Internal investigations and the many issues posed by Turkish law
Dr Elvan Sevi Bozoğlu
Bozoğlu İzgi Attorney Partnership, Istanbul, Turkey
sevi.bozoglu@bi.legal
Necdet Can Artüz
Bozoğlu İzgi Attorney Partnership, Istanbul, Turkey
can.artuz@bi.legal
Ata Umur Kalender
Bozoğlu İzgi Attorney Partnership, Istanbul, Turkey
ata.kalender@bi.legal
Introduction
Internal investigations are never easy, in that either in-house legal counsel or external counsel must gather and process copious information and make accurate and quick judgements. In tandem, company management must make risk-based decisions which may sometimes cause penalties to be incurred, employees to be terminated or company reputation to be damaged, in pursuit of legal and ethical practices.
However, sometimes, the law itself can become a thorn in the side of companies and lawyers in conducting investigations, in addition to these existential issues. Turkish law certainly presents a number of issues to be considered, as discussed briefly below.
Issue 1: data privacy
The starting point is the data privacy law-related assessments. Since Turkey is not a member of the European Union, the General Data Protection Regulation is not applicable and, instead, Turkey has its own legislation. The Personal Data Protection Law No 6698, in addition to secondary legislation and authority decisions, regulate the field in Turkey, with similarities to EU Directive EC/95/46.
The most important problems in this perspective are: enlightenment and consent requirements; transfer of personal data abroad; and the processing of third-party personal data.
Companies will usually have privacy notices on employee data processing in place. However, it is required for privacy notices to depend on prior, specific information.
The Constitutional Court has decided in the past that reviews of company email accounts belonging to employees is possible depending on prior, explicit information being provided to employees, and no objections being raised by employees. Any review must also be proportional.[1]
Companies must have also obtained consent in advance regarding transfer of personal data abroad.[2] Such consent needs to be given with the free will of the individual, and be based on clear, explicit prior information. However, this consent may be withheld by employees, in which case the transfer of personal data can rely on the other two alternatives provided by Turkish privacy law, which are largely impractical.[3]
All of this needs to be considered regarding third parties as well. For example, if a case occurs where improper payments will be made by a vendor on behalf of a company and this causes an internal investigation, privacy issues arise. It will be quite unlikely for a company to have prior notices given to, and consents obtained from vendor employees, not to say recipients of improper payments. To make matters worse, those persons will be hesitant to provide consent, or any information for that matter, after they become aware of an investigation. This will make it harder to obtain and process data.
So, assuming a third-party whistleblower discloses personal data regarding illegal behaviour of a company employee and a vendor employee, the transfer of information on that transaction abroad will require prior consent (or anonymisation of the data). The company conducting the investigation will also need to provide privacy notices to both individuals, despite the potential confidential nature of the investigation. In addition, to go through the email accounts or work computer of its employee, the company will need to have previously provided explicit information to the employee.
If these requirements are not fulfilled, there could be consequences hampering the investigation or causing penalties against the company. For one, it is forbidden for evidence obtained illegally to be used in judicial proceedings. Such evidence is considered inadmissible in criminal enforcement or private law. It may also be a criminal offence to obtain or process personal data in breach of the law. Finally, violations of the privacy rights of data subjects could cause administrative penalties.
Issue 2: whistleblower protections … or lack thereof
The past decades have seen whistleblower protections strengthened and expanded in the United States and in Europe, with the likes of the 1989 Whistleblower Protection Act, Sarbanes-Oxley Act or the Dodd-Frank Act in the US and the recent EU Directive 2019/1937 on the protection of persons who report breaches of EU law. These laws, among others, protect employees from retaliation after they report unethical or illegal behaviour. Some also provide financial incentives for disclosures under certain circumstances. The clear aim is that illegal activities are brought to the attention of company decision-makers who may be able to correct unfair activities, or to the attention of the public, if such decision-makers choose not to take required actions.
However, Turkish law does not place the same emphasis on whistleblower protections, and it would be fair to say that whistleblower culture is lagging, despite many multinational companies operating in Turkey having established internal hotlines. Employees do not feel they are sufficiently protected, leading to illegal activities to potentially being swept under the rug.
There are of course some provisions of Turkish law applicable to such internal reporting. For example, the Labor Law sets forth that the employee initiating or joining applications before administrative or judicial authorities against the employer, seeking to obtain employee rights or to fulfill employee obligations caused by law or the employment contract, cannot be terminated with valid reason. This may apply to a crime being reported by an employee. Terminations in breach of this rule may cause unfair dismissal claims and potential termination obligations on employers. Some other protections exist with regard to employees notifying occupational health and safety issues.
Even if a whistleblower report is issued despite there being little incentives and unclear protections, the privacy aspect again comes into play. In such a case, it is also important to identify how the whistleblower collected the information they report, so as to ensure investigations are not built on inadmissible evidence.
Yet again, there may be cases where employees are compelled to disclose criminal activities, bringing us to the next issue.
Issue 3: self-reporting obligations or the crime of not reporting criminal activity
As is the case with many other legal systems, Turkish nationals cannot be compelled to report self-incriminating information, also known as the ‘nemo tenetur’ principle. As per the Turkish constitution, no one may be forced to self-incriminate, or to provide statements and evidence incriminating relatives.
