Turkey has no general data protection law at present. There is a draft Law on the Protection of Personal Data (draft law) meant to harmonize Turkish data protection laws with the Council of Europe's Strasbourg Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data 1981 (the Data Processing Convention) and the EU Directive 95/46/EC on the Protection of Individuals with regard to the Processing of Personal Data and on the Free Movement of Such Data (the directive). Turkey has signed, but not yet ratified, the Data Processing Convention due to the absence of a parliamentary act addressing data protection concerns, which is necessary to complete the ratification procedure. Similarly, Turkey has not yet incorporated the directive into its national laws.
The draft law aims to harmonize the Turkish legislative framework with that of the EU and is regarded as a significant development for Turkey. To compensate for the lack of detail in its scope, the draft law is expected to provide general rules and principles and lay the foundation for secondary regulations as well as other sector-specific acts. Significantly, the draft law provides rules on cross-border data flows that are similar to those under the EU directive. The draft law also provides for the establishment of a data protection authority.
At this stage, it is not possible to draw an accurate picture of how the draft law, once enacted, will be applied in practice. Similarly, it is uncertain how the law will mesh with the existing sector-specific rules currently in force, such as regulations on financial institutions pertaining to cross-border data flows.
While the draft law has not yet been adopted, recently, it was referred to the Legislative Commissions of the Turkish Parliament to be finalized for parliamentary discussions. Official and unofficial resources state that the adoption of the draft law is among the top priorities of the government. As such, we are expecting it will be adopted soon, probably in Spring 2016.
Following the referral to the Legislative Commissions, the most recent version of the draft law has been made publicly available. Below you may find our initial comments on some of the amendments to the previous version.
- Definition of Explicit Consent: Explicit consent is now defined in the draft law. Lack of this definition was one of the major inadequacies of the previous version. Explicit consent is defined as "specific, informed and freely given consent," parallel with the definition of "consent" under the EU law.
- Definition of Data Controller: The definition of data controller has also been amended to ensure better alignment with the EU.
- Legitimate Purposes for Data Processing: A significant exception has been introduced to the conditions of processing personal data absent of the data subject's consent. Accordingly, personal data may also be processed when "processing is necessary for the data controller's legitimate interests, as long as such interests do not harm the fundamental rights and freedoms of the data subject." The directive also contains a very similar exception, and the lack of this exception in the previous version of the draft law was highly criticized by data controllers. The other exceptions, where data can be processed in the absence of data subject's consent, remain to be similar to those provided under the EU law.
- Sensitive Data: The draft law now defines biometric data as "sensitive personal data." Although the directive does not categorize biometric data as sensitive personal data, there are member states which have made such a categorization under their national laws and regulations. Note that the EU General Data Protection Regulation (as defined below) categorizes biometric data as sensitive personal data.
- International Transfer of Personal Data: There have been some amendments to the transfers of personal data abroad. However, the system is elementarily unaltered.
- Retention Periods: As you may know, personal data cannot be kept any longer than is necessary for the purposes for which the data were collected. Therefore, data controllers are required to delete outdated data. In the previous version of the draft law, data controllers were obligated to inform the data subject if the personal data was deleted, destructed or anonymized. This obligation was highly criticized for the operational troubles it would bring. The current version of the draft law has removed this obligation.
- Rights of Individuals: Complaint system has been subject to a few amendments; however, there are no critical differences from the previous version.
- Criminal Liability: The provision which stated that violations of the Data Protection Law could have criminal repercussions has been clarified. Accordingly, the violations which would lead to administrative sanctions under the Data Protection Law and criminal sanctions under the Turkish Criminal Code have been completely set apart. This is not to say that the Criminal Code will not apply to non-compliance with the Data Protection Law; but rather, it means that non-compliance with the Data Protection Law will not automatically amount to a crime. This is good news for data processors as it provides further legal certainty. Interestingly, the draft law still dictates that Turkish Criminal Code will be directly applicable for failure to delete or anonymize outdated data.
- Data Protection Authority: Previous drafts of the law provided that a Secretary General Office would be established under the Ministry of Justice to function as the data protection authority. The current version, however, envisages the establishment of a Data Protection Authority (DPA) as an independent administrative authority, which would be affiliated with the Prime Ministry and have financial independence. This organizational structure is similar to that of the Competition Board and the Banking Regulation and Supervision Agency, etc. The inception of the Data Protection Board as a financially and administratively independent body was among the top priorities of the EU and we expect that this amendment will be well received.
- Signs of High Level of Enforcement: Previous versions of the draft law provided that the DPA would have 100 staff members; however, this number has now been increased to 195. This increase can be regarded as an indication that the board is expected to be more active than what was foreseen in the previous versions. Moreover, the current version indicates that the DPA will have six staff lawyers, while the previous version included none. When taking into consideration that lawyers are employed to represent public authorities in annulment lawsuits concerning their decisions, we can argue that the law will be implemented seriously and that data subjects and/or controllers are expected to frequently file lawsuits requesting the annulment of the board decisions.
- Entry into Force: The gradual entry into force procedures and transitional period obligations remain unaltered.
Apart from these, as you might know, the General Data Protection Regulation (GDPR) is expected to be soon enacted in EU, replacing the directive. Once the GDPR is enacted, the draft law in its current state will not be in line with the EU regime. This will surely be discussed in commission meetings prior to the adoption of draft law. However, taking into account the GDPR's highly complex and detailed structure, refraining from adopting it at this stage may be advantageous for Turkey. Indeed, Turkey's level of experience, be it as a regulator or a data controller, is currently arguably not apt for rules that envisage fines up to 4 percent of global revenues. Instead, amendments to the law or secondary legislation may be adopted in the future to ensure compliance with GDPR.
The list above does not include all the amendments made to the draft law, and the views on the amendments are of our own, and do not reflect the opinions of any public authorities. Please also note that the draft law may be subject to changes following the discussions at the Legislative Commissions as well as during the parliamentary discussions. Therefore, we recommend that you to seek further advice on the law once it is adopted.
image credit: RGB, NYT Word Frequency, Jer Thorp, 2011