Understanding Dark Commercial Patterns – Turkey

Dark Commercial Patterns (“dark patterns”) refer to deceptive and manipulative tactics exercised by businesses and advertisers to influence consumer behaviors and preferences. These tactics often exploit individuals’ psychological vulnerabilities, manipulate their emotions, and exert pressure to make decisions they might not otherwise have made. While there is no strict legal definition for dark patterns, these patterns are widely recognized as unethical practices that undermine the principle of transparency and although many implementations are accepted as one, the primary objective of a dark pattern is considered to have an effect on consumers’ will.

The main key elements of dark patterns are accepted as manipulation, deception, pressure, influence on free will, and the exploitation of vulnerability. These elements may manifest in various forms, but their primary objective is to establish dominance over consumers. For instance, online retailers frequently use countdown timers during sales to create a sense of urgency and encourage impulse purchases. With this tactic, consumers often find it challenging to use their time effectively to make informed decisions, leading them to make purchases hastily to avoid missing out on discounts. Another example involves some service providers using emotional tactics, such as displaying sad images when users attempt to cancel a subscription. This emotional manipulation makes it difficult for users to unsubscribe or compels them to continue using the service. Additionally, in certain cases, service providers may analyze user data to identify vulnerabilities, such as a user's affinity for animals, children, or the environment. This information is then used to tailor the users’ approach and influence their decisions.

Dark patterns are deemed unethical and illegal in many jurisdictions because they exploit human psychology to influence decisions against individuals' free will and act against their best interests. Furthermore, dark patterns can lead to the loss of customers for businesses in the long term due to their aggressive, misleading, and abusive nature, creating an unfavorable customer experience.

On the consumer side, in response to growing concerns over dark patterns, various legislations and regulations have been put in place to ensure fair commercial practices and prevent manipulation of consumers against their free will. The Digital Services Act (“DSA”), the Unfair Commercial Practices Directive (“UCPD”), and data protection regulations in the European Union are essential legislations that specify rules and principles for data processing and marketing tactics. UCPD prohibits unfair commercial practices affecting consumers' economic interests before, during, and after the conclusion of a contract, including dark patterns. Additionally, data protection legislations such as the General Data Protection Regulation and its directives regulate the processing of personal data and the obtaining of consent for cookies or marketing communications. On the other hand, the DSA prohibits misleading and deceptive methods, including, but not limited to, dark patterns, that may have consequences on consumers by urging users or influencing their free will.

In Turkey, unfair commercial practices are comprehensively regulated by the Turkish Consumer Protection Act with no. 6502 and the Regulation on Commercial Advertising and Unfair Commercial Practices ("Regulation"). On February 1, 2023, the Regulation was amended in a way that specifies and provides examples for misleading activities and unfair practices that may affect consumers. Notably, the Regulation now explicitly prohibits dark patterns, which are defined as 'methods that adversely affect the consumers’ will to make a decision or choice by means of tools such as guiding interface designs, options, or expressions regarding a good or service on the internet, or that aim to cause changes in favor of the seller or provider in the decision the consumers would make under normal conditions'.

Additionally, on August 10, 2023, the Turkish Ministry of Trade issued an announcement stating that the Turkish Advertisement Board ("Board") had conducted an investigation for websites using practices such as offering pre-selected options to consumers and making other options difficult in order to steer consumers towards certain preferences; and as a result, imposed sanctions on the relevant companies.

According to the decision of the Board Meeting with No. 336 dated August 08, 2023, the dark patterns practices that were subject to sanctions include the following:

  1. A firm selling tickets for sports games and events was found to have significantly inflated prices and even sold tickets for non-existent events. The website also displayed notifications indicating that many consumers/users were trying to purchase tickets during the purchasing phase. The Board concluded that these practices adversely affect the consumers' decision-making process by utilizing tools such as guiding interface designs, options, or expressions related to a good or service on the internet. Such practices aim to induce changes in favor of the seller or provider, contrary to what consumers would decide under normal conditions.
  2. A television broadcaster was discovered to default-select an option offering a 43% discount on annual subscription fees without customers’ consent. The Board decided that this practice leads to forcing consumers to become a party to a contract to which they would not be a party under normal circumstances and to subscribe to the platform for a long term.
  3. A computer software company advertised an updated version of its services. However, it was observed that, the 'keep this version' button was placed in an inconspicuous outer corner of the screen, making it visually small and hard to notice. The Board was decided that this situation caused consumers to be forced to become a party to a contract to which they would not be a party under normal circumstances and to update the operating system by making it difficult for consumers to continue using the existing one.

In today's digital age, dark patterns have become a significant concern, which spurred national and international authorities to implement protective measures. Initiatives such as the DSA are just one example of the numerous laws and regulations aimed at maintaining ethical and transparent practices. Turkey, too, is actively advancing such mechanisms, as evidenced by the decisions of the Board. In this regard, in the near future, it is possible to see increase in the number of investigations and sanctions imposed by the Board, due to dark patterns.

