The Information Technologies and Communication Authority (“ITCA”) published the Draft Regulation on the Processing of Personal Data and Protection of Confidentiality in the Electronic Communications Sector (“Draft Regulation”) on 19 March 2020 on its website. The Draft Regulation, based on the ITCA’s decision of 17 March 2020, introduces significant arrangements in terms of the procedures and principles of personal data processing in the electronic communications sector.
The ITCA first regulated the processing of personal data and protection of confidentiality with a regulation published on 27 July 2012. However, the Constitutional Court canceled the basis of that regulation, Article 51 of the Electronic Communication Act; the regulation was considered null and void as of 26 January 2015. The ITCA further published and requested public opinion about a draft regulation in 2017, but it was not enacted.
The Draft Regulation adopts certain definitions from the Law No. 6698 on the Protection of Personal Data (“Data Protection Law”) such as “personal data,” “processing” and “explicit consent”, and brings additional obligations to operators in the electronic communications sector. Under the Draft Regulation, a “user” is defined as “a real or legal person benefiting from the electronic communication services, regardless if they are a subscriber or not,” whereas “subscriber” is described as “a real or legal person who is a party to a contract for the provision of electronic communication services by an operator.” Because the terms “user” and “subscriber” also cover legal entities, arguments could arise that the use of these terms contradicts the definition of “personal data”, which relates to real persons only.
According to the Draft Regulation, operators must prepare a security policy regarding their personal data processing within the scope of the principles set forth in Article 51 of the Electronic Communication Act. Operators must implement the appropriate administrative and technical measures in line with national and international standards for any kind of risk associated with ensuring the security of their subscribers/users’ personal data and the services they provide. Operators must take reasonable measures against all risks, considering the technological limitations.
Operators are also obliged to ensure that only authorized individuals can access personal data, and to ensure the security of the systems in which personal data is retained.
Further, operators are required to keep records of access to personal data and other relevant systems by time stamping these records for at least thirty minutes every three hours. Operators must retain these records for two years.
The Draft Regulation foresees that operators are responsible for any losses arising from the breach of personal data transferred to third parties, and reserves the possible administrative sanctions that the ITCA may impose.
Another obligation the Draft Regulation introduces is the obligation to report personal data breaches and related risks. Accordingly, operators are obliged to notify the ITCA, the Data Protection Authority, subscribers, users and the related authorities immediately in case of a personal data breach risk. Further, if the operators’ measures cannot cover the relevant risk, operators are obliged to inform their subscribers and users on the scope of and methods to mitigate the risk within 72 hours. In addition, if a data breach occurs, operators are required to inform the ITCA and any related authority within 72 hours about the details and consequences of the breach, details of the information that will be provided to the subscribers and users, and the applied measures.
The Draft Regulation states that explicit consent cannot be a precondition for the provision of a service. That said, explicit consent can be requested as a precondition for the provision of an “additional benefit” such as voice, internet and text messaging services. If the explicit consent is obtained in exchange for an additional benefit, this benefit must be provided for the term of the data processing.
Operators must inform subscribers and users of the personal data type that will be processed, types of traffic and location data, scope, processing purpose and the term of the processing in a clear and understandable manner before obtaining explicit consent.
In addition, operators are required to keep records of the collection of explicit consent by time stamping these records for at least thirty minutes every three hours. These records must be kept during the subscription period, notwithstanding the periods stipulated in the relevant legislation. Explicit consent declarations will be deemed invalid if they are not timestamped.
The Draft Regulation includes more comprehensive information obligations for operators compared to the Data Protection Law regarding the personal data transfer to third parties, except for the authorities authorized by law. Accordingly, operators are obliged to inform their subscribers and users of “the scope of the data to be transferred; the identity and address of the person to be transferred; the purpose and duration of the transfer; how the data will be destroyed after storage; if the third party is abroad, the country where the data will be transferred, the purpose and duration of the retention abroad and the legislation and practice of the country to which the data will be transferred”; and obtain their explicit consent. If there are any changes to the foregoing information, operators must obtain the explicit consent of their subscribers and users again.
As per the Draft Regulation, in cases where traffic and location data processing are not subject to explicit consent based on the respective legislation or court decisions, operators must inform subscribers and users of the types of traffic and location data, the processing purpose, term and methods of the processing.
Additionally, every January, operators must inform all subscribers and users about the processing of personal data. Otherwise, they must cease their data processing activities until they inform subscribers and users. The Draft Regulation further states that, if the subscription is terminated, all explicit consents are deemed revoked unless the subscriber requests otherwise.
The Draft Regulation also regulates caller ID blocking. Operators are obliged to provide users with the opportunity to hide their phone numbers, and the opportunity to hide phone numbers for incoming calls, through a simple and free method. Operators must also give subscribers/users the opportunity to end an automated redirected call through a simple and free method.
As for subscriber directories, subscribers must be informed before they are included in the directory about the purpose(s) of the publication; the personal data included in the directories; and the enquiry options and usage possibilities, which may be provided in the electronic directories. Subscribers may be included in the directory if they provide their explicit consent after being informed.
Further, the Draft Regulation requires operators to omit certain digits of phone numbers in telephone bills, upon the subscriber’s request.
Finally, operators must provide their subscribers/users the opportunity to revoke their explicit consent for processing their personal data, including traffic and location data, by the same or an easier method at any time, free of charge. Information about the consent opt-out must be provided while obtaining their explicit consent.
As per provisional Article 2 of the Draft Regulation, if the Draft Regulation is published, consent obtained in accordance with the law before the Draft Regulation’s publication date is deemed valid. In addition, if a processing activity continues after the subscription has ended, the processing activity must cease within one month from the subscription end date.
The obligations in the Draft Regulation will come into force six months after the Draft Regulation is published in the Official Gazette. If operators violate these obligations, the ITCA may impose an administrative fine of up to 3% of the operators’ net sales in the previous calendar year.
The Draft Regulation aims to determine the procedures and principles of personal data processing and the protection of privacy in the electronic communications sector. The Draft Regulation sets forth sector-specific regulations related to various matters, such as security measures for personal data processing, data breach and data breach risks, obtaining explicit consent, cross-border data transfers, traffic and location data, caller ID blocking, and automatic redirects.
The Draft Regulation contains provisions that differ from and are more restrictive than those in the Data Protection Law. It seems likely that operators will encounter certain difficulties in practice if the Draft Regulation comes into force in its current iteration. However, the Draft Regulation could change depending on stakeholders’ opinions, which can be submitted through the opinion submission form on ITCA’s website by 20 April 2020.