1. Introduction
The intersection of personal data protection law with various legal fields is evident. Any interference with personal data is generally considered illegal. According to our Constitution, the primary exception for processing personal data is the explicit consent of the individual. The Law on the Protection of Personal Data №6698 (KVKK) provides a framework for explicit consent without considering the personal characteristics of the data subject. If the data subject is a consumer, the general principles of consumer law and protective provisions established by other laws apply directly. The “power imbalance” between the data controller and the consumer must be considered, and an appropriate approach must be adopted. This article will discuss the explicit consents obtained from consumers by data controllers and the validity conditions of such consent.
2. Definition of Consumer
The Law on Consumer Protection №6502 (TKHK), in parallel with the repealed Law on Consumer Protection №4077, states that legal persons acting for non-commercial or non-professional purposes can also be considered consumers. Since the regulations brought by the KVKK pertain to natural persons, evaluations in this study will be made based on natural person consumers.
For any law to belong to consumer law, it must be applicable to consumers. It does not need to be stipulated in the Consumer Law. Thus, even though there are no provisions in the TKHK concerning personal data protection, the rules set out in the KVKK must be evaluated considering the purposes of consumer law when applied to consumers. Protecting the consumer’s health, safety, and economic interests are primary objectives of the TKHK. Although personal data is protected under the KVKK, if the data subject is also a consumer, they can benefit from the protective provisions provided by consumer law’s general principles and legal regulations.
3. Explicit Consent
Processing personal data begins from the moment the data is first obtained and includes all operations performed on the personal data. Under the KVKK, explicit consent can serve as a legal basis for both general and special categories of personal data.
According to the GDPR, one of the legal bases for the lawful processing of personal data is the consent of the data subject (Art. 6/1/a). While consent is considered sufficient for processing general personal data under the GDPR, explicit consent is required for processing special categories of personal data (Art. 9). A comparison between the KVKK and GDPR reveals that the KVKK does not include the phrase “unambiguously” in the definition of explicit consent. The characteristics of explicit consent need to be assessed on a case-by-case basis, making the legislative technique adopted by the lawmaker highly appropriate.
The GDPR specifically regulates the consent of minors (Art. 8/1), stating that the processing of personal data of minors is only lawful if they are at least 16 years old, with parental consent required for those under 16. Member states have the flexibility to set a lower age limit, provided it is not below 13 years (Art. 8). The KVKK does not stipulate an age limit for data subjects, making the provisions of the Turkish Civil Code regarding legal capacity directly applicable. Consent must be independent; if multiple consents are required, each must be given separately
The first condition for the validity of the consent given by the data subject is that it must be related to a specific subject (KVKK Art. 3/1a). This implies that the subject must be concrete and well-defined. It is impossible to obtain explicit consent for undefined matters. Processing personal data for potential future needs is considered unlawful. Data controllers must clearly explain the specific subject for which they seek explicit consent from the consumer. The consent given must also delineate its boundaries, linking the specific subject to a specific purpose, which must be clear, specific, and legitimate (KVKK Art. 4/c).
A statement of will expressed by the data subject for unlimited and undefined matters is invalid. In the literature, this is referred to as blanket consent. For instance, a statement like “I accept the processing of my personal data for all data processing activities mentioned above” would not be considered explicit consent.
We must also discuss “cookies” frequently encountered in consumer transactions over the internet. Cookies are alphanumeric markers. During online browsing, individuals leave traces on the sites they visit. These traces are tracked to profile the individual. Information is provided to the individual by goods and service providers based on their needs. Cookies provide opportunities for goods and service providers to offer relevant advertisements to the data subjects based on their needs.
Consent for cookie usage is requested each time a site is visited, accompanied by information texts. However, checking boxes indicating that the information texts have been read or understood does not necessarily mean that the consent obtained is valid. It is commonly observed that information texts about cookie usage are not read. Accepting the use of cookies creates the perception of consent, which poses a threat to personal data security. Internet providers may use the information obtained through cookies for their purposes. Detailed information on this can be found in the Authority’s Guide on Cookie Practices. in Turkish.
4. Characteristics of Explicit Consent in Consumer Personal Data
In the ordinary course of life, the parties to a contract do not always have the same opportunities. For instance, the conditions under which a merchant buys raw materials for their business differ from those under which a consumer buys a product. Due to these characteristics of contractual relationships, lawmakers have introduced protective provisions through special legal regulations, as frequently seen in labor law and consumer law.
In contracts involving consumers, an unfair term is sufficient for the invalidity of the relevant provision. Unlike general terms and conditions, an unfair term does not need to be prepared for use in many similar contracts to be considered invalid. “An unfair term is a term that is included in the contract without negotiation with the consumer and causes an imbalance to the detriment of the consumer, contrary to the principle of good faith, in the rights and obligations arising from the contract” (TKHK Art. 5/1).
