
Examining Turkish law on data protection

Eren Can Ersoy, Kılınç Law & Consulting

One of the biggest government data breaches in history took place in 2016 when the personal data of 50 million Turkish citizens was posted online in a single file. This politically motivated hack exposed two-thirds of the Turkish population to the risk of identity fraud, by publishing their names, addresses, dates of birth and national identity numbers. Ironically, the news of this major data breach broke just as Turkey’s first comprehensive data protection law was being launched, in April 2016. The 2016 Law on the Protection of Personal Data was based largely on EU data protection law - as a candidate state for EU membership, Turkey keeps much of its legal system in alignment with EU law.

Turkey is also keen to attract foreign direct investment, especially in the communications and technology sectors, and so an advanced and robust data protection regime is vital. In our increasingly online world, even companies without any physical presence in Turkey may be subject to Turkish data protection law and may have to register there if their activities have an effect in Turkey. Turkey’s data protection laws allow for administrative fines of up to 3% of a company’s net annual sales to be levied if personal data is stolen, or disclosed without consent. This provides a strong incentive for companies to keep data secure. While Turkish data protection law shares many essential features with Europe’s data protection regime, it is also different in a number of important respects. Turkey’s 1982 constitution conferred a right of privacy, but this was drafted well before the advent of the Internet. Turkey’s 2016 Law on the Protection of Personal Data was the first comprehensive Turkish law to establish standard practices and procedures for handling personal data in the Internet age. However, Turkish data protection law goes beyond fines and civil penalties, and criminal charges can be brought in respect of data breaches.

Breached data

Nowadays, we often see news stories about data breaches, which are becoming more commonplace as hackers and fraudsters target major companies and government entities. We also see how such major breaches can have an effect on millions of people across multiple jurisdictions. How does Turkish law protect people from data breaches? The 2016 Protection of Personal Data law represented a good start in the battle to protect private information in Turkey. Personal data refers to the data of natural persons, and not that of companies or other legal persons.

Computer Fraud & Security, September 2019

Turkish data protection law is largely based on Directive 95/46/EC. It applies to both sensitive and non-sensitive personal information. Sensitive data is defined in Turkish law as including data relating to a subject’s race, ethnicity, religion, appearance, political views, union membership, health, sexual life and criminal convictions. Unlike the EU’s General Data Protection Regulation (GDPR), however, in Turkey “explicit consent” is required to process both sensitive and non-sensitive data. The exceptions to this general rule include where there is a legal obligation on a data processor to process the data, and where such processing is necessary to protect the life of the subject. Further processing is not allowed without specific consent, and there is no “compatible purpose” exception in Turkish law. The definitions of consent differ in Turkish law and under GDPR.

While registration with an authority is not mandatory under GDPR, a mandatory registration system for data processors is currently being rolled out in Turkey. Since 1 Oct 2018, certain data processors have been required to register with Turkey’s Data Controller Registry Information System, VERBIS. These include Turkish resident data processors employing more than 50 employees or whose annual turnover is over 25m Turkish Lira (TRY) – or those who process certain specified categories of data. Data processors resident outside Turkey whose activities have an effect in Turkey also have to register and will have until 30 September 2019 to do so. The VERBIS registry is scheduled to be completed by October 2019.

Secure environment

The new system aims to create a more transparent and secure environment as regards data protection in Turkey. Data controllers based outside of Turkey must appoint and register a data protection representative within Turkey. The representative must be either a Turkish citizen who is resident in Turkey or a Turkish company. The representative must liaise with the Turkish Data Protection Authority (DPA) on behalf of the data controller. Failure to appoint and register could mean a fine of TRY1m (£125,000 at current exchange rates).

The appointed representatives will accept and send official correspondence between the Turkish Data Protection Authority and the data controller based outside Turkey. Representatives will also facilitate the delivery of any applications by data subjects to the data controller, and will similarly facilitate the delivery of data controllers’ responses. Data controllers are also obliged to prepare a data retention and destruction policy, and a data processing inventory. Overseas data controllers must also be aware of Turkish data protection law more broadly. For example, data processors have general obligations that include ensuring that data is processed lawfully, for a specific and legitimate purpose, that it’s accurate and up to date and only kept as long as is necessary. Data subjects must be informed of the purpose for which their data will be processed, to whom the data could be transferred and the subject’s rights in relation to the data.

