Developments on E-Commerce Law and Regulation in light of the Constitutional Court and Council of State decisions
Following the amendments to the Law on the Regulation of Electronic Commerce ("Law") in July 2022, the Regulation on Electronic Commerce Intermediary Service Providers and Electronic Commerce Service Providers ("Regulation") was published in December 2022. The Regulation repeats some of the obligations under the Law while clarifying others. You may access our legal alert dated 2 January 2023 for detailed information on the Regulation here.
After the amendments to the Law, requests for the annulment of Additional Articles 2 and 4 of the Law, which stipulate the obligations of e-commerce intermediary service providers and the e-commerce license requirement respectively, were filed before the Turkish Constitutional Court. In parallel, the Council of State evaluated a request for the annulment of the Regulation.
According to publicly available sources, on 10 May 2023, the 10th Chamber of the Council of State issued a stay of execution decision covering the majority of the provisions of the Regulation. The request for the annulment of the entire Regulation, including the suspended provisions, is expected to be decided by the 10th Chamber of the Council of State in the coming days.
The suspended provisions include the scope, definitions, removal of unlawful content, reporting obligations, the private label restriction, the license requirement, and the restrictions on transportation and courier operations. As the Council of State's decision has not been published, the full scope of the decision cannot be identified.
However, certain provisions that are suspended under the Regulation mirror the requirements that are stipulated under Additional Articles 2 and 4 of the Law.
Publicly available sources have also revealed that the Ministry of Trade has appealed the Council of State's stay of execution decision. However, there is no publicly available information on the outcome of the Ministry of Trade's appeal.
In the meantime, the request to annul Additional Articles 2 and 4 of the Law, which regulate the obligations of electronic commerce intermediary service providers and the license obligation, was evaluated by the Constitutional Court. The case numbered 2022/109 filed before the Constitutional Court was discussed at the General Assembly on 13 July 2023 and the annulment request was rejected. The Constitutional Court's full decision has not been published yet. The Constitutional Court's decision is expected to influence the Council of State's evaluation.
Commercial Electronic Message Complaint System renewed
The Ministry of Trade renewed the Commercial Electronic Message Complaint System (tr. "TISS"), which was designed for consumers to file their complaints regarding commercial electronic messages sent without their consent.
With the renewed interface and infrastructure, the system can automatically query the companies that are the subject of complaints. Moreover, the recipient's consent status and whether the intermediary service provider applies filters can be automatically checked through the Message Management System (tr. "IYS").
In light of these improvements to TISS, increased oversight of IYS compliance and of marketing communications in general is expected.
EU-US Data Privacy Framework adopted
A new framework for data transfers from the EU to the US has been long awaited since the European Court of Justice invalidated the "Privacy Shield" in July 2020 through its "Schrems II" decision.
Accordingly, on 10 July 2023, the European Commission adopted the adequacy decision for the EU-US Data Privacy Framework ("Framework"). The Framework entered into force on the same date.
Under the General Data Protection Regulation (GDPR), one of the grounds for transferring personal data from the EU to a third country is a European Commission decision determining that the recipient country ensures an adequate level of protection (a level of protection essentially equivalent to that in the EU). Hence, the adoption of the adequacy decision allows multinational companies, especially those that need to transfer their customers' data across the Atlantic, to transfer it from the EU to US organizations certified under the Framework in compliance with EU data protection rules, without relying on additional transfer tools.
The Framework seeks to introduce new safeguards to address the concerns raised by the European Court of Justice in the Schrems II decision, taking into account the points for improvement identified by the European Data Protection Board ("Board"). Compared to the Privacy Shield, the Framework includes significant improvements, such as limiting access to EU data by US public authorities, including US intelligence services, to what is necessary and proportionate to protect national security, and the establishment of a Data Protection Review Court to investigate complaints from EU residents. The Data Protection Review Court can also order the deletion of data if it finds that the data was collected in violation of the new safeguards. In addition, EU residents are provided with remedies, such as dispute resolution mechanisms and an arbitration panel.
The European Commission stated that the operation of the Framework will be subject to periodic reviews to be carried out by the European Commission together with representatives of the European data protection authorities and the competent US authorities. The first review will take place within one year after the adequacy decision enters into force, to verify that all relevant elements are fully implemented and functioning effectively in practice under US law. Finally, the Board will prepare an information note for stakeholders on the implications of the Framework in the coming weeks.
The European Commission's adequacy decision is available here.
The European Parliament adopted its position on the Artificial Intelligence Act
With a final vote on 14 June 2023, the European Parliament adopted its official position on the proposal on the Artificial Intelligence Act ("AI Act") by a majority of votes. The AI Act follows a risk-based approach, prohibiting AI applications that pose unacceptable risks and providing for a strict regime for high-risk use cases.