Similar to the Directive 93/13/EEC on unfair terms in consumer contracts dated April 5, 1993, the GDPR also stipulates in its recital 42 that consent declarations must be written in clear and plain language, easily accessible, and free of unfair terms.
Both the GDPR and KVKK have adopted an autonomous authority model. In this model, it is assumed that the data subject makes a conscious and free choice based on existing information. Research on consents given for processing personal data, especially over the internet, indicates that legal regulations do not sufficiently achieve their objectives. Studies highlight that consumers often ignore frequent messages and rarely read privacy notices.
4.1 The Consumer Must Not Be Under Any Pressure
To assert the presence of free will, the individual expressing their will must not be influenced by any external factors. The data subject must have the right to refuse the request for their personal data, and they must be assured that there will be no sanctions if they refuse.
The term “pressure” here encompasses a broader meaning than the concept of defects of will under the Turkish Code of Obligations (TBK). If defects of will exist under TBK, the will expressed is considered defective. In the presence of a defective will, it cannot be said that the expressed will is free. It is clear that when defects of will are present, free will cannot be said to exist. The will required for the formation of a contract and the explicit consent required for the processing of personal data are different concepts. Explicit consent for processing personal data is generally obtained during the formation of the contract, but it can also be obtained after the contract is formed but before performance. Therefore, in theory, the will required for the formation of the contract will be defective in the presence of a defect of will, but the explicit consent obtained for the processing of personal data may still be valid.
In cases where a defect of will exists during the formation of a contract, we encounter a situation of voidability. If the person whose will is defective approves the contract, the contract becomes valid despite the defective will. However, if explicit consent for processing personal data is obtained under pressure, this results in absolute nullity, indicating the presence of a void legal act. Therefore, the approval of the data subject will not change the outcome. In such a case, explicit consent for personal data processing must be obtained from the beginning.
The term “the consumer must not be under any pressure” means that the consumer should not have any concerns about facing adverse situations or attitudes if they do not give their explicit consent. For example, if a consumer knows they can purchase the product subject to the contract without giving their personal data but fears missing out on a promotional draw, it cannot be concluded that the consumer gave their explicit consent with free will. If there is a causal link between the consumer’s concern and the given explicit consent, the consent is invalid. The type of invalidity is absolute nullity.
In cases of “mistake” among defects of will, for the mistaken party not to be bound by the contract, the mistake must be “material” (TBK Art. 30). If a person is mistaken about any matter when giving explicit consent for processing personal data, the consent given will be invalid, regardless of whether the mistake is material. The essential criterion here is establishing a causal link between the mistake and the given explicit consent.
The GDPR also regulates the withdrawal of consent. The data subject has the right to withdraw their consent at any time. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal. Withdrawing consent should be as easy as giving consent (GDPR Art. 7/3). The KVKK does not regulate the withdrawal of consent. However, Article 12 of the Regulation on the Deletion, Destruction, or Anonymization of Personal Data, published in the Official Gazette №30224 dated October 28, 2017 (amended in the Official Gazette №30758 dated April 28, 2019), stipulates the periods for deletion and destruction of personal data upon the request of the data subject. According to the regulation, the data subject may request the deletion or destruction of their personal data by applying to the data controller under KVKK Articles 11 and 13. Three different scenarios are regulated in this case.
- The first scenario pertains to the complete disappearance of the conditions for processing personal data. In this case, the data controller deletes, destroys, or anonymizes the personal data subject to the request within thirty days at the latest and informs the data subject about the current situation (Regulation on Deletion, Destruction, or Anonymization of Personal Data Art. 12/a).
- The second scenario relates to the transfer of personal data to a third party. If the conditions for processing the personal data completely disappear and the personal data has been transferred to third parties, the data controller informs the third party of the request and ensures that the necessary actions are taken to fulfill the request (Regulation on Deletion, Destruction, or Anonymization of Personal Data Art. 12/b).
- The third scenario involves the partial disappearance of the conditions for processing personal data. The data controller may reject the request within thirty days at the latest, providing justification in writing or electronically, based on the partial continuation of the conditions for processing personal data (Regulation on Deletion, Destruction, or Anonymization of Personal Data Art. 12/c).
4.2. The Consumer Must Be Given a Choice
For the consumer’s free will to be acknowledged within the scope of a contract for a good or service, the consumer must have a choice. For instance, consider that XYZ Sports Center Inc., where consumer Mr. X is a member, uses a “fingerprint system” for security purposes. This system keeps security measures at a high level and prevents non-members from entering the sports center. The use of this system eliminates the need for additional security personnel at the entrances and exits, thus saving on costs. There are many beneficial aspects to the system implemented by the sports center management. However, the question that needs to be answered in our examination is whether it can be considered that the consumer has freely expressed explicit consent when asked for their fingerprint, despite the reasons being reasonable and legitimate, and no other alternatives being offered to the consumer.
