New Era Regarding the Transfer of Personal Data Abroad
Assoc. Prof. Dr Hüseyin Can Aksoy
Bilkent University Faculty of Law - The Dickson Poon School of Law - King's College London Visiting Research Fellow; hcaksoy@bilkent.edu.tr
Introduction
After the Law No. 6698 on the Protection of Personal Data entered into force in 2016, there have been significant changes in European Union data protection law, notably the adoption of the General Data Protection Regulation. However, the Law was criticised for not incorporating these changes and not keeping pace with the requirements of the age. Last March, some of the most criticised and problematic articles of the Law were amended. In particular, the regime regarding the transfer of personal data abroad was renewed by taking into account the European Union regulations.
Following the amendments to the Law, the ‘Regulation on the Procedures and Principles Regarding the Transfer of Personal Data Abroad’ was published in the Official Gazette dated 10 July 2024. Simultaneously, the Personal Data Protection Board published standard contract texts to be used in the transfer of personal data abroad, binding corporate rules application forms and auxiliary guidelines on the basic issues to be included in binding corporate rules. It also announced that English versions of these texts would be made available in the future.
These new regulations on the transfer of personal data abroad entered into force on 1 September 2024. Contrary to what has been the usual practice so far, the new regulation makes transfer based on explicit consent an exception and introduces new mechanisms and a tiered system for transfers abroad: (1) transfer based on an adequacy decision; (2) transfer based on appropriate safeguards; and (3) incidental transfer.
But have all the questions on practitioners' minds been answered?
I. What has not changed: Adequacy Decision, Undertaking, Binding Corporate Rules
Although the Law introduced a new regime regarding the transfer of personal data abroad, some of the procedures and principles of the previous period were preserved. In this framework,
- In the new period, as in the past, data controllers and data processors will be able to transfer personal data abroad if there is an adequacy decision issued by the Board. However, an important innovation in this regard is that the Board will be able to issue an adequacy decision on the basis of sectors or international organisations within the country in addition to the country-based assessment as in the past. For example, in the new period, the Board will be able to make an adequacy decision on the German automotive sector.
- Another method preserved for transfers abroad is the letter of undertaking. In this framework, personal data may be transferred abroad provided that the Board authorises the transfer in the presence of a written undertaking containing provisions to ensure adequate protection.
- Data transfer within the framework of binding corporate rules continues to be in accordance with the law as in the past. However, with the new regulation, transfers through binding corporate rules can be made not only between group companies, but also from a data controller that is resident in Turkey and not a member of the group to a group of companies that will act as a data processor.
So, can we expect a large number of territorial adequacy decisions or the approval of undertakings or binding corporate rules in the new period? In my opinion, the answer to this question is no, because the amendments do not bring any change in the conditions observed by the Board for the issuance of adequacy decisions, nor do they introduce any innovation that will facilitate the approval of letters of undertaking or binding corporate rules. However, in the medium term, we can expect the issuance of adequacy decisions in some sectors. For this to happen, sector representatives will need to engage in intensive co-operation at the international level and convince the Board.
II. The most important change: Transfer Based on Standard Contracts
Where there is no adequacy decision, a transfer abroad requires that one of the conditions specified in Articles 5 and 6 of the Law is present and that the relevant person has the opportunity to exercise his/her rights and apply for effective legal remedies in the country where the transfer will be made. In addition, the parties must provide one of the appropriate safeguards listed in the Law: an agreement that is not an international contract; binding corporate rules; standard contracts; and undertakings.
Among the appropriate safeguards, the one that will be used most in practice for personal data transfer abroad will undoubtedly be standard contracts. On July 10, 2024, the Board announced standard contracts suitable for different types of transfers, namely from the data controller to the data controller, from the data controller to the data processor, from the data processor to the data controller and from the data processor to the data processor. Parties who sign these contracts without making any changes to their content, except for the annexes that need to be filled in, do not need to obtain permission from the Board for the transfer. Although standard contracts are not subject to the Board's approval, the data controller or data processor must notify the Institution within five business days of signing the contracts. Let us underline that the Board has the authority to audit whether these texts are used without modification and whether they are signed by authorized persons.
While the transfer parties can specify in the standard contract who will fulfill the notification obligation, if no such specification is made, the standard contract must be notified to the Institution by the data transferor. The Law foresees administrative fines for those who fail to fulfill the notification obligation, and one of the innovations introduced is the regulation that this administrative fine will be applied to the data controller or data processor.
III. Incidental Transfers: Transfer Based on Explicit Consent
In the absence of an adequacy decision regarding the transfer of personal data abroad, and if none of the appropriate safeguards mentioned above can be provided, the last option is incidental data transfer. Article 16 of the Regulation defines incidental transfer as follows: “Transfers that are not regular, occur once or a few times, do not have continuity, and are not included in the normal course of the activity are incidental.” Under this definition, an incidental transfer can take place once or several times, as long as the activity in question is not one that the data transferor regularly performs within the normal course of its activity.
The law lists the situations in which personal data can be transferred abroad incidentally, and the explicit consent of the relevant person is one of these situations. Therefore, it will no longer be possible for continuous data transfers to be made with the explicit consent of the relevant persons. In addition, for an incidental transfer based on explicit consent to be made, the relevant person must be informed about the possible risks before their explicit consent is obtained. Let us underline that this information must be about the risks of the transfer and is different from the obligation to inform in the Law.
Conclusion and Evaluation
The amendments made to the Personal Data Protection Law, which introduced a new regime for the transfer of personal data abroad, entered into force as of September 1, 2024. Although the Regulation clarifies many issues, there are still many questions in the minds of practitioners. In particular, the situations where cloud computing technologies are used and how the legality of subsequent transfers will be ensured in practice are among the important questions. The Board's approach will shape the answers to these questions.