The Criminal Procedure Code also identifies certain individuals as those who may recuse from witness statements, including the spouse, children or parents, as well as attorneys, with regard to information they obtain in a professional capacity (as will be discussed later). Among Turkish scholars, it remains a topic of contention whether legal entities may benefit from this right.
On the other hand, other persons may be requested to provide evidence or testimony. Even more importantly, it is a crime for individuals not to report a criminal offence. The Turkish Criminal Code sets forth that a person who does not report to the authorities a crime being committed, or a crime which has been committed but the consequences of which may still be limited, shall be subject to an imprisonment sanction up to one year.
Therefore, excluding the nemo tenetur principle, or cases where a person may recuse from testimony, Turkish persons and, in this case, Turkish employees are compelled to disclose criminal activities to authorities. As this is a criminal offence regulated by the Criminal Code, it may not be restricted via employment contracts.
It is contested whether legal entities are compelled to report criminal activities as per the Turkish Criminal Code. This confusion stems from the fact that the Criminal Code does not include an explicit provision that legal entities committing this crime (of not reporting a crime) shall be subject to security measures.[4] Still, it is accepted that legal entities are not legally compelled to self-report.
Another consideration among these lines is whether an employee is compelled to disclose a crime to the employer company itself. While the Criminal Code provisions discussed above are concerned with reporting of criminal offences to authorities, employees may also be required to disclose criminal (or non-criminal, but illegal or unethical) activity to their employees. This is caused by the obligation of employees to act in good faith and loyalty towards their employees. As regulated under the Turkish Code of Obligations, employees must perform their work with care and to act with loyalty where necessary to protect the legitimate interests of the employer.
Issue 4: attorney-client privilege
The Advocacy Law prohibits attorneys disclose information trusted to them or learned by them during the performance of their duties. Further, it requires attorneys to obtain consent from clients when producing witness statements and allows attorneys to recuse from testimony even when such consent is given.
Meanwhile, the Criminal Procedure Law regulates the protection of documents and items seized during searches of attorney’s offices or houses. Accordingly, attorney’s offices can only be searched based on a court decision and the presence of a public prosecutor, as well as the Bar president or a nominee. This is interpreted as extending to vehicle or body searches.
However, it is important to keep in mind the circumstances under which potentially privileged information is obtained by the attorney; it is made clear by the Advocacy Law, for example, that such information must be obtained in a professional capacity. In some of its decisions, the Competition Authority sought further conditions, stating that ‘a written correspondence must occur between a client and external counsel’ and ‘the written correspondence must be to the benefit of the client and within the right of defense’.[5] In a similar decision, the Competition Authority decided that a report produced by a company being audited by external counsel regarding competition law would not benefit from privilege, however, this decision was later annulled by administrative courts.[6]
In addition to this, the existence of an attorney-client relationship is crucial. In some cases, internal investigations may result in information being conveyed between parties other than an attorney serving as external counsel and the company hiring them. For example, perhaps information can be exchanged between an attorney serving a subsidiary, and the parent company of the subsidiary, despite the two parties not having a legal consultancy agreement or other professional relationship. Similarly, when information is being exchanged by employees or former employees of a company, it may be claimed no attorney-client privilege exists, as the attorney is not providing services involving the right of such employees to defence. There can be attempts to rectify this, potentially by appointment letters or confidentiality agreements, although they will not have the same effect of attorney-client privilege.
Conclusion
Internal investigations in Turkey have quite a few sensitive aspects that need to be considered. Practical considerations may differ from those of other systems.
In any case, it is critical to consider what information is obtained and how, as well as how such information can be used and protected, and come up with tailored solutions.
As in all jurisdictions, Turkey has its own legal issues to consider in designing internal investigation strategies and plans. On the other hand, divergences from EU legislation in privacy law and the lack of proper whistleblower protection mechanisms mean there is room for updates. It remains to be seen if Turkish law will align with EU and US systems, and whether internal investigations become more widespread locally.
Notes
[1] Turkish Constitutional Court decision on Application No: 2018/31036.
[2] Transfer of data abroad means transfer of any data identifying an individual to any country other than Turkey, including transfers to technical infrastructure such as email or cloud storage servers.
[3] These alternatives are an authority-approved mutual undertaking between Turkish and foreign data controllers guaranteeing sufficient protection being present, and data being transferred to countries deemed ‘safe’ by the Turkish Authority (no list exists so far).
[4] Turkish criminal law does not recognise corporate criminal liability, in line with certain European systems. Criminal responsibility is ‘personal’ and only natural persons can be perpetrators of a crime and only natural persons can be subject to criminal sanctions. Criminal sanctions cannot be imposed on legal entities.
In case a criminal offence is committed by someone acting in the name, or on behalf, of the entity, this may cause the said legal entity to be subject to security measures regulated under the Turkish Criminal Code, which are: cancellation of a licence/permission in the event the legal entity performs activities based on a permission given by a public institution; and confiscation of properties or revenue.
[5] Competition Board decision, File No 2015-1-54, Decision No 15-42/690-259, decision date 2 December 2015.
[6] Competition Board decision, File No 2016-1-65, Decision No 16-42/686-314, decision date 6 December 2016.