Cybersquatting under Different Dispute Resolution Mechanisms
The World Intellectual Property Organization ("WIPO") defines cybersquatting as “the preemptive, bad faith registration of trademarks as domain names by third parties who do not have rights in such names”. Cybersquatting takes advantage of the "first come, first served" principle of domain name registration and in most cases, the primary motivation for cybersquatting is to receive commercial offers from the rightful owners. As a result, effective alternative dispute resolution mechanisms have had to be adopted to meet the needs and challenges arising from the disputes between domain name registrants and trademark owners.
While the Internet Corporation for Assigned Names and Numbers ("ICANN") adopted the globally recognized dispute resolution mechanisms, the Uniform Domain Name Dispute Resolution Policy ("UDPR") and the Uniform Rapid Suspension ("URS"); Turkey also adopted a dispute resolution mechanism for “.tr” domain names in 2022, called the TR Network Information System (“TRABIS”). The rules for TRABIS are regulated under the Regulation on Internet Domain Names (“Regulation”) and the Communiqué on Internet Domain Names Dispute Resolution Mechanism ("Communiqué"), which are secondary legislation to the Electronic Communications Law No. 5809 ("Law").
This article presents a comparative approach to the domain name dispute resolution mechanisms to be applied in the event of a cybersquatting incident.
UDPR
UDPR establishes the terms and conditions of a dispute between a registrant and a third party regarding the use of an Internet domain name. Under the UDPR, the following criteria must be met in order for the UDPR to apply:
- The domain name must be identical or confusingly similar to a trademark or service mark in which the third party has rights,
- The registrant must not have any legal interest in the domain name,
- The domain name must be registered and used in bad faith.
An important point to note is that the UDRP allows filing more than one application.
It should be noted that the UDRP costs applicants between USD 1,500 and 4,000. In addition, the entire process takes approximately 8 weeks to complete. Notably, the UDRP does not provide a quick resolution for the applicants.
URS
The URS was adopted by ICANN in 2013, to address the need to suspend the use of the domain name. The main difference between the UDRP and the URS is that the URS provides a temporary suspension of the domain name registration during the registration period. In addition, the URS is less expensive (approx. USD 375) and faster than the UDRP, as the process takes approximately 3 weeks to complete. Another element of the URS that differs from the UDRP is the burden of proof. In the case of the URS, the complainant only has to provide clear and convincing evidence, while the UDRP requires more detailed evidence.
It should be noted that, under the relevant ICANN provisions, a URS complaint may not be filed if there is a pending URS or UDRP proceeding involving the same domain name. Nevertheless, there is no impediment to filing a URS or UDRP complaint after the conclusion of the first case, provided it was filed before the other mechanism.
TRABIS
The Law has granted the Information Technologies and Communications Authority ("Authority") broad powers with respect to Internet domain names and cybersecurity. Pursuant to the Law, the Authority handles ".tr" domain name disputes through TRABIS. The Communiqué states that disputes arising from .tr domain names are resolved by an Internet domain name dispute resolution service provider (Currently, the Information Technologies and Internet Security Association (BTIDER) and the TOBB UYUM Mediation and Dispute Resolution Center), which follows a path similar to the UDRP.
The requirements for application are set out in the Regulation as follows:
- The disputed domain name is similar or identical to a trademark, trade name, business name or other identifying mark owned or used in commerce,
- The registrant has no legal right or connection to the domain name,
- Allocation or use of this domain name by the domain name owner is in bad faith.
It should be noted that TRABIS costs applicants between TRY 4.500 and 13.500 (approx. USD 145 and 440) depending on whether a single arbitrator or a panel of arbitrators is selected. In addition, the entire process takes approximately 3-4 weeks to complete.
Like the UDRP, the Internet Domain Name Dispute Resolution Service Provider allows multiple applications.
Conclusion
In light of all of the above, we can conclude that both the UDRP and the URS serve different aspects of domain name disputes, each of which is specific to the needs of Internet law. The URS, on the other hand, largely follows the principles set forth in the UDRP. As the threat of cybersquatting incidents increases by the day, it is critical for trademark owners to have a clear understanding of how to protect their rights.
Authors: Hatice Ekici Tağa, Sümeyye Uçar, Ebru Gümüş Karasu, Göksu Tuğrul
Küresel Ekonomide Rekabet Yasağı
Rekabet yasağı, işverenlere ticari sırların korunması ve çalışanların iş değiştirme sıklıklarının azaltılması açısından güvenli bir alan sağladığı için iş sözleşmelerinin temel taşlarından biri olmuştur. Öte yandan, rekabet yasağının kapsamını sınırlayan kurallar, çalışanlara hareket serbestisi sağlamakta ve dolayısıyla, ilgili sektörlerin gelişimine ve yenilikçiliğine katkıda bulunmaktadır.
Türkiye'de Rekabet Yasağına İlişkin Kurallar
Türkiye'de çalışanların işverenlerine karşı özen ve sadakat yükümlülüğü 6098 sayılı Türk Borçlar Kanunu'nda düzenlenmektedir. Bu kapsamda çalışanlar, işverenlerinin haklı menfaatlerini korumak için sadakatle hareket etmekle yükümlüdürler. İş ilişkisi devam ettiği sürece, çalışanların sadakat yükümlülüklerine aykırı olarak üçüncü kişilere ücret karşılığı hizmet vermeleri ve özellikle kendi işverenleri ile rekabet etmeleri yasaktır. Ayrıca, işverenin haklı menfaatlerinin korunması için gerekli olduğu ölçüde, çalışanlar iş ilişkisi sona erdikten sonra da ticari sırları saklamakla yükümlüdür.
