E-commerce

Developments Regarding New E-Commerce Regulations in Light of the Constitutional Court's Decision

Annulment requests regarding the Additional Article 2 regulating the obligations of electronic commerce intermediary service providers and the Additional Article 4 regulating electronic commerce licenses of the Law on the Regulation of Electronic Commerce ("Law") were claimed before the Constitutional Court. However, the Constitutional Court rejected these annulment requests by discussing the request at the General Assembly on 13 July 2023. The reasoned decision of the Constitutional Court ("Decision") was published in Official Gazette No. 32317 on 22 September 2023.

In the Decision, the Constitutional Court responded to public criticism of the amendments by stating that the state may intervene in the functioning of economic life when necessary, referring to Article 167 of the Constitution.

In the Decision, the Constitutional Court indicated that the current competition law regulations are remedial in nature and that the legislators may introduce preventive regulations. Based on this assessment, the Constitutional Court found the "private label" ban, e-commerce licensing, and limitations on advertising and campaign expenditures — which are considered as preventive measures with competition concerns and are considered to have been introduced in order to ensure an effective competitive environment — to be in compliance with the Constitution.

Although there is an ongoing review by the Council of State regarding the annulment of the entire Regulation on Electronic Commerce Intermediary Service Providers and Electronic Commerce Service Providers ("Regulation") and a stay of execution decision regarding the provisions of the Regulation, the Constitutional Court's annulment decision is expected to affect the Council of State's review.

You can access the Decision here (in Turkish).

The Guidelines on Consumer Reviews Have Been Published

The Guidelines on Consumer Reviews ("Guidelines") have been published, after having been adopted as a principle decision by the Advertising Board at its meeting on 12 September 2023 numbered 337. Consumer reviews have an important place in consumers' purchasing preferences and affect their purchasing decisions.

The Guidelines mainly cover consumer reviews made on the internet regarding goods or services, offered by sellers and providers or intermediary service providers, and their ancillary agreements. The Guidelines underline that consumers must have purchased the relevant goods or services in order to create a review, and they impose various obligations on sellers, providers and intermediary service providers to ensure that these evaluations do not mislead other consumers. Accordingly, sellers, providers and intermediary service providers are required to ensure that the process of publishing consumer reviews is conducted in an objective and reasonable manner.

For detailed information on the Guidelines, you can access our legal alert here and the Guidelines here (in Turkish).

The Constitutional Court's Decision on Geographic Data Rules

With Law No. 7410 on the Amendment of the Environmental Law and Certain Laws published in the Official Gazette on 15 June 2022, significant amendments were brought to Law No. 7221 on Geographical Information Systems and Amendments to Certain Laws ("Law") and legal entities that process more than one piece of location data and operate in the e-commerce sector became obliged to apply to the Ministry of Environment, Urbanization and Climate Change ("Ministry") to obtain permits and licenses.

Through Decision No. 2023/99 ("Constitutional Court Decision") published in the Official Gazette on 4 October 2023, the Constitutional Court annulled Article 1(2) of Law stating that "The procedures, principles and contents regarding those who will be subject to the permit, the duration of the permit and the data shall be determined by the Ministry of Environment, Urbanization and Climate Change." and the annulment decision will enter into force on 4 July 2024. The Constitutional Court ruled that the relevant provision was unconstitutional, stating that "freedom of initiative," as one of the fundamental rights and freedoms, can only be restricted by law, rather than administrative action.

In this context, with the Constitutional Court Decision's entry into force, although the obligation to obtain permits and licenses will continue, the legal basis of the Ministry's secondary legislation on the procedures and principles regarding these obligations will cease.

Finally, as the procedures and principles regarding the permit and license obligations of private enterprises can currently only be set out by law, amendments to the law in this regard are expected.

You can access the Constitutional Court Decision here (in Turkish).

Protection of Personal Data

The Turkish Data Protection Authority Publishes Guidelines on Genetic Data

On 13 October 2023, the Turkish Data Protection Authority ("DPA") published the Guidelines on Matters to be Considered in the Processing of Genetic Data ("Genetic Data Guidelines") to provide guidance on the lawful processing of genetic data that carries national and strategic importance. The Genetic Data Guidelines define the term "genetic data" as "all or part of the information obtained from all DNA, RNA and Protein sequences encoded from the genome, cell nucleus or mitochondria of a living being." The Genetic Data Guidelines also state that, since it is not possible to render a person's identity unidentifiable in terms of genetic data, the data cannot be anonymized, but rather, de-identification may be an option.

In terms of the legal grounds for processing genetic data, the Genetic Data Guidelines state that, in the absence of the explicit consent of the data subject, genetic data may be processed if it is specified in the law; however, in cases where genetic data is processed for health reasons, processing must rely on legal grounds specified for the processing of health data. Therefore, it is explained that in such cases, when there is a health reason for processing and the explicit consent is absent, genetic data can only be processed by persons or authorized institutions and organizations under the obligation of confidentiality within the scope of the purposes specified in Article 6/3 of the Law on the Protection of Personal Data.

