The Turkish Constitution now deems the protection of privacy and personal data as a fundamental human right based on a 2010 amendment. But unlike EU member states (the country is a candidate state and has committed to ensure consistency with EU law, including laws related to privacy), the Turkish Parliament has not yet passed a general data protection law in which the rules and principles are clearly defined.

Consistency with privacy regulations involves, in particular, adopting a law on the protection of personal data as well as establishing an independent supervisory authority.

As part of the EU accession process, Turkey’s Ministry of Justice prepared a Draft Data Privacy Code in 2005. The draft code is intended to harmonize Turkish data protection laws with the Council of Europe’s Convention (No. 108/1981) for the Protection of Individuals with Regard to Automatic Processing of Personal Data (i.e., European Data Protection Convention) and EU Directive 95/46/EC. To date, however, the Parliament has not yet adopted it.

Amid increasing consumer sensitivity about privacy issues, however, the Turkish Parliament is expected to accelerate its efforts to adopt the draft code. Indeed, Turkish Prime Minister Recep Tayyip Erdoğan declared in September 2013 that the draft code will soon be on the Parliament’s agenda.

While there is no unified code on privacy, a regulatory framework does exist. Several Turkish laws, primarily the Civil Code, the Code of Obligations, the Labor Law and the Criminal Code, contain provisions on data protection. These laws provide that, as a general rule, the illegal processing of personal data is prohibited and may be subject to civil and criminal sanctions. None of these codes, however, clearly define “illegal processing.” Moreover, compliance with these provisions cannot be assured as there is no general data protection law, and no authority has been assigned to detect or remedy violations.

In addition to the codes listed above, certain sectoral laws also provide a more detailed regulatory framework for specific sectors such as banking, telecommunications, and healthcare. These sector-specific rules exist in selected market segments primarily to stand in for a much-needed general data protection law, as well as to address certain sector-specific concerns. Particularly in the banking and telecoms sectors, for example, the enormous imbalance in interactions between large corporations and individual consumers would benefit from clear and measured regulation of data processing and data retention.

Are sector-specific rules too strict for cross-border data flows?

There is no general restriction on the international transfer of personal data under Turkish law, although strict sector-specific rules and, to a certain extent, even prohibitions are in place. Arguably, the strictest regulation is found in the banking and telecoms sectors, presenting regulatory and practical obstacles.

For obvious reasons, a global data flow between data centers both inside and outside Turkey is essential for cloud computing to be technically and economically viable. Recent legislative developments in Turkey have allowed businesses to move some of their operations online and develop creative electronic services (including electronic invoicing, electronic general assembly and executive board meetings, electronic bookkeeping and new payment and e‑money services). In reality, though, cloud offerings cannot be widely used by banks or telecoms operators due to restrictions on cross-border data flows. Turkish banks, for example, are required to keep the “primary and secondary copy” of their data on their own servers physically located and maintained in Turkey. Similarly, telecoms companies operate under a strict prohibition on the international transfer of user and consumer data related to telecommunications activities.

These rules prove that, absent a general data protection law, sectoral regulators adopt stricter approaches and impose draconian rules on data protection. Although one might expect the opposite, strict sector-specific rules may tend to be insensitive to the commercial and operational realities and needs of companies operating in those sectors. Moreover, these harsh regulatory approaches have significant financial consequences. Due to regulatory barriers, which prevent placing data centers outside Turkey and the effective management of international data flows, the future of cloud services, as well as Turkey’s potential profits, are limited.

The lack of a general data protection law setting out the general framework is one of the main reasons why sectoral regimes contain such strict provisions. The current version of the draft code includes restrictions on international data transfer, which are more or less in line with EU rules. Under the draft code, personal data may be transferred abroad only under special circumstances — for example, if the foreign country to which the data will be transferred provides equivalent data protection.

That Turkey does not qualify as a country providing data protection at the level of the EU is another consequence of failing to adopt a general data protection law. The lack of protection, therefore, further restricts data transfer as most jurisdictions require reciprocity. For example, even within the same group of companies having entities in both the EU and Turkey, internal data transfers can be problematic.

Turkey’s current regulatory regime does not help its aspiration to become a global IT hub as data transfers into Turkey may be limited under the laws governing multinational companies. As an example, a multinational company may be restricted by its home jurisdiction’s law from outsourcing a call center business to Turkey. If the draft code is adopted, however, Turkey’s data protection regime will be similar to the EU’s, which should make it easier to transfer data in and out of Turkey.

What are the other main problems?

The problems due to lack of a general regulatory framework are not limited to cross-border data flows. Indeed, a major problem is the uncertainty companies and their advisers face when identifying, assessing and mitigating risks associated with their privacy policies — a relatively easier task in sectors where privacy issues are regulated.

In unregulated sectors, however, in-house lawyers, privacy and compliance officers and their advisers must make decisions based only on broad principles without guiding precedent, law or regulation. Companies operating in Turkey may, therefore, fail to strike the proper balance, resulting in policies either more onerous than legally required or which inadvertently run afoul of unstated regulatory opinion.

The current regulatory framework in Turkey also affects businesses operating through the Internet. Not surprisingly, the Internet now plays an increasingly significant role in the Turkish business world.

Widespread use of the Internet, both for professional and personal purposes in Turkey, further necessitates adopting a general data protection law.

As an example, the current regulatory framework offers little assurance to consumers engaged in e‑commerce. Not only is there no general data protection regulation, there is also no specific regulation on e-commerce, often leaving these issues to general Turkish contract and commercial rules.

Under these circumstances, where local firms’ data protection and e‑commerce-related operations are often minimally regulated or simply unregulated, multinational e-commerce firms fear they cannot efficiently compete with their local competitors since they must follow stricter internal policies.

What should international companies do?

Even though there is no unified code, data protection is not totally unregulated.

The Turkish Constitution defines the right to privacy as a fundamental human right, and general laws address privacy rights.

The draft code may enter into force if and when adopted by the Parliament. For these reasons, foreign businesses operating in Turkey should be aware of the current and potential future privacy rules which could impact their businesses.

Few Turkish companies and only a minority of international companies, however, have privacy policies customized for Turkish privacy rules. Many international companies simply use their existing internal policies, often prepared on the basis of foreign law, which may result in inadvertent violations of Turkish law.

To ensure compliance, both local and foreign companies should, therefore, consider revising or implementing data protection practices and policies consistent with both the existing Turkish law and the upcoming draft code.

Hakki Can Yildiz is a senior associate at Esin Attorney Partnership.