 

Authors: Hatice Ekici Tağa, Sümeyye Uçar, Bensu Özdemir, Göksu Tuğrul


Elektronik Ticaret Mevzuatındaki Güncel Gelişmeler - 2

07 Temmuz 2022 tarihinde Elektronik Ticaretin Düzenlenmesi Hakkında Kanun’un (“Kanun”) değiştirilmesi ve bu doğrultuda Elektronik Ticaret Aracı Hizmet Sağlayıcı ve Elektronik Ticaret Hizmet Sağlayıcılar Hakkında Yönetmelik’in (“Yönetmelik”) yürürlüğe girmesi ile elektronik ticaret aracı hizmet sağlayıcıların (“ETAHS”) ve elektronik ticaret hizmet sağlayıcıların (“ETHS”) yükümlülükleri, elektronik ticarette haksız ticari uygulamalar, hukuka aykırı içerik, aracılık sözleşmesi, elektronik ticaret lisansı ve elektronik ticarete ilişkin diğer hususlar düzenlenmiştir.

Söz konusu gelişmeler birçok tartışmayı beraberinde getirmesinin yanı sıra Danıştay'da, Yönetmelik için yürütmenin durdurulması istenmiş ve Anayasa Mahkemesi'nde ise Kanun'un ilgili hükümlerinin iptali için de iptal davası açılmıştı.

28 Temmuz 2023 tarihli ve “Elektronik Ticaret Mevzuatındaki Güncel Gelişmeler” (https://www.iptechlegalblog.com/post/elektronik-ticaret-mevzuat%C4%B1ndaki-g%C3%BCncel-geli%C5%9Fmeler) adlı makalemizde de değindiğimiz üzere Anayasa Mahkemesi’ne,  Kanun’a eklenen ek 2. maddenin ve ek 4. maddenin 1.,3.,4. ve 6. fıkralarında yer alan “net işlem hacmi” ibarelerinin iptali için başvurulmuştu. Anayasa Mahkemesi, ilgili hükümlerin anayasaya uygun olduğuna karar vererek iptal talebini reddetmiştir ve gerekçeli karar 22 Eylül 2023 tarihli Resmi Gazete’de yayınlanmıştır.

Anayasa Mahkemesi’nin gerekçeli kararda yer alan aşağıdaki açıklamaları dikkat çekmektedir:

  • Bilgi teknolojilerinin hızla gelişmesi sosyal ve ekonomik hayatını da etkilemekte ve bunun sonucu olarak da ticaret kanalları boyut değiştirmektedir. İnternetin ticari amaçla kullanılmaya başlanması elektronik ticaret kavramını ortaya çıkarmış ve yeni regülasyonlara ihtiyaç duyulmasına sebebiyet vermiştir. Bu noktada ihtiyaçları karşılayabilmek adına ETAHS, ETHS başta olmak üzere birçok yeni kavram ve konsept de gelişen teknoloji ile birlikte Kanun’a eklenmiştir.
  • Kanun’a eklenen ek 2. madde, ETAHS yükümlülüklerini net işlem hacmine göre belirlemektedir. İlgili yükümlülükler, temel hak ve özgürlük olan çalışma hakkının sınırlandırılması niteliğindedir. Ancak söz konusu sınırlama, sadece bu malların elektronik ticaret aracı hizmet sağlayıcısının kontrolünde olan elektronik ticaret pazar yerinde satışa sunulamamasından ibarettir. Buna göre anılan işletmelerin bu malların satışını yapma, satışına aracılık etme veya bu malların tanıtımını yapma konusundaki teşebbüs özgürlüğü ortadan kaldırılmamış, ayrıca bu özgürlük önemli ölçüde zorlaştırılmamıştır. Nitekim elektronik ticaret aracı hizmet sağlayıcının iktisadi ve ticari faaliyette bulunma imkânı devam etmektedir. Bu durumun ise elektronik ticaret aracı hizmet sağlayıcının özel teşebbüs özgürlüğünü anlamsız kılacak nitelikte olmadığı açıktır. Dolayısıyla kurallarla öngörülen sınırlamalar, elektronik ticaret aracı hizmet sağlayıcıların rekabet güçlerini makul olmayan düzeyde düşürmeyecek ve ekonomik yönden orantısız bir kayba uğramalarına neden olmayacaktır.
  • Sonuç olarak kurallarla özel teşebbüs özgürlüğüne bir sınırlama getirilmiş ise de bunun kişilere makul olmayan bir külfet yüklemediği, bu çerçevede kurallarla ulaşılmak istenen amaca ilişkin kamu yararı ile özel teşebbüs özgürlüğüne ilişkin kişisel yarar arasında bulunması gereken makul dengenin gözetildiği anlaşılmıştır. Bu itibarla kuralların orantısız bir sınırlamaya neden olmadığı, dolayısıyla özel teşebbüs özgürlüğüne ölçüsüz bir sınırlama getirmediği değerlendirilmiştir.
  • Kanun’a eklenen ek 4. maddedeki yer alan “net işlem hacimleri” ibareleri de dava konusudur. Söz konusu Kanun’un ek 4. maddesinde elektronik ticaret aracı hizmet sağlayıcıların hangi durumlarda lisans ücretini ödemekle yükümlü olacakları, lisans ücretinin ne zaman tahsil edileceği, lisans ücretinin hangi ölçütün esas alınmak suretiyle hangi oranlar üzerinden hesaplanacağı açık ve net bir şekilde düzenlenmiştir.
  • Bu itibarla kurallara konu lisans ücretine ilişkin işlemlerde uygulanacak hükümler, lisans ücreti yükümlüleri, konusu, matrahı, oranı ve ödenme zamanının açık, net, anlaşılır, uygulanabilir ve nesnel şekilde düzenlendiği ayrıca net işlem hacmi kavramından ne anlaşılması gerektiği hususunun açık bir şekilde ifade edildiği, bu kavramın genel çerçevesinin çizildiği ve temel ilkelerin belirlendiği anlaşılmıştır. Bu nedenle mülkiyet hakkı ile teşebbüs özgürlüğüne sınırlama getiren kuralların keyfiliğe izin vermeyecek şekilde belirli, ulaşılabilir ve öngörülebilir nitelikte olduğu ve kanunilik ölçütünü sağladığı sonucuna varılmıştır.

