Definition of social network provider
A social network provider is defined as "natural or legal persons that provide opportunities for users to create, view or share textual, visual, audio, or location data, etc. for social interaction." The broad definition and thus, interpretation of social interaction might result in a wide range of companies being considered social network providers. The new rules impose data localization requirements that depend on whether companies fall under the scope of the social network provider definition.
While the definition has been under discussion and found controversial, ICTA issued a decision regulating the rules on social network providers and narrowed the definition's scope by stating exemptions. Platforms such as e-commerce sites, online newspapers, personal websites providing content related to social interaction as a peripheral service, and internet broadcasts that include social interaction in a particular part are excluded from the requirements.
Data localization requirement
Under Law No. 5651, domestic or foreign social network providers that have more than 1 million daily access to their services from Turkey, are obligated to store user data within the country. ICTA’s secondary regulation indicates that social network providers must prioritize storing users' basic information and the information required by ICTA within Turkey, and the measures must be reported in every six months. The requirement covers all citizens that live in Turkey and excludes citizens, including Turkish nationals, that live abroad.
To apply the localization requirement, the entity must be considered a social network provider and must have 1 million daily access to their services in Turkey. The ambiguous definition of social network provider was addressed with the secondary regulation; however, the measuring unit and method for the 1 million daily access was not clarified. Further, it is still unclear if the localization requirement in terms of user data is an only-storage requirement or if storing a copy of the data (local storage) is sufficient. The data retention period was not stated either, but privacy rules must always be taken into account in terms of storage.
Cross border transfer
There is no restriction imposed under Law No. 5651 in terms of cross border transfer of user data, but privacy laws must be considered in terms of personal data transfers.
Sanctions
Law No. 5651 already set forth hefty administrative fines and severe measures in case of non-compliance with appointing a local representative, notification, reporting, and content removal obligations for social network providers. However, despite the requirement for the social network providers to store the users' data within Turkey, no explicit penalty was provided for a possible violation or noncompliance specific to this requirement. The lack of a penalty for not storing the users' data inside Turkey questions the enforceability of the localization requirement and makes practitioners think that it is an intended gap that leaves room for social network providers and the authority to negotiate if need be. In the meantime, the administrative fine of TRY 10 million for not complying with the reporting requirement. Thus, the administrative fine of TRY 10 million might also be evaluated in case of a breach of the localization requirement.
The rationale behind the new rules are mostly regulating social media content and enforcing social network providers to remove illegal content effectively. In most cases, Turkish authorities claim that it is hard to find a correspondent from giant known social network providers, or in some cases, they do not comply with legal requirements; thus, these newly introduced rules aim to create an effective content removal process for public bodies and prosecutors.
The the new rules aim to regulate social media content and enforce social network providers to remove illegal content. In most cases, Turkish authorities claim that it is hard to find a correspondent from well-known social network providers, or in some cases, they do not comply with legal requirements.
However, data localization (in terms of user data) is the most controversial requirement, and social network providers find it very difficult to comply as they all have global servers and storage systems. Further Law No. 5651 does not either provide detailed provisions on what type of user data must be stored in Turkey, or what are the responsibilities of a representative to be appointed in Turkey and if user data is not stored in Turkey, can the official bodies/prosecutor ask for user data from the representative? If the representative cannot provide access to the data, can they be liable personally or not?
Most practitioners tend to think that the localization requirement is a wishful provision of Law 5651, however, it is also known that the administrative powers of ICTA are extensive, and in case of noncompliance, it may interpret the rules widely.
Conclusion
The localization rules under Law No. 5651, although the enforceability of which is in question, might create a heavy burden on social network providers. ICTA’s secondary regulation did not answer the the localization requirement questions; thus, global social network providers may tend to refrain from applying the localization requirement or not comply with the law entirely.
Article provided by: Begüm Yavuzdoğan Okumuş (Gün+Partners, Turkey)
Discover more about INPLP, the INPLP-Members and the GDPR-FINE database
Dr. Tobias Höllwarth (Managing Director INPLP)