Borçlar Kanunu ayrıca, çalışanların iş sözleşmesinin sona ermesinden sonra işverenleriyle rekabet etmekten kaçınmasını, yani kendi hesaplarına rakip bir işletme açmaktan, başka bir rakip işletmede çalışmaktan veya bunların dışında, rakip işletmeyle başka bir menfaat ilişkisine girmekten kaçınmasını, ek bir sözleşme imzalayarak veya iş sözleşmelerine buna ilişkin bir madde ekleyerek kabul edebileceklerini öngörmektedir. Öte yandan, rekabet yasağı yalnızca (i) iş ilişkisinin çalışana işverenin müşteri çevresi veya ticari sırları hakkında bilgi edinme imkanı sağladığı ve (ii) bu bilgilerin kullanılmasının işverene önemli ölçüde zarar verebileceği durumlarda uygulanabilmektedir.
Aynı zamanda rekabet yasağına ilişkin hükümler Borçlar Kanunu’nda, çalışanların ekonomik geleceklerinin haksız yere tehlikeye atılmasını önleyecek şekilde düzenlenmektedir. Buna göre, rekabet yasağı (i) yer, zaman ve işin türü bakımından uygun olmayan sınırlamalar içeremez ve (ii) özel durum ve koşullar dışında iki yıllık süreyi aşamaz.
Ek olarak rekabet yasağı, iş ilişkisinin sona ermesinden sonra çalışanların mevcut bilgi ve deneyimleri ile iş yapmalarını tamamen engellememelidir. Bu bağlamda mahkemeler, bütün durum ve koşulları değerlendirerek ve işverenlerin üstlenmiş olabilecekleri karşı edimi göz önünde bulundurarak, aşırı nitelikteki rekabet yasaklarını kapsam veya süre bakımından sınırlandırma yetkisine sahiptir.
Küreselleşen Dünyada Rekabet Yasağına İlişkin Kuralların Yorumlanması
Dünyanın dinamik yapısı göz önünde bulundurulduğunda, rekabet yasağına ilişkin bölgesel kısıtlamaların uygulanması hem çalışanlar hem de işverenler için önem teşkil eden zorluklar ortaya çıkarmaktadır. İşyerlerini ve müşterilerin alanlarını tanımlayan geleneksel sınırların giderek daha esnek ve sınırsız hale gelmesi, bu tür kısıtlamaların uygulanmasını ve pratikliğini zorlaştırmaktadır. Örneğin, bölgesel sınır kavramının neredeyse geçersiz olduğu dijital oyun sektöründe, rekabet yasaklarına konu olan bölgesel kısıtlamalar uygulanabilir olmamaktadır.
Bu konuda rekabet yasağına ilişkin mevzuat hükümleri yetersiz olsa da mahkemeler tarafından verilen kararlar bu alanda yön göstermektedir. Yargıtay Hukuk Genel Kurulu bir kararında (Esas No. 2019/667, Karar No. 2022/33), aşırı kısıtlayıcı rekabet yasaklarına mahkemeler tarafından müdahale edilebileceğini, böylece hem anlaşmanın canlı tutulabileceğini hem de aşırı kısıtlamaların önlenebileceğini belirtmektedir.
Sakarya Bölge Adliye Mahkemesi 7. Hukuk Dairesi’nin kararı ise (Esas No. 2022/1742, Karar No. 2023/1725) çalışanların işyerinin bir bölgede bulunuyor olmasının, fiilen aynı bölgede rekabet ettikleri anlamına gelmediğini vurgulamaktadır. Uzaktan çalışmanın benimsenmesiyle birlikte, bir işyerinin bulunduğu bölge ile rekabet edilen bölgenin aynı olduğu şeklindeki geleneksel anlayış geçerliliğini yitirmiştir. Bunun yerine Türk mahkemeleri, ilgili tarafların fiziksel işyerlerine bakmaksızın, fiili rekabetin gerçekleştiği yerlere vurgu yapmaktadır.
Her ne kadar mahkeme kararları yol gösterici olsa da mevzuat hükümleri ve içtihatlar, küreselleşen rekabetin karmaşıklığını ele almakta yetersiz kalmaktadır ve rekabet yasağının hedeflenen amaçlara ulaşabilmesi için mevzuat değişikliklerinin yapılması gerekmektedir.
Authors: Hatice Ekici Tağa, Begüm Alara Şahinkaya, Göksu Tuğrul
Non-Compete Clauses in a Borderless Economy
Non-compete clauses have been one of the cornerstones of employment agreements as they provide a safe space to employers in terms of safeguarding know-how and reducing employee turnovers. On the other hand, rules restricting the scope of non-compete clauses are applied to liberate the employee mobility, which also contributes to the development and innovation of the relevant sector.
