In the information age we live in, information technologies are developing rapidly, and the digitalization and globalization of societies and economies have kept pace with these technological developments. As a result, big data, personal data, the protection of personal data and privacy have become increasingly important. Technological developments have moved the provision of individuals’ daily needs to the digital medium, and this is reflected in an immense increase in the use of social media as well as e-commerce platforms. This growth, change and transformation created by the information age has deeply affected not only technology but also many fields such as law, economy, trade and advertising.
The transformation from traditional ways of doing business to digitalization shows that data is undeniably one of the most important assets of information societies. The digitalization trend has carried “data” to one of the highest points throughout human history, and the importance of data continues to increase every day. Data has become the main source not only in digital environments but on all platforms. As is known, data is essential not only for the development of businesses and platforms, but also for them to function and operate accurately.
Especially since the 1990s, the widespread use of the internet on an individual basis has led to concerns regarding the protection of personal data and privacy. It is a well-known fact that all kinds of orientations, behaviours and habits of individuals can be analysed and easily directed by way of accessing and using individuals’ personal data. The fact that data and information are free from time and space limitations and can be used for a variety of purposes, including calculation and manipulation, thereby affecting individuals’ decision-making, is proof of the sensitivity of the use of personal data. The person holding and controlling data is in a position to interfere with the fundamental rights and freedoms and personal rights of individuals.
Legal Regulations Regarding Personal Data Protection in the European Union and Turkey
Law and legal regulations must keep up with current developments and changing circumstances and protect individuals when necessary; this has led to the emergence of regulations on the protection of personal data and privacy. The European Union and its member states have been and still are the forerunners in the implementation of legal regulations on the protection of personal data. The General Data Protection Regulation (“GDPR”), which regulates data protection and privacy for individuals in the European Union and the European Economic Area, entered into force on 25 May 2018. The GDPR has served as the basis for data protection regulations in the domestic laws of many countries, including Turkey.
In the European Union, secondary regulations have followed the GDPR, and draft regulations continue to be on the agenda. One of the secondary regulations is the Data Governance Act, which was adopted in May 2022, will be applicable in September 2023, and aims to promote the transfer of personal and non-personal data by setting up intermediation structures. On 23 February 2022, the European Commission proposed the Data Act, which consists of new rules on who can use and access data generated in the European Union across all economic sectors and which aims to ensure fairness in the digital environment, stimulate a competitive data market, open opportunities for data-driven innovation and make data more accessible for all. Additionally, the European Commission has proposed the Artificial Intelligence Act with the specific objectives of ensuring that AI systems placed on the Union market and used are safe and respect existing law on fundamental rights and Union values; ensuring legal certainty to facilitate investment and innovation in AI; enhancing governance and effective enforcement of existing law on fundamental rights and safety requirements applicable to AI systems; and facilitating the development of a single market for lawful, safe and trustworthy AI applications and preventing market fragmentation.
Finally, the EU Cybersecurity Act entered into force on 27 June 2019. It is supplementary to Directive 2016/1148 (“Directive”), which was adopted by the European Parliament and the Council in 2016 and is the first legal regulation of the European Union in the field of cybersecurity. The Cybersecurity Act introduces an EU-wide cybersecurity certification framework for ICT products, services, and processes, and further makes ENISA a key player in establishing and maintaining this framework. Its objectives include protecting and enhancing the ability of EU Member States to respond comprehensively to cyber threats, including cross-border incidents; strengthening EU cybersecurity structures; and improving cooperation, information sharing, and coordination between EU bodies, offices, and agencies.
In Turkey, the right to the protection of personal data has been guaranteed by the Constitutional amendment made in 2010 with the Law numbered 5982 Amending Certain Provisions of the Constitution of the Republic of Turkey, by adding a clause to Article 20 of the Constitution. With this amendment, individuals are constitutionally protected within the scope of the “right to privacy and protection of private life”. In the period until the constitutional amendment in 2010, personal data was mostly protected by the provisions and sanctions for the protection of personal data and the right of personality included in the general legal regulations in the Turkish Civil Code and the Turkish Penal Code. With the third paragraph of Article 20 of the Constitution, a law was required for determining the procedures and principles regarding the right to protection of personal data. The Convention Numbered 108 on the Protection of Individuals Against Automatic Processing of Personal Data (“Convention”), which was drafted by the Council of Europe to protect personal data at the same standards in all member countries and to determine the principles of cross-border data flow, was opened for signature on 28 January 1981 and was also signed by Turkey. The main purpose of the Convention is to secure the fundamental rights and freedoms of natural persons, regardless of their nationality or residence, in each member state, and their right to private life, especially against the automated processing of personal data concerning them. After all these legal developments, the Personal Data Protection Law Numbered 6698, regulating the rights and obligations of natural and legal persons in terms of the processing of personal data and the procedures and principles to be followed to protect the fundamental rights and freedoms of individuals, was adopted on 24 March 2016 and entered into force on 7 April 2016.
