PERSONAL DATA PROTECTION REGIME IN TURKEY
IN LIGHT OF THE NEWLY ENACTED LAW NO. 6668
Av. Ayşe Eda Biçer, Stj. Av. İlke Işın Süer
Fast-paced developments and technological advances raise numerous questions about the status and fate of the personal information and data of individuals. As such, data protection is on the agenda of legislators worldwide and constitutes an increasingly important field of compliance for all kinds of organizations.
With Turkey’s status as an accession country to the European Union (the “EU”) and with the inclusion of a data protection mandate into the Constitution with the round of amendments seen in 2010, the adoption of a law on data protection has become high on the agenda of the Turkish legislator. Article 20 of the Constitution on the right to privacy regulates the right of individuals to seek protection of their personal data and covers surrounding issues such as the right to receive and access such personal data, to request change or deletion of personal data where justified and to receive information on whether the data is duly processed for lawful purposes. This constitutional provision required the adoption of a designated law to implement such a fundamental right.
Work on Law No. 6668 on the Protection of Personal Data (the “Law”) has been ongoing since 2012 and it was brought before the Parliament on 18 January 2016 for discussion and adoption. Upon its adoption by Parliament on 24 March 2016, the Law entered into force with its publication in the Official Gazette on 7 April 2016.
With the efforts continuing towards EU accession and the necessity to align legislation with the acquis communautaire in mind, the Law has been prepared taking into account the main pieces of legislation applicable in the EU, first and foremost the EU Data Protection Directive 95/46/EC (the “EU Directive”). Meanwhile, it is noteworthy that within the EU, agreement has been reached on the text of a comprehensive Draft General Data Protection Regulation, which will likely be adopted within this year. With formal adoption of the Regulation, the EU will hold a legislative instrument that is directly applicable in all EU Member States.
Prior to enactment of the Law, Turkish legislation offered protections through various separate provisions found in different pieces of legislation such as the Constitution, the Turkish Civil Code and the Criminal Code, which will continue to remain applicable alongside the newly adopted Law. The primary protection is presented in the Constitution, which guarantees a certain catalogue of fundamental rights and freedoms, notably the right to privacy under Article 20.
Main features of the Law
Objective and definitions
The objective of the Law is the protection of fundamental rights and freedoms, notably the right to privacy on the one hand and the regulation of the duties of data processors on the other.
“Personal data” is defined under the Law as all kinds of information relating to an identified or identifiable person. The reasoning clarifies that personal data is not limited to information on the name, surname or place of birth of a person but includes all kinds of information pertaining to physical, economic or social characteristics. The term “identified or identifiable” relates to whether available data, such as cultural or social information, can be associated with a given person so as to lead to his identification. “Data processors” subject to the provisions of the Law are defined as those real and legal persons that process data via data recording systems on the basis of authority granted to them by data controllers. No distinction is made between these in terms of public or private enterprises. “Data controllers” are defined so as to comprise real and legal persons that determine the objectives and means of processing and that are responsible for the establishment and management of a data recording system. 
Article 6 of the Law relates to criteria for the processing of special personal data and contains a definition of “special personal data”. It provides that information revealing an individual’s racial and ethnic origin, political opinion, philosophical beliefs, religious sect or other faiths, appearance, association, foundation or trade-union membership, health or sex life, criminal conviction or security measures, as well as biometric information, constitutes special personal data.
It is noteworthy that a definition of “express consent” has been included in the Law so as to provide clarity to the provisions requiring the data owner’s express consent. Pursuant to this definition, which is in conformity with the EU Directive, express consent means an informed consent, freely given in relation to a certain issue. The reasoning of the provision sets forth that the term shall be understood to indicate the consent of individuals to the processing of their information that is unambiguous, based on sufficient relevant information and limited to that specific process.
Establishment of an independent supervisory body
One of the main novelties the Law introduces is the establishment of (i) a Personal Data Protection Authority (the “Authority”) which, whilst being financially and administratively independent, is in fact affiliated to the Prime Ministry; and (ii) a Personal Data Protection Board (the “Board”) that constitutes the decision-making organ of the Authority. The main tasks of the Board involve general supervisory powers to assess whether personal data is processed in accordance with legal requirements, to deal with complaints, to issue sanctions and to furnish opinions regarding drafts of relevant secondary legislation.
