“This is by far the most important law that will affect the biggest number of people in Turkey that the government has endorsed in the last couple of years,” said Hakkı Can Yıldız, from Esin Attorney Partnership.
The new commercial code, which came into force in 2012, and the law on consumer protection, which came into force in 2013, were also very important, but they consisted of amendments to the already existing laws, said Yıldız, adding that it was the first time Turkey has endorsed a law to protect personal data.
The critics of Turkey’s relations with the European Union do not want to see that a big majority of reforms in this country have taken place thanks to the membership process, even though the process has been disrupted many times. This is the case with the data protection law as well.
The Turkish public has become familiar with cyber security/information security issues only belatedly and unfortunately thanks to cyber-attacks and data breaches which have taken place in the past couple of years.
The most recent incident, a data breach about the information on the identity cards of 50 million Turkish citizens, would have led to a big scandal anywhere else in the democratic world. No one has so far assumed responsibility for the data breach, which took place in 2010 when the Supreme Election Board shared the information of the electorates with the political parties ahead of an election, as required by law. While the blame game continues between the government and the main opposition party, the fact remains that while the government was quick to endorse information technology on state affairs, it was not as quick to take measures against the downside of it.
The fact that Turkey did not have a personal data protection law until recently testifies to this laxity.
And, as usual, the law was not motivated by the need to protect personal data but by the urgency to fulfil the criteria in order to secure visa-free travel to Europe by June, in accordance with the refugee deal that was agreed between Turkey and the European Union.
According to Yıldız, the head of privacy practice at Esin, which is a member firm of Baker & McKenzie International, a whole new period is starting for international companies doing business in Turkey, as well as Turkish companies doing business abroad. Companies that are processing data above a certain limit will have to register to the data protection authority. In addition, companies will have to get the permission of the data protection authority when they exchange personal data with third countries which are not seen as an adequate interlocutor; in other words, countries which fail to have adequate levels of protection, like Russia or China for instance.
Failing to do so will lead to consequences, like administrative liability. So companies will have to take the necessary measures if they want to avoid penalties.
Meanwhile, the independence of the data protection authority will be open to debate, since all its members will be appointed by politicians. In the draft law, the authority consisted of seven persons, four appointed by the prime minister and three by the president. In the final version, the number increased to nine; five will be appointed by parliament, four by the cabinet and two by the president.
In the draft version, those eligible to be elected were required to not be a member of any decision making body of a political party. According to the final version, those eligible should not be a member of any political party.
The final version is better than the draft, but even with this composition the independence of the authority is not guaranteed. In this regard, experts have pointed at the difference between RTÜK (the Radio and Television Supreme Council) and the Turkish Competition Authority. All RTÜK members are elected by parliament, whereas some members of the Turkish Competition Authority are elected by institutions such as the Court of Appeals, the Court of Accounts and the Union of Chambers and Commodity Exchanges of Turkey (TOBB). While RTÜK is notorious for its controversial decisions and has often been accused of being biased, the same has not been the case for the Turkish Competition Authority.