Turkish Data Protection Board Decision: Mandatory Storage of Debit/Credit Card Data in E-Commerce Platforms

In its decision dated April 11, 2023 and numbered 2023/567, the Turkish Personal Data Protection Board (“Board”) evaluated a complaint regarding an e-commerce platform that requires consumers to record their debit/credit card data (“Card Data”) in order to make a purchase.

In summary, the consumer (“Data Subject”) argued that the e-commerce platform (“Data Controller”) required them to record their Card Data to be able to complete a purchase. Moreover, the Data Subject claimed that the Data Controller did not have any valid data processing condition regulated under the Turkish Personal Data Protection Law No. 6698 (“DPL”) for the storage of Card Data and did not fulfill its obligation to provide proper notice. The Data Subject also stated that they did not provide their explicit consent for such processing.

On the other hand, in its defense, the Data Controller stated that when a customer wants to make a purchase on the platform, they must add their Card Data to their wallet before proceeding to payment, and that the Card Data is used to collect the payment in accordance with the customer's request, relying on the processing condition regulated under the DPL of “the necessity for the establishment or performance of a contract”. The Data Controller further claimed that it processes the Card Data to fulfill its obligations under the Law No. 6563 on the Regulation of Electronic Commerce, which corresponds to the processing condition of “necessity for compliance with a legal obligation to which the data controller is subject” under the DPL. Additionally, the Data Controller stated that the Card Data is processed for:

  • Detecting fraud and abuse to protect the security of the consumers in line with the data processing condition of “the legitimate interests pursued by the data controller, provided that this processing shall not violate the fundamental rights and freedoms of the data subject” under the DPL,
  • In the event that the customer is a Premium customer on the platform, collecting the monthly Prime membership fee in line with the data processing condition of “the necessity for the establishment or performance of a contract” under the DPL.

Moreover, the Data Controller emphasized the following regarding the claims of the Data Subject:

  • Customers who have provided payment instrument information can remove their cards and change their information at any time in account settings, which demonstrates the control customers have over their accounts,
  • The Data Controller fulfilled its obligation to inform through the Privacy Notice, which covers the processing conditions applicable to payment processes and is located at the bottom of each page that customers visit on the platform, on the account creation page and on the login page.

The Board evaluated the claims of both parties by creating an account on the Data Controller’s platform and testing the purchasing process. Accordingly, the Board determined that the purchase could not be completed without recording the Card Data in the system, and that the Card Data remained registered in the wallet section after the purchase was completed. In this regard, the Board stated that the Data Controller cannot rely on the same data processing conditions both for obtaining credit card information to complete the purchase and for storing the Card Data after the purchase is completed.

Correspondingly, the Board made a reference to the European Data Protection Board’s Recommendations 02/2021 on the Legal Basis for the Storage of Credit Card Data for the Sole Purpose of Facilitating Further Online Transactions (“Recommendations”), which underlines that data controllers may only rely upon consent of the data subjects for the continued processing of card details to facilitate purchases. In line with the Recommendations, the Board stated that continued processing of Card Data after the completion of the current purchase shall only be executed within the scope of the data subjects’ explicit consent obtained in accordance with the DPL.

The Board further found that the Data Controller did not act in accordance with the principles regulated under the DPL, namely (i) the principle of lawfulness and good faith, (ii) processing for specified, explicit and legitimate purposes, and (iii) being relevant, limited and proportionate to the purposes for which the data is processed.

In the light of the explanations above, the Board decided to impose an administrative fine of TRY 500,000 (approx. EUR 15,345) on the Data Controller due to:

  • the Data Controller’s failure to obtain explicit consent of the Data Subject for the storage of debit/credit card data after the completion of a purchase,
  • the Data Controller’s failure to comply with the above-mentioned general principles of data processing, regulated under the DPL.

The Board also instructed the Data Controller to develop a system that ensures obtaining active consent from data subjects to record the Card Data in membership accounts; and accordingly, to make necessary arrangements in the privacy notices and inform the Board about the outcome.