Anayasa Mahkemesi açıklanan gerekçelerle kuralların Anayasa’ya aykırı olmadığına ve iptalleri talebinin reddine karar vermiştir.

Anayasa Mahkemesi’nin kararının İdari Dava Daireleri Genel Kurulu’nun, Yönetmelik’in uygulanmasına ilişkin kararına da yol gösterici olacağı beklenmektedir.

Yazarlar: Hatice Ekici Tağa, Bensu Özdemir


Recent Developments in Turkish E-Commerce Legislation – 2

On July 7, 2022, the Law on the Regulation of Electronic Commerce (“Law”) was amended. Accordingly, the Regulation on Electronic Commerce Intermediary Service Providers and Electronic Commerce Service Providers (“Regulation”) was published. In this regard, the obligations of electronic commerce intermediary service providers (“ETAHS”) and electronic commerce service providers (“ETHS”), unfair commercial practices in electronic commerce, illegal content, intermediation agreement, electronic commerce license and other issues related to electronic commerce are regulated.

In addition to the discussions on e-commerce legislation, the stay of execution has been requested for the Regulation at the Council of State, and a lawsuit has been filed for the cancellation of relevant provisions of the Law at the Constitutional Court.

As we mentioned in our article(https://www.iptechlegalblog.com/post/recent-developments-in-turkish-e-commerce-legislation ) titled “Recent Developments in Turkish E-Commerce Legislation”, dated 28 July 2023, a lawsuit was filed for the cancellation of the additional Article 2 and additional Article 4/1, 3, 4, and 6, which involve the term "net transaction volume". The Constitutional Court has decided that the provisions comply with the Constitution and rejected the request for the cancellation of these provisions. The reasoned decision of the Constitutional Court has been published in the Official Gazette dated September 22, 2023.

The Constitutional Court’s justifications given in the reasoned decision are briefly as follows:

  • The rapid development of information technologies is significantly impacting both social and economic life, leading to changes in trade channels. The use of the internet for commercial purposes has given rise to the concept of electronic commerce, necessitating new regulations. Consequently, to address these evolving needs, various new terms and concepts, particularly ETAHS and ETHS, have been introduced into the Law to keep pace with advancing technology.
  • Additional Article 2 of the Law outlines ETAHS obligations based on net transaction volume. These obligations essentially involve limitations on the right to work, a fundamental right and freedom. However, these limitations only restrict the sale of these goods within the electronic commerce marketplace under the control of ETAHS. This means that the freedom of these enterprises to sell, mediate, or promote these goods remains intact and has not been unduly complicated. In fact, electronic commerce intermediary service providers can still engage in economic and commercial activities. Therefore, these provisions do not unreasonably diminish the competitiveness of electronic commerce intermediary service providers or subject them to disproportionate economic losses, as the freedom of private enterprise in this sector remains meaningful.
  • Consequently, it has been understood that although the rules place restrictions on the freedom of private enterprise, these restrictions do not impose an unreasonable burden on individuals. Within this context, a reasonable balance has been struck between the public interest in achieving the intended goals of the rules and the personal benefits associated with the freedom of private enterprise. In this regard, it was determined that the rules do not result in a disproportionate restriction and therefore do not constitute an excessive limitation on the freedom of private enterprise.
  • The phrases "net transaction volumes" in the additional Article 4 of the Law are also subject to lawsuit. Additional Article 4 of the Law clearly specifies the circumstances in which electronic commerce intermediary service providers will be obligated to pay the license fee, the collection process for the license fee, and the criteria and rates at which the license fee will be calculated.
  • In this respect, the provisions governing transactions related to the license fee, including the entities obliged to pay it, its scope, calculation basis, rate, and payment schedule, have been established in a clear, comprehensible, enforceable, and objective manner. Additionally, the concept of "net transaction volume" has been clearly defined, providing a general framework and establishing fundamental principles. Therefore, it has been determined that these rules, which limit the right to property and the freedom of enterprise, are specific, accessible, and predictable, avoiding arbitrariness and complying with the criterion of legality.

For the reasons explained above, the Constitutional Court has decided that the provisions subject to the cancellation request are not in violation of the constitution and has thus rejected the request for cancellation.

It is anticipated that the Constitutional Court's decision will also offer guidance in the decision-making process of the Plenary Session of Administrative Case Chambers concerning the implementation of the Regulation.

Authors: Hatice Ekici Tağa, Bensu Özdemir


Çevrimiçi Tüketici Yorumları Artık Denetime Tabi

Reklam Kurulu'nun 12 Eylül 2023 tarih ve 337 sayılı kararına istinaden Tüketici Yorumları Hakkında Kılavuz (“Kılavuz”) 19 Eylül 2023 tarihinde T.C. Ticaret Bakanlığı internet sitesinde yayımlandı.

Bu Kılavuz ile Ticari Reklam ve Haksız Ticari Uygulamalar Yönetmeliği'nde düzenlenen genel hususlar örneklerle açıklanmış ve Reklam Kurulu'nun kararlarındaki yaklaşımı somutlaştırılmıştır.

