You may find the legislative changes concerning the Turkish startup ecosystem in the third quarter of 2024 below.
- Significant Amendments to the Communiqué on Principles Regarding Venture Capital Investment Funds
The Communiqué (III-52.4.c) ("Amending Communiqué") Amending the Communiqué on Principles Regarding Venture Capital Investment Funds (III-52.4) ("Communiqué") entered into force upon its publication in the Official Gazette dated 21.09.2024. The Amending Communiqué introduced significant amendments regarding venture capital investment funds ("VCIF").
The Amending Communiqué replaces the investor information form with a fund issuance agreement. The fund issuance agreement will be concluded individually or collectively between the fund and the holders of participation shares and will contain the minimum elements listed in the fourth annex of the Communiqué. A fund issuance agreement shall be signed prior to the sale of participation shares to qualified investors. However, this obligation will not be required if the participation shares are purchased from the stock exchange. A copy of the fund issuance agreement will be sent to the portfolio custodian. A copy of the agreement will be made available on the Public Disclosure Platform page of the fund, and if the agreement is amended, the revised agreement will be announced through Public Disclosure Platform and sent to the portfolio custodian.
Prior to the Amending Communiqué, VCIFs could not be established as umbrella funds or basket funds. Pursuant to the Amending Communiqué, it is now possible for the VCIFs to issue funds under an umbrella fund by issuing a separate issuance document for each issuance of participation shares. In this case, all assets and liabilities of each fund will be separate from each other. Other requirements for the issuance of an umbrella fund or a basket fund are regulated in the Amending Communiqué.
Pursuant to the Communiqué, VCIFs could invest in venture capital companies established or to be established in Türkiye, or established abroad as of the date of investment, but at least 80% of the assets of which consisted of subsidiaries or affiliates established in Türkiye according to the latest annual financial statements. This ratio was reduced from %80 to 51% for companies established abroad.
The Communiqué already regulated convertible notes under the provision that VCIFs may invest in venture capital companies in the form of structured financing as a mix of debt and equity financing. The Amending Communiqué explicitly regulates that investments made through agreements that grant or will grant the right to become a shareholder in venture capital companies in the future will be considered as venture capital investments. Nevertheless, in order for this amendment to have an impact, convertible notes should be regulated as they can be used legally in the light of regulations such as the prohibition of the company's acquisition of its own shares, thin capitalisation, usury offence, and unauthorised loan utilisation.
- Crypto Assets Regulated
Crypto assets have been regulated with the amendment introduced to the Capital Markets Law on 02.07.2024. Amending law defined wallet, crypto asset, crypto asset service provider, crypto asset custody service and crypto asset trading platform and regulated the basic principles regarding crypto assets. The Capital Markets Board ("CMB") announced on the same day on its website the information and documents requested from service providers that already continue their activities and service providers that will commence their activities for the first time.
Pursuant to the new regulation, service providers are required to obtain authorisation from the CMB in order to be established and launch their operations. Service providers are not subject to the provisions of the Capital Markets Law which do not specifically refer to them. Service providers are obliged to make the necessary arrangements, take the necessary measures and establish the necessary internal control units and systems in accordance with the criteria to be determined by TÜBİTAK in order to manage their systems securely.
The principles regarding the trading, initial sale or distribution, exchange, transfer and storage of crypto assets through the platforms will be determined by the CMB. Contracts between service providers and clients may be concluded in writing, by way of a distant contract, or by methods that allow verification of customer identity through a communication device that the CMB determines to be a substitute the written form. The CMB will regulate the principles regarding the content and execution of these contracts. Provisions limiting the contractual liability of service providers shall be void. Platforms are required to provide mechanisms to effectively resolve client objections and complaints. Platforms are required to provide a written listing procedure for determination and termination of trading of crypto assets to be traded or for initial sale or distribution of crypto assets. The CMB, in consultation with TÜBİTAK or other relevant institutions, will regulate the principles in this regard. Platforms are responsible for the free formation of prices, the detection and prevention of market abuse, and taking necessary measures.
Crypto assets shall be stored in the clients' own wallets. Custody services for crypto assets that clients do not prefer to store in their own wallets shall be provided by banks or other institutions authorised by the CMB to provide crypto asset custody services, and cash belonging to clients shall be stored by banks. Clients' crypto assets and cash shall be stored and recorded separately from the assets of the service provider and cannot be seized due to the debts of the service provider under any circumstances.