 

Authors: Burak Özdağıstanli, Sümeyye Uçar, Begüm Alara Şahinkaya


Turkey: Looking Back at the Legal Developments in 2023

2023 marked many legal milestones, and as the year comes to an end we have rounded up the ones in the fields of technology, data protection, advertising, and intellectual and industrial property:

  • On January 1, the Regulation on Electronic Commerce Intermediary Service Providers and Electronic Commerce Service Providers entered into force (excluding a few of its provisions). It regulates the obligations of electronic commerce intermediary service providers and electronic commerce service providers, unfair commercial practices, illegal content, intermediation agreements, the electronic commerce license and other issues related to electronic commerce (For details, please see our article).
  • On January 28, with the publication of the Communiqué on Minimum Equity Requirement Amounts of the Institutions Providing Payment Services in the Official Gazette, the minimum equity requirements were increased for electronic money institutions, payment institutions that perform payment services exclusively for the intermediation of invoice payments, and other payment institutions (For details, please see our article).
  • In 2022, specific obligations (such as the electronic commerce license) were introduced for service providers exceeding certain thresholds set out under the Law No. 6563 on the Regulation of Electronic Commerce. On February 23, a Presidential Decree was published in the Official Gazette, increasing these thresholds by half (For details, please see our article).
  • The Personal Data Protection Board published its decision no. 2023/134 dated March 1, regarding an investigation initiated upon user complaints, and decided to impose an administrative fine of TRY 1,750,000 (approx. EUR 56,000) on the social media platform TikTok for failure to fulfill its obligations to ensure personal data security under the Law No. 6698 on Personal Data Protection.
  • On April 1, the Information Technologies and Communications Authority’s decision numbered 2023/DK-ID/119, adopting the Procedures and Principles for Social Network Providers, was published in the Official Gazette. With the publication, social network providers became obliged to fulfill certain requirements such as informing judicial authorities about certain crimes, providing segregated services for children, protecting user rights, and establishing an effective application mechanism. This decision also introduced additional obligations for social network providers with more than one million daily accesses from Turkey (For details, please see our article).
  • On May 26, the Medicines and Medical Devices Authority published the Regulation Amending the Regulation on Medical Device Sales, Advertisement, and Promotion in the Official Gazette. This amendment introduced new definitions such as “use life, usage error, technical service, and spare parts”, and imposed obligations on sellers, importers, and manufacturers after the sale of medical devices (For details, please see our article).
  • On June 6, the Energy Market Regulatory Authority announced the Regulation on Cyber Security Competence Model in the Energy Sector, which repealed the Regulation on Information Security in Industrial Control Systems Used in the Energy Sector. The new regulation defines Industrial Control Systems and introduces new competency models that vary by energy sub-sector (For details, please see our article).
  • The Personal Data Protection Board, with its decision numbered 2023/1154 and dated June 6, increased the minimum “annual financial balance sheet total” amount, which is a criterion for exemption from the obligation to register with the Data Controllers Registry (VERBIS), from TRY 25,000,000 (approx. EUR 800,000) to TRY 1,000,000,000 (approx. EUR 32,000,000) (For details, please see our article).
  • On August 11, the Communiqué Amending the Financial Crimes Investigation Board General Communiqué was published by the Ministry of Treasury and Finance. This communiqué regulates the procedures and principles for the remote identification of customers in banking transactions, which previously covered only natural persons; with the amendment, legal entities registered in the trade registry were brought within the scope of remote identification (For details, please see our article).
  • At its meeting numbered 337 and dated September 12, the Advertisement Board imposed administrative sanctions on advertisements that were created by the artificial intelligence ChatGPT. The Board concluded that advertisements including statements such as “...is also Turkey’s largest fashion retail brand according to ChatGPT”, “…we’ve asked ChatGPT and got the right answer” and “the most iconic TV channel…” were not up to date and accurate and were misleading to consumers (For details, please see our article).
  • On September 19, the Ministry of Trade published the Consumer Review’s Guide, which mainly focuses on matters related to the Regulation on Commercial Advertisement and Unfair Commercial Practices, namely misleading reviews and unrealistic score ratings (For details, please see our article).
  • Amendments to the Regulation on Payment Services and Electronic Money Issuance and Payment Service Providers and to the Communiqué on Information Systems of Payment and Electronic Money Institutions and Data Sharing Services in the Field of Payment Services Providers entered into force on September 30, a deadline that had previously been extended several times. With the amendments, obligations such as technical requirements for payment data sharing, obtaining an operating permit, equity and collateral requirements, protection of payment funds, and protection of funds collected in return for electronic money entered into force, and payment institutions and electronic money institutions operating as of December 1, 2021 became obliged to comply with the amended provisions (For details, please see our article).
  • On October 7, (i) the Regulation Amending the Regulation on Payment Services and Electronic Money Issuance, Payment Service Providers; and (ii) the Communiqué Amending the Communiqué on the Management and Supervision of the IT Systems of Payment and Electronic Money Institutions and Data Sharing Services of Payment Service Providers in Payment Service Area were published in the Official Gazette. Both regulations include significant provisions, including the equal treatment rule, deadlines for license applications, cross-border data transfers and digital wallets, which are regulated under Turkish law for the first time (For details, please see our article).
  • On October 13, the Personal Data Protection Authority published a new Guideline on Matters to Consider when Processing Genetic Data, which deemed Genetic Diseases Evaluation Centers to be data controllers under the Law No. 6698 on Personal Data Protection, and set out that data controllers must explain genetic data processing activities and their consequences to data subjects clearly and comprehensively (For details, please see our article).
  • With its decision dated October 27, the Constitutional Court annulled the provision that regulates the Advertisement Board’s criminal jurisdiction. The Court concluded that the Advertisement Board’s authority contradicts Article 26 of the Constitution, which guarantees freedom of expression. The annulment will enter into force in July 2024 (For details, please see our article).
  • On November 4, the Regulation Amending the Distance Contracts Regulation was published in the Official Gazette. This regulation postponed to January 1, 2025 the specific obligations regarding sellers’ duty to inform consumers preliminarily and consumers’ right of withdrawal, which had initially been introduced on August 23, 2022 (For details, please see our article).
  • On November 13, the Personal Data Protection Authority published an announcement regarding personal data processing activities in which a verification code is sent to data subjects via SMS while shopping in stores. The Announcement focuses on data controllers’ non-compliant data processing practices during face-to-face shopping and provides recommendations (For details, please see our article).