According to the text adopted by the European Parliament, subliminal techniques, biometric categorization using sensitive characteristics, predictive policing, facial recognition databases built by scraping images from the internet, and emotion recognition software are also included in the scope of prohibited practices. The use of emotion recognition systems in law enforcement, border management, workplaces and education is banned.
In addition, the text adopted by the Parliament defines the high-risk categories more precisely. Accordingly, the use of AI in law enforcement and in migration control is classified as high-risk. Moreover, the text introduces new requirements for fundamental rights impact assessments and environmental impact monitoring.
As the next step in the legislative process, trilogue negotiations between the EU Council of Ministers, the European Commission and the European Parliament are underway and are expected to be concluded in the fall.
The text of the AI Act adopted by the European Parliament is available here.
Provisional agreement reached on the Data Act
On 27 June 2023, the EU Council and the European Parliament reached a provisional agreement on the draft Data Act.
The Data Act is the second legislative initiative under the 2020 European Data Strategy, following the Data Governance Act adopted in 2022, with the aim of achieving the EU's strategy to be a leader in a data-driven world. While the Data Governance Act establishes processes and structures to facilitate data-sharing by companies, individuals and the public sector, the Data Act regulates who can benefit from data and under what conditions.
The Data Act sets out rules on who can access and use data generated in the EU across all economic sectors. It gives both individuals and businesses more control over the data generated by their smart objects, machines and devices, through a right to portability that allows such data to be easily copied or transferred between different services. It introduces safeguards against unlawful transfers of data by cloud service providers and aims to develop interoperability standards so that data can be reused across sectors.
The provisional agreement will now be submitted to the representatives of the member states for endorsement, after which it must be formally adopted by the EU Council and the European Parliament. The Data Act will apply 20 months after its entry into force, allowing one year to meet the design requirements for new products and five years to amend existing contracts for Internet of Things ("IoT") products.
The Council of Europe published model contractual clauses for cross-border transfers
On 27 June 2023, the Council of Europe announced the adoption of the first module of its model contractual clauses, covering data transfers between data controllers, based on the Protocol amending the Convention for the Protection of Individuals with regard to the Processing of Personal Data ("Convention 108+"). The model contractual clauses aim to provide appropriate safeguards when data is transferred to a country that is not a party to Convention 108+. The model clauses may be incorporated into a broader contract, or supplemented with other provisions or additional safeguards, provided that these do not conflict with the model clauses or applicable law and do not prejudice the human rights and fundamental freedoms recognized in Convention 108+.
European Data Protection Board published Guidelines on the Calculation of Administrative Fines
The Board has published guidelines on the calculation of administrative fines ("Guidelines") to harmonize the methodologies used by data protection authorities in Europe for calculating fines and to determine common "starting points." The Guidelines set out a five-step methodology. First, the processing operations at issue are identified, in order to apply the GDPR rule that, where the same or linked processing operations infringe several provisions, the total fine may not exceed the amount set for the gravest infringement. Second, a starting point is determined on the basis of three factors, namely (i) the classification of the infringement according to its nature, (ii) the seriousness of the infringement, and (iii) the turnover of the undertaking. Third, aggravating and mitigating circumstances relating to the past or present conduct of the controller or processor are assessed to increase or decrease the amount. Fourth, the legal maximum amounts applicable to the relevant infringements are identified. Finally, the resulting amount is reviewed to ensure that it meets the requirements of effectiveness, dissuasiveness and proportionality.
The Guidelines are available here.
Zalando challenges their "Very Large Online Platform" status under the Digital Services Act
The Digital Services Act ("DSA"), which was published in the Official Journal of the EU on 27 October 2022 and entered into force on 16 November 2022, aims to foster innovation and competition while providing users with a safe and transparent online environment. Online platforms and search engines with 45 million or more average monthly active users in the EU are designated by the European Commission as "Very Large Online Platforms" ("VLOP") and "Very Large Online Search Engines" ("VLSE") under the DSA. To address the systemic risks these services pose to individuals and to the market, the DSA imposes additional obligations on VLOPs/VLSEs, applicable as of 25 August 2023. These include obligations on systemic risk assessment and mitigation and on crisis response, independent external audits and an internal compliance function, offering users a recommender system option that is not based on profiling, providing data access to vetted researchers and competent authorities, and adherence to codes of conduct.
On 27 June 2023, Zalando, founded in Berlin in 2008 and currently operating as an online fashion platform in 25 countries, announced that it had filed an action before the Court of Justice of the EU to challenge its designation as a VLOP by the European Commission. Zalando stated that it operates a hybrid business model: 64% of its monthly active users interact with its retail segment, in which Zalando sells products itself, and Zalando argues that the DSA's platform provisions do not apply to such retail services. The second part of the business model, the "partner model," consists of sales of products to users by third parties, and only 36% of Zalando's monthly active users interact with it. On this basis, Zalando argues that the European Commission has disregarded its hybrid model and that the number of monthly active users relevant to the DSA threshold is only 31 million, below the 45 million threshold.
