Blog: Q&A: cloud computing law in Turkey – Lexology

Legislation and regulation

Recognition of concept

Is cloud computing specifically recognised and provided for in your legal system? If so, how?

There is no legal definition of cloud computing technologies. Yet, there are references to cloud computing technologies or services within the scopes of personal data protection, data localisation and cybersecurity for public institutions and companies operating in certain sectors such as finance, energy and electronic communications.

Governing legislation

Does legislation or regulation directly and specifically prohibit, restrict or otherwise govern cloud computing, in or outside your jurisdiction?

Presidential Circular No. 2019/12 (Circular), published and entered into force on 6 July 2019, sets out information and communications security measures to be applied by public institutions, public organisations and undertakings providing critical infrastructure services. Critical infrastructure sectors are listed as energy, electronic communications, banking and finance, transportation, water management and critical public services (eg, national security, healthcare). As per the Circular, public institutions and organisations shall not store their data in cloud storage services except for their own private systems or local service providers controlled by the institutions themselves. The Circular indicates that all email data servers of public institutions should be located in Turkey, although there is no specific reference to cloud computing systems. Relying on the Circular, the Digital Transformation Office at the Presidency (DTO) published its Information and Communication Security Guide in July 2020 and the Audit Guide in October 2021. The DTO explains that the provisions of the Circular aim for data localisation. In other words, as long as the data is stored in local data centres and the mentioned security measures are taken, the Circular does not ban local or foreign providers from providing cloud computing services. The Guides contain general security measures and audit specifications for the provision of cloud computing services, which are binding on public institutions and any other companies operating in critical infrastructure sectors.

Separately, in its Guidelines on Biometric Data Processing, the Turkish DPA states that biometric data shall be stored in cloud systems only when cryptographic methods are used.

Additionally, there are directly applicable sector-specific provisions regarding cloud computing in Turkish law. These are as follows:

  • As per the Regulation on the Information Systems of Banks and Electronic Banking Services, banks can use private cloud computing services for their information systems. However, the use of community cloud services is subject to obtaining permission from the Banking Regulation and Supervision Agency (BRSA).
  • Financial leasing companies, factoring companies and financing companies incorporated in Turkey may use private cloud services for their information systems. These companies may use community cloud services only after obtaining permission from BRSA.
  • As per the Communique on the Information Systems of Payment and Electronic Money Institutions and Data Sharing Services of Payment Service Providers in Payment Services, payment and e-money institutions can process sensitive customer data and personal data only through private cloud systems. These institutions may use cloud computing technologies established in Turkey to process, store and transfer all other data.
  • Capital market regulations prohibit data storage institutions from using cloud computing services concerning the data reported to them due to statutory requirements.
  • As per the Regulation on Websites to be Operated by Stock Corporations, companies and central database service providers may use cloud computing services outside Turkey.

What legislation or regulation may indirectly prohibit, restrict or otherwise govern cloud computing, in or outside your jurisdiction?

Indirect prohibitions or restrictions can be found in legislation, generally in the form of data localisation requirements. Examples are as follows:

  • The Law on Regulation of Publications on the Internet and Prevention of Crimes Committed by Means of Such Publication numbered 5651 requires social network providers that track over 1 million daily users from Turkey to implement the necessary measures on hosting the data of users located in Turkey within the country.
  • As per the Regulation on Electronic Scooters, operators of shared e-scooter providers are required to locate their servers within Turkey to obtain a licence.
  • Publicly listed companies and banks are required to maintain their primary and secondary information systems in the country as per the Communique on the Management of Information Systems, the Regulation on the Information Systems of Banks and Electronic Banking Services and the Regulation on Banks’ Internal Systems and Internal Capital Adequacy Assessment Process.
  • Payment institutions and electronic money institutions shall keep the documents and logs referred to in the Law domestically for at least 10 years pursuant to the Law on Payment and Securities Settlement Systems, Payment Services and Electronic Money Institutions No. 6493.

Breach of laws

What are the consequences for breach of the laws directly or indirectly prohibiting, restricting or otherwise governing cloud computing?

State officials responsible for implementing the measures included in the Circular, the Information and Communication Security Guide and the Audit Guide may face judicial or administrative disciplinary proceedings due to non-compliance.