In the event that a platform resident abroad opens a place of business in Türkiye, creates a website in Turkish, and engages in promotional and marketing activities, such platforms will be deemed to be operating for Turkish residents and these activities will be subject to the authorisation of the CMB.
Changes in the shareholding structure of service providers will also be subject to the authorisation of the CMB. The qualifications required to be fulfilled by the shareholders, managers and those who have control over service providers are also stipulated.
With the amendment, the responsibilities of service providers and their managers and the sanctions to be applied in case of breach of these responsibilities have also been regulated. These amendments have entered into force through its publication in the Official Gazette dated 02.07.2024. Service providers were obliged to apply to the CMB until 02.08.2024 for an operating licence if they will continue their operations, or to declare that they will take a liquidation decision within three months if they will not continue their activities.
The CMB regulated the conditions for the establishment of crypto asset platforms with the Decision dated 08.08.2024. Accordingly, in order for the CMB to authorise the establishment of a platform, (i) it must be established as a joint stock company, (ii) all of its shares must be registered shares, (iii) its shares must be issued against cash, (iv) its minimum capital of TRY 50,000,000 must be fully paid in cash and its shareholders' equity must not be less than this amount, (v) its articles of association must comply with the provisions of the Capital Markets Law and the relevant regulations, (vi) its founders must meet the conditions specified in the Capital Markets Law and the relevant regulations, (vii) its trade name must include the phrase "crypto asset trading platform" to indicate the services it will offer, (viii) its articles of association stipulates that its field of activity is exclusively limited to one or more of crypto asset trading, initial sale or distribution, clearing, settlement, transfer and custody services required by these activities, (ix) its board of directors must consist of at least three members, (x) its shareholding structure must be transparent and open. With the Decision dated 08.08.2024, the CMB also regulated the requirements for founders, shareholders and managers. Companies operating as per the announcement dated 02.07.2024 are required to comply with this Decision until 08.11.2024.
The CMB regulated the listing of crypto assets and the advertising activities of platforms due to the different practices in receiving and storing customer cash and receiving customer orders via social media with the Decision dated 19.09.2024. Pursuant to the Decision dated 19.09.2024, customer cash shall be stored by banks, recorded and monitored separately from the assets of the service provider, and cash transfers shall be made through banks or authorised institutions. Customer orders shall only be received through the platforms' website, mobile application and registered phones, which are notified to the CMB. Platforms shall not offer a guarantee commitment against absolute return or loss, and shall not provide benefits to customers who bring in other customers to the platform. In addition, platforms will not carry out transactions in the form of loans, credits or leveraged transactions. Non-fungible tokens (NFT) and crypto assets used to create or provide various elements in virtual games will not be under the listing principles; however, platforms will notify the CMB if they process these assets.
- The European Union Adopted First Artificial Intelligence Regulation
The European Parliament adopted the EU Artifical Intelligence Act ("AI Act") on 13.03.2024. The AI Act introduced the first legal framework to regulate the artificial intelligence. The AI Act aims to improve the functioning of the internal market and promote the uptake of human-centric and trustworthy AI, while ensuring a high level of protection of health, safety, fundamental rights, including democracy, the rule of law and environmental protection, against the harmful effects of AI systems in the EU and supporting innovation.
The AI Act adopts a risk-based approach which defines four levels of risk for AI systems. AI systems are categorized based on their potential risks to fundamental rights, safety, and societal values. Accordingly, the AI Act classifies AI systems into four risk categories: unacceptable risk, high-risk, limited risk, and minimal risk, each subject to varying levels of regulatory requirements. AI systems posing unacceptable risk, such as those designed to manipulate human behaviour or exploit vulnerable groups, are prohibited. AI systems posing high risks (e.g., in healthcare, transportation, law enforcement) are subject to strict requirements, including mandatory risk assessments, high-quality datasets, transparency, and human oversight. AI systems with limited risk do not fall into the high-risk or unacceptable risk categories but still require specific regulatory measures, including ensuring that end-users are aware that they are interacting with AI. Minimal risk systems do not pose significant risks to individuals' rights or safety; therefore, they require only a few measures.
On the other hand, AI systems using a general-purpose AI model ("GPAI") are also regulated. GPAI systems display significant generality and are can competently perform a wide range of distinct tasks. GPAI system providers shall prepare technical documentation and information for downstream providers, establish a policy to comply with copyright rules, and publish a summary of the content used for training.
