Why the EU should be more aware of Turkish data protection law?*
Last year was the first time I attended IAPP Europe's Data Protection Congress in Brussels, and my first impressions were of how many people were overwhelmed by the storm of the EU General Data Protection Regulation and the uncertain future of Brexit.
As a Turkish lawyer, I was asked repeatedly why I was there and if Turkey has a data protection law. There were sessions about third countries, including the Latin American countries, India, Japan and the U.S., but none on Turkey. It seems many people are unaware the European Union and Turkey are linked by a Customs Union agreement, which came into force Dec. 31, 1995; that Turkey has been a long-time official candidate for EU membership since the Helsinki Conference in 1999; and has an unofficial demand since the Ankara Agreement in 1963. According to European Commission figures, Turkey is the EU's fifth-largest export market and sixth-largest provider of imports, making Turkey the EU’s number one import and export partner. Despite some minor differences in the perspective of democracy and politics, Turkey is an important partner for Europeans.
So, why do most Europeans seem unaware of Turkish data protection legislation? It took a long time to answer this question. However, I am sure this is because people did not have time to think about the effects of the GDPR on other countries or which countries would be most affected. Turkey is obviously one of them. It is Europe’s neighbor and has been a close ally since the 1950s. The country seeks to gain full membership of the EU, and in an effort to ease international trade activities between Turkey and European countries, many European laws have already been implemented in local legislation. The regulations include data protection laws and the Turkish Data Protection Law, which was adopted in April 2016 and came into force after a two-year grace period. The TDPL is similar to the provisions in the 95/46/EU Directive with some differences, such as the scope of consent and the context of special categories of data. The Turkish data protection authority is an independent authority accountable to the Ministry of Justice and the president of Turkey.
So, everything seems proper on paper, right? But that’s not the case; let’s look at the facts.
Even Turkish citizens were unaware of the DPA
The Turkish DPA was officially formed at the end of 2016, eight months after the adoption of the legislation; however, it was not visible to the public until the end of 2017. There are many reasons for the delay, notably, the country had a failed coup attempt in the summer of 2016, which devastated the legal system as thousands of judges were dismissed due to their alleged ties with terrorist organizations. It would have been optimistic to expect international interest while the local awareness about the data protection legislation was so low.
Turkey was late to adopt a data protection law
Since the mid-2000s, Turkey has spent much effort to pass a law about data protection to meet the requirements of the EU chapters; however, we had to wait until 2016 for it to actually come out. At the same time, the EU applied pressure on Turkey to reach an agreement concerning the exchange of personal data between Europol and Turkish authorities to fight serious crimes and terrorism. A short, “useful” text was adopted at the 11th hour to meet the requirement, but it is not in line with EU standards and will have to be revised before the implementation of the operational agreement with Europol that is currently being negotiated.
A European Commission report from 2019 states, “Turkish data protection is still not in line with European standards and will have to be revised in order to ensure the implementation of the operational agreement with Europol currently being negotiated. Turkey should develop and implement a more comprehensive and coherent legal framework for the confiscation of the proceeds of crime and improve its capacity to manage frozen assets.” On top of that, no legislative changes have taken place to ensure the law is harmonized with the EU, in particular, the GDPR and Law Enforcement Directive 2016/680, which entered into force in May 2018. This concerns among other things, the application of data protection in law enforcement and the powers of the DPA. Turkey has not signed or ratified that 2018 Protocol amending the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Council of Europe, CETS No. 223).
Based on a poll in 2016 after the failed coup attempt, almost 85% of the people in Turkey believes justice varies depending on what connections you have and there is no standard about the enforcement of law.
Once, “Justice is fundamental for the State” was real.
Sometimes it might even be better to know someone who has good relations with authorities instead of hiring the most intelligent lawyer. For this reason, not only the local companies but even the international companies located in Turkey waited until the end of the grace period, just to see if the legislation is for real and would be enforced as it is written in the law.
Brexit talks overshadowed the release of DPL
It has been almost three years since the U.K. voted “no” to Europe, but the formalities and struggles are still there waiting for remedies. Once (or if) the U.K. separates from the EU, it becomes Europe’s biggest business partner and a third country, meaning there will be international data transfers in terms of the GDPR. There has been so much discussion about Brexit and what might happen, the unveiling of the Turkish DPL was not a top story when it was enacted.
Despite the above facts, the Turkish DPA is trying much harder to be recognized by its European equivalents and has applied for accreditation to the European DPAs. The application was submitted during the Spring Conference of European DPAs, held 8-10 May 2019, and shortly before the Turkish DPA fined Facebook $280,000 for violating Turkish data protection laws based on a data breach from September 2018. The Turkish supervisory authority ruled Facebook did not issue breach notifications, did not take technical measures to prevent further breaches, and violated the consent regime under TDPL.
It seems that we will be seeing similar fines against international companies in Turkey, through which I believe the Turkish DPA will want to come out and declare to the world that they are here.
*This article was first published on iapp.org.