International Transfer of Personal Data in Light of the Amazon Decision of the Personal Data Protection Board
Introduction
Today, the globalization of economic activities leads to the international transfer of large amounts of personal data during the daily operations of companies. Therefore, like many national and international data protection laws, Law No. 6698 on the Protection of Personal Data (“PDPL” or “Law”) includes protective regulations regarding cross-border transfers. Furthermore, data protection authorities worldwide, including in Türkiye, place immense emphasis on cross-border transfers and levy substantial administrative fines for the infringements they detect.
One of these is the decision of the Personal Data Protection Board (“Board”) dated 27.02.2020 and numbered 2020/173 (the “Amazon Decision”).[1] In the relevant decision, the Board decided to impose an administrative fine of 1.200.000,00 Turkish Liras in total on Amazon Turkey Perakende Hizmetleri Limited Şti. (“Amazon Türkiye”) based on the following grounds:
- The general principles specified in the Law were not complied with and there was no explicit consent obtained for sending commercial electronic messages.
- No valid explicit consent was obtained from data controllers for transferring personal data abroad.
- The processing of cookies did not receive adequate disclosure.
The Amazon Decision is significant as it provides detailed clarification on numerous controversial subjects. While each matter discussed in the Decision is worthy of individual analysis, this newsletter presents a concise explanation of the systematic approach for cross-border transfers under the Law and discusses the Board’s evaluation solely regarding international transfers.
International Transfer of Personal Data Pursuant to the PDPL
Article 9 of the PDPL regulates international data transfers and offers three lawful transfer options to data controllers. Data controllers may rely on (i) the existence of adequate protection in the relevant country, (ii) a written undertaking approved by the Board, or (iii) explicit consent. Additionally, personal data transfers require a legal ground under the Law, similar to other processing operations.
Adequate Protection
Personal data may be transferred without the explicit consent of the data subject as long as the foreign country provides adequate protection and there is one of the legal bases set out in Articles 5/2 and 6/3 of the PDPL. Pursuant to the Law, the list of safe countries is determined and announced by the Board. In making this determination, the Board evaluates the international conventions to which Türkiye is a party, the reciprocity between the country to which the data will be transferred and Türkiye regarding the transfer, the nature of the personal data and the purpose and duration of processing for each concrete personal data transfer, the relevant legislation and practice of the country to which the personal data will be transferred, and the measures undertaken by the data recipient in the relevant country. However, despite this provision in the Law, the Board has not yet announced the list of safe countries. Therefore, although it is actually the most applicable data transfer mechanism for data controllers, it is not practically possible for them to rely on the condition that there is adequate protection in the relevant country.
Nevertheless, the Presidential Decree on the Approval of the Medium Term Program (2024-2026)[2] states that the work on the harmonization process of the PDPL with the acquis of the European Union, in particular the General Data Protection Regulation (“GDPR”), will be completed in the last quarter of 2024. Within this framework, it is envisaged that the list of safe countries will be announced and at the same time, the rules on cross-border transfers of personal data will be updated and made more applicable to data controllers.
Signing an Undertaking
Another method for international data transfer is for the transferor residing in Türkiye and the relevant overseas recipient to provide a written commitment to ensure adequate protection and obtain the Board’s authorization. The undertaking must comply with the minimum elements established by the Board on issues such as the language to be used in the undertaking, the matters to be considered, the groups of data subjects, and the categories of data. Following the approval of the undertaking by the Board, personal data may be transferred to the foreign recipient who signed the undertaking.
Although not explicitly stated in the Law, the Board’s announcement on 10.04.2020[3] states that the undertaking is not applicable for data transfers among multinational group companies. As a result, binding corporate rules were identified as an additional method to be utilized by such businesses. Accordingly, multinational group companies may apply to the Personal Data Protection Authority (“Authority”) for approval of their binding corporate rules by completing the application form found on the official Authority website and following the provided instructions. Similar to bilateral undertakings, binding corporate rules take effect only after the Board grants approval.
Explicit Consent
Another method for transferring personal data abroad is the data subject’s explicit consent. As defined by the Law, explicit consent refers to consent regarding a specific subject, based on information and expressed with free will. Therefore, for valid explicit consent, data subjects must be informed about the processing activity, the scope of explicit consent must be limited, and finally, the consent must be based on free will. Accordingly, as a rule, the provision of a service cannot be conditioned on explicit consent. Since the safe country list has not yet been announced by the Board and very few undertakings have gained the Board’s approval, in practice, transferring data abroad with the explicit consent of data subjects seems to be the most feasible method.
However, due to technological developments, it is very difficult for data controllers to avoid transferring personal data abroad. Therefore, in practice, data is seen to be transferred on the basis of explicit consent obtained compulsorily. Data controllers argue that compulsory explicit consent is the only option for continuing their activities and that it should not be evaluated as conditioning the service on consent. In a recent decision of the Board on this matter, it was acknowledged that, indeed, obtaining explicit consent from the data subject in compulsory situations, where the services cannot be realized without the personal data processing activities based on explicit consent, will not nullify the free will requirement. However, the Board also considers it contrary to the rule of good faith and the general principles to obtain explicit consent in a mandatory manner on a continuous basis without resorting to a letter of undertaking or binding corporate rules and without informing the data subjects that temporary mandatory explicit consent will be obtained during the Board’s examination.[4] Therefore, the Board states that mandatory explicit consent can only be obtained after the application process for a written undertaking or binding corporate rules has been initiated and the data subjects have been informed. As a result, while in practice data controllers often rely on the explicit consent of data subjects, the Board’s approach is that explicit consent should be considered an exceptional remedy.