The AI Act applies to providers and deployers offering services in the EU, irrespective of whether those providers are established within the EU. Additionally, it also applies to providers and deployers of AI systems that are located in a third country, if the output produced by the AI system is used within the EU. Therefore, in case the persons or market of the EU are involved, the relevant AI system (including those are provided or exported by Turkish undertakings) will be subject to the AI Act.
The AI Act entered into force 20 days after its publication in the Official Journal of the EU. Unacceptable AI systems will be prohibited after 6 months from the effective date. Obligations and governance rules for GPAI systems will be applicable after 12 months from the effective date. Obligations for high-risk AI systems, as outlined in specific cases listed in the AI Act, will come into effect 24 months after the effective date.
- The Artificial Intelligence Law Proposal Submitted to the Grand National Assembly
The Artificial Intelligence Law Proposal ("Proposal"), which aims to regulate artificial intelligence for the first time in Türkiye, was submitted to the Grand National Assembly of Türkiye on 24.06.2024. The Proposal aims to ensure the safe, ethical and fair use of artificial intelligence technologies; to ensure that personal data protection and privacy rights are not violated; and to establish a regulatory framework for the development and use of artificial intelligence systems.
Although the Proposal is substantially in line with the AI Act, it may face criticism for not clearly defining its basic principles, rules, compliance measures, and the institutions responsible for enforcing sanctions in cases of non-compliance. Nevertheless, the Proposal is still of importance as it marks the first legislative efforts in this field.
- Action Plan on National Artificial Intelligence Strategy Announced
The "National Artificial Intelligence Strategy 2021-2025" was prepared in cooperation with the Digital Transformation Office of the Presidency of the Republic of Türkiye and the Ministry of Industry and Technology and published in August 2021. Due to the recent developments in the world, especially the EU AI Act, which is also mentioned above, the National Artificial Intelligence Strategy had to be updated as the "National Artificial Intelligence Strategy 2024-2025 Action Plan" ("Action Plan").
The Action Plan aims to train artificial intelligence experts and increase employment in this field, support research, entrepreneurship and innovation, expand access to quality data and technical infrastructure, implement regulations to accelerate socioeconomic integration, strengthen international collaborations, and expedite structural and labour transition. In line with these objectives, the Action Plan assigns various public institutions responsibilities such as preparing supportive programs to encourage the use of AI products, preparing guidelines on intellectual property rights for AI products, conducting standardization studies for the patentability of AI products, issuing regulations that align with international norms for the development and market introduction of AI systems, preparing a legal analysis guideline for AI applications, and preparing an impact analysis guideline regarding AI values and principles.
- Procedures and Principles regarding the Transfer of Personal Data Abroad Regulated
Pursuant to the Law No. 7499 published in the Official Gazette dated 12.03.2024, important amendments were introduced to the Personal Data Protection Law ("PDPL") regarding the processing of special categories of personal data and the transfer of personal data abroad. The amendments regarding the transfer of personal data abroad entered into force on 01.09.2024.1
The Personal Data Protection Authority ("Authority") had prepared a draft regulation in order to regulate the procedures and principles regarding the transfer of personal data abroad and opened the draft for public opinion and assessment. The draft regulation, largely unchanged, has entered into force through its publication in the Official Gazette dated 10.07.2024 by the Authority under the title of Regulation on the Procedures and Principles Regarding the Transfer of Personal Data Abroad ("Regulation").
In parallel with the PDPL, pursuant to the Regulation, transferring personal data abroad is permitted without explicit consent, provided that one of the conditions for processing general data or special categories of personal data is met, and one of the additional conditions gradually explained below is fulfilled.
(i) Firstly, it is required that the Personal Data Protection Board ("Board") has issued an adequacy decision on the third country, international organisation, or a specified sector within that third country. The Board will take into account criteria such as reciprocity, rules and protection mechanisms in the place of transfer, and international conventions when making an adequacy decision. Adequacy decisions shall be reviewed at least every four years. In case the Board deems necessary, it may determine a shorter review period, or it may review the adequacy decision at any time, regardless of this period, and may amend, suspend or repeal the decision without retro-active effect. Adequacy decisions and the decisions to amend, suspend or repeal the adequacy decisions shall be published in the Official Gazette and on the website of the Authority.
(ii) In the absence of an adequacy decision made by the Board, it is required that the controller or processor should provide appropriate safeguards such as agreements that are not international conventions, binding corporate rules, standard data protection clauses, commitment, etc., provided that enforceable data subject rights and effective legal remedies for data subjects are available in the country where the personal data are to be transferred.
