Turkey: Cooperation Between The Turkish Competition Authority And The Personal Data Protection Authority

Competition law and data protection law are both regarded as essential parts of digital markets and the digital economy. Although they are two separate disciplines, these disciplines have started to overlap, especially when it comes to digital markets where the economic value of data has started to be discussed in conjunction with the concept of big data. Indeed, in digital markets, data not only serves as data, but also is considered as a factor that ensures market power and/or dominant position. Especially after the Facebook decision by the German Competition Authority, the relationship between competition and data protection authorities and whether they can interfere with each other's jurisdiction has started to be discussed worldwide. With the recently announced cooperation protocol between the Turkish Competition Authority and the Personal Data Protection Authority, it has become a matter of curiosity whether this debate can be resolved more easily in the Turkish practice. In this respect, the protocol, which strengthens the co-operation between the two institutions under Turkish law was published.

The Process that Started in Europe with the Facebook Decision

The Facebook decision dated February 6, 2019 issued by the German Federal Competition Authority "Bundeskartellamt" was an important launch point of the jurisdictional debate between competition and data protection authorities. In the decision, the terms of service applied to users by Facebook, which was determined to be in a dominant position in social networks, were discussed and certain restrictions on the processing of user data were stipulated. Previously, Facebook users were able to use the platform if they agreed the terms of service stipulating that Facebook may collect data including Facebook.com, but also through outside of the website and smartphone applications, including websites and applications owned by Facebook and the possibility of combining data collected by third parties and smartphones and transferring it to the user's Facebook account. In this respect, third parties were able to collect data by using Facebook's WhatsApp, Oculus, Masquerade and Instagram business services and third-party websites and applications. However, Facebook's actions in question were deemed incompatible with both the principles of personal data protection and competition rules. The most important and most controversial aspect of the infringement decision issued by the German Federal Competition Authority was that the German Federal Competition Authority considered itself authorised to decide on Facebook's breach of data protection rules in addition to competition infringements, and that the decision included assessments regarding the European Union General Data Protection Regulation ("GDPR").

A legal action was filed before the Higher Regional Court of Düsseldorf against the decision of the German Federal Competition Authority, which prevented Facebook from processing combined user data on its platform without the consent of users. In that case, the Higher Regional Court of Düsseldorf sought the opinion of the Court of Justice of the European Union ("CJEU") on how particular provisions of the GDPR should be interpreted and whether national competition authorities are entitled to apply the GDPR when investigating competition law infringements. In its decision dated 4 July 2023, the CJEU ruled that national competition authorities may apply the GDPR in their examinations of alleged abuse of dominant position. However, the CJEU also underlined that competition authorities may only use their competences to determine infringements of competition law, not to take over the duties of data protection authorities, and that they must cooperate with other authorities in the exercise of these duties.

A similar Facebook (now Meta) investigation was initiated in Türkiye and the Competition Board examined similar issues under Turkish competition law. The Board decided that Facebook had distorted competition by combining the data collected from Facebook, Instagram and WhatsApp services, which are referred to as core services, making it difficult for its competitors operating in the personalised social networking services and online display advertising markets and creating barriers to entry to the market. Similarly, the Board included assessments regarding the personal data protection legislation in its decision.

Protocol Signed Between The Authorities

Although the process that started with the Facebook decisions has raised questions between the jurisdictions of competition and data protection authorities, both the CJEU decision and the cooperation efforts of national authorities aim to facilitate the clarification of these grey areas. Accordingly, it was announced that a Cooperation and Information Sharing Protocol ("Protocol") was signed between the Turkish Competition Authority and the Personal Data Protection Authority on October 26, 2023. In the joint announcement made by both authorities, it was stated that with the Protocol in question, the two authorities will cooperate on the following issues:

The announcement also stated that the Protocol and other efforts aim to establish effective competition in the market and to strengthen the control of consumers over their personal data.

Although global discussions continue in the areas where competition law and personal data protection law overlap, it is seen that the foundations of cooperation between the two authorities have been laid in Türkiye and it is aimed to work together by strengthening the communication between the institutions instead of embracing a conflict.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.