Law 6563 on the Regulation of Electronic Commerce has finally been ratified in the National Assembly, after four years on the agenda. Although the law was ratified on October 23 2014 and published in the Official Gazette on November 5 2014, it will not come into force until May 1 2015.

The law focuses on two main issues:

  • the obligation to provide information regarding contracts which are entered into electronically and the liability and obligations of online service providers; and
  • unsolicited commercial electronic marketing.

The law is the first specific statute to regulate unsolicited commercial electronic marketing (eg, spam emails, direct marketing calls, call centre calls, marketing text messages). It represents a significant improvement in the Turkish legal landscape.

Purpose and scope of law

Article 1, Paragraph 1 states the purpose of the law as "regulating procedures and principles regarding electronic commerce". The scope of the law is described in Article 1 Paragraph 2 as encapsulating:

"commercial communication, liabilities of Service Providers and intermediary Service Providers, contracts which are entered into via electronic means and obligations to provide information regarding electronic commerce and the related remedies".

Therefore the law affects businesses and consumers alike.

In this regard, the law defines terms such as 'electronic commerce', 'commercial communication', 'electronic commercial messages', 'service provider' and 'intermediary service provider', in order to clarify its scope.

Definitions

Article 2 of the new law provides as follows:

  • 'E-commerce' is all online financial and commercial activity carried out in an electronic environment;
  • A 'commercial communication' is any communication regarding e-commerce aimed at deriving an income through financial and commercial activity, except for domain names and email addresses;
  • 'Electronic commercial messages' are all messages containing data, sound or images which are sent for commercial purposes by phone, fax or email;
  • A 'service provider' is a natural or legal person that performs an e-commerce activity; and
  • An 'intermediary service provider' is a natural or legal person that provides an electronic environment where others can conduct financial and commercial activities.

Service providers' obligations and liabilities

The new law imposes several obligations on service providers with regard to electronic contracts and orders, for consumer protection purposes. A service provider must:

  • provide up-to-date introductory information and information on the technical steps that must be taken in order to establish these contracts to recipients before they enter into such contracts;
  • inform the recipient whether the contract will be stored by the service provider and whether the recipient will be able to access the contract and the terms of such access;
  • provide information on the technical tools for identifying and rectifying mistakes;
  • specify the applicable confidentiality rules and alternative dispute resolution mechanisms, if any, after the contract has been entered into;
  • indicate the ethical rules of any trade association of which it is a member and the method of enforcing these rules online, if applicable; and
  • provide the means for the recipient to store the terms of the contract and the standard terms of the service.

Failure to comply with these obligations will result in monetary fines of between TRY1,000 and TRY5,000.

The law includes two exemptions to these obligations:

  • The parties of business-to-business activities may decide on alternative terms.
  • Contracts which are entered into exclusively using email and other personal means of communication are excluded.

These exemptions are directly adopted from Article 11 of the EU E-commerce Directive. However, while they are compliant with the directive, they do not reflect the exemptions as directly stated in the directive. Several obligations regulated by the directive are included in other Turkish laws; therefore, the new law does not include these obligations, as indicated in its preamble.

Purchase orders issued through electronic communication tools are regulated under the new law. A service provider must:

  • ensure that the terms and conditions of the agreement, including the total amount of the contract, are seen clearly by purchasers before confirmation of the order and before payment information is provided. Failure to comply with this obligation will result in fines of between TRY1,000 and TRY5,000;
  • send an electronic order confirmation message to the purchaser without delay. Failure to comply with this obligation will result in monetary fines of TRY1,000 and TRY10,000; and
  • allow for any mistakes in the data provided to be corrected before the order is placed. Failure to comply with this obligation will result in fines of between TRY1,000 and TRY10,000.

Electronic commercial messages

The E-commerce Law has been a hot topic in Turkey for some time, especially due to certain provisions on commercial electronic marketing and commercial communication. Anyone engaging in commercial communication within the scope of the new law must:

  • provide sufficient information to clearly identify the natural or legal person who is sending the communication. Failure to provide this information will result in fines of between TRY1,000 and TRY10,000; and
  • provide sufficient and clear information on promotions such as discounts, gifts and contests, in order to identify their features and the terms of participation. The information provided must be clear and understandable. Failure to comply with these obligations will result in fines of between TRY2,000 and TRY15,000.

The law also establishes the legal framework governing commercial electronic messages. Pursuant to Articles 6:

  • commercial electronic messages can be sent to individual recipients only with their prior consent, provided in writing or through electronic communication. No additional consent is needed for any further messages relating to goods and services already procured by the recipient, if the recipient provides his or her contact information. Failure to comply with this obligation will result in fines of between TRY1,000 and TRY5,000. However, personal information databases which were established to send commercial electronic messages with the data subject's consent prior to May 1 2015 are excluded from this obligation;
  • the content of commercial electronic messages must comply with the consent obtained from the recipient;
  • information identifying the service provider – irrespective of whether the relevant message is sent by the service provider itself or a third party, and depending on the form of communication chosen to convey the relevant commercial electronic message (eg, phone number, fax number and email address) – must be included in the message. Failure to include this information will result in fines of between TRY1,000 and TRY10,000;
  • recipients of commercial electronic messages must have the option to opt out of these services;
  • service providers must ensure that recipients can opt out of these services easily and without charge. Failure to do so will result in monetary fines of between TRY2,000and TRY15,000; and
  • service providers must stop sending commercial electronic messages within three days of receiving an opt-out message from the recipient. Failure to do so will result in monetary fines of between TRY2,000 and TRY15,000.

The new law also amends Article 50, Paragraph 5 of Law 5809 on Electronic Communications, which regulates electronic communications services and infrastructure. Article 50 governs subscription agreements between consumers and electronic communication service providers (ie, internet service providers and Global System for Mobile operators), while Paragraph 5 relates specifically to electronic commercial messages. The amendments mirror the provisions of the new law; therefore, providers of electronic communication services are subject to the same regime.

Protection of personal data

The new law includes specific provisions on the protection of personal data. Although Turkey does not yet have specific data protection legislation, there are certain general provisions on the subject in different laws, including Article 10 of the new law. Pursuant to Article 10, service providers and intermediary service providers are liable for the preservation and protection of personal data obtained through transactions within the scope of the law, and relevant personal data can be used or transmitted only with the consent of the data subject.

The law merely amplifies the main provision relating to personal data enshrined in Article 20(3) of the Constitution, which states that everyone has the right to request the protection of personal data. This encompasses the right to be informed of, have access to and request the correction and deletion of personal data, and to be informed whether the data is used in accordance with the envisaged objectives. Pursuant to Article 20(3), personal data can be processed only in cases envisaged by law or with the individual's explicit consent. The same protection is set out under Article 12 of the UN Universal Declaration of Human Rights and Article 12 of the Convention for the Protection of Human Rights and Fundamental Freedoms, both of which Turkey is party to.

Comment

The law introduces a new era for commercial electronic communication in Turkey. Although it will be completely new to local businesses and may cause compliance issues. European or US businesses that comply with EU legislation are unlikely to experience any issues, since they will already be in compliance.

Gönenç Gürkaynak

İlay Yılmaz

This article was first published by the International Law Office, a premium online legal update service for major companies and law firms worldwide. Register for a free subscription.