Authors: Hatice Ekici Tağa, Burak Özdağıstanli, Ebru Gümüş


Turkish Data Protection Board Decision: Mandatory Checkboxes for Cross-Border Data Transfers

In its decision dated June 15, 2023 and numbered 2023/1041, the Turkish Personal Data Protection Board (“Board”) evaluated a complaint against a service provider selling medical devices online for failing to provide proper notice of its data processing activities to data subjects and for requiring data subjects to give explicit consent as a prerequisite of sale.

In summary, the consumer (“Data Subject”) argued that, in order to purchase medical devices, the service provider (“Data Controller”) requires data subjects (i) to provide personal data for commercial and marketing purposes and (ii) to provide explicit consent for cross-border data transfers.

On the other hand, in its response, the Data Controller stated that providing a national identity number is optional, that under no circumstances are customers’ health data requested, and that customers are only required to provide:

  • name, surname and address information, for the purpose of issuing an invoice in line with the provisions of the Tax Procedure Law No. 213,
  • e-mail address, for the purpose of creating an account for customers to track shipment,
  • phone number, to be provided to the cargo company, for the delivery of the medical device.

Moreover, the Data Controller emphasized that customers are presented with two checkboxes in an opt-in format; the checkbox for commercial communication is optional, and even if customers have consented, they can withdraw their explicit consent at any time without giving any justification. The Data Controller further highlighted that providing consent does not constitute an obstacle to shopping on the website and is not a prerequisite for sales.

Additionally, the Data Controller mentioned that, as a subsidiary of a global group company obliged to participate in the group’s international systems, it needs to obtain explicit consent for cross-border data transfers in line with the provisions of the DPL. However, the Data Controller explained that although customers are required to provide their explicit consent for cross-border data transfers in order to make purchases through the website, customers who do not want to provide their explicit consent can obtain the products through a sales channel other than the website by contacting customer services, without additional costs.

In this regard, as to the claim that the Data Controller used the Data Subject’s health data for commercial and marketing activities, the Board decided that, since it cannot be assumed that the purchaser has diabetes, it cannot be concluded that the requested information is personal data within the meaning of the DPL or that purchasers’ health data are processed. Considering that the purchase and membership mechanisms function without consent to personal data processing for commercial or marketing purposes, the Board found that the Data Controller’s practices are in compliance with the DPL.

Moreover, the Board evaluated the Data Controller’s practice of obtaining explicit consent for cross-border data transfers for sales made through the website, and concluded that customers who do not give explicit consent to the transfer of their personal data abroad have an alternative sales channel available through customer services, and that this channel offers the same shopping opportunities without any additional cost. In this context, the Board stated that, since the Data Subject is able to obtain the product without any loss and without being forced to allow the transfer of their personal data abroad, the service cannot be deemed to be conditioned on explicit consent. However, the Board instructed the Data Controller to display the alternative sales channel clearly and understandably on the membership and sales screens, in order to ensure transparent information.

