "providing communication", it is accepted that only data controllers with operator status can process data through cookies without explicit consent under Criterion A, in accordance with paragraph 3 of Article 51 of the ECL.

3. Regulations on Cookies in European Union

The General Data Protection Regulation ("GDPR") governs the processing of personal data in the European Union ("EU"). In the GDPR, cookies are mentioned only once, in Recital 30. The Recital states that natural persons may be associated with cookies and that this may identify them. In other words, cookies are used to identify users, qualify as personal data and are therefore subject to the GDPR. Data controllers do have a right to process their users' data as long as they receive consent or have a legitimate interest. Generally, GDPR cookie compliance is achieved on websites through cookie banners that allow users to select and accept certain cookies for activation.

Besides the GDPR, cookies are regulated by Directive 2009/136/EC, which came into force in May 2011, amended Directive 2002/58/EC and concerns the processing of personal data and the protection of privacy in the electronic communications sector. It is usually referred to as the "e-Privacy Directive". It should be noted that an e-Privacy Regulation, which is to replace the existing e-Privacy Directive of 2002, aims to regulate the conditions under which service providers may process electronic communications data or have access to data stored on end-users' devices. The e-Privacy Regulation was supposed to be passed in 2018, at the same time as the GDPR came into force. In the EU, a directive must be incorporated into national law by EU countries, making it more flexible, while a regulation becomes legally active and binding for all EU countries automatically on the date it comes into force. However, the EU did not pass the e-Privacy Regulation in 2018. Since the e-Privacy Directive is a directive and not a regulation, each EU member state implements it through its own national legislation, and it is enforced by each EU member state's data protection authority according to national law. In fact, the e-Privacy Directive is meant to apply to every type of technology that can be used to store and process user information. However, because cookies are currently the most common technology for storing user information on personal devices, it is mainly referred to as the cookie directive.

The e-Privacy Directive applies to all countries within the EU, as well as to websites that are owned by EU companies and international websites that cater to EU citizens. The e-Privacy Directive covers the processing of personal data and the protection of privacy, including provisions on the security of networks and services, the confidentiality of communication, access to stored data, processing of traffic and location data, calling line identification, public subscriber directories and unsolicited commercial communications (spam).

According to Article 5 paragraph 3 of the e-Privacy Directive, the end-user must give his or her consent, having been provided with clear and comprehensive information, in accordance with Directive 95/46/EC, inter alia, about the purposes of the processing. An exception follows this provision, allowing the storage of or access to electronic communications data for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service.[1]

The e-Privacy Directive requires website owners to:

  • refrain from placing trackers and cookies on users' browsers until users have given their consent;
  • ask users for consent to all trackers and cookies on the website;
  • give users detailed information about all trackers and cookies on the website;
  • give users the ability to withdraw or opt out of consent as easily as they can opt in.

The e-Privacy Directive only imposes these requirements on website owners for non-essential cookies, such as advertising cookies and social media cookies. The requirements do not apply to essential cookies. Essential cookies are cookies that are necessary to provide an online service and that are used solely to facilitate or carry out the transmission of communications over a network. Beyond these requirements, the e-Privacy Directive leaves penalties to be decided by national governments.

To give some brief examples of how EU law on cookies is applied, we set out a number of decisions below.

In a decision dated October 17th, 2019, the Spanish Data Protection Authority[2] fined the company Vueling 30,000 euros for its cookie policy. The Authority decided that there must have been a way for the user to configure the cookies accepted (e.g., through a management system or cookie configuration panel), but Vueling did not provide users with any useful method for doing so.

Vueling stated that users could revoke the consent given for the use of cookies at any time, but there was only one way to do so: adjusting the browser settings to prevent the installation of cookies, by websites or third parties in general. However, the company should have provided a way to "configure cookie preferences in a granular or selective form", since adjusting browser settings is insufficient to comply with the Spanish Law on Information Society Services and Electronic Commerce.

As can be seen from this decision of the Authority, being able to accept or reject cookies is not enough in itself; there must also be a way, provided by the data processor, to configure cookie preferences.

In another example, on October 1st, 2019, the Court of Justice of the European Union[3] decided that a pre-ticked check box on a website for the acceptance of cookies does not constitute valid consent, as the user must deselect the box to refuse consent. Since consent must be specific and freely given, a pre-ticked check box cannot lead to the conclusion that the user validly consented to the storage of cookies.