Tüketici değerlendirmeleri Kılavuz’da “Satın alınan bir mal veya hizmete ya da satıcı veya sağlayıcı ile aracı hizmet sağlayıcıya ilişkin tüketiciler tarafından internet ortamında yapılan her türlü tüketici deneyimini belirten ifade, onay ve derecelendirme uygulamaları” olarak tanımlanmıştır. Bu tanıma göre çevrimiçi alışveriş sitelerindeki tüketici yorumları, puanları veya yıldızları tüketici yorumu olarak değerlendirilmektedir. Kılavuz aynı zamanda ana faaliyet alanı tüketici şikayetlerinin yayınlanmasını sağlamak olan şikayet platformlarındaki değerlendirmeler bakımından da uygulanır.

Ancak aşağıdaki hususlar Kılavuz kapsamı dışında tutulmuştur:

  • Bir satıcı veya sağlayıcı adına hareket etmeyen gerçek ve tüzel kişiler tarafından çevrimiçi olarak yapılan tüketici değerlendirmeleri ve bir mal, hizmet, satıcı veya sağlayıcıya ilişkin deneyim hakkında bilgi sağlamak ve,
  • Tüketici işlemleri kapsamına girmeyen satın alma ve uygulamalara ilişkin değerlendirmeler.

Kılavuz’a göre incelemelerin yalnızca ilgili mal veya hizmeti satın alanlar tarafından yapılmasına izin verilmektedir. Sipariş iptali, sözleşmenin feshi veya cayma hakkının kullanılması durumlarında, satın alma süreci aşamasına kadar olan deneyimlerle sınırlı olarak yapılan değerlendirmeler de satın alma kapsamında değerlendirilir.

Öte yandan, Kılavuz’daki diğer hükümlere uymak kaydıyla tüketici değerlendirmeleri satıcılar, sağlayıcılar veya aracı hizmet sağlayıcılar tarafından aşağıdaki durumlarda çevrimiçi olarak yayınlanabilir:

  • Satıcının veya sağlayıcının fiziksel mağazasından satın alınması durumunda, satıcının veya sağlayıcının web sitesi veya platformunda yer alan bir ürün veya hizmete ilişkin tüketici değerlendirmeleri
  • Taraflar arasında yapılan sözleşmeye istinaden, satıcının online mağazasındaki bir mal veya hizmete ilişkin, fiziksel mağazadan veya internet sitesinden satın alınmışsa, aracı hizmet sağlayıcının online platformunda yer alan tüketici değerlendirmeleri
  • Tüketicilerin bir mal veya hizmeti satın alırken deneyimlerini paylaştığı, mal/hizmetin nereden satın alındığını belirten veya bağlantı sağlayan bir web sitesindeki tüketici değerlendirmeleri.

Kılavuz ayrıca tüketici değerlendirmelerine ilişkin aşağıdaki konuları da düzenlemektedir:

  • Tüketici değerlendirmeleri satıcı, sağlayıcı veya ara hizmet sağlayıcı tarafından tarih, yorum puanı, sıralama gibi objektif kriterlere göre, yönlendirici olmadan, en az bir yıl boyunca olumlu-olumsuz ayrımı yapılmadan yayınlanmalıdır.
  • Tüketici yorumlarının ilgili mevzuata aykırı sağlık beyanları içermesi durumunda bunlar yayınlanamaz.
  • Tüketicinin incelenen mal veya hizmete ilişkin şikayeti satıcı veya sağlayıcı tarafından çözümlenmişse bu durum gecikmeksizin ilk değerlendirmenin yapıldığı yerde yayınlanmalıdır.
  • Gerçeği yansıtmayan inceleme veya onayı gösteren ifade ve simgelerin kullanılması konusunda üçüncü kişilerden hizmet alınması konusunda anlaşma veya işbirliği yapılamaz.

Kılavuz’a göre satıcı, sağlayıcı veya aracı hizmet sağlayıcılar, değerlendirmelerin yayınlanma kriterleri, değerlendirme süreci ve puanın nasıl hesaplandığı konusunda tüketicilere bilgi vermekle yükümlüdür. Ayrıca aracı hizmet sağlayıcıların, incelemenin o mal veya hizmeti satın alan tüketici tarafından yapıldığını “Satın alınan…” veya “Doğrulanmış kullanıcı” gibi ifadelerle belirtmeleri gerekmektedir.

Kılavuzda ayrıca yanıltıcı tüketici incelemeleri ve bu incelemelere ilişkin usul ve esaslar da düzenlenmektedir. Buna göre, satıcı veya sağlayıcının sosyal medya hesabında yapılan paylaşımlara menfaat sağlamak amacıyla yapılan beğeni veya onayı gösteren sembol ve ifadeler yanıltıcı tüketici değerlendirmesi olarak kabul edilir ve yanıltıcı değerlendirmeler yayınlanamaz. Ayrıca Kılavuz, yanıltıcı tüketici yorumlarıyla ilgili olarak aşağıdaki hususları da düzenlemektedir:

  • Tüketicinin satın aldığından farklı bir satıcı veya sağlayıcıya veya farklı bir mal veya hizmete ilişkin yorumlar yanıltıcı olarak kabul edilir ve yayınlanamaz.
  • Satıcılara veya sağlayıcılara fayda sağlayacak belirli bir fayda karşılığında, olumlu tüketici yorumlarının görünürlüğünü artırmaya veya incelemelerin objektif sıralama sonuçlarını değiştirmeye yönelik eylemlerde bulunulamaz.
  • Tüketici yorumlarının toplanması, işlenmesi ve diğer sitelerle bağlantı kurulması sürecine müdahale edilerek olumsuz yorumların yayınlanması engellenemez, ilgili veriler manipüle edilerek işletmelerin arama motorları aracılığıyla görünürlüğü yanıltıcı şekilde artırılamaz, mal satın almayan kişiler veya kişiler hizmetler inceleme yapmaya veya onayı belirten semboller kullanmaya yönlendirilemez ve bu değerlendirmelerin tümü farklı mecralarda yayınlanamaz.
  • Eğer yayınlanmış bir kullanıcı değerlendirmesinin yanıltıcı olduğu tespit edilirse, bu değerlendirme derhal yayından kaldırılır.

Ayrıca yanıltıcı tüketici yorumlarından ve Kılavuz hükümlerinin uygulanmasından yalnızca satıcılar, tedarikçiler ve aracı hizmet sağlayıcıların değil, reklam verenler, reklam ajansları ve medya kuruluşlarının da sorumlu olacağı düzenlenmiştir.

Online alışveriş platformlarında sıklıkla kullanılan tüketici yorumları, tüketicinin korunması açısından pek çok sorunu da beraberinde getirdi. Bu Kılavuz, tüketicilerin yanıltıcı yorumlara ve gerçekçi olmayan puan sıralamalarına aldanmasını önlemeyi amaçlamaktadır. Bu doğrultuda satıcı, sağlayıcı ve aracı hizmet sağlayıcıların yakın gelecekte yayınlayacağı tüketici değerlendirmelerine ilişkin kriterler merakla bekleniyor.

Yazarlar: Hatice Ekici Tağa, Sümeyye Uçar, Ebru Gümüş


Online Consumer Reviews are Now Subject to Audit

On 19 September 2023, Consumer Reviews Guide (“Guide”) was published on the Turkish Ministry of Trade’s website, based on the Turkish Advertising Board’s decision dated 12 September 2023 and numbered 337.

This Guide explains the general issues regulated in the Commercial Advertisement and Unfair Commercial Practices Regulation with examples and concretizes the Advertising Board’s approach in decisions.

The Guide covers and defines consumer reviews as “Expression, approval and rating practices that indicate all types of consumer experiences made by consumers on the internet regarding a purchased good or service or a seller or provider and intermediary service provider”. According to this definition, consumer comments, points, or stars on online shopping websites are considered consumer reviews. The Guide also applies to reviews on complaint platforms whose main field of activity is to enable the publication of consumer complaints.

However, the followings are not within the scope of the Guide:

  • Consumer reviews made online by natural persons and legal entities who do not act on behalf of a seller or provider; and provide information about the experience regarding a good, service, seller or provider, and
  • Reviews regarding purchases and practices that are not within the scope of consumer transactions.

According to the Guide, reviews are only allowed to be made by those who purchased the relevant goods or services. In case of order cancellation, contract termination, or exercise of the right of withdrawal, reviews made limited to the experiences up to the stage of the purchasing process are also considered within the scope of purchasing.

On the other hand, provided that it complies with other provisions in the Guide, consumer reviews may be published online by sellers, providers, or intermediary service providers in the following cases:

  • Consumer reviews regarding a good or service on the website or platform of the seller or provider, if purchased from the physical store of the same.
  • Consumer reviews regarding a good or service on the online store of a seller on an intermediary service provider’s online platform, if purchased from the physical store or website of the same, based on the agreement made between the parties.
  • Consumer reviews on a website where consumers share their experiences by purchasing a good or service, which indicate where the goods/services were purchased or provide links.

In addition, the Guide regulates the following subjects regarding consumer reviews:

  • Consumer reviews should be published by seller, provider or intermediate service provider according to the objective criteria such as date, review score, and ranking, without guiding, for at least one year, without distinguishment between positive or negative.
  • If consumer reviews contain health claims contrary to the relevant legislation, these cannot be published.
  • If the consumer's grievance regarding the reviewed goods or services has been resolved by the seller or provider, this situation should be published without delay in the same place as the first review.
  • No agreement or cooperation can be made regarding the procurement of services from third parties regarding the review that does not reflect reality or the use of expressions and symbols that indicate approval.

According to the Guide, seller, provider, or intermediary service providers are obliged to inform consumers about the publication criteria of the reviews, the review process, and how the score is calculated. Furthermore, intermediary service providers must indicate that the review is made by a consumer who purchased that good or service, with phrases such as “Purchased from…” or “Verified user”.

The Guide also regulates misleading consumer reviews and the procedures and principles regarding these reviews. Accordingly, symbols and expressions indicating liking or approval made in exchange for a benefit for the shares made on the seller's or provider's social media account are considered misleading consumer reviews and misleading reviews cannot be published. Further, the Guide regulates the following regarding misleading consumer reviews:

  • Reviews of a different seller or provider, or a different good or service than the one a consumer purchased, are considered misleading and cannot be published.
  • Actions cannot be taken to increase the visibility of positive consumer reviews or to change the objective ranking results of reviews in exchange for a specific benefit to benefit sellers or providers.
  • The publication of negative reviews cannot be prevented by intervening in the process of collecting and processing consumer reviews and establishing connections with other websites, the visibility of businesses through search engines cannot be increased misleadingly by manipulating relevant data, people who do not purchase goods or services cannot be directed to make reviews or use symbols indicating approval, and all these reviews cannot be published in different media.
  • If a published consumer review is found to be misleading, the review must be removed immediately.