Authors: Burak Özdağıstanli, Sümeyye Uçar, Begüm Alara Şahinkaya


An Important Decision by the Constitutional Court: Lack of Adequate Judicial Assessment for Privacy Related Fine

The Constitutional Court’s Decision No. 2020/7518 (“Decision”) was published in the Official Gazette on December 15, 2023. The Decision concerns a violation of property rights resulting from an administrative fine imposed by the Turkish Personal Data Protection Board due to a data breach. The Constitutional Court did not examine the merits of the case, but emphasized that the lack of assessment by the first instance courts led to a violation of the applicant's right to property.

Accordingly, while acknowledging that the Turkish Personal Data Protection Authority has the discretion to impose proportionate sanctions on those who fail to take the technical and administrative measures necessary to ensure the appropriate level of data security, the Constitutional Court emphasized the significance of the applicant's arguments, which must be examined because they affect the judicial process. In this regard, the Constitutional Court concluded that the first and second instance courts did not assess the applicant’s objections and that, as a result, the procedural safeguards for the protection of the right to property were not fulfilled in the concrete case. On the basis of these evaluations, the Constitutional Court decided that the applicant’s right to property was violated by the Turkish Personal Data Protection Authority and remitted the case to the first instance court.

The Decision may lead to an increase in challenges against the Turkish Personal Data Protection Authority's administrative fine decisions imposed on data controllers and may force first instance courts to thoroughly evaluate these decisions.

 

Authors: Burak Özdağıstanli, Sümeyye Uçar, Begüm Alara Şahinkaya


Data Breach Notification Process: A Short Comparison Between EU and Turkish Law

The General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”) and Law No. 6698 on Protection of Personal Data (“DPL”) of Turkey are the key pieces of legislation applied in the relevant jurisdictions.

The DPL is similar to the EU Data Protection Directive (Directive 95/46/EC), which the GDPR replaced, and is based on the same general data protection principles. Still, certain differences between the two laws arise, and one of the most prominent is the process for notifying data breaches.

Data Breach Definition.

The GDPR defines a data breach as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed”. In contrast, the DPL does not have a specific definition of a data breach; however, “the acquisition of personal data illegally by unauthorized parties” triggers notification obligations for data controllers. Thus, there are three specific elements of a data breach under the DPL:

  • illegality,
  • the acquisition of personal data, and
  • involvement of unauthorized individuals.

Notification to the Authority.

The GDPR requires data controllers to notify “personal data breaches” to the relevant supervisory authority within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in harm to the individuals concerned.

DPL requires data controllers to inform the Data Protection Authority (“DPA”) about any personal data breaches within 72 hours, regardless of whether such breach is likely to cause harm to the individuals concerned, by using the official form published by DPA.

This means that in the event of a data breach, data controllers subject to the GDPR must assess the risks to the rights and freedoms of natural persons resulting from the breach, whereas for data controllers subject to the DPL there are no specific thresholds or risk assessments required before notifying the DPA: a notification is the natural consequence of a breach.

When it comes to the content of the notification, the GDPR allows data controllers to provide information in phases if it is not possible to provide it all at once. Similarly, the DPL enables data controllers to make an initial notification with the information available in order to meet the 72-hour deadline, and to supply the remaining information in a follow-up notification.

Notification to Data Subjects.

The GDPR requires data controllers to notify data subjects if the data breach poses a high risk to individuals affected, unless there are effective technical and organizational protection measures that have been put in place, or other measures that ensure that the risk is no longer likely to materialize. The supervisory authority may also order the data controller to inform individuals about the breach.

The DPL, on the other hand, requires data controllers to notify the data subjects affected by a data breach, regardless of the level of risk or the measures taken. Further, if the data controller has the affected data subjects’ contact information, the notification must be sent to their electronic or physical address; if not, data controllers may announce the breach on their own website. Additionally, the DPA may inform the public about the breach as well, and in practice the DPA chooses to publish the data breach notification on its website (www.kvkk.gov.tr) if the number of affected data subjects is over a certain threshold.

Extra-Territorial Effect.

Data controllers that are not established in the EU but offer goods or services to, and/or monitor the behavior of, data subjects in the EU are still bound by the data breach notification obligations under the GDPR, and the breach will need to be notified to the supervisory authority of every Member State in which affected data subjects reside[1].