- Appropriate safeguard can be provided by concluding an agreement, which is not an international convention, between public institutions and organisations or professional organisations with the status of public institution in Türkiye and public institutions and organisations or international organisations in a foreign country. The agreement shall include the provisions that aims to protect personal data, which are listed in the Regulation. The agreement and related information and documents require Board's approval, after which data transfer may commence.
- Appropriate safeguard can also be provided by employed binding corporate rules aiming to protect personal data, which the companies within the group of enterprises engaged in joint economic activity are obliged to comply with. The binding corporate rules require Board's approval. Application forms for binding corporate rules for data controllers and data processors were published on the website of the Authority on 10.07.2024. The application form contains a commitment that the binding corporate rules are legally binding and enforceable for the parties and their employees, that the rights of the data subject can be exercised where the data are to be transferred, the structure of the group of undertakings, the safeguards and details of the data flow.
- Appropriate safeguard can also be provided by signing standard contractual clauses containing data categories, purposes of data transfer, the recipient and recipient groups, technical and administrative measures to be taken by the data recipient, additional measures taken for special categories of personal data. The standard contractual clauses to be used in data transfers between data controllers and data processors were published on the website of the Authority on 10.07.2024. These contracts shall be signed without any changes and the Authority shall be notified of the signature of the contract. Unlike the other methods, signing the standard contractual clauses and notifying the Board is sufficient to provide appropriate safeguard for data transfer. However, in case the clauses are amended, the Board will assume the amended contractual clauses as the commitment detailed below and will review it for approval.
In addition, the obligation to notify the Authority of standard contractual clauses regulated in the PDPL has been extended by the Regulation. Pursuant to the PDPL, parties shall notify the Authority of standard contractual clauses within five days, whereas the Regulation stipulates that any changes in the parties or the content of the clauses or the termination of the standard contractual clauses must also be notified to the Authority. This amendment may face criticism as the Regulation expands the scope of an obligation that imposes an administrative fine stipulated by the PDPL.
- Lastly, appropriate safeguard can be provided by employing a commitment to be signed between the parties of the data transfer. The commitment shall include the provisions aiming to protect the personal data, which are listed in the Regulation. The commitment requires Board's approval, after which data transfer may commence.
(iii) Finally, in the absence of an adequacy decision, or of appropriate safeguards, transfer may be made on an incidental basis. Incidental transfer may take place only if the transfers are not regular, occur once or a few times, are not repetitive and are not in the ordinary course of business. However, it should be noted that this provision permits transfers to be made under certain compulsory conditions listed in the PDPL, such as the informed explicit consent of the data subject, performance of the contract, superior public interest.
- Amendment to Taxation of Employee Share Options
Law No. 7524 on the Amendment of Tax Laws, Certain Laws and Decree Law No. 375 published in the Official Gazette dated 02.08.2024 ("Amending Law") introduced significant regulations regarding the taxation of shares acquired through employee share option plans.
Pursuant to the Income Tax Law, shares acquired through employee share option plans are among the pecuniary benefits which are granted to the employee in return for services. Therefore, if shares are acquired through employee share option plans, income tax is accrued on the fair value of the shares.
Pursuant to the Amending Law, it is regulated that if technology startups grant shares to their employees free of charge or at a discount, income tax will not be accrued for the portion of the fair value of the shares that does not exceed the amount of one year's gross salary in the relevant year. However, the Amending Law also regulated that the employer may have to pay the uncollected income tax in some cases.
The exempted income tax will be collected together with the default interest from the employer (i) at the rate of 100% if the employee disposes of the shares within three years, (ii) at the rate of 75% if the employee disposes of the shares within four to six years, (iii) at the rate of 25% if the employee disposes of the shares withing seven to twelve years.
This regulation introduced by the Amending Law does not provide a practical benefit in terms of exempting the shares acquired through employee share option plans from income tax. In fact, the portion of the fair value of the shares acquired through the employee share option plan that exceeds the employee's gross salary for one year will continue to be subject to income tax.
Considering that one of the main reasons for the employee share option plan is to reduce the cost of employment, it is clear that the portion exempted from income tax, which corresponds to one year's gross salary, may be insignificant compared to the total fair value of the shares granted through the share option plan. In addition, it is also problematic that if the employee does not retain his/her shares for a long period of time, the uncollected income tax will be collected from the employer together with the default interest. In short, the said regulation is criticised as it does not foresee any practical change that encourages the issuance of employee share option plans.
The said regulation entered into force on 02.08.2024.
Footnote
1. Further details regarding the aforementioned amendment can be found here.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.