The proceedings against the European Commission are expected to be concluded within two years by the General Court of the Court of Justice of the EU. Zalando remains subject to the VLOP obligations under the DSA in the meantime.
You may access the announcement published by Zalando on its website here.
Enforcement of the California Privacy Rights Act postponed to 2024
The California Consumer Privacy Act of 2018 ("CCPA"), which gives California residents control over their personal data and aims to make data processing transparent, was amended and strengthened by the California Privacy Rights Act of 2020 ("CPRA"), approved by voters in November 2020. Pursuant to the Sacramento County Superior Court's decision of 30 June 2023 on a complaint filed by the California Chamber of Commerce, enforcement of the regulations issued under the CPRA was postponed from 1 July 2023 to 29 March 2024.
Unlike the CCPA, the CPRA designates certain data, such as government identification numbers, financial account data or genetic data, as "sensitive personal information" and strengthens the protection granted to consumers through new rights. The CPRA also established the California Privacy Protection Agency ("Agency") as a supervisory body and increased the obligations imposed on businesses, including implementing reasonable technical and administrative security measures against data breaches, the principle of data minimization, and submitting risk assessments and cybersecurity audits to the Agency. Finally, the 30-day cure period previously available to businesses following a notice of violation of the CCPA has been abolished by the CPRA.
You may access the text of the CPRA amendments here.
Washington signed "My Health My Data Act"
The US Supreme Court's decision in "Dobbs v. Jackson Women's Health Organization," issued in June 2022 and considered a turning point in the US, ruled that the US Constitution does not recognize a right to abortion and that abortion may be regulated by the individual states. The decision, which overruled Roe v. Wade, reignited the abortion debate in the US.
On 27 April 2023, the state of Washington signed the "My Health My Data Act" ("MHMD") into law to fill the gap created by the overruling of Roe v. Wade and to ensure the protection of health-related data. The MHMD also provides additional data protection safeguards that go beyond abortion concerns.
The Act was introduced to address the risk that states that have passed anti-abortion laws could track their residents' movements in other states by collecting health and location data through mobile apps, and that state prosecutors could request such user data from technology companies.
Accordingly, the MHMD specifically addresses data that falls outside the scope of the Health Insurance Portability and Accountability Act ("HIPAA"), such as data collected by fitness apps and period trackers, browsing history and GPS location information. In this regard, the MHMD interprets the term "consumer health data" broadly: even data that apps do not treat as health data, such as browsing history or location information, is considered consumer health data to the extent it is linked to an individual's health.
Accordingly, to protect GPS location data that can be linked to a health service, the MHMD prohibits implementing a geofence around any entity that provides in-person healthcare services in Washington where the geofence is used to identify or track consumers seeking healthcare or to collect their consumer health data. Moreover, the MHMD requires consumers' explicit consent for the collection, sharing or sale of their consumer health data, and guarantees their rights to access the collected data and to request its deletion.
The MHMD provides for both monetary penalties and a private right of action against violators of health data privacy under the existing provisions of the Washington Consumer Protection Act.
The MHMD, which mirrors some of the protections recognized in the GDPR, is significant as the first law of its kind in the US.
The MHMD provisions will enter into force on 31 March 2024, but small businesses will have an additional extension of three months from that date. The geofencing prohibition, however, entered into force as of 23 July 2023.
EU agreed on common position regarding the Cyber Resilience Act
On 2 December 2020, the EU Council of Ministers stated that products directly or indirectly connected to other devices should be subject to a horizontal EU regulation on cybersecurity, harmonized across member states, before they are placed on the market. Accordingly, on 15 September 2022, the European Commission adopted a proposal for a regulation on horizontal cybersecurity requirements for products with digital elements, amending EU Regulation 2019/1020 (the "Cyber Resilience Act" or "Proposal"). On 19 July 2023, the EU Council of Ministers announced that the member states had agreed on a common position regarding the Proposal.
The Proposal, motivated by the goal of a secure digital single market, aims to cover products with digital elements, including IoT products, with certain exceptions, by addressing the shortcomings of the current rules and setting mandatory essential cybersecurity requirements that such products must meet before they are placed on the market. It also aims to enable customers to make more informed choices and to access more secure products, thereby making both market entry processes and the digital environment better protected.
The EU Council of Ministers retained the core provisions of the Proposal, such as the manufacturer's responsibility for ensuring that the product meets the requirements, the vulnerability handling processes that the manufacturer must follow, improved transparency for customers on product security, and market surveillance. However, the EU Council of Ministers also introduced amendments concerning the scope of the regulation, the reporting obligations for actively exploited vulnerabilities and incidents, the factors that the manufacturer must take into account when determining the expected product lifetime and the corresponding support period, and support measures for small and micro enterprises.
The Proposal, which is expected to complement the EU's other cybersecurity regulations, will next be subject to further negotiations between the EU Council of Ministers, the European Commission and the European Parliament.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.