Regarding the notice requirement of data controllers, the Genetic Data Guidelines state that the requirement cannot be fulfilled with a general privacy notice in the case of processing genetic data. Accordingly, since genetic data not only concerns the data subjects themselves, but also the persons belonging to their line of descent, a detailed privacy notice shall be provided to explain the situation and its possible consequences, the reasons for genetic data processing, the consequences that the data subjects may face and the related risks in the case of cross-border transfer. Regarding explicit consent, the Genetic Data Guidelines underline that making processing genetic data mandatory in order for a person to receive a service will impair the principle that explicit consent must be freely given. In addition, the Genetic Data Guidelines emphasize that the concepts of "informed consent" and "informing" stipulated under the Regulation on Patients' Rights differ from the concepts of "explicit consent" and "privacy notice" respectively.

Finally, in addition to the measures specified in the law, regulations, communiqués, board decisions and DPA guidelines, it is also stated that data controllers who process genetic data should pay attention to the issues set out in the Decision of the Turkish Data Protection Board dated 31 January 2018 numbered 2018/10 regarding sensitive personal data. The Guidelines also list additional measures that can be taken in addition to these measures.

You can access the Guidelines published by the DPA here (in Turkish).

Other Developments

Amendment to the Regulation and Communiqué on the Registration of Devices with Electronic Identity Information

In the DigiDiary issue published last April, we reported that the Information and Communication Technologies Authority ("ICTA") published the Draft Regulation Amending the Regulation on the Registration of Devices with Electronic Identity Information and Draft Communiqué on its website for public opinion. In parallel with the published drafts, the ICTA published the Regulation Amending the Regulation on the Registration of Devices with Electronic Identity Information ("Regulation") and the Communiqué Amending the Communiqué on the Registration of Devices with Electronic Identity Information ("Communiqué") in the Official Gazette dated 12 October 2023 numbered 32337.

With the Communiqué, the time period for blacklisting devices on the blacklist because they have not received service from electronic communication networks for seven years without interruption while registered in the central mobile device identification and database system of the ICTA has been changed to "one year from the last signal received."

The Communiqué stipulates that the registration of electronic identification information of imported or manufactured devices will be made through the user account allocated for the importer or manufacturer.

You can access the Regulation here (in Turkish) and the Communiqué here (in Turkish).

World News

The ICO Published Guidance on Monitoring Employees

On 3 October 2023, the Information Commissioner's Office ("ICO") published guidance ("Guidance") on the lawful monitoring of employees by employers, indicating that employers monitor their employees in various ways, such as checking the entry and exit times of employees, inspecting work phones and e-mail accounts provided to employees, and placing audio or video recording devices in work areas.

It is important for employers to conduct lawful monitoring of their employees in order to ensure that employees' personal rights are not violated and their personal data is processed lawfully. In this context, the Guidelines set out the following points that employers should consider during the monitoring processes:

  • The nature, scope, grounds and manner of the monitoring shall be clearly and understandably communicated to employees prior to the monitoring activities.
  • The monitoring purpose's limits shall be clearly defined, and it shall be remembered that employees always have the right to be informed about the purposes for which their data is processed and monitored In addition, personal data collected as part of the monitoring shall be made available to employees if they make a "Subject Access Request" ("SAR").
  • It shall be ensured that the monitoring is proportionate and necessary and that it is conducted using the least intrusive means.
  • The monitoring shall be based on a legal ground. If monitoring involves sensitive personal data, it shall be based on one of the legal grounds specified for the processing of sensitive personal data.
  • In cases where explicit consent is required, it shall be ensured that the explicit consent consists of clear and understandable expressions that are not ambiguous.
  • The information collected as a result of the monitoring shall be kept for a period of time that is appropriate for the monitoring purposes.
  • It shall be ensured that the monitoring is transparent.
  • A Data Protection Impact Assessment shall be conducted for monitoring activities posing a high risk to the rights of employees.

In addition, the Guidance provides employers with information on how to ensure the accuracy of information collected as a result of the monitoring, how to ensure the security of the information collected, and points to consider in cases where monitoring is conducted by third parties or through third-party applications.

You can access the Guidance published by the ICO here (in English).

The Digital Services Act's Obligations Come Into Force

As we reported in the last DigiDiary issue, the Digital Services Act ("DSA") was published in the Official Journal of the European Union on 27 October 2022 and entered into force on 16 November 2022. Following the publication of the DSA, online platforms and search engines with an average monthly user base of 45 million or more in the European Union ("EU") were recognized by the European Commission ("Commission") as "Very Large Online Platforms" ("VLOPs") and "Very Large Search Engines" ("VLSEs").

