Legal analysis of Turkish Data Protection Authority's decision on Amazon Turkey

The Turkish Data Protection Authority ("DPA") fined Amazon's Turkish subsidiary ("Amazon Turkey") TRY 1.2 million.

DPA's decision on the fine, which was published on DPA's website on 7 May 2020 ("Decision"), gives insight into DPA's view on some important matters.

This Decision is particularly important as it is the first decision in which DPA has fined a data controller on "data transfer abroad" and "cookies".

We share our analysis below:

For each subject below, we set out DPA's findings in the Decision (numbered points), followed by our comment (bullet points).

A. Commercial electronic messages

DPA states in the Decision that:

  1. Although the Ministry of Commerce is authorised to regulate and supervise commercial electronic messages under the commercial messages legislation, DPA is also authorised to regulate and supervise personal data processing activities relating to commercial messages. Amazon Turkey, however, based its defence on the argument that DPA is not authorised to impose a fine on commercial electronic messages.
  2. Amazon Turkey is required to obtain "explicit consent" to send commercial electronic messages for marketing purposes but it does not do so.
  3. The function to uncheck the already checked boxes for not receiving commercial electronic messages (opt-out) after registering with the website does not meet the "explicit consent" criteria. The function must be designed to check the unchecked boxes to receive commercial electronic messages (opt-in).
  4. DPA also noted that when customers register with the website they are deemed to approve the "Privacy Notice". According to DPA, using this method means that (i) the obligation to inform is performed together with obtaining explicit consent and (ii) explicit consent is obtained for processing activities that do not require explicit consent. Also, the Privacy Notice is a general informative text on data processing (in other words, it does not meet the privacy notice criteria). DPA found all these to be against the Turkish Data Protection Law ("DPL").

Our comment:
  • Unlike the GDPR and the e-Privacy Directive, under Turkish law, save for very limited exemptions, sending commercial electronic messages for marketing purposes is subject to the recipient's "explicit consent" (i.e. there is no soft opt-in mechanism).
  • Hence Amazon Turkey was required to use the "opt-in" method for getting consent for sending these messages. This is also an established practice in Turkey.
  • In this regard, the Decision's conclusion that Turkish law was breached with respect to commercial electronic messages is no surprise, while the division of powers between the Ministry of Commerce and DPA remains uncertain.
B. Rule of Honesty and Proportionality

DPA found that:

  1. the following expressions in the Privacy Notice are against DPL's general principles of "legality and honesty" and "proportionality":
    • "You can choose not to provide certain information, but then you might not be able to take advantage of many of our Amazon Services." and
    • "If you block or otherwise reject our cookies, you will not be able to add items to your Shopping Cart, proceed to Checkout, or use any Services that require you to Sign in."
  2. Amazon Turkey's collection and processing of "friends' and other people's e-mail addresses" breaches DPL as such data is collected and processed without the explicit consent of those data subjects.
  3. Amazon Turkey's collection and processing of "credit history information, status details, corporate and financial information" are against the principle that processing must be "connected to the purpose, limited and proportional".

Our comment:
  • We are of the view that some sentences in the Privacy Notice are indeed not clear, but it is disputable to directly conclude that having these sentences in the Privacy Notice qualifies Amazon Turkey's related data processing activities to be against DPL.
  • For instance, if one's friend's e-mail address is processed to send a gift to such friend, then explicit consent should not be required; this processing should be carried out on the basis of "legitimate interest".
  • In any case, it is fair to say that DPA expects data controllers to (i) match the collected data with the data processing purposes and (ii) use plain, simple and understandable language in their privacy notices. Otherwise, facing fines may be inevitable.
C. Data Transfer
  1. Based on the expression "Other than as set out above, you will receive notice when personal information about you will be shared with third parties, and you will have an opportunity to choose not to share the information.", DPA concluded that such data processing activity is based on explicit consent.
  2. However, explicit consent must be obtained, at the latest, before the data processing activity commences. Hence obtaining consent after sharing data would be against the DPL.
  3. Allowing the withdrawal of consent after transfer would not be compliant with the DPL, and the consequences of withdrawal are uncertain.
  4. It is concluded that the transfer is in breach of DPL due to ambiguous statements on transfer.

Our comment:
  • In Amazon's Privacy Notice, legitimate reasons for transfer and the recipients of data are listed. Then there is the following statement, which DPA found to be against the DPL:
  • "Other than as set out above, you will receive notice when personal information about you "will be" shared with third parties, and you will have an opportunity to choose not to share the information."
  • When we look at the Amazon website serving the USA, we understand that this expression is simply the result of a translation error.
  • The English language version of the Privacy Notice is as follows: "Other than as set out above, you will receive notice when personal information about you "might be" shared with third parties, and you will have an opportunity to choose not to share the information."
  • We are of the view that if it had been translated correctly, DPA might not have found a major breach of the DPL.
  • It is really notable that a global e-commerce giant is fined, among other reasons, due to a "translation error".
D. Data transfer abroad

Method for obtaining consent

  1. For the purpose of obtaining permission for data transfer abroad, Amazon Turkey has submitted to DPA the standard undertakings executed with non-Turkish recipients of personal data. However, as DPA has not yet granted permission for such transfer and as DPA has not yet announced the list of safe countries, DPA stated in the Decision that the transfer could only be based on "explicit consent".
  2. Amazon's defence that consent is obtained with the following statements "By creating an account, you hereby accept the practices stated in this Privacy Notice", and "by placing an order, you accept Amazon.com.tr Privacy Notice, Terms of Use and Sale and Cookie Notice" was not accepted, and DPA stated in the Decision that consent cannot be obtained by an "implicit statement".
  3. Also, consents that are not limited to a specific subject and to the necessities of the relevant processes are considered "blanket consents" and deemed invalid. In this context, DPA concluded that the approval of all "data processing activities" (tracking with cookies, transfer, sharing, storage etc.) with a single consent statement by the approval of the "Privacy Notice" would not be compliant with DPL.