Similarly, data controllers that are not resident in Turkey but whose processing affects data subjects residing in Turkey are also bound by the data breach notification obligations under the DPL, and the breach must be notified to the DPA and to the affected data subjects.

Examination by the Authority.

When determining the type and level of fine to be imposed, supervisory authorities in the EU must take a series of factors into account, such as the nature, gravity and duration of the infringement, the categories of personal data affected, whether the infringement was intentional or negligent, the controller’s actions to mitigate the damage, and the manner in which the authority became aware of the infringement.

Further, under the GDPR, all supervisory authorities are competent to initiate ex officio investigations[2]. However, what constitutes an ex officio investigation may vary between the Member States, for instance based on national law.

In Turkey, based on the DPA’s decisions, an administrative fine may still be imposed for a data breach incident even if it does not create a high risk to individuals. Even though the DPA accepts that one hundred percent protection is not possible given ever-developing technology, its approach consists of evaluating whether the data controller could have taken additional technical and organizational measures, or whether there was any action the data controller could have taken to prevent the breach.

Further, if the DPA becomes aware of an unnotified data breach incident through a complaint or other means, it may initiate an ex officio investigation. In this scenario, the data controller can also be held liable for failing to notify the DPA, in addition to its obligation to provide an appropriate level of security.

Conclusion.

The evaluation of data breaches is very important for data controllers, given the sensitivity of the process, and must therefore be carried out on a country-by-country basis. Considering the differences between the GDPR and the DPL, especially in the data breach notification process, the required actions should be taken immediately in data breach incidents affecting Turkish residents.

 

Authors: Burak Özdağıstanli, Sümeyye Uçar, Bensu Özdemir, Göksu Tuğrul

 


[1] EDPB - Guidelines 9/2022 on personal data breach notification under GDPR, https://edpb.europa.eu/system/files/2023-04/edpb_guidelines_202209_personal_data_breach_notification_v2.0_en.pdf

[2] EDPB - Overview on resources made available by Member States to the Data Protection Authorities and on enforcement actions by the Data Protection Authorities 2021, https://edpb.europa.eu/system/files/2021-08/edpb_report_2021_overviewsaressourcesandenforcement_v3_en_0.pdf

 


Turkish Data Protection Authority’s Recommendations on Sending Verification Codes in Stores

The Turkish Personal Data Protection Authority (“Authority”) published an announcement on November 13, 2023, regarding personal data processing activities in which a verification code is sent to data subjects via SMS while shopping in stores (“Announcement”). The Announcement focuses on data controllers’ non-compliant data processing practices during face-to-face shopping and provides several recommendations.

In this regard, the Authority highlights numerous complaints about data controllers that send commercial electronic messages to data subjects without their prior consent, after obtaining their phone numbers by sending a verification code via SMS at the register on the grounds that it is necessary for completing the payment, creating invoices, transmitting invoices to the buyer’s contact address or updating information.

As the main problem raised in the complaints is the failure to obtain explicit consent for sending commercial messages, the Authority evaluates data controllers’ practices in line with the provisions of the Personal Data Protection Law No. 6698 (“DPL”) by reminding data controllers of the elements of explicit consent:

  1. Explicit consent must be about a specific subject. Data controllers must clearly identify the subject for which the explicit consent is obtained. Where explicit consent is obtained for the processing of multiple categories of data, the explicit consent must cover the different aspects of the processing, such as which data will be processed, for what purposes, and the potential consequences.
  2. Explicit consent must be freely given. Data subjects must be aware of their decisions and not be under the influence of force, threat, mistake or deception that may impair their will. In this context, explicit consent is not considered valid if it is provided as a prerequisite for the provision of a product or service, since the element of free will would be damaged.
  3. Explicit consent must be based on an informed decision, in line with the data controllers’ obligation to inform. Before obtaining data subjects’ explicit consent, data controllers must inform them regarding (i) their identity and, if any, that of their representative, (ii) the purpose for which personal data will be processed, (iii) to whom and for what purpose the processed personal data may be transferred, (iv) the method and legal ground for collecting personal data, and (v) the rights of data subjects. Moreover, data controllers must perform the obligation to inform and obtain explicit consent separately.