Legal obligation

Turkey’s Personal Data Protection Board was created in 2017. This government body ensures that companies providing electronic communication services inform the Data Protection Authority if there is a data breach, or a risk to the security of a network and personal data held within it. There is a legal obligation on processors to report a data breach to the Data Protection Authority and to notify the affected subject as soon as possible. There is no specific timeframe specified, but a company was fined for delaying by ten months before notifying the authority. The Data Protection Authority can make a data breach public knowledge, if necessary. Personal data should not be transferred outside Turkey without the consent of the data subject, except in strictly limited circumstances. Where the “interests of Turkey or the data subject will be seriously harmed” by a transfer of data outside Turkey, the approval of the Personal Data Protection Board is required.

As with GDPR, data subjects in Turkey must generally opt in before they are sent commercial communications by electronic means. Every such communication must also provide a simple way to opt out. A significant exception to these general rules in Turkish law is that commercial traders and merchants may be sent commercial communications without their consent having first been obtained.

Criminal offence

The penalties for data breaches in Turkey are not limited to fines. The criminal code allows for possible imprisonment for data breaches. Those illegally collecting personal data can be imprisoned for one to three years. This penalty rises if the data illegally collected is sensitive. Those who collect, illegally publish or transfer personal data may be imprisoned for two to four years. Penalties can be increased by half if offences are committed by public officials abusing their authority, or to secure a professional advantage. Even failing to delete data lawfully collected after the retention period expires can be punished by one to two years’ imprisonment. Once the VERBIS register of data processors is fully established, it will make the regulator’s task simpler and so enforcement actions are likely to increase.

Although the Turkish data protection regime is largely based on EU law, it does have several distinct provisions that businesses operating in Turkey need to navigate carefully – not least since data breaches can result in criminal liability in Turkey.

About the author

Eren Can Ersoy is an associate at Turkish law firm Kılınç Law and Consulting and has experience across a range of commercial and corporate legal practices. He has expertise in advising joint stock and limited liability companies including company establishment, branch opening, general assemblies, capital increase, capital reduction, board of directors’ resolutions, internal directives, mergers & acquisitions, liquidation and other transactions. He also advises companies on general corporate and business law matters and assists companies in the coordination and implementation of multijurisdictional restructuring and joint venture transactions.

Just about managing: dealing with the threats to industrial systems

Ilan Barda, Radiflow

Although studies and surveys from analyst firms Gartner and IDC differ slightly, there is an assumption that organisations spend around 10% of their IT budgets on cyber security.[1,2] When differentiated by industry sector, financial services tend to spend more, leisure and hospitality slightly less. Industrial sectors including manufacturers that deploy industrial control system (ICS) solutions sit somewhere in the middle but often face a set of cyber security challenges that are harder to overcome. This includes budgets for upgrades often measured in five- to 10-year cycles that impose a major obstacle in the fast-changing world of IT-related security. A recent study by Pierre Audoin Consultants (PAC) suggests that within the industrial sector, mandatory cyber security regulations such as the Network and Information Security (NIS) Directive are given priority but are expensive to implement, which in turn consumes the bulk of IT security budgets. However, the same survey also found that the two biggest cyber security priorities for organisations with ICS were the “Hiring [of] ICS cyber security employees with the right skills” alongside “Finding reliable partners who could implement ICS cyber security solutions”. This climate suggests that a wholesale move to managed security services designed specifically for ICS environments could provide many benefits – but what are the compromises?

“Threat actors attributed to state-affiliated groups or nation states combined to make up 93% of breaches, with former employees, competitors and organised criminal groups representing the rest”

ICS solutions are used extensively throughout the manufacturing sector, including petrochemical. ICS has evolved over the past few decades from largely mechanical systems to software-centric platforms that tie into a broader range of local and remote systems. This interconnectivity has increased the flexibility and responsiveness of many of these systems but has also led to more potential attack surfaces for hackers to exploit.

The rise of cyber espionage

According to the highly regarded ‘2018 Data Breach Investigations Report’, which examined 53,000 incidents and 2,216 confirmed data breaches, manufacturing victims suffered largely from cyber espionage.[3] Incidents in this pattern included unauthorised network or system access linked to state-affiliated actors and/or exhibiting the motive of espionage. The report found that threat actors attributed to state-affiliated groups or nation states combined to make up 93% of breaches, with former employees, competitors and organised criminal