Pursuant to the DSA, the obligations for VLOPs and VLSEs to (i) ensure content moderation, (ii) detect illegal content, (iii) submit risk assessments to the Commission, and (iv) provide users with the opportunity to challenge the platforms' content moderation decisions and reject recommendations made as a result of profiling, entered into force on 25 August 2023. In this regard, 19 major platforms categorized as VLSEs or VLOPs are taking various steps to comply with the obligations set out in the DSA. According to reports from publicly available sources, the following are some examples of the steps that platforms are taking and planning to take to comply with the DSA:

  • Announcing the creation of repositories to provide information on how content moderation processes are handled in order to monitor illegal content and prevent online hate speech and disinformation
  • Conducting risk assessments or independent algorithm audits to prevent cyber violence and discrimination against women, or harm to minors and send the results to the Commission
  • Blocking targeted ads/recommendations by profiling minor users
  • Expanding advertising transparency measures to ban or limit apps that target users Announcing a change to terms and conditions

Pursuant to the DSA, fines of up to 6% of the company's total worldwide annual turnover may be imposed for breaching the obligations set forth, as well as exclusion from the European Single Market. Therefore, it is important for platforms that are considered VLSEs and/or VLOPs to fulfill these obligations in order to comply with the DSA.

In addition, in order to create a more reliable online platform, small companies not falling under the definitions of a VLSE and a VLOP will also be subject to certain obligations as of 24 February 2024.

Data Governance Act Provisions Came Into Force

The provisions of the EU Data Governance Act ("DGA"), which entered into force on 23 June 2022 and aim to enable European citizens and businesses to benefit more from the potential of data and to facilitate the transfer of data between EU countries, started to be fully implemented on 24 September 2023, following the completion of a 15-month transition period.

The DGA aims to pave the way for the societal and economic benefits that can be derived from data sharing, and, therefore, aims to minimize the problems caused by both technological barriers and the lack of datasharing structures. In this context, in order to ensure lawful data sharing, the DGA imposes various obligations on data intermediary (data-sharing) service providers and data altruism organizations with respect to both personal data relating to natural persons and non-personal data. Within the scope of these obligations, data intermediary service providers and data altruism organizations are required to — but not limited to — (i) notify the competent authority in the EU country in which they intend to provide services, (ii) act impartially during the service provided, which means not using the data obtained during the provision of the service for personal purposes and interests, and (iii) act in accordance with the GDPR in cases where it is a natural person's data.

Therefore, it is important for both data intermediary service providers and data altruism organizations to act by considering the GDPR, especially in matters related to natural persons' data. In line with this, the DGA also stipulates that data altruism operations must be carried out with the consent of the data subjects.

Under the DGA, each EU member state is required to appoint a competent authority to monitor whether data intermediary service providers and data altruism organizations are acting in compliance with the DGA and to take specific actions in the case of non-compliance with the obligations. Where data intermediary service providers or data altruism organizations fail to comply with their obligations under the DGA, the competent authority will have the authority to impose deterrent financial penalties (including penalties with retroactive effect), as well as to suspend or terminate the data-sharing service, or to request the removal of a data altruism organization from the public national register.

You can access the DGA here.

Stay of Execution Request for EU-US Data Privacy Framework Agreement Rejected

In the last DigiDiary issue, we reported that the European Commission had issued an adequacy decision for the US-EU Data Privacy Framework ("Framework") and that the Framework entered into force on 10 July 2023. Within the two-month period for bringing an annulment action following the Framework's entry into force, the French MP Philippe Latombe ("Latombe") filed two separate applications seeking an annulment of the first two articles of the Framework and an interim injunction to stay the execution of the adequacy decision.

On 12 October 2023, the Court of Justice of the European Union ("CJEU") dismissed the application for an interim injunction on the grounds that Latombe had failed to prove the serious harm that he would suffer in the absence of a stay of execution of the adequacy decision, and, therefore, his application did not meet the urgency requirement.

As Latombe applied for the annulment of the first two articles of the Framework acting in the capacity of a citizen rather than a French MP, he will be required to prove that he has the legal authority to file a lawsuit. Based on publicly available reports and opinions, the CJEU is expected to reject the annulment request on procedural grounds, as the threshold for legal authority is high according to precedents.

You can access the CJEU's rejection decision dated 12 October 2023 here (in French).

Online Safety Bill Completes Final Debate in UK Parliament

The Online Safety Bill ("Bill"), which aims to create a safer online platform for children and adolescents, completed its final debate in the House of Lords and House of Commons on 19 September 2023 and is now ready to be adopted. The Bill adopts a zero-tolerance approach to child protection and includes provisions to combat online fraud and violence against women.

To achieve these goals, the Bill imposes various obligations on social media platforms. Accordingly, preventing illegal content from appearing as a priority, removing infringing content quickly, preventing children from accessing content that is inappropriate for them by applying age limits and control measures, and being more transparent by publishing risk assessments for children are some of the obligations that social media platforms must fulfill.

The Office of Communications ("Ofcom") has the power to impose fines of up to 10% of social media platforms' global annual revenues or £18 million, whichever is higher. In this context, it is known that social media platforms, while waiting for the Bill to come into force, have already started to take some steps to manage the compliance process due to the large fines, such as implementing stricter age limit policies and closing the accounts of minors.

The Bill, approved by the House of Lords and the House of Commons, is expected to gradually come into force following royal assent.

You can access the press release on Bill here and Bill here.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.