Accordingly, the Authority provides the following recommendations for lawful processing of personal data by sending a verification code via SMS to data subjects during store transactions:

  • The authorized personnel in stores must inform the data subjects in a clear and understandable manner regarding (i) the purpose of the SMS and (ii) the potential outcomes of sharing the verification code. The necessary information channels must also be provided in the content of the SMS, in line with the obligation to inform.
  • Data controllers must cease the practices of obtaining explicit consent for different processing activities with a single action. In this regard, explicit consent of the data subjects must be obtained separately for different data processing activities.
  • Data controllers must carry out the procedures for obtaining explicit consent and fulfilling the obligation to inform separately.
  • Requesting explicit consent to process personal data for the purpose of sending commercial messages should not be presented to customers as a mandatory element for completing a purchase. Otherwise, such practices may compromise the elements of "informed decision-making" and "free will" which are essential components of explicit consent.
  • Data controllers must request explicit consent to process personal data for the purpose of sending commercial messages after the purchase is completed. Thus, provision of explicit consent for commercial messages will not be perceived as a necessary element for shopping.


Authors: Burak Özdağıstanli, Sümeyye Uçar, Begüm Alara Şahinkaya


Advertisement Board Examines Advertisements Created with Artificial Intelligence

With technological advances affecting everyday life, the ways in which commercial advertisements are created and presented to consumers have also begun to diversify. One of the outcomes of this is commercial advertising created with artificial intelligence. In an announcement published on September 13, 2023, the Ministry of Commerce informed the public that advertisements created using artificial intelligence had been placed on the Advertisement Board’s agenda for the first time. The statement reported that such AI-generated content, which directly or indirectly influences consumers’ purchasing decisions, had been taken under review by the Advertisement Board regardless of how it was created or the medium in which it was published.

In this context, at Advertisement Board meeting no. 337, administrative sanctions were imposed following the examination of files concerning promotions created by the artificial intelligence application “ChatGPT” that contained statements suggesting superiority over competing products or companies and that were not based on objective research results. The examination not only investigated whether objective research had been carried out, but also used artificial intelligence to verify the advertisements.

As set out in the decision taken at Advertisement Board meeting no. 337, the examinations and assessments carried out were as follows:

  • It was understood that advertising and promotion had been carried out with statements such as “According to ChatGPT too, Turkey’s largest fashion retail brand is …”, but that no research results confirming the statements in the advertisement had been included. Furthermore, when ChatGPT was asked, it was observed to reply: "I’m sorry, as my latest data goes up to 2021, I cannot know the current situation exactly. In 2021, … was one of the largest fashion retailers in Turkey. However, it is important to remember that the fashion industry is an area where competition changes rapidly. Therefore, I recommend that you verify the most up-to-date information from current sources." Consequently, it was assessed that the application’s answers were neither current nor certain, and that the promotions in question, which contained statements suggesting superiority over competing products or companies, were misleading to consumers.
  • It was understood that advertising and promotion had been carried out with statements such as “We asked ChatGPT and got the only right answer! For all your fast, secure and cost-effective logistics operations to any point in the world, meet … right now”, but that no research results confirming the statements in the advertisement had been included. Furthermore, when ChatGPT was asked, it was observed to reply: "There are many companies that provide fast, secure and cost-effective logistics services to any point in the world. For this reason, it is difficult to name a specific company. Large logistics companies such as DHL, UPS, FedEx, TNT, Maersk and DB Schenker are widely known worldwide and have extensive service networks. However, the number of companies providing fast, secure and cost-effective logistics services is quite large, and the market may change constantly. Therefore, I recommend that you research the websites or resources of local and international logistics service providers to find the most up-to-date and suitable company." Consequently, it was assessed that the application’s answers were neither current nor certain, and that the promotions in question, which contained statements suggesting superiority over competing products or companies, were misleading to consumers.
  • It was understood that advertisements and promotions had been carried out with statements such as “According to ChatGPT, the most popular AI-based chatbot, Turkey’s most iconic private television channel is …!”, but that no research results confirming the statements in the advertisement had been included. Furthermore, when ChatGPT was asked, it was observed that it could give an uncertain answer such as "There may be many different opinions as to the most iconic private television channel among Turkey’s television channels." Consequently, the promotions in question were assessed as misleading to consumers.