Rules on Non-Compete Clauses in Turkey
In Turkey, employees’ duty of diligence and loyalty to their employers are regulated under the Code of Obligations with no. 6098, where employees are obliged to act faithfully in protecting the rightful interests of the employer. As long as the employment relationship continues, employees are prohibited to serve third parties for a fee contrary to their loyalty duty and in particular, to compete with their employer. Additionally, to the extent necessary for the protection of employers’ rightful interests, employees are also obliged to keep trade secrets after the employment relationship end.
The Code of Obligations further sets forth that employees may agree to refrain from competing with their employer after the termination of the employment agreement, i.e. from establishing a competing business on their own account, working for another competing business or entering into a relationship of interest with a competing business, by signing an additional agreement or including a clause in their employment agreement. On the other hand, the non-compete clauses are only applicable in cases where (i) the employment relationship provides the employee with the opportunity to obtain information about the employer’s customer portfolio or trade secrets, and (ii) the use of this information will cause significant harm to the employer.
The terms of non-compete clauses are also defined under the Code of Obligations in a way to prevent unfairly jeopardizing the economic future of employees. Accordingly, the non-compete clauses may not impose (i) unreasonable restrictions in terms of place, time and type of work, and (ii) its duration may not exceed two years, except in special circumstances and conditions.
Furthermore, non-compete clauses should not completely restrict employees from performing work with their existing knowledge and experience after the termination of the employment relationship. In this regard, the courts have the authority to limit the excessive non-compete clauses in terms of its scope or duration, by evaluating all the circumstances and conditions and considering the counteraction that employers may have undertaken in return.
Interpretation of the Rules on Non-Compete in a Globalized Landscape
Considering the dynamic nature of the world, the application of territorial restrictions in non-compete clauses present significant challenges for both the employees and the employers. The traditional boundaries defining workplaces and customer residencies have become increasingly fluid and limitless, complicating the enforcement and practicality of such restrictions. For instance, the territorial restrictions in non-compete clauses are hardly applicable in the gaming industry, which stands out as one of the most global and interconnected sectors, where the notion of territorial boundaries is virtually obsolete.
Although the rules on non-compete clauses lack sufficiency in this regard, the case-law provides a direction in individual cases. The Court of Cassation’s decision (No. 2019/6672) underlines that excessive restrictions in non-compete clauses may be intervened and amended by the courts, where the agreement of the parties is kept alive, but the excessive restrictions are prevented.
Another decision by a Regional Courts of Justice (No. 2023/1725, File No. 2022/1742) emphasizes that the workplaces of employees do not indicate that they are actually competing in that region. With the adoption of remote work policies, the traditional understanding of a workplace, where the workplace of an establishment is the region where it competes, has become obsolete. Instead, the Turkish courts are placing emphasis on the locations where actual competition occurs, regardless of the physical workplaces of the parties involved.
Even though the case-laws may provide a guidance, legislative rules and legal precedents still fall short in adequately addressing the complexities of competition in a globalized context; and legislation changes are a necessity to achieve the objective of non-compete clauses.
Authors: Hatice Ekici Tağa, Begüm Alara Şahinkaya, Göksu Tuğrul
Turkish Data Protection Board Decision: Processing Special Categories of Employee Data
In its decision dated August 10, 2023 w. no 2023/1356, the Turkish Personal Data Protection Board (“Board”) evaluated a complaint regarding an employer that submitted the camera footage of its employee praying in a masjid in a reinstatement lawsuit.
In summary, the employee (“Data Subject”) argued that the employer (“Data Controller”) recorded the footage of the Data Subject praying in a masjid without obtaining their explicit consent and without providing information regarding processing of their personal data, which is considered as a special category of data within the scope of the Personal Data Protection Law No. 6698 (“DPL”). The Data Subject further claimed that they were forced to sign an explicit consent form regarding the retrospective processing of their personal data by writing the date of employment, for fear of being dismissed and that this consent did not reflect their free will.
On the other hand, in its defense, the Data Controller stated that camera footage subject to the complaint was processed for security purposes at the workplace, as the workplace was classified as "very dangerous" in terms of occupational health and safety due to its production activity. In this regard, the employees were informed about the recording through visitor safety sign and camera warning signs at the entrance of the Data Controller’s workplace. Moreover, the Data Controller emphasized that the employees were informed regarding (i) the camera footage is processed due to physical place safety, (ii) the purposes of such processing, (iii) to whom and for what purpose the data may be transferred, (iv) the methods of data collection and (v) the rights of the data subjects. Accordingly, the Data Controller stated that the video footage is processed with the purpose of physical place safety data to track any incident that may occur in the masjid, which is a part of the workplace. However, the Data Controller further argued that its employees’ special categories of data, i.e. personal data regarding religion, sects and other beliefs, are not processed and thus, explicit consent of the employees were not obtained.
In this regard, the Board primarily evaluated and decided that as the Data Controller's processing of the video footage inside the place of worship is a data processing related to the religious belief of the Data Subject, the video footage falls within the scope of special categories of personal data and explicit consent of the Data Subject must have been obtained. Furthermore, the Board underlined that camera surveillance of a place of worship would not be lawful data processing as the employees would have a reasonable expectation of privacy in terms of changing rooms, toilets, showers, prayer rooms, rest rooms and breastfeeding rooms; and that the masjid does not have any characteristics that would oblige it to be monitored with regards to the working area of the Data Controller.