In addition, not only sellers, suppliers, and intermediary service providers, but also advertisers, advertising agencies and media organizations are regulated to be responsible for misleading consumer comments and the implementation of the provisions of the Guide.

Consumer reviews, which are frequently used on online shopping platforms, brought many problems along in terms of consumer protection. This Guide aims to prevent consumers from being deceived by misleading reviews and unrealistic score rankings. In this regard, the consumer review criteria that sellers, providers and intermediary service providers will publish in the near future are eagerly awaited.

Authors: Hatice Ekici Tağa, Sümeyye Uçar, Ebru Gümüş


NFTs used for in-game purchases under Turkish Law

Introduction

Although there is no clear definition of the term non-fungible tokens (NFT) in Turkish law, NFTs are considered non-fungible data units in the blockchain system. Some examples are:

  • collectibles;
  • in-game items;
  • digital art;
  • event tickets;
  • domain names; and
  • ownership records for physical assets.

The use of NFTs in games is a topic that has been discussed under different angles, especially with the storm that NFTs have created recently. Some of these games allow in-game purchases, and players may pay for their in-game items with NFTs. Due to lack of regulation and a clear definition, the question is whether these purchases are valid under Turkish law.

Legislation on payments

The Regulation on Non-Use of Crypto Assets in Payments (the regulation), published in the Official Gazette No. 31456 on 16 April 2021, regulates that crypto assets cannot be directly or indirectly used for payments.

The regulation defines crypto assets as:

"intangible assets that are created virtually and distributed over digital networks using distributed ledger technology or similar technology, which do not qualify as fiat money, bank money, electronic money, payment instruments, securities, or other capital market instruments."

NFTs may fall under this definition. If so, it can be deduced that NFTs cannot be used for payments in Turkey, and payment is not valid according to Turkish law if a sales agreement including in-game purchases are paid for by NFTs. That said, only paying through NFTs should not invalidate the agreement between the player and publisher.

According to the Turkish Code of Obligations (TCO), which regulates main debt relations under Turkish law, parties have a "freedom of contract", meaning parties are free to choose the contracting party and determine the subjects of the contract in signing a contract. The limits of this freedom are mandatory provisions of the law, morality, public order, personal rights or impossibility.

Although receiving payments where NFTs are used as the payment method is prohibited according to the regulation, this prohibition should only apply to the vendor's or payment provider's detriment and cannot be to the detriment of the consumer who purchased an in-game item by using NFTs.

Agreements and exceptions

Another aspect to consider is the type of agreement that the sale entails, which may circumvent the payment issue above, rendering NFT payments invalid.

Due to the freedom of contract principle in the TCO, it is possible for the parties to form an agreement that is not clearly defined in the TCO. It is also possible to interpret an agreement defined in the TCO by analogy. Under the TCO, an agreement may be used in goods exchange contracts whereby one party undertakes to transfer the possession and ownership of one or more items to the other party, and the other party undertakes to transfer the possession and ownership of another or more items in return. In this sense, since NFTs are considered assets, in-game purchases with NFTs can be considered as a goods exchange contract and would be valid under Turkish Law.

Authors: Burak Özdağıstanli, Ebru Gümüş


Companies Can Now Be Remotely Identified in Their Banking Transactions

On 11 August 2023, the Communiqué Amending the Financial Crimes Investigation Board General Communique (“Communiqué”) was published by the Ministry of Treasury and Finance on the Official Gazette numbered 32276.

The Financial Crimes Investigation Board General Communique regulates the procedures and principles regarding the remote identification of natural persons and natural person merchants in banking transactions. However, with the Communiqué, this scope was expanded and new regulations regarding the procedures and principles came into force.

With the Communiqué the definition “legal entities registered in the trade registry” was added to the definition of customers that could be identified remotely, in addition to natural persons and natural person merchants.

The Communiqué also added the following regulations:

  • Remote identification shall be completed before a continuing business relationship is established.
  • Remote identification shall be conducted online, continuously, in video, and in real-time. The entire remote identification process shall be recorded and stored in a way that includes all steps of the process and ensures that it is auditable.
  • If the remote identification process is carried out partially or completely through service procurement, the service providers must have a TS EN ISO/IEC 27001 Information Security Management System certificate.
  • For artificial intelligence-based applications in remote identification:
    • In remote identification, the customer representative’s transactions can also be made with artificial intelligence-based methods, fully or partially, with the condition of online and real-time recording. Necessary measures shall be taken to ensure the integrity and confidentiality of visual and audio communication regarding the identification process. For this purpose, video verification is carried out with end-to-end secure communication, and in any case, video identification is completed without interruption. The obligor shall check that the remotely identified person is a real person and verify the applicant is the owner of the submitted identity by comparing the photo and images on the ID card.
    • In cases where an artificial intelligence application is used to verify the remotely identified person's identity or where the online real-time video call is made entirely with an artificial intelligence-based application without a customer representative, the Turkish Standards Institute report showing that the artificial intelligence algorithm’s false approval rate is less than one in ten million, shall be obtained. There is no need to obtain a Turkish Standards Institute report if the artificial intelligence algorithm is received from an organization abroad and the said organization has an internationally valid certificate.