The Amazon Decision on Cross-Border Data Transfer
The Amazon Decision imposes an administrative fine on Amazon Türkiye for transferring data abroad in violation of the Law.
According to the notification received by the Authority, the “Does Amazon Share Your Personal Information?” section of the “Privacy Notice” page on Amazon Türkiye’s website states that personal data is transferred abroad, but no explicit consent for cross-border transfer is obtained either when creating a membership account or when shopping for the services offered through the amazon.com.tr website and connected mobile applications. In response to this allegation, Amazon Türkiye argued that when an Amazon account is created, the customer also accepts the “Privacy Notice” by clicking on the “Create Your Amazon Account” tab (“By creating an account, you agree to the practices set forth in this Privacy Statement”) and that when an order is placed through the site, the registered customer is reminded again that the privacy notice has been accepted. Amazon Türkiye therefore argued that registered customers are not only aware of the transfer of their personal data but have also explicitly consented by approving the privacy notice, and that the correspondence regarding the undertaking for international data transfer was ongoing with the Authority.
The Board has determined that Amazon Türkiye has applied for an undertaking to obtain the Board’s approval for international transfers, but no decision has been made on this matter. The decision also emphasizes that the Board has not yet approved the said undertaking and that countries with adequate protection have not yet been identified. Therefore, the Board considers that the only means for transferring personal data overseas is through the explicit consent of the data subject.
In response to Amazon Türkiye’s assertion that they obtained explicit consent, the Board states that explicit consent cannot be obtained through an implicit declaration of intent. Namely, Amazon Türkiye argues that explicit consent is obtained through the statement “By creating an account, you agree to the practices set out in this Privacy Notice” that appears when data subjects click on the “Create Your Amazon Account” tab. According to this understanding, by creating an account on the website or mobile application and placing an order, data subjects implicitly consent to many data processing activities such as tracking with cookies, sharing, and storing, including transfer. However, the Board emphasizes that explicit consent means that the person gives consent to the processing of their data, either voluntarily or upon request from the other party. Consents of a general nature that are not limited to a specific subject or process are characterized as “blanket consent” and are deemed legally invalid.
The Amazon Decision stipulates that it would be unlawful to obtain consent to the “Privacy Notice” and approval of multiple data processing activities, including tracking with cookies, sharing, transferring, and storing, with a single statement. It emphasizes that data controllers should obtain consent separately for each processing activity for which explicit consent is relied upon, particularly for international data transfers.
Conclusion
The Amazon Decision contains valuable evaluations on controversial issues that we frequently encounter in daily life, such as sending commercial electronic messages, processing third-party data, and collecting personal data through cookies. In terms of cross-border transfer, it is very valuable for revealing many mistakes made in practice. To summarize, standard texts that cover all processes, such as the “Privacy Notice” published by Amazon Türkiye, do not replace a proper disclosure. Data subjects should be informed about the purposes of processing and transferring personal data, the method of obtaining personal data, the legal reason, and the rights of the data subject. Additionally, the Board emphasizes that statements such as “By creating an account, you agree to the practices set out in this Privacy Notice”, “By placing an order, you give your consent” or “By visiting our website, you are deemed to have given consent” cannot be accepted as valid explicit consent; the service provided by the data controller cannot be conditioned on explicit consent and consent must be obtained separately for each processing activity.
[1] Summary of the Decision of the Personal Data Protection Board dated 27/02/2020 and numbered 2020/173 regarding the application about Amazon Turkey Retail Services Limited Company, https://www.kvkk.gov.tr/Icerik/6739/2020-173 (Date of Access: 07.10.2023).
[2] Decision on the Approval of the Medium-Term Program (2024-2026), https://www.resmigazete.gov.tr/eskiler/2023/09/20230906M1-1.pdf (Date of Access: 09.10.2023).
[3] Public Announcement on “Binding Corporate Rules”, https://www.kvkk.gov.tr/Icerik/6730/PUBLIC- (Date of Access: 07.10.2023).
[4] Ocak, Kasım: “Güncel Bir Kararı Işığında Kişisel Verileri Koruma Kurulu’nun Yurt Dışına Veri Aktarımı ve Zorunlu Açık Rızaya Yaklaşımı Hakkında Gözlemler”, https://dergipark.org.tr/tr/download/article-file/3019992 (Date of Access: 09.10.2023).
All rights of this article are reserved. This article may not be used, reproduced, copied, published, distributed, or otherwise disseminated without quotation or Erdem & Erdem Law Firm's written consent. Any content created without citing the resource or Erdem & Erdem Law Firm’s written consent is regularly tracked, and legal action will be taken in case of violation.