The Board further referred to the Guidelines on Explicit Consent and underlined that explicit consent is a declaration of consent given by the data subject (i) freely, (ii) with sufficient information on the subject matter, (iii) in a clear manner that leaves no room for hesitation and (iv) limited. Accordingly, the Guidelines on Explicit Consent highlights that in an employment relationship where there is a power imbalance and one party has influence over the other, and the employee is not given the opportunity to effectively withhold consent, the explicit consent obtained from the employee will not be considered as freely given consent.
Accordingly, the Board decided to impose an administrative fine of TRY 300,000 (approx. EUR 9,148) on the Data Controller due to:
- The failure of the Data Controller to process data within the scope of data processing conditions under the DPL as the explicit consent obtained from the Data Subject was based on the fear of dismissal and thus the Data Subject did not provide their explicit consent for the process of their special categories of data,
- Even if the explicit consent was obtained from the Data Subject, the Data Controller did not act in compliance with the principles regulated under the DPL, namely, being relevant, limited and proportionate to the purposes for which the data is processed and thus, did not take all necessary technical and administrative measures to ensure the appropriate level of security in order to prevent unlawful processing of personal data.
Authors: Burak Özdağıstanli, Sümeyye Uçar, Begüm Alara Şahinkaya
Turkish Data Protection Board Decision: Data Processing Activities of an Online Game
In its decision dated September 28, 2023 and numbered 2023/1645, the Turkish Personal Data Protection Board (“Board”) evaluated a complaint regarding a local distributor of a massively multiplayer online game due to its unlawful processing of personal data.
In summary, the complainant (“Data Subject”) argued that the distributor of an online game (“Data Controller”), who is the sole authorized person responsible for making all transactions on behalf of the owner of the game and generates commercial revenues in Turkey, failed to provide a comprehensive response to their information request within the scope of the Turkish Personal Data Protection Law No. 6698 (“DPL”). Moreover, the Data Controller allegedly stated to the Data Subject that their personal data is not transferred to third parties, neither in Turkey nor abroad. However, the Data Subject claimed that pursuant to Data Controller’s privacy policy and cookie policy, the personal data collected from the players are transferred abroad. Additionally, the Data Subject stated that the Data Controller is using a third-party software to prevent cheating and fraud, which runs during each login to the game and scans all files and software on the computer and continues to run as long as the game remains open. The Data Subject further stated that their personal data was illegally obtained and transferred abroad through this third-party software.
On the other hand, in its defense, the Data Controller stated that the gaming sector is built upon the digital game contracts of which the parties are based abroad and thus, cross-border transfers are obligatory in terms of business processes. However, all servers used within the scope of gaming services are kept in Turkey. Moreover, the Data Controller underlined that the only personal data processed are e-mail address, IP address and if secure login application is selected by the data subjects, mobile phone number data and the processing is based on (i) the necessity due to compliance with a legal obligation to which the Data Controller is subject and (ii) necessity due to the legitimate interests pursued by the Data Controller, provided that this processing shall not violate the fundamental rights and freedoms of the data subjects within the scope of DPL. The Data Controller further emphasized that the personal data of data subjects are not shared with anyone, except for the purpose of fulfilling legal obligations and sharing personal data with judicial authorities pursuant to DPL.
Regarding the claims of third-party software, the Data Controller stated that such software does not scan all files on the players’ computer nor access the camera and microphone. Additionally, the personal data of the players are not transferred abroad through the software.
Last of all, the Data Controller set forth that only necessary cookies are used, and the cookie policy is displayed on the screen as a "pop-up" when the website is visited. On the other hand, as the privacy policy has been prepared prior to the entry of the DPL into force, a new compliance process has been initiated to update the privacy policy to make it compatible with the current data processing activities.
Subsequently, the Board evaluated the claims of both parties and decided to carry out an on-site inspection by visiting the office of the Data Controller and the headquarters of another company from which it receives services, as the Board could not reach a definitive conclusion as to whether the personal data of the Data Subject are transferred abroad by the Data Controller. As a result, the Board concluded that the personal data of players are not transferred abroad.
In this regard, the Board reached the following conclusions concerning the claims of the parties:
- Unlawful processing of personal data through surveillance software: The Board determined that the surveillance software used by the Data Controller tries (i) to determine whether the player is using a bot software by analyzing the executable files opened in the computer at the moment the game is launched and (ii) to distinguish the type of executable files are open on the computer. Accordingly, the Board decided that the Data Controller only uses the special software to determine whether the players resort to cheating and fraud, and that there is no unlawful personal data processing activity by accessing the personal data on the players' computers during this use.
- Data Controller’s Obligation to Inform: The Board determined that the privacy policy of the Data Controller is not compliant with the provisions of the DPL and underlined that it should be updated as soon as possible.
- Cross-Border Data Transfers: As a result of the on-site inspection, the Board concluded that the game servers are kept domestically by the Data controller and the personal data of the Data Subject is not transferred abroad, as the Data Controller (i) purchased game servers to keep personal data domestically, (ii) concluded an agreement with a company for services related to servers, such as security and hosting services, and (iii) backed up the information within the scope of online games, such as game level, items used in the game, on a cloud computing platform, except for the players’ personal data.
- Personal Data Processing Carried Out Through Cookies: The Board determined that the Data Controller’s processing of personal data through cookies is not incompliance with the provisions of the DPL, since:
- The Data Controller uses necessary cookies, functional cookies, analysis/performance cookies and targeting/advertising cookies but only provides two options to the players, i.e. "use only necessary cookies" and "allow all cookies" and thus, obtains collective explicit consent and data subjects are not given the opportunity to choose.