Criteria for personal data processing and the scope of protection
The Law contains rules on the processing of personal data and stipulates general principles and conditions. Personal data may only be processed provided that the principles and procedures mandated by law are adhered to. The Law lists certain principles and stipulates that processing must be:
• lawful and in conformity with the principles of good faith,
• accurate and up to date where necessary,
• processed for specified, explicit and legitimate purposes,
• relevant, limited and proportionate to the purpose of processing, and 
• kept only for the time prescribed in relevant legislation or no longer than necessary.
Personal data may not be processed without the express consent of the data owner; however, the Law provides a list of circumstances that limit this precondition of express consent, which are generally in parallel with the EU Directive. As such, the listed exceptions offer ways for data processing without express consent. These exceptions include, for instance, situations where processing is prescribed in legislation, processing is necessary for the establishment, exercise or protection of a right, or processing is necessary for the purposes of the legitimate interests pursued by the controller, provided however that the fundamental rights and freedoms of the data owner are not prejudiced. Despite the reference to the rights and freedoms of data owners, these exceptions enable data processors to benefit from the listed situations with no requirement for obtaining any prior permission or court order.
The Law envisages that processing of data that has been published by the data owner does not require obtaining the express consent of the data owner. The text of the Law, however, lacks a definition of “publishing”. Having said that, the reasoning of the Law explains that information that is made public or made available to the public domain by the data owner may be processed. Thus, despite the existence of the contrary provision in the Law, it seems accepted that in situations where information is publicly available, the legal interest in the protection of information will be deemed as waived.
In addition to specifying circumstances in which the need for express consent is lifted, the Law also sets forth certain situations and conditions to which its provisions shall not apply. According to this much contested provision, personal data may be processed within the context of intelligence activities related to national security, defense and public order without being subject to provisions of the Law. Although this provision is also stipulated in the EU Directive, a narrower scope of application is set therein by requiring that the relevant protections shall be lifted only in the case that it is mandatory for maintaining national security, defense and public order. It is also noteworthy that the Law contains certain additional exceptions which are not provided for in the EU Directive. For instance, the provision enabling processing of personal data in art and history studies or for scientific purposes, provided that the relevant person’s right to privacy is not violated, is rather questionable, as one cannot easily ascertain what constitutes processing of personal data outside the relevant person’s express consent without violating his/her right to privacy.
Transfer of personal data
The Law sets limits relating to the transfer of personal data to third parties and provides certain conditions that must be met. As with data processing, the starting point is once again the requirement of express consent of the data owner. However, certain situations in which personal data may be transferred to third parties without a need for consent are also envisaged in the Law.
The transfer of data abroad additionally requires the approval of the Board and that the recipient country offers an adequate level of protection. Otherwise, transfer is only possible where exceptional circumstances listed in the Law are present. A further limitation regarding the transfer abroad relates to situations in which the transfer entails serious harm to the interests of the data owner as well as Turkey. In such cases, transfer is made conditional on the approval of the Board, which shall consult with relevant state institutions and organizations.
Transition period and entry into effect
The Law stipulates a transition period of two years in which all data processed prior to the entry into force of the Law shall be brought into compliance and data that is contrary to the Law shall be erased, destroyed or anonymized immediately. Failing to do so will lead to the imposition of relevant criminal penalties contained in the Turkish Criminal Code and monetary penalties mentioned in the Law. In terms of entry into effect, except for certain provisions that shall enter into force six months after the effective date, the Law as a whole became effective as of the date of its publication in the Official Gazette.
Concluding remarks
In spite of uncertainties with regard to the application of the exceptions provided in some provisions, the fact that the Law has been closely inspired by the EU Directive constitutes a positive development with regard to the protection of personal data in Turkey. It must however be noted that, for the sake of ensuring security and protection of personal data, it would be important that exceptional circumstances in which the provisions of the Law will not be applicable are interpreted as strictly and narrowly as possible so as to prevent arbitrary storage, processing and transfer of personal data.