Cross-Border Transfers After the 2024 Reform
For years the practical blocker for cloud AI in Türkiye was Article 9: in the absence of Board-approved mechanisms, transferring personal data abroad effectively leaned on açık rıza (explicit consent) — unworkable at enterprise scale. Law 7499 (March 2024) rewrote Article 9 into a tiered system much closer to GDPR:
1. Adequacy decisions — transfers are freest to countries (or sectors/ international organizations) the Kurul declares adequate. 2. Appropriate safeguards — absent adequacy, transfers may rely on instruments including standard contractual clauses (SCCs) published by the Authority (execution must be notified to the Authority within five business days), binding corporate rules for groups, or written undertakings with Board authorization. 3. Incidental transfers — narrow, occasional exceptions (e.g., explicit consent for a specific transfer after being informed of risks).
What this means for AI agent architectures
- Cloud LLM use is contractable. Since 2024, a Türkiye enterprise can use a foreign-hosted LLM under SCCs with the provider (as processor) — the design question becomes which data reaches the prompt, not whether any cloud is possible. Data minimization in the agent context window is the compliance lever: see Deployment Patterns — KVKK-Aware Agent Architecture.
- Consent-based transfer designs are legacy. If a 2023-era architecture memo says "we cannot use cloud AI because açık rıza," it predates the reform and should be reassessed.
- Residency can still be the right answer — for special-category data, regulated sectors (banking has its own outsourcing rules), or customer policy. The point is that it is now a choice among lawful options, priced against capability, not the only door.
---
Educational reference maintained by Avalanche AI — not legal advice. The SCC mechanics and notification windows are procedural details that change; verify at kvkk.gov.tr.