In our opinion, in this case, it must be acknowledged that the consumer has given their explicit consent with free will. When requesting personal data from the consumer, having reasonable and beneficial reasons is not sufficient. Explicit consent cannot be requested in the absence of reasonable and beneficial reasons. Therefore, alternative options should be provided to the consumer. For example, the consumer should be offered the option to enter with a card and should not face any restrictions on using this option. A consumer who has the option to choose between carrying a card or giving their fingerprint because they want to avoid the burden of carrying a card or because they believe it is more secure may demonstrate the existence of their free will.
We can expand on the example provided. It is also possible for the same sports center to offer the option of entering based on a retina recognition system. It is up to the consumer to evaluate this possibility. The consumer may choose to allow the processing of their retina data, which is also personal data.
If providing personal data becomes an element of the contract the consumer is a party to, it is necessary to clarify how this situation should be evaluated. We can modify the example provided to clarify the situation. Let’s assume that XYZ Sports Center Inc. has been a sports center where entrance and exit are done via a fingerprint system for security reasons for the past year. Mr. X wants to become a member of this sports center. Let’s accept that among the conditions for forming the contract that Mr. X reviews is “providing a fingerprint.” Let’s also accept that the company has very important reasons related to security, cost, and sales policies for including this condition in the contract. In this situation, it is not mandatory for the consumer to become a member of that sports center. There are other companies offering the same service. The idea that the consumer can choose another sports center might come to mind.
The main issue that needs resolution in all these evaluations is whether it is possible to make personal data a condition for forming a contract. The processing of personal data must primarily serve the purpose of the contract. Personal data that is not essential for the formation of the contract will render the given consent invalid if it is made a condition for the formation or performance of the contract. In such cases, the will for processing personal data is obtained under compulsion. In other words, consent should be kept separate from other “terms and conditions” and should not be made a precondition unless necessary for the service. In consumer law, personal data cannot be made a condition for forming a contract. To discuss an exception to this rule, the collection of personal data must be essential for forming the contract. The presence of reasons and benefits that eliminate the option of choice in uniform arrangements will not change the conclusion reached. Even if Mr. X becomes a party to such a contract and shares his personal data with the company, we cannot speak of the consumer’s free will.
Similarly, if accepting the use of cookies is made a condition, the validity of the explicit consent given cannot be discussed. Making the use of cookies a condition renders the area of use for the obtained data uncertain.
GDPR Article 7/4 provides clear regulation on whether the consent obtained within the scope of the contract is necessary for the contract. According to this regulation, when evaluating whether consent has been freely given, utmost consideration should be given to whether the consent relates to personal data processing not necessary for the performance of a contract, including the provision of a service.
5. Conclusion
At a constitutional level, protection has been established for personal data to safeguard fundamental rights and freedoms, particularly the right to privacy. The Turkish Data Protection Law (KVKK) does not provide regulations based on the personal characteristics of data subjects. Instead, the legislator has preferred to include general provisions.
The primary objective of personal data protection law is to protect personal data. As a rule, processing personal data is prohibited. One of the most significant exceptions to this rule is the consent of the data subject. Although the KVKK distinguishes between general and special categories of personal data, “explicit consent” is required for processing both types of data. The granting of explicit consent is not subject to any particular form. Narrowly construed implied consent, such as silence, is insufficient to constitute explicit consent. However, broadly construed implied conduct reflecting a deliberate expression of will may be sufficient to constitute explicit consent.
The protection of personal data intersects with multiple branches of law. To achieve the objectives of personal data protection law, its relationship with other legal regulations must also be examined. The KVKK is enacted to protect the personal data of natural persons. Whether the natural person is a trader or a consumer, they will benefit from the protection provided by the KVKK. It is crucial not to overlook the following point:
If the data subject is a consumer, the protective provisions brought by the Consumer Protection Law (TKHK) for consumers should be directly applicable in the implementation of the KVKK. The relationship between these two branches of law is particularly important in the application of “explicit consent” required for processing personal data. The elements of explicit consent are outlined in the KVKK. These elements are inherently general. Therefore, each element must be evaluated concerning the specific case. If the data subject is a consumer, the assessment should consider the “imbalance of power” between the consumer and the data processor. It should be assumed that a consumer does not act with free will. Many personal data of consumers also represent economic value. Goods and service providers seek to process consumers’ personal data at every opportunity. When evaluating the validity of explicit consent given by the consumer, these factors must be taken into account.
Due to the widespread use of e-commerce applications, consumer transactions are also commonly conducted over the internet. We frequently encounter cookie applications when accessing many websites. Cookie applications have reached a level that threatens personal data protection law. Those who obtain cookies argue that consent obtained for cookies should not fall within the scope of the KVKK, as they cannot identify natural persons through cookies. However, advancing technology facilitates access to all kinds of information. Therefore, amending the law to recognize cookies as personal data is the most balanced solution. In the proposed regulation, if the burden of proving that a cookie is not personal data is placed on the entity requesting the cookie, the issue will be largely resolved.