As economies navigate the digital transformation tide, data has emerged as a cornerstone of economic dynamism. The surge in personal data processing carried out by big data technologies evokes considerable concerns surrounding effective competition and personal data protection. A delicate equilibrium between personal data protection and data privacy, and data-driven economic activity is thus imperative. The ensuing relationship impacting the execution of both competition and data protection laws necessitates synergies between relevant regulatory authorities.
The existing collaboration channel between the Turkish Personal Data Protection Authority (the "DPA") and the TCA established through a cooperation protocol signed on 12 April 20191, fortified further through a recent cooperation and information-sharing protocol inked on 26 October 2023.2 Such reinstated cooperation is pivotal in harmonizing the protection of personal data with the datacentric economy.
Data Protection Dimensions in Data
The Turkish Personal Data Protection Law No. 6698 ("Law No. 6698" or the "DPL"), enacted in 2016, predominantly mirrors the EU Directive 95/46/EC, the precursor to Regulation (EU) 2016/679 (General Data Protection Regulation) (the "GDPR"), overseen by the DPA. It delineates principles pertaining to accountability, transparency in personal data processing, transfer, and obliteration, besides outlining data subjects' rights. While the DPL largely echoes European data protection lexicon, distinctions from the GDPR do exist. Critical data protection tenets intersecting with competition law include:
- General Principles of Data Processing and Information Obligation: The DPL mandates lawful, fair personal data processing for specific, explicit, and legitimate objectives. It necessitates transparent communication to data subjects regarding the nature and aims of data processing activities, ensuring no overstepping beyond initial collection intents. As such, personal data should not be processed for any reasons other than its initial collection purposes and/or in a manner beyond information that should have been provided to the data subjects.
- Explicit Consent: The DPL allows personal data processing with explicit consent, or under specific legal exemptions. Valid consent must be freely granted, well-informed, and specific to certain data processing activities, devoid of any coercion or perceived negative repercussions. The consent should not be conditional upon any advantage, including the provision of goods or services, as described by the DPA in its WhatsApp decision.3 Otherwise, such consent would considered as void and the relevant data processing activities that have been performed based on such consent would be deemed illegal.
- Right to Data Portability: The right to data portability under the GDPR allows data subjects to retrieve, reuse, and transfer their data seamlessly and securely between different IT environments. This right increases the control of data subjects over their personal data and is considered as an important competitive tool as it allows users to simultaneously use multiple online service providers and easily switch among them. Although the DPL doesn't encapsulate data portability rights, the inclusion of such a right seems inevitable given competitive digital market dynamics. In fact, as per the Medium Term Programme of the Turkish Government4, new concepts in line with the GDPR are expected to be introduced in the DPL as part of the European Union harmonisation process.
Competition Law Facets Concerning DataDriven Practices
There are several intersections between data protection law and competition law, most importantly both aim to enhance consumer welfare. However, when it comes to data-driven economies, user data or competitively sensitive data which may include such as amalgamated user data or big data and governed by competition law, may transcend personal data boundaries.
Abuse of dominance is the main aspect of competition law where data-based considerations come to play. Dominant entities restricting data accessibility, portability, interoperability, and engaging in data combination practices are typical manifestations of exclusionary abuse of dominance, aimed at barricading competitor entry by monopolizing data as a precious input. The Board's approach to data combining is best illustrated in the Meta (previously Facebook) and Trendyol decisions. In the Meta decision, the Board ruled that Meta abused its dominant position in the markets for social network services for personal purposes, consumer communication services and online display advertising by combining user data collected from Facebook, Instagram and WhatsApp, resulting in the exclusion of its competitors from the market.5 Previously, the Board had ruled that DSM Grup Danışmanlık İletişim ve Satış Ticaret A.Ş. (owner of Trendyol, a leading B2C online marketplace) abused its dominant position by using data gathered from third-party sellers to self-preference its own retail offering.6 Regarding data portability, the Board ruled that Sahibinden.com (a leading Turkish online classified advertisement platform) abused its dominant position by restricting advertisers on its website from using multiple platforms simultaneously by preventing data transfers to rival platforms.7 Similarly, the Board held that NadirKitap (an online platform for the sale of second hand books) abused its dominant position by refusing to allow its users from transferring their data to rival platforms.8
Breach of data protection or privacy norms can manifest as exploitative abuse, where end-users may relinquish more data for subpar products or services. In this sense, data privacy can be considered as a quality metric for products/ services and lack of privacy would imply a decrease in quality in such product/service. While the Board considered the exploitative aspect of Meta's practices, the question of whether such practices led to an abuse of dominance was ultimately left open.9 In that case, Meta was combining data from multiple platforms based on the explicit consent of users that was conditional upon the provision of Meta's services, thereby rendering the consent invalid under personal data protection rules as explained in the first section of in this essay.
The recent cooperation and information-sharing protocol between the DPA and the TCA heralds a closer collaborative chapter, expected to facilitate extensive information exchange, especially during sector-specific reviews and investigations. This collaboration should notably augment the DPA's investigation and enforcement prowess, drawing from the TCA's extensive investigative experience. The outlined aspects and considerations are anticipated to be focal points in these authorities' assessments, reflecting a concerted effort to foster a competitive, data-protected digital economy landscape.
1. See https://www.rekabet.gov.tr/tr/Haber/rekabet-kurumu-ile-kisiselverileri-koru-cdcd250e245de91180f400505694b4c6. (last accessed 3 November 2023)
2. See https://www.rekabet.gov.tr/tr/Guncel/kisisel-verileri-korumakurumu-ile-rekab-6df0abc2d373ee118ec700505685da39. (last accessed 3 November 2023)
3. DPA's WhatsApp Decision dated 3 October 2021 and numbered 2021/891.
4. See Medium Term Programme (2024-2026) published by the Presidency of Strategy and Budget on 6 September 2023, available at https://www.sbb.gov.tr/wp-content/uploads/2023/09/Orta-Vadeli-Program_2024-2026.pdf. (last accessed 3 November 2023)
5. Board's Meta Decision dated 20 October 2022 and numbered 22- 48/706-299.
6. Board's Trendyol Decision dated 30 September 2021 and numbered 21-46/669-334.
7. Board's Sahibinden.com Decision dated 17 August 2023 and numbered 23-39/754-263.
8. Board's NadirKitap Decision dated 7 April 2022 and numbered 22- 16/273-122.
9. Board's Meta Decision.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.