Database

The Federal Trade Commission Act (FTC Act) provides penalties of up to 16,000 USD for each offence. The FTC Act can also obtain an injunction, restitution to consumers, and repayment of investigation and prosecution costs. Criminal penalties include imprisonment for up to ten years.

Previously, as per the Electronic Communication Privacy Act (EPCA), US public administration organs could only access data stored over seas through mutual legal-assistance treaties (MLATs), which could be brokered with one or several countries at a time, and which require Senate approval.

Since March 2018, an alternative to MLATs, the Clarifying Overseas Use of Data (CLOUD) Act, allows law enforcement officials at any level (from local police to federal agents) to force US firms to turn over user data regardless of where it is stored. The CLOUD Act also gives the executive branch the ability to enter into “executive agreements” with foreign nations, which could allow each nation to access user data stored in the other country, regardless of the hosting nation’s privacy laws. These agreements don’t require congressional approval. In effect, this means that foreign law enforcement officials who need access to data of US companies that enter into an agreement with the US president, the State Department, or the Attorney General to grant them permission to directly contact tech firms to request access.

It is reported that foreign communications infrastructure providers have been asked to sign Network Security Agreements (NSAs) in order to operate in the US. These agreements ensure that U.S. government agencies have the ability to access communications data when legally requested.

The agreements reported range in date from 1999 to 2011 and involve a rotating group of government agencies including the Federal Bureau of Investigation (FBI), Department of Homeland Security (DHS), Department of Justice (DoJ), Department of Defense (DoD) and sometimes the Department of the Treasury.

According to the Washington Post, the agreements require companies to maintain what amounts to an “internal corporate cell of American citizens with government clearances” ensuring that “when U.S. government agencies seek access to the massive amounts of data flowing through their networks, the companies have systems in place to provide it securely.”

Moreover, the agreements impose local storage requirements for certain customers data as well as minimum periods of data retention for data such as billing records and access logs.

The Foreign Intelligence Surveillance Act allows US intelligence agencies to access personal data of foreigners either with a court order or in certain cases without.

There is no federal security breach notification law, but 47 states and the District of Columbia, Puerto Rico and the US Virgin Islands have enacted security breach notification laws. These laws typically require to disclose any breach of the system security to all residents whose unencrypted personal information was acquired by an unauthorised person and may also require notification to state Attorneys General.

It is reported that foreign communications infrastructure providers have been asked to sign Network Security Agreements (NSAs) in order to operate in the US. These agreements ensure that U.S. government agencies have the ability to access communications data when legally requested.

The agreements reported range in date from 1999 to 2011 and involve a rotating group of government agencies including the Federal Bureau of Investigation (FBI), Department of Homeland Security (DHS), Department of Justice (DoJ), Department of Defense (DoD) and sometimes the Department of the Treasury.

According to the Washington Post, the agreements require companies to maintain what amounts to an “internal corporate cell of American citizens with government clearances” ensuring that “when U.S. government agencies seek access to the massive amounts of data flowing through their networks, the companies have systems in place to provide it securely.”

Moreover, the agreements impose local storage requirements for certain customers data as well as minimum periods of data retention for data such as billing records and access logs.

While in the United States there is no national law on data privacy, the state of California has passed in 2018 a privacy law that will apply to all firms established in the state. California's Consumer Privacy Act of 2018 demands that firms give consumers the opportunity to learn the categories of personal information that they collect, sell, or disclose about them, and to whom information is sold or disclosed. The Act also gives consumers right to prevent businesses from selling or disclosing their personal information. Individuals must therefore be informed that their information may be sold, and that they have a "right to opt out."

There are few limits on the transfer of personal data outside the US. Several states have enacted laws that limit or discourage state agencies or state contractors from outsourcing data processing beyond US borders, but these laws are typically limited to state government agencies and private companies that contract to perform services for or provide goods to state agencies.

It is reported that foreign communications infrastructure providers have been asked to sign Network Security Agreements (NSAs) in order to operate in the US. These agreements ensure that U.S. government agencies have the ability to access communications data when legally requested.

The agreements reported range in date from 1999 to 2011 and involve a rotating group of government agencies including the Federal Bureau of Investigation (FBI), Department of Homeland Security (DHS), Department of Justice (DoJ), Department of Defense (DoD) and sometimes the Department of the Treasury.

According to the Washington Post, the agreements require companies to maintain what amounts to an “internal corporate cell of American citizens with government clearances” ensuring that “when U.S. government agencies seek access to the massive amounts of data flowing through their networks, the companies have systems in place to provide it securely.”

Moreover, the agreements impose local storage requirements for certain customers data as well as minimum periods of data retention for data such as billing records and access logs.

The Turkish e-commerce law bans commercial messages sent electronically by email, text messaging (sms), fax, and autodial machines to consumers without their prior approval.

According to the Data Protection Law, administrative fines of up to TRY 1,000,000 (EUR 311,000) and/or imprisonment of one to four years may be imposed for breaches of the Law.

According to the Regulation on Administrative Sanctions in the Electronic Communications Sector, administrative fines may reach 3% of relevant company's annual turnover for the previous year. Moreover, the Turkish Criminal Code provides for various fines and terms of imprisonment, which go up to six years.

According to the Data Protection Law, institutions and third parties are compelled to hand over any data to intelligence agencies and police without a warrant.

Law No. 5651 on Regulating the Internet was amended in September 2014, broadening the scope of administrative blocking and allowing the authorities to access user data without a warrant. While the Constitutional Court overturned these provisions a month later, they were once again passed in March 2015.

Under certain circumstances, telecommunications operators must inform, in an efficient and timely manner, the Information Technologies and Communication Authority (ITC Authority), the National Computer Emergency Response Centre (USOM) and the data subjects of cyber security breaches.

The Turkish courts accepted the existence of the right to be forgotten in 2015 (cases 2014/4-56 E and 2015/1679 K dated 17 June 2015). The Assembly of Civil Chambers of the Court of Appeal held that the right includes digital data, as well as non-digital personal data kept in publicly accessible mediums. This decision adopts and applies a similar scope of the ruling of the Court of Justice of the European Union which recognized the right to be forgotten.