Legal Regulations Regarding Digital Markets in the European Union and Turkey
The Digital Markets Act (“DMA”) was adopted on 18 July 2022 and will enter into force on 1 November 2022. The DMA stands as a new tool for the European Commission to deal with the concerns relating to online service providers and imposes new responsibilities on online platform giants, or gatekeepers.
Pursuant to the DMA, a provider of platform services will be considered a gatekeeper if it has a significant impact on the EU market, namely providing core platform services in three Member States and having an annual turnover in the European Economic Area (EEA) equal to or above €7.5 billion in each of the last three financial years. Other situations where a company may be considered a gatekeeper are when the core platform service it provides is an important gateway for business users to reach end-users, and when it enjoys an entrenched and durable position or it is foreseeable that it will enjoy such a position in the near future. According to the DMA, the list of gatekeepers will be reviewed regularly and at least every 3 years to verify its correctness and completeness.
As a result of being designated as a gatekeeper, companies will carry an extra responsibility to conduct themselves in a way that ensures an open online environment that is fair for businesses and consumers by complying with specific obligations imposed in the DMA.
Similarly, the Turkish Competition Authority seeks to introduce competition rules for digital gatekeepers alongside a general code of conduct for online marketplaces to ensure fair competition in the digital markets. The President of the Turkish Competition Authority announced that they are preparing a draft law on digital markets, focusing on protecting the user and the seller by regulating how the data will be collected and used transparently in digital markets. The draft law is expected to be finalized in the upcoming year.
The Intersection Between Data Protection Law and Competition Law
Within the scope of these developments, especially with the increase in the use of the internet and social media and the rapid growth of digital markets, the processing of personal data has become indispensable for the functioning of the internet, social media platforms and digital e-commerce platforms. The use of personal data for commercial purposes creates an interaction between personal data protection law and competition law. Especially on digital platforms, where personal data processing is an indispensable element for the data controllers to maintain their existence, it is possible to encounter a variety of competition law violations and prohibited activities such as agreements, concerted practices and abuse of dominant position. In 2014, the European Data Protection Supervisor published the document “Privacy and Competitiveness in the Age of Big Data: The Interplay Between Data Protection, Competition Law and Consumer Protection in the Digital Economy”, stating that “consumers are also data subjects, whose welfare may be at risk where freedom of choice and control over one’s personal information is restricted by a dominant undertaking.”
With the spread of e-commerce, the transfer of economic activities to the online medium has led to the emergence of the concept of “digital economy”, and personal data has become the cornerstone of this great power. In this new economy, personal data has become the backbone of many digital markets. The “new currency” expression used for data by Margrethe Vestager, Executive Vice-President of the European Commission, also reveals the great role of data in the economy in this new age. Although the use of personal data for the operation of digital platforms provides many benefits to undertakings, such as analysis, promotion, advertising and marketing, the processing of personal data may also cause many problems that may conflict with the interests of the data subject. Holding personal data may have effects such as monitoring and directing the data subject’s habits, behaviours, preferences, and orientations in line with the request of the data controller. The increasing need for the use of personal data in the economy has also created new concepts such as the “data-driven economy”. According to the definition made by the Turkish Competition Authority, data-driven economy refers to “an economy system in which data is transformed into an economic value such as goods and services and the most important parameter used by undertakings while making their strategic decisions is data”. The value of the data-driven economy, which has a very important place in today’s economy, is estimated to reach approximately 1 trillion euros in the European Union in 2025, and this amount corresponds to 6.3% of the gross domestic product of the European Union. When all these are evaluated, it is seen that undertakings may have the power to abuse data for their own interests and become dominant, with a major impact on the market in general.
The fact that personal data is an indispensable element, especially for social media and e-commerce platforms, may cause undertakings operating in these areas to take actions restricting competition in the relevant markets. Despite the significant economic potential of data-based business models, the control of individuals through their personal data may conflict with the protection of privacy and personal data and may also violate competition law.