- In line with the Cookie Policy of the Data Controller, various cookies are used by third party cookie providers abroad in the category of necessary cookies and thus, the Data Controller failed to obtain the explicit consent of the data subjects, contrary to the Guidelines on Cookie Practices.
In the light of the above explained, the Board decided to impose an administrative fine of TRY 750,000 (approx. EUR 22,946) on the Data Controller due to its failure to (i) obtain separate explicit consents for different types of cookies and (ii) obtain the explicit consent of the data subjects for cross-border data transfers via cookies.
Authors: Burak Özdağıstanli, Sümeyye Uçar, Begüm Alara Şahinkaya
Turkish Data Protection Board Decision: Confidentiality Obligations of Banks
In its decision dated June 15, 2023 and numbered 2023/1050, the Turkish Personal Data Protection Board (“Board”) evaluated a complaint regarding a bank’s failure to fulfill a customer’s request to provide the transcript of the conversation between the bank’s customer representative and the customer.
In summary, the customer (“Data Subject”) argued that the bank (“Data Controller”) failed to provide information regarding the Data Subject’s stolen personal data, as their virtual card had been copied. In this regard, the Data Subject requested from the Data Controller the voice recording or the transcript of their conversation with the customer representative, in line with the data subject rights under the Personal Data Protection Law No. 6698 (“DPL”). However, in its defense, the Data Controller denied the Data Subject’s request and did not share the voice recording or the transcript of the conversation due to the provisions of the Banking Law No. 5411 (“Banking Law”) and the Regulation on Sharing of Secret Information (“Regulation”).
In this regard, the Board evaluated the facts of the case in line with the provisions of DPL, the Banking Law and the Regulation. While underlining the rights of the data subjects, including the right to demand for information as to if their personal data have been processed, the Board underlined that the data controllers are under the obligation (i) to finalize the data subjects’ requests free of charge, as soon as possible and within thirty days at the latest or (ii) to reject the data subjects’ requests by explaining the reason and notify the data subject in writing or electronically. The Board determined that the Data Controller did not provide any response to the first inquiry by the Data Subject; and provided response to the second inquiry after the thirty day period.
Furthermore, within the framework of the Banking Law and the Regulation, the Board stated that the confidentiality obligation of the Data Controller requires not to provide “customer secrets” (natural and legal persons’ data after the establishment of a customer relationship with banks specific to banking activities) to third parties about the information and events obtained due to the commercial connection with the customer. On the other hand, this obligation does not prohibit disclosing the Data Subject’s own personal data within the scope of the rights of data subjects regulated under the DPL. The Board also mentioned that the data subject right to request information if their personal data have been processed, includes the right of access to such data.
Accordingly, the Board instructed the Data Controller to share with the Data Subject the transcript of the conversation between them and the customer representative by taking measures such as removing/masking the personal data of others, in line with the rights of data subjects regulated under the DPL.
Authors: Burak Özdağıstanli, Sümeyye Uçar, Begüm Alara Şahinkaya
Turkish Data Protection Board Decision: Processing Former Employee’s Email Data
In its decision dated August 3, 2023 and numbered 2023/1321, the Turkish Personal Data Protection Board (“Board”) evaluated a complaint regarding a company’s continued processing of e-mail data of a former shareholder.
In summary, the former shareholder of a company (“Data Subject”) argued that the company (“Data Controller”) has continued to process their e-mail data, as their former work e-mail address is still active, and the Data Controller has been reading their e-mails. The Data Subject further claimed that such processing of their personal data creates unfair competition for their new company and caused material damage; and that their applications to the Data Controller remained unanswered.
On the other hand, the Data Controller stated that the e-mail address in question was closed and recorded as an "undefined email address” in its system and as the extension of the Data Subject’s e-mail address belongs to the Data Controller, the new emails have been directed to the email addresses of the relevant executives of the Data Controller. Moreover, the Data Controller claimed that the emails received after the resignation of the Data Subject do not contain any personal data.
In this regard, the Board evaluated that as the messages are still being sent to the e-mail address previously used by the Data Subject, which is currently inactive, the e-mail data has the quality of personal data, and such personal data continue to be processed by the Data Controller by accessing the sent emails, without relying on the conditions of personal data processing regulated under the Personal Data Protection Law No. 6698, and decided to impose an administrative fine of TRY 50.000 (approx. EUR 1520).
Authors: Burak Özdağıstanli, Sümeyye Uçar, Begüm Alara Şahinkaya
Removal of and Blocking Access to Online Contents: Constitutional Court Annuls Internet Law Provisions
The Constitutional Court’s decision with no. 2023/172 (“Decision”) was published on the Official Gazette on January 10, 2024. The Decision concerns the application for the annulment of several provisions under the Law on the Regulation of Broadcasts via Internet and Prevention of Crimes Committed through Such Broadcasts (“Internet Law”).
While the Constitutional Court decided to annul the Internet Law provisions on removal of content and blocking access based on (i) the publication of criminal content online (Article 8) and (ii) the violation of personality rights (Article 9); it evaluated that the following provisions are in compliance with the Constitution of the Republic of Turkey (“Constitution”): (i) the definition of the social network providers, (ii) the delivery of notices of administrative fine decisions to relevant parties residing abroad, (iii) the administrative fines to be imposed on hosting providers failing to fulfill their obligations, (iv) several obligations of social network providers.
