The Regulation on the Process of Identity Authentication of Applicants in the Electronic Communications Sector (“Regulation“) of the Information Technologies and Communication Authority (ITCA) was published in the Official Gazette No. 31523 on 26 June 2021. The Regulation, which will enter into force on 31 December 2021, lays down the procedures and principles for authenticating identity during the creation of electronic documents for subscription contracts and applications for transfer of phone number, change of operator, qualified electronic certificate and SIM card change in the electronic communications sector. The Regulation is available here (in Turkish).
The Regulation brings four different methods for identity authentication for the electronic communications sector:
- authentication through e-Government System
- authentication through artificial intelligence compliant with ICAO 9303 standard
- authentication through Turkish Republic Identity Card (TCKK) by Enhanced PDF Electronic Signature compliant with TSI EN 319 142 standard
- authentication through video recording in face-to-face applications
As per the Regulation, operators/service providers using these identity authentication methods are obliged to take all measures to ensure that they use encryption when storing and transferring the data, protect the data against illegal alterations and keep identity data confidential, secure and integrated.
Identity Authentication by Artificial Intelligence or by Authorized Representative
The Regulation brings detailed regulations on the methods for identity authentication through artificial intelligence or video conference
As per Article 7, identity authentication via video conference must be conducted (i) in real time and uninterrupted video and (ii) through end-to-end secured communication. In addition, for identity authentication through video conference, an applicant’s explicit consent must be obtained within the scope of Law No. 6698 on the Protection of Personal Data. It is important to note that operators/service providers must fulfill their obligation to inform applicants separately. The Regulation also requires operators/service providers to inform applicants that they are allowed to conduct electronic authentication through either the e-Government System or face-to-face methods, while obtaining their explicit consent.
Annex 1 of the Regulation sets forth the principles regarding near-field communication where information of the applicant, including their identity card photo, will be collected. Annex 2, on the other hand, defines the criteria to be followed when comparing the applicant’s identity card photo with their real-time image, through artificial intelligence, whereas Annex 3 identifies the rules of comparison to be followed by an authorized representative of the operator/service provider.
Storage and Safety of Data
The operator/service provider that conducts the identity authentication must create a PDF document containing all authentication steps followed according to the Regulation. The operator/service provider must first obtain the applicant’s consent before creating the PDF document. The operator/service provider is responsible for the security of the data content located in the PDF document.
The operators/service providers conducting the identity authentication as per the Regulation must take all technical and administrative measures under the related legislation, including Law No. 5909 on Electronic Communication and Law No. 6698 on the Protection of Personal Data. The operators/service providers carry the burden of proof related to transactions conducted as per the Regulation.
For electronic documents containing personal data that were issued prior to the publication of the Regulation, for subscription contracts and applications for transfer of phone numbers, operator/service provider change, qualified electronic certificate, registered email and SIM card change in the electronic communications sector, the burden of proof on issues such as time stamp or execution date will lie with the operators/service providers. The operators/service providers are obliged to submit the ID number of the electronic document owner and phone, service and qualified electronic certificate number (three out of the last seven digits must be blacked out) or registered email to mobile electronic communications operators and e-Government System, within three months as of the entry into force of the Regulation (i.e., 31 December 2021). The electronic document owner will then be notified of the submission via SMS, email or the e-Government System.
Those who fail to comply with the Regulation will face sanctions under Articles 18 and 19 of Law No. 5070 on Electronic Signature as well as the Administrative Sanctions Regulation of the Information Technologies and Communication Authority, as per Article 12 of the Regulation.
New provisions brought by the Regulation signify important steps in terms of transparency in the electronic communications sector. Operators and service providers must assess the Regulation carefully and take the necessary steps to comply.