The new law regarding, inter alia, the international data transfer and special categories of data is new on 16 February 2024. Turkish National Assembly adopted the new law on 2 March 2024. It will be published by the Presidency of the Türkiye on the Official Gazette. It aims to align Türkiye's the Law on Personal Data Protection ("TPDPL") with General Data Protection Regulation (GDPR) in the EU. This short post make a comparison between the old and new versions of Article 9 of the TPDL regarding international data transfers highlights several key changes and expansions in the regulatory framework.
1. Conditions for International Data Transfer
In old TPDPL, personal data cannot be transferred abroad without the explicit consent of the data subject, except under conditions specified in Articles 5 and 6, and either with adequate protection in the foreign country or with adequate safeguards agreed upon in writing by data controllers in Turkey and the foreign country, subject to the Board's approval.
The new law adds that personal data can be transferred abroad by data controllers and processors under the conditions stated in Articles 5 and 6, and if the foreign country, international organization, or sectors within the country have been deemed adequate by a decision published in the Official Gazette. This broadens the scope by including international organizations and sector-specific adequacy decisions.
2. Adequacy Decision
In the old version, the countries offering adequate protection are determined and announced by the Board. The new law introduces a formal adequacy decision process by the Board, which is to be published in the Official Gazette and reviewed at least every four years. The Board may change, suspend, or revoke these decisions.
For the criteria for giving an adequacy decision, the old version of TPDPL specifies criteria for determining adequacy, including the reciprocal data transfer arrangements, the legal and practical protection of personal data in the recipient territory. The new law adds the criteria of the existence of an independent data protection authority and the administrative and judicial redress mechanisms.3. Transfer Under Adequate Safeguards
The old version of the TPDPL allows for data transfer without explicit consent if adequate levels of protection are undertaken in writing by the data controllers in both Türkiye and the recipient country, subject to the Board's approval. The new version expands the mechanisms for ensuring adequate safeguards, including binding corporate rules approved by the Board, approved standard contractual clauses, and written commitments to adequate protection, subject to the Board's approval.
4. Exceptional Circumstances for Data Transfer
The old version of TPDPL provides conditions under which personal data can be transferred abroad in exceptional circumstances, like protecting the vital interests of the data subject or public interest, with the Board's permission.
The new version of the law broadens the exceptional circumstances under which personal data can be transferred without adequacy decisions or appropriate safeguards, including explicit consent after informing the data subject of potential risks, necessity for contract performance, public interest, and protection of vital interests.5. Additional Provisions for Data Transfer
The new version of law introduces requirements for data controllers and processors to notify the Board of the conclusion of standard contractual clauses agreements within five business days. It details the conditions under which personal data may be transferred abroad in the absence of an adequacy decision or suitable guarantees, including for public authorities' public law activities, which are not subject to the same restrictions.
It reiterates that other laws regarding data transfers abroad remain applicable and that the procedures and principles for the data transfer will be further specified by a regulation adopted by the Board.
6. Conclusion: Remaining Reciprocity Criteria for the Adequacy Decision for the Data Transfers between the EU and Türkiye
The new version of Article 9 introduces more structured and detailed regulations for international data transfers, including formal adequacy decisions, expanded conditions for transfer without explicit consent, and clearer guidelines for exceptional transfers. It aims to provide more clarity, ensure higher protection standards for personal data transferred abroad, and align with international data protection norms.
On the one hand, the new changes to the TPDPL concerning international data transfers incorporate several principles and mechanisms that are closely aligned with the GDPR. This includes the detailed criteria for adequacy decisions, similar transfer mechanisms in the absence of adequacy, and conditions for exceptional transfers. These modifications reflect a convergence towards the GDPR's standards for data protection in cross-border data transfers, aiming to ensure a high level of protection for personal data when transferred outside Türkiye.
On the other hand, the dynamic of international data transfers between Türkiye and the EU will be continued to be influenced by the principle of reciprocity embedded in TPDPL. This principle underscores a nuanced stance in the relationship between EU and Türkiye: as long as the EU does not recognize Türkiye as providing an adequate level of data protection, Turkey, in turn, may not recognize EU countries as adequate. This tit-for-tat approach highlights the geopolitical and regulatory complexities surrounding data protection standards and international data flows.
Despite the reciprocity, the introduction of alternative mechanisms such as standardized contractual clauses and binding corporate rules in the new revision of Article 9 offers new avenues to facilitate the data transfers. These alternatives provide a pragmatic solution to the impasse created by the reciprocity requirement, facilitating the continued flow of personal data across borders while ensuring the protection of such data in line with high standards.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.