The Court, in its interpretation of EU law, noted that EU law aims to protect the user from any interference with his or her private life, in particular from the risk that hidden identifiers and other similar devices enter the user's terminal equipment without their knowledge, regardless of whether the data concerned is personal data.

The Court also notes that consent must be specific, so that the fact that a user selects a button to participate in a promotional lottery is not sufficient for it to be concluded that the user validly consented to the storage of cookies.

According to EU law, the information that the service provider must give to a user includes the duration of the operation of the cookies and whether third parties may have access to those cookies.

Lastly, the French Council of State confirmed the jurisdiction of the Commission Nationale de l'Informatique et des Libertés ("CNIL") to impose sanctions regarding cookies outside the one-stop-shop mechanism. In the decision dated December 7th, 2020, the CNIL imposed an administrative fine of 150 million euros on Google Ireland Limited and an administrative fine of 60 million euros on Facebook Ireland Limited. In its decision, the CNIL found three violations of Article 82 of the French Data Protection Act, which transposes the e-Privacy Directive. The violations mentioned in the decision were the placing of cookies without obtaining the user's prior consent, the lack of information given to the user, and the partial failure of the mechanism enabling users to refuse cookies.[4]

4. Regulations on Cookies in United Kingdom

In the United Kingdom ("UK"), the Privacy and Electronic Communications Regulations ("PECR") cover the use of cookies and similar technologies for storing information, and accessing information stored, on a user's equipment such as a computer or mobile device. PECR sits alongside the Data Protection Act 2018 ("DPA") and the UK GDPR, and provides specific rules on privacy and electronic communications. Most of the DPA's provisions about cookies are similar to those in the GDPR and the e-Privacy Directive. The UK GDPR classes cookie identifiers as a type of online identifier, meaning that in certain circumstances they will be personal data. While PECR does not refer to cookies by name, within the meaning deduced from Article 6, website owners must say what cookies will be set, explain what the cookies will do, and obtain consent to store cookies on devices. Also, like the e-Privacy Directive, PECR has two exemptions from the cookie rule: the first applies if the cookie is used for the sole purpose of carrying out the transmission of a communication over an electronic communications network, and the second applies if the cookie is strictly necessary for the provision of an information society service requested by the subscriber or user. It must also be mentioned that if cookies require consent under PECR, the website owner cannot rely on one of the alternative legal bases from the UK GDPR to set them. That is why a website owner in the UK must look to PECR first and comply with its specific rules before considering any of the general rules in the UK GDPR.

However, the UK government is currently considering withdrawing the requirement for consent to cookies from UK law. This change is mainly being considered because many users do not engage with privacy information and controls, and simply accept the terms or the use of cookies because they want to access the website. The government has presented two concrete proposals for reform to make the consent rules less restrictive. Under the first proposal, organisations would be able to use analytics cookies and similar technologies without the user's consent. A second option the government is considering is to allow the use of cookies without consent for other limited purposes, such as the legitimate interests of the data controller.

5. Conclusion

In conclusion, we consider that the cookie regulations are similar to each other and that the Guide has been prepared in line with both EU and UK regulations. Under all of these regulations, explicit consent is not required for mandatory cookies. However, for non-essential cookies, the explicit consent of the data subject must be obtained. Moreover, the consent of the user is not required if the cookie is strictly necessary for the provision of an information society service requested by the subscriber or user, or if the cookie is used for the sole purpose of carrying out the transmission of a communication over an electronic communications network. These regulations, which share a common denominator, ensure that companies and data controllers do not have difficulty complying with more than one set of legislation, and so facilitate their commercial activities. Currently, most sites cater to people from all over the world, so this common denominator is very beneficial.

Footnotes

1. E-Privacy Report: Lessons Learned from the European Experience & Reflections for e-Privacy Laws in Turkey, September 2020 https://itlaw.bilgi.edu.tr/media/2020/9/23/FINAL_2020BILGI_ITLAW_Final_Copy%20of%20Working%20Doc%20e-Privacy%20Report%20and%20Lessons%20Learned%20for%20the%20Turkish%20Privacy%20%26%20Data%20Protection%20and%20e-Privacy%20Law.pdf

2. https://edpb.europa.eu/news/national-news/2019/spanish-data-protection-authority-fined-company-vueling-cookie-policy-used_en

3. https://curia.europa.eu/jcms/upload/docs/application/pdf/2019-10/cp190125en.pdf

4. https://www.conseil-etat.fr/actualites/cookies-publicitaires-google-definitivement-condamne-a-payer-100-millions-d-euros
