Data Privacy in Turkey


In 1981 Turkey signed a treaty addressing data privacy. It has a good chance of being ratified in this coming fall term, more than thirty years later. That treaty, along with another piece of legislation, would implement long awaited data protection in Turkey.

The treaty, as it is sometimes referred to, is actually a Convention – The Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data. It was sent to the Turkish Parliament at the end of July 2014, after 30+ years on the shelf, and put on the fast track for ratification.

The Convention was drawn up in 1981 by the Council of Europe, not to be confused with the European Union or its similarly named institutions. Unlike the European Union it cannot create binding laws, so Turkey was in no way compelled to ratify and implement the CoE Convention. The Convention would greatly strengthen privacy protection in Turkey, which at this time is only lightly regulated.

As of now the term “Personal Data” is not explicitly defined, nor is there a specific overarching law that addresses data privacy. Different facets of data protection are addressed in numerous regulations and general laws. The Turkish Constitution, Civil Code, Criminal Code and other regulations all contain provisions regulating some aspect of privacy. And as a rule, as a member state of the Universal Declaration of Human Rights, Turkey abides by its Article 12 which stipulates “No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks“.

See the specifics of current law in DLA Pipers comprehensive handbook, Data Protection Laws of the World. http://www.dlapiperdataprotection.com/#handbook/law-section/c1_TR

Also moseying through Parliament is the “Draft Law”, first proposed in 2008. Expectations are that it will be finalized by the time the Convention is ratified. However, it too has been languishing for some years, and previous expectations have not been met.

The Draft Law follows the provisions of the EU’s Data Protection Directive. Turkey, eager to join the European Union, is currently in Candidate status. Adherence to EU standards for Data Protection law is one of many criteria that must be met for Turkey to gain member status.

One requirement of the Directive is the creation of a completely independent authority to administer local laws implementing the regulations as laid out in the Directive. This may prove difficult for Turkey, and in fact is considered by many to be the reason The Draft Law is taking so long to implement.

At first glance Turkey seems well positioned to create the required independent authority. The government has handed off control of economic sectors to independent agencies, which are quickly increasing in number. Upon closer examination however, certain features of these agencies’ structure actually ensure integration with the government to some degree. The way “independence” is currently defined in Turkish law would not meet the EU’s extremely strict criteria for complete independence of the governing authority.

Current Turkish law only lightly regulates data privacy. There is no consolidated piece of legislation; instead numerous general laws address different aspects of data privacy and protection. Two major data protection constructs have been in play for many years, but never implemented. Today hopes are high that both will be in effect by the end of 2014 or shortly thereafter. However the expectation of impending legislation has proven incorrect in the past. But it is likely that Turkish law will approach and ultimately meet the criteria laid out in the EU Data Protection Directive.

Although current regulation is minimal, marketers should diligently meet current compliance law, and keep a sharp eye on two things moving through Parliament: The Council of Europe’s Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, and The Draft Law. The latter is based on the EU Data Protection Directive No.95/46/EC, so familiarity with data privacy in the EU is a big bonus.

Some links for in depth reading on this topic and some other relevant info are below.

The Council of Europe
A bit of background on the Council of Europe, which is less familiar to some readers than the EU: The Council of Europe is an international organization focused on fostering cooperation between member states in several areas including  democracy, human rights, pharmaceutical standards, and more. It was founded in 1949 and has 47 member states. Unlike the EU it cannot create binding laws.

Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data
The Convention stipulates that personal data undergoing automatic processing shall be

“…obtained and processed fairly and lawfully; stored for specified and legitimate purposes and not used in a way incompatible with those purposes; adequate, relevant and not excessive in relation to the purposes for which they are stored; accurate and, where necessary, kept up to date; and preserved in a form which permits identification of the data subjects for no longer than is required for the purpose for which those data are stored.”

“Personal data revealing racial origin, political opinions or religious or other beliefs, as well as personal data concerning health or sexual life, may not be processed automatically unless domestic law provides appropriate safeguards. The same shall apply to personal data relating to criminal convictions.”

www.mondaq.com/x/308428/Data Protection Privacy/Data Protection Laws In Turkey
www.mondaq.com/x/228120/data protection/LongExpected Transition In Data Protection Law