Our comment:
  • Under Turkish law, personal data may be transferred abroad based on "explicit consent".
  • For data transfer abroad based on legal reasons other than explicit consent, the following methods are applicable: (i) transfer to safe countries (to be announced by DPA), (ii) executing standard form undertakings and obtaining permission from DPA or (iii) obtaining approval from DPA for Binding Corporate Rules (for transfer between group companies).
  • DPA has not yet announced the safe countries. As per DPL, one of the criteria that DPA must consider for determining the safe countries is "reciprocity". In fact, this condition ties DPA's hands. For this particular reason, even the EU countries, from which Turkey had derived its data protection legislation, cannot be considered as safe countries.
  • DPA does not accept the argument that data may be transferred on the basis of the Convention No. 108, which facilitates data transfers among the signatory countries (Turkey is a party to such convention).
  • The other option, "obtaining permission from DPA by signing the standard undertakings published on DPA's website", is not practical. As far as we are aware, there is no data controller that has convinced a major data processor such as Microsoft, Google etc. to execute an undertaking.
  • DPA was aware of this problem in the market and was "tolerating" transfers to foreign countries; and had not yet imposed a fine on this matter.
  • This Decision is very important as it is the first time a fine has been imposed for data transfer abroad. It is particularly striking that the fine was imposed when the undertaking executed by Amazon Turkey was under review for permission by DPA. We are of the view that this Decision is a message to the players in the market, most of which transfer data abroad.
E. Cookies
  1. It is stated that the data processing activity related to cookies starts upon entry to the site.
  2. Consequently, it is concluded that, if a website visitor does not shop or create an account, merely visiting the site would not mean acceptance of processing data through cookies.
  3. In this framework, it is seen that there is no information notice on collection of personal data through cookies (e.g. pop-up messages) and there is no request for permission for the processing (e.g. "You should approve the cookie notice to continue visiting our site").
  4. Consequently, it is concluded that neither information nor explicit consent requirements related to cookies are being complied with.

Our comment:
  • Unlike the EU, there is no specific legislation on "cookies" under Turkish law.
  • However, "cookie data" is listed as one of the marketing data in DPA's guidelines.
  • Due to the lack of legislation, data controllers in Turkey have found a solution by "imitating" the cookie policies used in the EU.
  • Data controllers were expecting guidance or legislation from DPA on cookies.
  • However, with this Decision, DPA made it clear that it considers use of cookies as a personal data processing method within the meaning of DPL, and that a cookie notice must be provided and an explicit consent must be obtained, if required.
  • The cookies that require consent must be "marketing/tracking" cookies, and the "mandatory/functional" cookies can be used on the "legitimate interest" legal basis.
  • Due to the lack of specific legislation on cookies, the content of the cookie notice still remains uncertain; but in any case, after this Decision, it would be wise to add cookie policies (in line with the privacy notice principles under the DPL, to the extent possible) to the websites serving the Turkish market and to obtain explicit consents for "marketing/tracking cookies".
F. Penalty
  1. In light of the above, due to the breach of the rules on commercial messages, General Principles, Data Transfer and Data Transfer Abroad, DPA decided to fine Amazon Turkey TRY 1,100,000 for not taking the necessary technical and administrative measures under the DPL;
  2. to fine it TRY 100,000 as the Privacy Notice contains a large amount of information, is general information on the processing of data (i.e. does not meet the criteria to be a privacy notice under DPL), and does not fulfil the information obligation related to cookies;
  3. to instruct Amazon Turkey to update the "Privacy Notice", "Terms of Use and Sale" and "Cookie Notice" and publish them on the Amazon Turkey website.

Our comment:
  • It is no surprise that DPA found that Amazon Turkey's activities relating to commercial messages are in breach of the rules on commercial messages, while the division of powers between the Ministry of Commerce and DPA remains uncertain.
  • We are of the view that the Privacy Notice contains some sentences that are not very clear; but this should not directly mean that Amazon Turkey carries out illegal data processing activities.
  • The violation about "transfer of data" is caused by a translation error.
  • It is surprising that Amazon Turkey is fined for the data transfer abroad while Amazon Turkey's application for permission to transfer data abroad is pending before DPA.
  • It is also surprising that cookies are subject to a fine while there is no specific legislation on cookies under Turkish law.
  • Our experience shows that DPA is open to dialogue and to listening to the problems of the sector. On the other hand, maybe Amazon Turkey didn't have the opportunity to communicate its position to DPA on the matters that are subject to the fine in question.

You can reach the Turkish language version of the decision via the following link: https://kvkk.gov.tr/Icerik/6739/2020-173

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.