A. The Evaluations of the Constitutional Court
The Definition of the Social Network Providers
| Definitions – Article 2
(s) Social network provider: Those natural or legal persons that provide opportunities for users to create, view or share textual, visual, audio, or location data, etc. for the purpose of social interaction. |
The grounds for the annulment application of this article were that the phrases “social interaction”, “create”, “view”, “share” are not clear and precise which results in unclarity for determining which internet medias are within the scope of this definition and so, wide discretion power for the administrative authority. Furthermore, the application stated that specific obligations for social network providers are unclear and that the provisions limiting the freedom of persons must be clear and foreseeable pursuant to the Constitution.
While the Constitutional Court accepted that the mentioned phrases are generalizations, it rejected the annulment of this article as these phrases are not unclear or unforeseeable; and that the reason for using such intangible phrases is to contain any solution aimed with the provision, which can vary depending on a concrete case occurring on the Internet, a virtual environment where the borders are hard to define.
The Delivery of Notices of Administrative Fine Decisions to Relevant Parties Residing Abroad
| Obligation to Provide Information – Article 3
(5) In the event that the addressee is abroad, administrative fines given per the provisions of this (Internet) Law may be issued by the (Information Technologies and Communication) Authority directly to the addressee by way of the procedure laid out in paragraph 3. Such issuance will be held as a notice issued as per Notification Law No. 7201 dated 2/11/1959. The notification is deemed delivered at the end of the fifth day following the issuance. |
This article stipulates that if the addressee of the administrative fines to be given per the Internet Law is located abroad, the Information Technologies and Communication Authority (“ITCA”) may issue a notice related to such administrative fines via (i) e-mail or (ii) other communication tools through information obtained from sources such as communication tools on internet pages, domain names, IP addresses and similar resources.
The grounds for the annulment application of this article were based on the fact that an e-mail or any other kind of notification will be accepted as an official notification, without understanding whether it has reached the addressee or on what date it has reached. It is claimed that such notification procedure (i) is incompatible with freedom to claim rights and right to effective remedy, (ii) is in violation of international conventions to which Turkey is a party, (iii) does not carry legal certainty, and lastly (iv) contradicts the principle of inequality.
In this regard, the Constitutional Court evaluated that the notification procedure regulated by the provision is in compliance with the Constitution, as the addressees subject to the Internet Law are under the following obligations:
- Content, hosting, access and collective use providers are under the obligation to keep their promotional information up to date on their website,
- Social network providers with more than one million daily accesses from Turkey are under the obligation to include their representative’s contact information on their website in a way that can be easily seen and directly accessed,
- Internet service providers are under the obligation to be a member of the Access Providers Association.
Accordingly, the Constitutional Court stated that since the addressees of the notification are under the obligation to provide a valid contact information as detailed above, the notifications to be made in line with this article is in compliance with the Constitution and fulfills the purposes of written notifications, i.e. informing the addressee regarding the action taken against them and documenting the date on which the notification was made.
The Administrative Fines to Be Imposed on Hosting Providers Failing to Fulfill Their Obligations
| Liabilities of Hosting Provider - Article 5
(6) The President (of ITCA) shall impose an administrative fine from 100.000 Turkish Liras to 1.000.000 Turkish Liras on the hosting provider who fails to submit a hosting provider notification or fulfil its obligations under this (Internet) Law. |
The grounds for the annulment application of this article were that the administrative fine amounts were increased ten times, this increase was disproportionate, and that the President has an arbitrary discretion in imposing the administrative fine, which is in contrary to the Constitution.
While the Constitutional Court agreed that the article does not state the criteria for determining the administrative fine amount, it referred to the Misdemeanor Law No. 5326, where all activities resulting in an administrative fine shall be subject to. Constitutional Court stated in its evaluation that the Misdemeanor Law regulates the criteria for determining an administrative fine amount (i.e. content of the misdemeanor, fault and the economic situation of the perpetrator) and that the President of ITCA must apply such criteria; hence, does not have an arbitrary discretion.
Furthermore, the Constitutional Court noted that with the consideration of the size of the economic value occurring in the internet environment in the recent years, the fine amounts are not deemed as an excessive burden to the hosting providers.
Lastly, the Constitutional Court mentioned that the mentioned provision acts as a deterrent by regulating the imposition of administrative fines in the event that hosting providers, which fulfil a major function in the internet environment, fail to fulfil their obligations that also serve the public sphere. Hence, the administrative fine provision is based on a legitimate purpose and necessary and appropriate with the provision’s aim.
Obligations of Social Network Providers
The Constitutional Court did not examine the Provisional Article 4 of the Internet Law which regulates the obligations of the social network providers subject to the claim due to the fact that the said article had already been amended with the Amendment Law No. 7418 on the Press Law and Certain Laws, published on the Official Gazette on October 18, 2022.