When the relevant decisions are assessed, it is seen that the Advertisement Board also takes into account the answers given by artificial intelligence when examining the accuracy and reliability of commercial advertisements created with artificial intelligence. Since these AI-generated advertisements could not be verified even by the same AI program, the advertisements in question were found to breach Article 7 of the Regulation on Commercial Advertising and Unfair Commercial Practices (“Regulation”), which sets out the principles of accuracy and honesty, and Article 8, which sets out the principles for comparative advertising; in addition, because no research results obtained from the relevant university departments or from accredited or independent research, testing and evaluation organizations were included, the advertiser failed to discharge its burden of proof, and the advertisements were therefore also found to breach Article 9 of the Regulation.

It is observed that new types of advertising, which have emerged as commercial advertising changes in response to changing consumer habits, have also entered the Advertisement Board’s agenda. This shows that the Advertisement Board follows current developments and that its examinations adapt to changing conditions.

Authors: Hatice Ekici Tağa, Sümeyye Uçar, Bensu Özdemir


Turkish Advertisement Board Examines Ads Created with AI

As technological advances affect everyday life, the ways in which commercial advertising is created and presented to consumers have begun to change as well. One result of this change is the emergence of commercial advertising created with artificial intelligence. On September 13, 2023, the Ministry of Commerce announced to the public that advertisements created using artificial intelligence had been placed on the Advertisement Board’s (“Board”) agenda for the first time. The statement reported that the Board reviewed AI-generated content that directly or indirectly influences consumers’ purchasing decisions, regardless of how it is created or the medium in which it is published.

In this context, at meeting no. 337, the Board imposed administrative sanctions after examining promotions created by the artificial intelligence application called “ChatGPT”. While the Board examined whether there was objective research supporting advertisements containing statements that create the perception of superiority over competing products or companies, it also used artificial intelligence to verify the statements used in the relevant advertisements.

As set out in the decision taken at the Board’s meeting no. 337, the Board found that advertisements and promotions using expressions such as:

  • "… is also Turkey's largest fashion retail brand according to ChatGPT", did not include research results confirming these statements. Additionally, when the Board asked ChatGPT, the answer was "I'm sorry, I don't know the exact current situation because my latest data is until 2021. In 2021, ... was one of the largest fashion retailers in Turkey. However, it is important to remember that the fashion industry is an area where competition is changing rapidly. Therefore, I recommend that you check with current sources to obtain the most up-to-date information". As a result, the Board considered that the responses provided by the application were not up to date and accurate, and that the promotions in question, which contained expressions suggesting superiority over competing products or companies, were misleading to consumers.
  • “We asked ChatGPT and got the only right answer! For all your fast, secure and cost-effective logistics operations to any point in the world, meet ... right now", did not include research results confirming these statements. In addition, when the Board asked ChatGPT, the answer was "There are many companies that provide fast, reliable and cost-effective logistics services to any point in the world. It is therefore difficult to single out any one company. Large logistics companies such as DHL, UPS, FedEx, TNT, Maersk, DB Schenker are well known worldwide and have extensive service networks. However, the number of companies offering fast, secure and cost-effective logistics services is quite large and the market may be constantly changing. Therefore, I recommend that you research the websites or resources of local and international logistics service providers to find out the name of the most up-to-date and suitable company". Therefore, the Board considered that the responses provided in the application were not up to date and accurate and that the promotions in question, which contained expressions suggesting superiority over competing products or companies, were misleading to consumers.
  • "Turkey's most iconic private television channel ... according to ChatGPT, the most popular artificial intelligence based chatbot”, did not include research results confirming the statements made in the advertisement. When the Board asked, ChatGPT provided uncertain answers such as "There can be many different opinions as to the most iconic private television channel among Turkey's television channels". Therefore, the Board considered that the promotions in question were misleading to consumers.

Analysis of the above-mentioned decisions shows that the Board examined the answers provided by artificial intelligence in order to verify the accuracy and reliability of commercial advertisements created by artificial intelligence. Since these AI-generated advertisements could not be verified even by the same AI program, the Board found them to breach the principles of accuracy and honesty and the principles of comparative advertising under the Regulation on Commercial Advertising and Unfair Commercial Practices (“Regulation”). Additionally, the Board found the advertisements to be in breach of Article 9 of the Regulation, since the advertisers could not fulfill their burden of proof, having provided no research results obtained from relevant university departments or from accredited or independent research, testing and evaluation organizations.

New types of advertising have entered the Board's agenda as commercial advertising changes in response to changing consumer habits. This shows that the Board is following recent developments and that its investigations adapt to the changing conditions.

Authors: Hatice Ekici Tağa, Sümeyye Uçar, Bensu Özdemir