The Communiqué also brought new methods and obligations regarding the identification of natural persons and merchants:

  • While identification is carried out remotely, legally required information and written statement shall be obtained from natural persons and merchants via the procedure and method used for remote identification.
  • During the remote identification process, measures shall be taken to verify the person and identity document of the person. It shall be ensured that the photo and personal information on the identity document match the person.
    • The identity document shall be verified using near-field communication. If it cannot be verified by this method, the security elements in the identity document shall be verified in terms of form and content.
    • The biometric comparison of the person's face and the identity document photo shall be made and additional measures shall be taken to prevent the risks of fake face technology.
    • A one-time password specific to the identification process shall be sent to the person via electronic communication operators.

The general principles for legal entities, which are included in the remote identification for the first time with the Communiqué, are as follows:

  • The legal entity’s title, trade registry number, tax identification number, field of activity, full address, telephone number, fax number, and e-mail address and the legal entity’s authorized representative’s name, surname, place and date of birth, nationality, information on the type and number of identity document and signature sample, and additionally for Turkish citizens, mother’s, father’s name and Turkish ID number shall be obtained via the procedure and method used for remote identification.
  • The legal entity's information shall be verified through the Central Registry Registration System (MERSIS) and the Turkish Trade Registry Gazette, and the tax identification number shall be verified through the Revenue Administration’s database.
  • The representative authority of the person shall be confirmed by matching the information received with the updated information obtained by querying on MERSIS or the Turkish Trade Registry Gazette.
  • If there is more than one person authorized to jointly represent the legal entity, it is possible to identify these people in the same session or at different times.
  • In case the person authorized to represent the legal entity is also a customer of the obligor, they can make a request through the internet branch or mobile application, to establish a permanent business relationship with the legal entity that they represent.
  • Necessary measures shall be taken for the recognition of the real beneficiary.

Lastly, in addition to the methods to be used in the remote identification process in case the identity document cannot be verified using near-field communication, the Communiqué also regulates that the first financial transaction before establishing a permanent business relationship must be made from the account of the person in another financial institution where the principles of customer recognition are applied.

With this Communique, legal entities registered in the trade registry are included in the scope of the procedures and principles regarding remote identification, which were previously applied for only natural persons and natural person merchants. After this amendment, it is expected that the business and banking transactions of companies registered in the trade registry, especially joint stock and limited companies, will become easier.

Authors: Burak Özdağıstanli, Sümeyye Uçar, Ebru Gümüş


Turkish Data Protection Board Fines a Private Healthcare Institution for a Mandatory Checkbox

Turkish Personal Data Protection Board (“Board”) evaluated a complaint regarding a private health institution obtaining explicit consent from patients unlawfully, in its decision dated 02.05.2023 and numbered 2023/692.

In summary, the complaint subject to the decision was that while filling out the form to make an appointment on the healthcare institution’s website, the appointment process could not be completed unless the patients provide their explicit consent to be informed about the services and announcements of the healthcare institution.

The Board made the following evaluations regarding the complaint;

  • The appointment process cannot be completed until the box containing the phrase “I allow my personal information to be used and contacted to be informed about (data controller’s) services and announcements” is checked.
  • The appointment process, which constitutes a preliminary step for the data subjects to receive service, is subject to the condition of providing explicit consent for the promotion of the data controller.
  • Since the explicit consent must be based on free will, where providing an explicit consent is a condition to provide a good and/or service, it is necessary to evaluate the free will where the parties are not in an equal position or if one of the parties has an effect on the other.
  • Demanding explicit consent for an activity not directly related to the healthcare service and for the promotion of services where only the data controller benefits form, invalidates the data subjects’ free will.
  • Therefore, in this case, demanding explicit consent, which must be given with free will based on an informed decision, violated the principles of lawfulness and fairness under the Law on the Protection of Personal Data No. 6698.

In this regard, the Board adopted the following decision;

  • When the website is examined, it was seen that the patients who did not provide their explicit consent to processing of personal data within the scope of promotional activities could not continue the appointment process. This violates the principles of lawfulness and fairness under the Law on the Protection of Personal Data No. 6698, as the conditions for explicit consent (must be given with free will based on an informed decision) is not met.
  • Additionally, while it is possible that the personal data required in the appointment form can be based on processing conditions other than the explicit consent, it is deceptive and an abuse of right to base it on the explicit consent.
  • For above mentioned reasons, it was decided to impose an administrative fine of TRY 300.000 (approx. 10.362 EUR) on the data controller.
  • The Board also decided to instruct the data controller to amend the checkbox under the application form stating that “I have read the privacy notice on the processing of my personal data. I consent to the processing of my data in accordance with the Personal Data Protection Law", by removing the phrase "I give consent", as the data controller is obligated to provide that they have fulfilled their obligation to inform data subjects and the current wording gives the impression that the data subjects have approved the privacy notice.
  • In addition, the Board decided to instruct the data controller to prepare explicit consent texts separately, in case there are personal data processed with the explicit consent legal base.

Authors: Burak Özdağıstanli, Sümeyye Uçar, Ebru Gümüş


Turkish Data Protection Board Fines a Private Hospital for Making Videos about Patients’ Treatments

Turkish Personal Data Protection Board (“Board”) evaluated a notice regarding a private hospital obtaining explicit consent from patients for processing personal data, including health data, within the scope of advertising and promotion activities in its decision dated 11.05.2023 and numbered 2023/787.