B. The Decisions of the Constitutional Court on Removal of Content and Blocking Access
The Publication of Criminal Content Online
| The Decisions to Remove Content and Block Access, and Their Implementation - Article 8
(4) The decision to remove the content and/or block access to publications whose content constitutes the crimes stated in the first paragraph[1] shall be given ex officio by the President (of ITCA). This decision shall be notified to the relevant content, hosting and access provider and shall be asked to carry out its requirements. (11) In the event that the decision to remove content and/or block access which is given as an administrative measure is not fulfilled, President shall impose administrative fines to the relevant content, hosting and access provider from 10.000 Turkish Liras up to 100.000 Turkish Liras. If the decision is not fulfilled by the access provider within twenty-four hours after the administrative fine is imposed, ITCA may decide to revoke the authorization. |
Constitutional Court evaluated this article based on the presumption of innocence regulated under the Constitution. Accordingly, while the adoption of various judicial and administrative measures in relation to a person suspected of a crime is not prohibited under the Constitution, such measures must be a temporary measure carried out in connection with the criminal proceedings. Measures that are completely detached from the criminal proceedings and have a final nature undermine the presumption of innocence, as they result in the person being treated as guilty before a criminal court decision.
In this context, the measure under the Article 8/4 of the Internet Law, i.e. the decision of removal of content, is considered a final measure that is detached from the criminal proceedings and is applied by the determination of the President of ITCA. Moreover, this measure cannot be examined during the criminal investigation process initiated in relation to the related offense that constitutes the justification for the administrative measure applied by the President, and that the injunction continues to stand even if the trial results in a verdict other than a conviction.
As a result, the Constitutional Court concluded (and decided to annul) the provisions regarding the decision to remove the content, which is in the nature of a final measure depending on the determination of guilt by an administrative authority, and the imposition of administrative fines in case of non-execution of this decision violates the presumption of innocence, without a finalized court decision determining that the acts regulated as crimes have been committed.
| Before the Decision | After the Decision |
| (4) The decision to remove the content and/or block access to publications whose content constitutes the crimes stated in the first paragraph shall be given ex officio by the President. This decision shall be notified to the relevant content, hosting and access provider and shall be asked to carry out its requirements.
(11) In the event that the decision to remove content and/or block access which is given as an administrative measure is not fulfilled, President shall impose administrative fines to the relevant content, hosting and access provider from 10.000 Turkish Liras up to 100.000 Turkish Liras. If the decision is not fulfilled by the access provider within twenty-four hours after the administrative fine is imposed, ITCA may decide to revoke the authorization. |
(4) The decision to remove the content and/or block access to publications whose content constitutes the crimes stated in the first paragraph shall be given ex officio by the President. This decision shall be notified to the relevant content, hosting and access provider and shall be asked to carry out its requirements.
(11) In the event that the decision to remove content and/or block access which is given as an administrative measure is not fulfilled, President shall impose administrative fines to the relevant content, hosting and access provider from 10.000 Turkish Liras up to 100.000 Turkish Liras. If the decision is not fulfilled by the access provider within twenty-four hours after the administrative fine is imposed, ITCA may decide to revoke the authorization. |
The Violation of Personality Rights
The Article 9 of the Internet Law, subject to the annulment, regulates that the natural person, legal entities, institutions and organizations claiming that their personality rights are violated due to a content published on the internet may ask to (i) the content provider, or (ii) (if they cannot reach the content provider) the hosting provider, to remove the content by using the warning method. They may also request access blocking by applying directly to the judge of the court of peace.
The Constitutional Court stated that the said article restricts (i) the freedom of expression, by enabling the removal of contents published on the internet and/or blocking access to these publications, and (ii) the freedom of the press, considering that these publications may also be within the scope of internet journalism. Pursuant to the Constitution, such restriction must be made by law and must comply with the reasons for restriction stipulated in the Constitution, the requirements of the democratic social order and the principle of proportionality.
Accordingly, the Constitutional Court referred to its Decision with No. 2018/14884[2], which concluded that, while implementing this provision, the criminal judgeships of peace (i) reached conclusions without conducting conflicting trial and without presenting the need for immediate and prompt disposal and (ii) without the approach ensuring the supervision of a fair balance between conflicting rights. Moreover, the reasoned decisions of criminal judgeships of peace contain general statements independent of the circumstances of the concrete events and do not examine how the publications violate personality rights. Within this framework, the Constitutional Court evaluated that the lack of certainty regarding the scope and limits of Article 9 of the Internet Law creates a wide margin of appreciation for the judicial authorities and that it is difficult to obtain results from the objections against these decisions.
On the other hand, the Constitutional Court observed that the said article does not provide a gradual intervention method for the restriction of internet content against attacks on personality rights, as the restrictions prevents access to a certain content on the internet indefinitely from the date of the decision. In this respect, the Constitutional Court concluded that Article 9 of the Internet Law:
- constitutes a severe interference with the freedoms of expression and the press,
- does not provide procedural safeguards to prevent arbitrary behavior by narrowing the discretionary power of public authorities,
- does not contain the guarantees that will ensure proportionate decisions in accordance with the requirements of the democratic social order.
In the light of the above explanations, the Constitutional Court decided that the Article 9 of the Internet Law is unconstitutional and thus, annulled.
The annulments will enter into force on October 10, 2024.
