What are the restrictions for international corporations if they transfer data to the US?

As of 7 October 2016, Turkish Data Protection Law numbered 6698 (“Law”) will require that explicit consent is obtained for the transfer of personal data overseas. Certain exemptions exist for processing of sensitive and non-sensitive personal data without the explicit consent of the data subject and they are also applicable for transferring of data. But transfer of data overseas is further restricted. The Law prohibits the transfer of data to countries which do not have adequate data protection controls. Under the Law, in the absence of adequate data protection, personal data can only be transferred if (1) the foreign data controller undertakes in writing to ensure security of the data and (2) the Data Protection Board’s (“DP Board”) approval for such transfer is obtained.  In other words, both of these conditions must be met for due transfer of personal data overseas.

The DP Board will be the authority to determine white listed countries for the transfer of data overseas. In this respect, we believe that it can be assumed that all EU countries and countries included in the white list of EU will be safe for transfer of data. But for the US companies, or international group’s transferring their data to the US the situation will be different.

As of the date of this article, we are still awaiting the formation of the DP Board which is expected to be completed latest by 7 October. Once the DP Board is established we will have more understanding on their approaches to different jurisdiction. But for now, we may assume that they will most likely follow the footsteps of the EU and an arrangement similar to EU-US Privacy Shield will be put in effect in due course.

For an update on EU- US Privacy Shield and detailed explanation on its background as well the critiques made by the EU Article 29 Working Party, you can view Greenberg Traurig’s  article on 4/14/16: WP29: Thumbs Down to Draft EU-US Privacy Shield.