I. Legal framework
Constitutional privacy and data protection framework
Article 20 of the Turkish Constitution deals with individual privacy and states, "Everyone has the right to demand respect for his private and family life. Privacy of individual and family life cannot be violated."1 Article 20 prohibits the search or seizure of any individual, his private papers, or his belongings unless there exists a decision duly passed by a judge in cases explicitly defined by law, and, in cases where delay is deemed prejudicial, that there is an order by an agency authorised by the law. Article 22 preserves the secrecy of communication and states that, "Communication shall not be impeded nor its secrecy be violated, unless there exists a decision duly passed by a judge in cases explicitly defined by law, and unless there exists an order of an agency authorised by law in cases where delay is deemed prejudicial."2 In October 2001, in a move aimed at improving its chances of joining the European Union, Turkey passed the Constitutional Amendment Bill, containing 34 proposed amendments to the Constitution.3 Several of the proposals strengthen the basic rights and freedoms of individuals, including increased protection for privacy of the person and the home.4
Subsequently, the Turkish Government presented a new constitutional amendment package (Anayasa DeÄŸiÅŸiklik Paketi) to Parliament in March 2010, which included proposed changes to 26 articles of the 1982 Constitution.5
A new section will be added to Article 20 regarding privacy and data protection issues. Pursuant to the proposed amendments, obtaining, storing, and using personal data for any means shall require the data subject's prior and explicit consent. It shall also grant every person the right to access related data without any delay or obstacle, and shall provide the right to demand a high level of protection for stored data and to have full control over one's personal data. The proposed amendment package was accepted by the Parliament and approved by the President in May 2010. However, because it was accepted without the three-fifths or two-thirds qualified majority according to Article 175 of the Constitution, a nationwide referendum will be held to approve the amendment package in September 2010.
Privacy and data protection laws and regulations
As part of Turkey's 2005 Accession Partnership with the European Union, Turkey is required to "[a]dopt a law on protection of personal data" and "establish an independent supervisory authority."6 According to the European Commission's latest progress report in late 2006, there have been no developments in Turkey regarding the protection of personal data.7 The EU partially suspended accession negotiation with Turkey in December 2006.8
Thus the situation is as follows. The 2003 Draft Data Protection Act (DDPA) has been sent to the relevant legislative commission at the Parliament; it is pending and has not yet been adopted.9 The draft establishes the protection of privacy in the public and private sphere on a new legal basis. It protects the personal data handled either by persons or entities, with the aim of protecting natural persons. The law will be applicable to both automated and manual data processing. It aims to protect the right of personhood and the fundamental rights of persons who are the subjects of data processing. The draft addresses the following: general conditions for the legal standard of data processing; rules regarding the rights of personal data subjects; rules for data processing under private and public law; the establishment, structure, membership and obligations of the supervisory authority; data registry; registration of data collection; data transfers to other countries; the obligation to register data transmission; and penal provisions. Regarding the last, the legislature intends to regulate offences against privacy, which will be subject to civil, administrative and criminal sanctions.10
This draft is in accordance with the Council of Europe's Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, which Turkey signed but has not yet ratified. Its crucial sections, regarding data processing, transfer, and storage are very much in line with Directive 1995/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data.11 The OECD Guidelines on the Protection of Privacy and the Transborder Flows of Personal Data are also taken under consideration. Though there are still some loopholes in the Draft Act, it can be considered an important step toward Turkey's harmonisation with EU legislation in terms of data protection and privacy.
For the time being, the protection of personal rights within the Turkish national legislation is regulated in the Civil Code. Pursuant to Article 24 of the Civil Code, an individual whose personal rights are unjustly violated has a right to civil action. Furthermore, disclosing, transferring, or misusing personal or confidential data in any way is deemed an invasion of personal privacy, and consequently, as an infringement of personal rights. Any unlawful invasion of an individual's privacy, including personal or confidential information, will incur legal consequences. The scope of personal or confidential data is determined by a court under its sole discretion, unless such scope is defined within the terms of a confidentiality agreement or any other agreement between the parties, or is specified by a special regulation. As consequence of such act, an aggrieved party may receive indemnification of their material and immaterial damages pursuant to Article 49 of the Code of Obligations (Borçlar Kanunu).12 However, there is little criminal liability for such violations of personal rights.
