Q&A: cloud computing law in Turkey – Lexology

admin on September 15, 2022 Leave a Comment

Legislation and regulation

Is cloud computing specifically recognised and provided for in your legal system? If so, how?

There is no legal definition of cloud computing technologies. Yet, there are references to cloud computing technologies or services within the scopes of personal data protection, data localisation and cybersecurity for public institutions and companies operating in certain sectors such as finance, energy and electronic communications.

Does legislation or regulation directly and specifically prohibit, restrict or otherwise govern cloud computing, in or outside your jurisdiction?

Presidential Circular No. 2019/12 (Circular), published and entered into force on 6 July 2019, sets out information and communications security measures to be applied by public institutions, public organisations and undertakings providing critical infrastructure services. Critical infrastructure sectors are listed as energy, electronic communications, banking and finance, transportation, water management and critical public services (eg, national security, healthcare). As per the Circular, public institutions and organisations shall not store their data in cloud storage services except for their own private systems or local service providers controlled by the institutions themselves. The Circular indicates that all email data servers of public institutions should be located in Turkey, although there is no specific reference to cloud computing systems. Relying on the Circular, the Digital Transformation Office at the Presidency (DTO) published its Information and Communication Security Guide in July 2020 and the Audit Guide in October 2021. DTO explains that the provisions of the Circular aim for data localisation. In other words, as long as the data is stored in local data centres and the mentioned security measures are taken, the Circular does not ban local or foreign providers from providing cloud computing services. The Guides contain general security measures and audit specifications for the provision of cloud computing services which are binding for the public institutions and any other companies operating in critical infrastructure sectors.

Separately, in its Guidelines on Biometric Data Processing, the Turkish DPA states that biometric data shall be stored in cloud systems only when cryptographic methods are used.

Additionally, there are directly applicable sector-specific provisions regarding cloud computing in Turkish law. These are as follows:

What legislation or regulation may indirectly prohibit, restrict or otherwise govern cloud computing, in or outside your jurisdiction?

Indirect prohibition or restrictions can be found in the legislations generally in the form of data localisation requirements. Examples are as follows:

What are the consequences for breach of the laws directly or indirectly prohibiting, restricting or otherwise governing cloud computing?

State officials responsible for implementing the measures included in the Circular, the Information and Communication Security Guide and the Audit Guide may face a judiciary or an administrative disciplinary proceeding due to non-compliance.

The Personal Data Protection Authority is authorised to impose administrative fines to companies in breach of personal data protection legislation.

The Ministry of Trade is authorised to enforce administrative fines to companies violating consumer protection measures.

What consumer protection measures apply to cloud computing in your jurisdiction?

Since there are no consumer protection measures specific to cloud computing, general consumer protection measures would apply to cloud computing products and services. The Law No. 6563 on Regulating Electronic Commerce and the Law No. 6502 on Consumer Protection regulate contracts with consumers that are formed and concluded electronically (distance contracts). Service providers are obliged to provide certain information to consumers before concluding contracts electronically. Among others, consumers must be informed on any technical safeguards that might affect the functionality of the digital software or application. Additionally, service providers are required to ensure that the consumer has the technical means for identifying and correcting input errors prior to the placing of the order and access to contract terms. Distance contracts shall also entail certain rights in favour of consumers, such as consumers right of withdrawal from the contract within 14 days following the delivery of services without giving any grounds and paying any fines. If the provider fails to inform the consumers on their right of withdrawal, consumers can exercise their right of withdrawal in one year following the expiration of 14 days. Service providers shall store the electronic logs regarding electronic commerce transactions for three years following the transaction date and submit these logs to the Ministry of Trade upon request. Finally, as per International Private and Procedure Law No. 5718, Turkish Courts at the consumers residence have jurisdiction if any claims are brought against the consumer. When the consumer files a claim against the service provider, Turkish courts in places where the consumers domicile or ordinary residence or the other partys domicile or ordinary residence is located are competent. Parties have the freedom to decide on the applicable law subject to the mandatory provisions of the law at the consumers ordinary residence.

Describe any sector-specific legislation or regulation that applies to cloud computing transactions in your jurisdiction.

There are several provisions regarding cloud computing in sector-specific legislation such as:

Outline the insolvency laws that apply generally or specifically in relation to cloud computing.

Turkey does not have specific insolvency laws applicable to cloud computing transactions. Enforcement and Bankruptcy Law No. 2004 (EBL) would be applicable to cloud computing suppliers as well. The EBL contains no explicit prohibition with regards to contractual early termination or automatic termination clauses based on insolvency-related events (except for concord situation). Yet, it is also generally accepted under Turkish law that the bankruptcy administration has a cherry picking right, so that it can cherry pick certain non-monetary obligations and demand their performance. Since it is not clear how customers can obtain their data back from an insolvent cloud computing providers server, they are advised to opt for contractual measures to mitigate their risk. Reflecting on this risk, cloud computing contracts usually allow parties to immediately terminate the contract if either party becomes insolvent. In some instances, the cloud computing provider may be obliged to transfer the customers data to another provider immediately when its credit rating is withdrawn or downgraded, or it does not fulfil financial requirements or when there is a decline in its tangible net worth. Customers can also buy services from multiple providers or have back-up servers to avoid a single point of failure.

Read the original post:
Q&A: cloud computing law in Turkey - Lexology

Related Posts
Posted in Cloud Servers

Comments are closed.