The Personal Data Protection Authority is authorised to impose administrative fines on companies in breach of personal data protection legislation.

The Ministry of Trade is authorised to enforce administrative fines against companies violating consumer protection measures.

Consumer protection measures

What consumer protection measures apply to cloud computing in your jurisdiction?

Since there are no consumer protection measures specific to cloud computing, general consumer protection measures would apply to cloud computing products and services. The Law No. 6563 on Regulating Electronic Commerce and the Law No. 6502 on Consumer Protection regulate contracts with consumers that are formed and concluded electronically (distance contracts). Service providers are obliged to provide certain information to consumers before concluding contracts electronically. Among other things, consumers must be informed of any technical safeguards that might affect the functionality of the digital software or application. Additionally, service providers are required to ensure that the consumer has the technical means for identifying and correcting input errors prior to the placing of the order and access to contract terms. Distance contracts shall also entail certain rights in favour of consumers, such as the consumer’s right of withdrawal from the contract within 14 days following the delivery of services without giving any grounds or paying any fines. If the provider fails to inform consumers of their right of withdrawal, consumers can exercise their right of withdrawal within one year following the expiration of the 14 days. Service providers shall store the electronic logs regarding electronic commerce transactions for three years following the transaction date and submit these logs to the Ministry of Trade upon request. Finally, as per International Private and Procedure Law No. 5718, Turkish courts at the consumer’s residence have jurisdiction if any claims are brought against the consumer. When the consumer files a claim against the service provider, Turkish courts in places where the consumer’s domicile or ordinary residence or the other party’s domicile or ordinary residence is located are competent. Parties have the freedom to decide on the applicable law subject to the mandatory provisions of the law at the consumer’s ordinary residence.

Sector-specific legislation

Describe any sector-specific legislation or regulation that applies to cloud computing transactions in your jurisdiction.

There are several provisions regarding cloud computing in sector-specific legislation such as:

  • As per the Regulation on the Information Systems of Banks and Electronic Banking Services, banks can use private cloud computing services for their information systems. However, the use of community cloud services is subject to obtaining permission from the BRSA.
  • Financial leasing companies, factoring companies and financing companies incorporated in Turkey may use private cloud services for their information systems. These companies may use community cloud services only after obtaining permission from BRSA.
  • As per the Communique on the Information Systems of Payment and Electronic Money Institutions and Data Sharing Services of Payment Service Providers in Payment Services, payment and e-money institutions can process sensitive customer data and personal data only through private cloud systems. These institutions may use cloud computing technologies established in Turkey to process, store and transfer all other data.
  • Capital market regulations prohibit data storage institutions from using cloud computing services concerning the data reported to them due to statutory requirements.
  • As per the Regulation on Websites to be Operated by Stock Corporations, companies and central database service providers may use cloud computing services outside Turkey.
  • The Regulation on the Operational Principles of Digital Banks and Service Model Banking states that interface providers can only use private cloud computing services or community cloud services subject to permission from the BRSA.

Insolvency laws

Outline the insolvency laws that apply generally or specifically in relation to cloud computing.

Turkey does not have specific insolvency laws applicable to cloud computing transactions. Enforcement and Bankruptcy Law No. 2004 (EBL) would be applicable to cloud computing suppliers as well. The EBL contains no explicit prohibition with regard to contractual early termination or automatic termination clauses based on insolvency-related events (except for concord situation). Yet, it is also generally accepted under Turkish law that the bankruptcy administration has a cherry-picking right, so that it can cherry-pick certain non-monetary obligations and demand their performance. Since it is not clear how customers can obtain their data back from an insolvent cloud computing provider’s server, they are advised to opt for contractual measures to mitigate their risk. Reflecting this risk, cloud computing contracts usually allow parties to immediately terminate the contract if either party becomes insolvent. In some instances, the cloud computing provider may be obliged to transfer the customer’s data to another provider immediately when its credit rating is withdrawn or downgraded, when it does not fulfil financial requirements or when there is a decline in its tangible net worth. Customers can also buy services from multiple providers or have back-up servers to avoid a single point of failure.