The 2005 Criminal Code regulates felonies against the private life and the private sphere. These felonies may be pursued ex officio, where the offences concern the storage, illegal transfer or retention of data. The following felonies on data protection are established in Section 9 of the Turkish Criminal Code: violation of the secrecy of a communication; wire-tapping; storage of personal data; and illegal transfer of personal data.13
A Turkish law extending the state press restrictions to the Internet was passed amid much opposition in May 2002.14 The law, called the Supreme Board of Radio and Television Bill No. 4676,15 places the Turkish Internet under the regulatory authority of the Supreme Radio and Television Board (Radyo ve Televizyon Üst Kurulu or RTÜK).16 Former Turkish President Ahmet Necdet Sezer has expressed disapproval of the provisions.17 The President first rejected the law and sent it back to the Parliament, and proclaimed the law to be unjust and unfair supporting his opinion with a long list of motivations.18 The Parliament insisted on the necessity of such legislation and the President had compulsorily to undersign it, according to the Constitution. However, having declared his disapproval, he has taken the law to the Constitutional Court for annulment. This situation caused great discontent among the public and put pressure on the highest Court. Eventually, the number of the Bill changed to 4756 but most of the critical articles -- such as Article 31, which gives authority to the RTÜK for regulating dissemination on the Internet -- remained unchanged. In particular, Article 26 of the Bill No. 4756, which integrated Article 9 at the current RTÜK Bill No. 3984 -- has inserted a very debatable provision to the Press Law (with this article the provisions regarding the defamatory claims in the RTÜK Bill, shall cover the actions that will be taken via the Internet). Fortunately, these particular controversial provisions have not been used very often by the prosecutors since they were adopted.
The Electronic Signature Act came into force on 23 July 2004. The Act was prepared under the guidance of the EU Directive and took into account the practice of member states such as Germany, France, Austria, and Belgium. The Electronic Signature Act mainly provides that e-signatures have the same value and effect as actual written signatures and thus validate proceedings concluded in the electronic environment. With regards to the privacy and data protection, Article 12 of the Act regulates data collection and data processing and Article 16 underlines the importance of express consent from the provider and penalises contrary receipt of data without the consent.
In addition, the E-signature Regulation and Communiqué entered into force on 6 January 2005.
According to its provisions, e-signature certificate providers are commissioned to issue such electronic documents by fulfilling certain conditions stated in the law, and they are subject to the following obligations related to data protection: (a) The certification service provider may collect personal data only to the extent necessary for the purpose of issuing a certificate. Sharing data with a third party is permissible only with the consent of the person whose personal data is being processed; (b) The certification service provider may not disclose the certificate to third parties without the consent of the certificate owner; and, (c) The certification service provider has to prevent third parties from collecting personal data without the written consent of the owner of such personal data. The certificate service provider may transfer/use personal data only with consent of the owner of such data.19
The Telecommunications Council, established in 2000, is the main institution responsible for data protection and privacy issues in the telecoms sector. It has been authorised by the Turkish Government. Under the supervision of the Council, a regulation was enacted in 2004 by the Parliament in terms of data protection in the telecommunication sector as Regulation on Personal Data Processing and the Protection in Telecommunication Sector (Regulation). The Regulation is in principle a summary of the European Union's Directive 2002/58/EC on data protection in electronic communications.20 It regulates the following topics: security of communication; duty to disclose the risks with regard to network security; privacy of communication; processing of data; call number display; lists of participants; and spamming. In Article 20 of the Regulation, it is clearly stated that "you shall not obtain any personal data without the data subject's express consent; and process it in terms of communicating by telephone, fax, mobile phone and electronic mailing or any other electronic communication device." It has also been stated that the data subject should always have easy access to an option to opt in or opt out whenever he or she wants.