[1] The offenses specified under the Article 8 of the Internet Law are as follows:
a) The crimes under the Turkish Criminal Code dated 26/9/2004 and numbered 5237;
-
Encouragement of suicide (Article 84),
-
Sexual abuse of children (Article 103, first paragraph),
-
Facilitate the use of drugs or stimulants (Article 190),
-
Hazardous substance for health (Article 194),
-
Obscenity (Article 226),
-
Prostitution (Article 227),
-
Providing space and facilities for gambling (Article 228).
b) Crimes in the Law Concerning Crimes Committed Against Atatürk dated 25/7/1951 and numbered 5816.
c) the crimes regulated under the Law on Regulation of Betting and Games of Chance in Football and Other Sports Competitions dated 29/4/1959 and numbered 7258.
ç) the crimes regulated under first and second paragraphs of Article 27 of the Law on State Intelligence Services and National Intelligence Organization dated 1/11/1983 and numbered 2937.
[2] Keskin Kalem Yayıncılık ve Ticaret A.Ş. and other [GK], B. No: 2018/14884, 27/10/2021.
Authors: Burak Özdağıstanli, Sümeyye Uçar, Begüm Alara Şahinkaya
Turkish Data Protection Board Decision: Unlawful Voice Recordings in Labor Disputes
In its decision dated September 7, 2023 and numbered 2023/1548, the Turkish Personal Data Protection Board (“Board”) evaluated a complaint regarding an employer submitting voice recordings of an employee to the court, in relation to a labor dispute.
In summary, the employee (“Data Subject”) claimed that their conversation was recorded and given to their employer (“Data Controller”) by a customer and was retained and submitted to the court by the Data Controller without explicit consent. On the other hand, the Data Controller counterclaimed that they terminated the employment agreement due to the Data Subject’s behavior, as the voice recording of the Data Subject demonstrates attempt at bribery and after the Data Subject filed a lawsuit against the Data Controller with the claim that the termination was unlawful, the Data Controller submitted the voice recording to the court file as an encrypted disk, of which the password was not shared with the court.
In this regard, the Board stated that the issues regarding the Data Controller’s retention of the Data Subject’s voice recording which justifies the termination and its submission to the court file should be evaluated within the scope of the Turkish Personal Data Protection Law No. 6698 (“DPL”).
Accordingly, the Board underlined that although the Code of Civil Procedure No. 6100 prohibits the use of illegally obtained evidence in court; the unauthorized voice recordings may not be considered as a crime under the Turkish Criminal Code No. 5237 in certain cases. If the recording is made in self-defense during a sudden situation where obtaining evidence is not possible and there is no opportunity to report the incident to the authorities, it may be admissible as lawful evidence in accordance with the Court of Cassation's precedents. Moreover, in labor disputes, voice recordings may be accepted as lawful evidence if it is not possible to prove that the employer terminated the employment contract for just cause with another evidence or if there is an aim to prevent the loss of evidence. Therefore, the Board determined that the voice recording used to demonstrate the termination of the Data Subject's employment contract for just cause is admissible evidence. Additionally, the Board also stated that the voice recording was not made by the Data Controller but was kept by them due to its evidential value.
The Board further emphasized the Data Controller’s statements regarding the submission of the voice recording to the court, which sets forth that (i) the voice recording was not shared with any personnel, (ii) the voice recording was transferred to an encrypted disk and deleted from the insecure environment by taking the necessary administrative and technical measures, (iii) the voice recording was kept in an encrypted form limited to the legal retention period and lastly (iv) the voice recording was submitted to the court in an encrypted manner.
In this context, the Board decided that the Data Controller submitted the voice recording of the Data Subject to the court in line with the conditions for processing personal data regulated under the DPL, namely, “the necessity for the establishment, exercise or protection of any right”.
Turkish Data Protection Board Decision: Mobile App Requesting National ID for Verification
In its decision dated August 17, 2023 and numbered 2023/1430, the Turkish Personal Data Protection Board (“Board”) evaluated a complaint regarding a meal card service provider processing Turkish identity number of users on its mobile application.
In summary, the Board initiated an ex officio investigation against the meal card service provider (“Data Controller”) upon a notification stating that the Turkish identity number (“ID Data”) is requested while registering to use the Data Controller's mobile application. As a result of the investigation, the Board determined that when registering for the Data Controller’s mobile application, personal data, including name, surname, phone number, date of birth and e-mail were requested. However, when users wished to link their meal cards to their profile in the mobile application, ID Data was requested for authentication purposes.
In its defense, the Data Controller claimed that it is not necessary to be registered with the mobile application to use the physical meal cards, however if users prefer to benefit from the mobile payment feature by defining their physical meal card to the mobile application, the users’ ID Data is requested for verification and security purposes.
In this regard, the Board underlined the significance of ID Data due to its nature and possible damages for data subjects in case of a data breach and instructed the Data Controller to update its verification mechanism by ensuring that the verification in the mobile application is realized with data such as card information and phone number to be submitted to the Data Controller by the employer, in order to protect the interests of the data subjects. The Board further emphasized that using data such as card information and phone number for verification purposes would be compliant with (i) principle of privacy by design, (ii) data minimization and (iii) the principle of appropriate and proportionate processing of personal data.
Accordingly, the Board imposed an administrative fine of TRY 200,000 (approx. EUR 6,131) on the Data Controller due to:
- the processing of ID Data is not based on the conditions for processing personal data regulated under the Personal Data Protection Law No. 6698 (“DPL”),
- the processing of ID Data is not in compliance with the principle of appropriate and proportionate processing of personal data regulated under the DPL.