In the notice, the data subject demanded action to be taken by stating that the private hospital data controller, through the patient consent forms, request explicit consent from the patients in order to share their photographs and videos with the contracted media organs for advertising and promotion purposes.

The Board made the following evaluations regarding the notice;

  • In the case, patients’ explicit consent is requested with the “Informed Consent Form for the Protection of Personal Data Specific to Photograph/Video” presented by the data controller and in the form, it is stated that for marketing, advertising and promotion purposes, the photos/videos will be recorded and can be transferred to third parties, national, local and international media organs and social media platforms with which services are received, cooperated or contracted.
  • Pursuant to the Law on the Protection of Personal Data with no. 6698 (“DPL”), explicit consent must be given with free will based on an informed decision; on the other hand, the processing must comply with the principles of lawfulness and fairness and the processing for specific, clear and legitimate purposes regulated in the DPL. Pursuant to the opinion of Article 29 Data Protection Working Party dated 03/2013, in the broadest sense, the principle for the processing for specific, clear and legitimate purposes means that the purposes must comply with legislations. In other words, if the personal data processing violates a sector-specific regulation, processing activity cannot be accepted to be lawful.
  • The Private Hospitals Regulation allows promotion and information by private hospitals if the information is about protecting and improving health; but prohibits carrying out promotional activities in the nature of advertising, with the purpose to create demand. Statements about the successful outcome of a treatment that include the patient's health problem and the doctor's explanations about the patient are beyond the scope of the information and promotion activities of health institutions allowed in the same legislation. In this respect, although private hospitals are prohibited from advertising pursuant to the sector-specific regulation, it is clear that health data and other personal data are processed by the data controller for advertising purposes, and the said processing activity is not in compliance with the legislation and does not have a legitimate purpose.
  • Further, the principle of processing to be related, limited and proportionate means that personal data that is not suitable or related to or necessary for the purpose, should not be processed; and principle of proportionality means establishing a reasonable balance between the data processing activity and the intended purpose. Therefore, even if personal data is processed related to a specific purpose based on the data subject’s explicit consent, the explicit consent does not legitimize excessive collection of data.
  • Therefore, although it was stated by the data controller that video recordings were made with the patients’ explicit consent, in order to raise public awareness of diseases that are rarely known in the society, and to provide information about the characteristics and treatment process of these diseases in a way that protects and improves health, processing health data is not necessary to achieve said purposes. Considering that there are alternative ways to achieve these purposes that do not require personal data processing and that the personal data processing is not necessary, this personal data processing activity violates the principle of proportionality.

In this regard, the Board adopted the following decision;

  • Special categories of personal data is processed by the data controller by shooting videos about the data subject’s diseases and treatment processes and sharing them on its social media accounts. Although this data processing activity is based on the explicit consent of the data subject, private hospitals are prohibited from advertising according to the Private Hospitals Regulation. Therefore, the data subjects’ explicit consent is not valid and the data subjects’ personal data has been processed unlawfully, without any legal base. For this reason, the Board decided to impose an administrative fine of TRY 250.000 (approx. 8.635 EUR) on the data controller on the grounds that the data controller did not take the necessary technical and administrative measures for processing personal data lawfully.
  • The Board decided to instruct the data controller to terminate the processing of personal data for mentioned purposes; to destroy such personal data in accordance with the Regulation on the Deletion, Destruction or Anonymization of Personal Data; and if such personal data was transferred to third parties, to inform these third parties about these transactions.

Authors: Burak Özdağıstanli, Sümeyye Uçar, Ebru Gümüş


A Fitness Center Processing Data Subject’s Blood Type

The Personal Data Protection Board (“Board”) evaluated a complaint regarding the processing of blood type information - which falls under the scope of the special categories of personal data - without the data subject's explicit consent by the data controller fitness center, in its decision dated 23.12.2022 and numbered 2022/1357.

The complaint subject to the decision is that the fitness center processes health data, biometric data, and camera images of the customers without presenting a privacy notice, obtaining explicit consent, and taking necessary security measures to ensure the protection of personal data within the scope of the Law No. 6698 on the Protection of Personal Data (“DPL”).

The Board made the following explanations regarding the complaint;

  • The fitness center also processes the data subject's blood type information in the contract signed for being a member. No explicit consent text is presented for this category of special personal data which can be processed with explicit consent.

  • The allegations that a fingerprint, which is biometric data, is taken at the entrance of the fitness center in addition to data such as fat and weight performance measurements, frequency of hospital visits, height, etc., could not be proven. Therefore, no evaluation could be made.

  • The allegations that the data subject's information cards are easily accessible by everyone in the fitness center, not stored properly and are lost from time to time, and the security camera footage in the fitness center can be accessed by unauthorized persons could not be proven. Therefore, no evaluation could be made.

  • The e-mail sent by the data subject to the data controller was not responded to. Thus, the data controller violated the obligation to respond to the data subject requests.

In this regard, the Board adopted the following decision;

  • Considering that for fitness center membership the blood type information, which is a special category of personal data, is processed and explicit consent is not obtained, it has been decided to impose an administrative fine of TRY 100.000 (approx. EUR 3.377) on the data controller for not fulfilling the obligations stipulated in Article 12 of the DPL.

  • The data controller is instructed to present the privacy notice and explicit consent separately to comply with the DPL and the Communiqué on the Procedures and Principles to be Followed in Fulfilling the Obligation of Clarification.

Authors: Burak Özdağıstanli, Bensu Özdemir, Ebru Gümüş