Evaluation of Commercial Electronic Message Applications within the Scope of Electronic Commerce and Personal Data Protection Legislation

Current Legislation

Before the enactment of the Law No. 6698 on the Protection of Personal Data (‘LPPD’), which is the fundamental step within the scope of personal data protection legislation in Turkey, regulations regarding the protection of personal data were regulated within the relevant legislation. The partial regulations made within this scope were also reflected in the Law No. 6563 on the Regulation of Electronic Commerce (‘E-Commerce Law’), and it can be said that the E-Commerce Law is a pioneering regulation in terms of the protection of personal data.

The E-Commerce Law essentially regulates the procedures and principles regarding electronic commerce. In this context, the implementation principles of commercial electronic messages are regulated by the Regulation on Commercial Communication and Commercial Electronic Messages, which came to the agenda again with the Message Management System amendments dated 4 January 2020. In this context, commercial electronic messages are defined as ‘messages containing data, audio and video content sent for commercial purposes and sent electronically using means such as telephone, call centres, fax, automatic dialing machines, smart voice recorder systems, electronic mail, short message service’. On the other hand, with the entry into force of the LPPD on 7 April 2016, some uncertainties and discussions have started to be experienced regarding which legislation will be applied to the transactions applied within the scope of direct marketing via SMS, e-mail, call or other commercial communication tools. Namely, the Personal Data Protection Board (‘Board’), the enforcer of the LPPD, has accepted the marketing/promotion activities of data controllers or data processors for advertising, campaign or promotion purposes by reaching the data subjects via call, SMS or e-mail within the scope of ‘processing’ of personal data, and has found the use of such data without the explicit consent of the data subjects in accordance with the legislation to be contrary to the LPPD and has taken many principle decisions in this regard.

Legislation Applicable to Commercial Electronic Messages

The ‘Decision dated 27/02/2020 and numbered 2020/173 on Amazon Turkey Perakende Hizmetleri Limited Şirketi (’Amazon‘)’ (‘Amazon Decision’), which is another of the Board’s decisions and which made a lot of noise, especially with an administrative fine of 1.200.000 TL, has added a new one to the commercial electronic message discussions. Although the Amazon Decision, which is quite long and contains deep judgements by the Board, has many aspects to be examined and discussed, this article will examine commercial electronic message practices within the scope of the conflict of KVKK and E-Commerce Law.

First of all, it should be noted that the aforementioned laws regulate the fundamental rights and freedoms regarding electronic commerce and the protection of personal data and are unique in this context. Although there are overlapping regulations such as the commercial electronic message approach, accepting them as inclusive for this reason alone will not coincide with both the legal practice and the spirit of the laws, and in the same direction, a general law-specific law distinction cannot be made between each other.

Pursuant to the E-Commerce Law, commercial electronic messages may only be sent with the prior consent of the relevant person. The method of obtaining consent is not subject to any formal limitation. Therefore, consent may be obtained by written or electronic means. The first exception to this rule is that the person may be contacted without consent, provided that it is ‘for changes, use and maintenance regarding the goods or services provided’, and the second exception is that commercial electronic messages may be sent to tradesmen and merchants without prior consent. As can be seen, while the E-Commerce Law approaches the relevant messages more commercially, the LPPD, without distinguishing between the qualifications, includes ‘provided that there is a personal data processing activity’ in terms of all kinds of messages. The LPPD, on the other hand, as a general rule, bases the personal data processing activity, including the sending of commercial electronic messages, on the explicit consent of the person and regulates the exceptions in this regard.

In this respect, the key to provide guidance is the determination of ‘personal data processing’ in terms of the essence of the activity and the presence of personal data in the service provider and/or data controller in some way and the use of this information within the scope of the definition of ‘processing of personal data’ in the LPPD. In summary, if the essence of the activity can be evaluated within the scope of ‘processing of personal data’, the LPPD should be applied, without prejudice to the exceptions. In this context, the limits of the Board’s review authority will be evaluated separately under the third heading, and these practices can be listed as follows: Whether the service provider has the title of data controller-data processor, evaluation of general principles, existence of disclosure and explicit consent mechanisms based on the submission and their validity at the second point, compliance with data security measures, etc.

The Board’s Limit of Authority Regarding the E-Commerce Law and Commercial Electronic Message Practices

In its defence to the Amazon Decision, Amazon argued that ‘the applicant should have submitted the said requests to the Ministry of Commerce, and while we accept and respect the Board’s principle decisions such as commercial electronic messages and the Board’s authority in this field, the procedures and principles regarding the subject matter are regulated exclusively within the scope of the legislation on electronic commerce’ despite the allegations that commercial electronic messages were sent unlawfully.

The LPPD sets out the framework provisions regarding the protection of personal data, and the implementing Board fills this framework within the scope of the LPPD as much as possible and according to the nature of the concrete case. As stated in the Amazon Decision, although there is a separate legislation on commercial electronic messages, sending commercial messages to individuals by storing information such as telephone numbers and e-mail addresses in a data recording system indicates a personal data processing activity. Therefore, although a commercial electronic message must be sent in accordance with the legislation on sending commercial electronic messages, the processes of sending commercial electronic messages must also comply with the personal data protection legislation, since the communication channels used for the transmission of these messages are personal data. In this context, the Board’s decision on the subject is a decision regarding the processing of personal data, not the sending of commercial electronic messages. On the other hand, as learnt from the decision, the Ministry of Trade referred the application to the Board to be evaluated within the scope of personal data protection legislation, and the Ministry considers that the essence of the activity is personal data processing.

In addition, it is seen that the Board can evaluate the relevant personal data violations within the scope of good faith and honesty rules and qualify them as abuse of right, not only due to the violation of processing conditions such as Article 5 or Article 6 of the LPPD, as in the decision on an asset management company sending debt reminder messages to debtors in a threatening and harassing manner. As a matter of fact, pursuant to Article 22/1/c of the LPPD regulating the duties and powers of the Board, the authority to ‘…examine whether personal data are processed in accordance with the law and to take temporary measures in this regard when necessary’, even if the activity in question is within the scope of the E-Commerce Law or other legislation, if it somehow includes personal data processing activity, it will not be considered as an interpretation that exceeds its purpose to say that the Board will fulfil and use its duties and powers independently under its own responsibility.