In the light of the above, it can be deduced that there currently is no comprehensive regulation concerning data protection and privacy in Turkish law. There is not a concrete definition for "personal data" either. Only Article 3 of the Regulation on Personal Data Processing and the Protection in Telecommunication Sector gives a framework definition of "personal data" as "any kind of information such as ID number, any other direct and/or indirect physical, sociological, cultural, economical, ethnical, political information, and also other additional explanatory information regarding her/his genetic, religious and family status." So, in light of this very general and vague definition, in practice the name, postal address, email account information, phone numbers, age, and sex of a person are generally accepted as personal information. According to the abovementioned Regulation, digital information such as computer IP addresses, might also be considered indirect or direct information in the event of damage and loss. But this definition as such will be slow in coming, and shall definitely be at the discretion of the relevant courts. Moreover, there are more solid definitions in the key sectors like the banking and finance.
Major privacy and data protection case law
Relevant case law concerning privacy and data protection is cited infra in the text and categorised under the corresponding section.21
- 1. Constitution of the Republic of Turkey (as amended on 7 October 2001), Art. 20, available at http://www.anayasa.gov.tr/images/loaded/pdf_dosyalari/THE_CONSTITUTION_O....
- 2. Id., Art 22.
- 3. Nick Thorpe, "Mixed Reactions to Turkey's Reforms", BBC News, 5 October 2001, available at http://news.bbc.co.uk/hi/english/world/europe/newsid_1580000/1580238.stm.
- 4. US Department of State, Country Reports on Human Rights Practices - 2001, 4 March 2002, available at http://www.state.gov/g/drl/rls/hrrpt/2001.
- 5. Text available in Turkish at http://www.akparti.org.tr/media/www/Anayasa%20teklif%20metni.pdf.
- 6. European Commission, Council Decision of 23 January 2006 on the principles, priorities, and conditions contained in the Accession Partnership with Turkey (2006/35/EC), available at http://eur-lex.europa.eu/smartapi/cgi/sga_doc?smartapi!celexapi!prod!CEL....
- 7. European Commission, Turkey 2006 Progress Report, 8 November 2006, available at http://ec.europa.eu/enlargement/pdf/key_documents/2006/nov/tr_sec_1390_e....
- 8. European Commission, Questions and Answers -- Turkey, available at http://ec.europa.eu/enlargement/questions_and_answers/turkey_en.htm.
- 9. Turkish text at http://www2.tbmm.gov.tr/d23/1/1-0576.pdf.
- 10. Id.
- 11. See http://www2.tbmm.gov.tr/d23/1/1-0576.pdf (in Turkish).
- 12. Turkish text available at http://www.mevzuat.adalet.gov.tr/html/407.html.
- 13. Id.
- 14. Jonathan Evans, "Turkey Passes Strict Net Law," Wired News, 15 May 2002, available at http://www.wired.com/news/politics/0,1283,52558,00.html?tw=wn_story_related.
- 15. Yaman Akdeniz, Internet Governance and Freedom in Turkey 3 (2003). available at http://www.cyber-rights.org/documents/osce_turkey_paper.pdf.
- 16. Dorian Jones, "Turkey Tightens Controls on the Net", BBC News Online, 28 May 2002, available at http://news.bbc.co.uk/1/hi/sci/tech/2006759.stm.
- 17. Id.
- 18. See http://www.turkhukuksitesi.com/makale_38.htm (in Turkish).
- 19. Id.
- 20. Directive 2002/58/EC of the European Parliament and of the Council concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications), 12 July 2002, OJ L 201, 31 July 2002, at 37-47, available at http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32002L0058:E....
- 21. Cfr. Sections "Cybercrime," and "International Obligations & International Cooperation," infra.