Information technology law (also called “digital law”) concerns the law of information technology, including computing and the internet. It is related to legal informatics, and governs the digital dissemination of both (digitalized) information and software, information security and electronic commerce aspects. It raises specific issues of intellectual property in computing and online, contract law, privacy, freedom of expression, and jurisdiction.

Different names

IT Law is called by many different names. For example, ICT law, IT law, information technology law, technology law, tech law, computer law, electronic law (or e-law), social or new media law, digital media law, Internet law, cyber law and web law. 

IT Law comprises elements of various branches of the law. It does not constitute a separate area of law rather it encompasses aspects of contract, intellectual property, privacy, artificial intelligence and data protection laws. 

Intellectual property

Intellectual property is an important component of IT law, including copyright, rules on fair use, and special rules on copy protection for digital media, and circumvention of such schemes. The related topics of software licenses, end user license agreements, free software licenses and open-source licenses can involve discussion of product liability, professional liability of individual developers, warranties, contract law, trade secrets and intellectual property.

There are rules on the uses to which computers and computer networks may be put, in particular there are rules on unauthorized access, data privacy and spamming. There are also limits on the use of encryption and of equipment which may be used to defeat copy protection schemes. 

Laws

There are laws governing trade on the Internet, taxation, consumer protection, and advertising.

There are laws on censorship versus freedom of expression, rules on public access to government information, and individual access to information held on them by private bodies. There are laws on what data must be retained for law enforcement, and what may not be gathered or retained, for privacy reasons.

In certain circumstances, computer communications may be used in evidence, and to establish contracts. New methods of tapping and surveillance made possible by computers have wildly differing rules on how they may be used by law enforcement bodies and as evidence in court.

Advising clients

With respect to information technology law, we advise our clients on the aspects of privacy and data protection, artificial intelligence, e-commerce, e-money, licensing, software procurement, services agreements, registered electronic mail, secured electronic signature, mobile applications including the regulatory and compliance matters. As regards intellectual property law, we advise our clients on the aspects of licensing, trademark registration, infringements, patents and designs, invalidation of trademarks and injunctive reliefs. 

Information technology law operates across jurisdictions, and a cross-fertilisation of regulatory responses occurs at the interface between domestic, regional and international law.

Information security

Much of the problem that occurs in the field of information technology results from enterprises failing to keep customer and employee information secure. Now that it is primarily stored in digital format, sensitive information is susceptible to theft on a scale unimaginable in previous generations. Hackers and other cyber criminals routinely target financial institutions, e-commerce websites, and ordinary businesses, sometimes gaining access to thousands of customers’ data all at once. This can lead to various legal claims, from government enforcement actions to class action consumer lawsuits.

Electronic signatures

Another growing area of concern for many businesses involves electronic signatures. Like digital storage, electronic signature software has the potential to dramatically streamline operations for businesses willing to embrace new technology. At the same time, care must be taken to avoid compromising sensitive customer data and/or violating government regulations on the subject.

Our services include data protection, GDPR and cyber security compliance, social media law, e-commerce, website compliance, software licensing, data privacy and freedom of information.

Data protection

The Data Protection Law has introduced solid principles of data protection in Turkey that are in line with compatible principles of European Union regulations. The Data Protection Law aims to protect fundamental rights and regulate the transfer, processing and storage of personal data. It applies to individuals whose personal data are processed and to individuals or legal entities who process personal data wholly or partially through automatic means or through non-automatic means, provided that the process is a part of a data registry system.

In principle, pursuant to the Data Protection Law, personal data cannot be processed or transferred (domestically or abroad) without the explicit consent of the data subject. However, there are some exceptions to this rule.

Sensitive personal data

The Data Protection Law classifies certain data as “sensitive personal data” which includes biometric and genetic data of individuals together with data regarding their race, ethnic background, philosophical and political view, religion, union ailiations, health and/or sexual life.

The major difference between personal data and sensitive personal data is that the general exceptions to the prohibition on processing personal data under the Data Protection Law do not apply to certain types of sensitive personal data (such as personal date related to health and sexual life) and consequently such sensitive personal data can only be processed upon the data subject’s explicit consent or only for the purpose of the protection of public health, rendering preventive medicine, medical diagnosis, treatment and care services, planning and management of healthcare services and inancing.

Data Protection Authority

The Data Protection Authority has been established in order to supervise implementation of the Data Protection Law and publish its secondary legislation. Data controllers either individuals or legal entities, (i) residing abroad or (ii) who employ more than 50 employees annually or (iii) have an annual balance-sheet total exceeding 25,000,000 TRY have to register to the data controllers registry by 30 June 2020.

Turkish residents which do not meet this threshold are not subject to such registry obligation, unless they process sensitive personal data, data controllers registry will include the identity of data processor, the purpose of processing, receiver groups to which personal data are transferred, personal data considered to be transferred to foreign countries, measures taken for personal data security, and the maximum time for personal data to be stored.

Following registration, data processors must ensure that processed data is collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes. Within this context, while processing personal data the data controller must hold an inventory, which includes the details of data processing with a company policy covering how and when the personal data, retained by the data controller will be destroyed.

Authorized representative 

Legal entities residing abroad must appoint a representative authorized to communicate with the Data Protection Authority and notify necessary information during registration. Additionally, the data subject must be informed of the identity of the controller; the purpose of the data processing; third parties to whom the data may be transferred and the purpose of such transfer; the methods and legal reasons for collection of personal data; and data subject’s rights. Data subjects have the right to apply to data controller to:

• (i) learn whether their personal data are processed;
• (ii) request information if their personal data are processed;
• (iii) learn the purpose of the processing of their personal data and whether this data is used for intended purposes;
• (iv) know who the third parties are to whom their personal data is transferred within Turkey or abroad;
• (v) request rectification of incomplete and inaccurate data;
• (vi) request the deletion or destruction of personal data under certain conditions;
• (vii) request notiication of their requests and actions taken in relation to (e) and (f) to whom personal data have been transferred;
• (viii) object to the processing, exclusively by automatic means, of their personal data, which leads to an unfavourable consequence for data subject; or
• (ix) request compensation for damages arising from the unlawful processing of their personal data.

Non-compliance with the aforesaid principles and procedure may lead to a monetary fine of up to TRY 1,000,000 and a custodial sentence from 1 to 4 years.

How we can Help?

Our legal advice offers strategic solutions with the broader commercial context in mind. We respond quickly giving advice on multiple fronts to help your business; respond and adapt to new technology trends, work through regulatory landscapes, implement digital transformation strategies and address and manage cyber threats, both proactively and responding to an incident. We have extensive experience advising major corporate clients on the most significant technology transactions and cyber incidents and we have specialised resources with extensive experience advising on data and cyber security related issues.

We have all of your digital, cyber and technology needs covered and we leverage our network to provide an integrated solution across the following areas of expertise;

• Technology transformation, outsourcing and large scale strategic procurement,
• Cyber security: security of critical assets and incident response,
• Data: data protection, analytics, commercialisation & privacy,
• Intellectual property and software licensing,
• The internet of things,
• Telecommunications services and technology infrastructure,
• Emerging technologies: Artificial intelligence, blockchain & robotics,
• Complex commercial arrangements and M&A transactional support,
• Cloud contracting and ‘as a service’ sourcing models,
• Agile and output based contracting.