Turkish Data Localization Rules in Effect for Social Media Companies


On Oct. 1, 2020, amendments to the Regulation of Internet Broadcasts and Prevention of Crimes Committed through Such Broadcasts (Law No. 5651), also known as the Social Media Law in Turkey, entered into force. The amendments define the term "social network provider," oblige them to appoint a local representative, set out procedures for content removal, request reports every six months, and require user data to be stored within Turkey. On Oct. 2, the Information and Communication Technologies Authority, Turkey’s telecommunications regulatory authority, published guidance or secondary regulation clarifying the amendments applicable to social network providers.

Definition of 'social network provider'

A social network provider is defined as "natural or legal persons that provide opportunities for users to create, view or share textual, visual, audio, or location data, etc. for social interaction." The broad definition and thus, interpretation of social interaction, might result in a wide range of companies being considered social network providers. The new rules impose data localization requirements that depend on whether companies fall under the scope of the social network provider definition.

While the definition has been under discussion and found controversial, ICTA issued a decision regulating the rules on social network providers and narrowed the definition's scope by stating exemptions. Platforms, such as e-commerce sites, online newspapers, personal websites providing content related to social interaction as a peripheral service, and internet broadcasts that include social interaction in a particular part, are excluded from the requirements.

Data localization requirement

Under Law No. 5651, domestic or foreign social network providers that have more than to their services from Turkey are obligated to store user data within the country. ICTA’s secondary regulation indicates that social network providers must prioritize storing users' basic information and the information required by ICTA within Turkey, and the measures must be reported every six months. The requirement covers all citizens who live in Turkey and excludes citizens, including Turkish nationals, that live abroad.

To apply the localization requirement, the entity must be considered a social network provider and have 1 million daily access to its services in Turkey. The ambiguous definition of social network provider was addressed with the secondary regulation; however, the measuring unit and method for the 1 million daily access were not clarified. Further, it is still unclear if the localization requirement in terms of user data is an only-storage requirement or if storing a copy of the data (local storage) is sufficient. The data retention period was not stated either, but privacy rules must always be taken into account in terms of storage.

Cross-border transfer

There is no restriction imposed under Law No. 5651 in terms of cross border transfer of user data, but privacy laws must be considered in terms of personal data transfers.

Sanctions

Law No. 5651 already set forth hefty administrative fines and severe measures in case of noncompliance with appointing a local representative, notification, reporting and content removal obligations for social network providers. However, despite the requirement for the social network providers to store the users' data within Turkey, no explicit penalty was provided for a possible violation or noncompliance specific to this requirement. The lack of a penalty for not storing the users' data inside Turkey questions the enforceability of the localization requirement and makes practitioners think it is an intended gap that leaves room for social network providers and the authority to negotiate if need be. In the meantime, the administrative fine is TRY 10 million for not complying with the reporting requirement. Thus, the administrative fine of TRY 10 million might also be evaluated in case of a breach of the localization requirement.

The rationale behind new rules are mostly regulating social media content and enforcing social network providers to remove illegal content effectively. In most cases, Turkish authorities claim it is hard to find a correspondent from giant known social network providers or, in some cases, they do not comply with legal requirements; thus, these newly introduced rules aim to create an effective content removal process for public bodies and prosecutors.

However, data localization in terms of user data is the most controversial requirement, and social network providers find it very difficult to comply as they all have global servers and storage systems. Further, Law No. 5651 does not either provide detailed provisions on what type of user data must be stored in Turkey or what are the responsibilities of a representative to be appointed in Turkey, and if user data is not stored in Turkey, can the official bodies/prosecutor ask for user data from the representative? If the representative cannot provide access to the data, can they be liable personally or not?

Most practitioners tend to think that the localization requirement is a wishful provision of Law 5651; however, it is also known the administrative powers of ICTA are extensive, and in case of noncompliance, it may interpret the rules widely.

Conclusion

The localization rules under Law No. 5651, although the enforceability of which is in question, might create a heavy burden on social network providers. ICTA’s secondary regulation did not answer the localization requirement questions; thus, global social network providers may tend to refrain from applying the localization requirement or not comply with the law entirely.

Photo by Katka Pavlickova on Unsplash

First published by IAPP - Privacy Tracker, in 14.10.2020

Find more insights

Share