The Data Protection Law was published in the Official Gazette dated April 7th, 2016 and some of its provisions entered into force upon its publication. Yet, the Data Protection Authority is to be established by October 7th, 2016 and some of the most significant provisions of the Law (including the provisions regarding criminal acts and misdemeanours) will enter into force on that date. Thus, the "new era" will actually begin on October 7th, 2016.
The 6-month period between the publication of the Law and its full entry into force has been an important timeframe for all relevant parties that will be subject to the new law and their consultants. Many companies in the private sector worked extensively to adapt their business models to the new structure. Law firms and technical consultancy firms have also improved their capabilities and are getting ready to provide comprehensive services to their clients.
Yet, despite all these preparations, no one knows exactly what to expect, since the Law only sets forth abstract principles and a lot is to be determined via the secondary legislation of the Data Protection Board and the case law to be established thereafter. Still, this does not mean that it is not possible to design a fully compliant business model prior to the establishment of the Board and the publication of the relevant secondary legislation.
When the Data Protection Law is examined, it is seen that the Law is quite similar to the EU Data Protection Directive, and it is highly probable that the Data Protection Authority to be established in October will take into consideration the best practices in the EU while creating its own legal framework. A similar approach was adopted by the relevant authorities while establishing the legal frameworks in competition law, telecommunications law and energy law, and the Turkey Progress Reports published by the EU Commission indicate that legislation in Turkey is mostly harmonized with the EU.
In that respect, the most plausible strategy for now seems to be internalizing the EU legislation whilst taking into consideration the well-established case law of the Court of Justice of the European Union (CJEU), European Court of Human Rights (ECtHR), data protection authorities of the EU member states and the detailed studies of the Article 29 Working Party. By doing so and acting in a proactive manner, it might be possible to mitigate most of the risks associated with the current state of legal uncertainty. However, it should always be kept in mind that Turkey has its own dynamics and characteristics. Thus, it is of vital significance to reconcile the EU law with the Turkish law while determining the roadmap to be followed.
It is now a critical time especially for the companies that intensively deal with personal data to initiate compliance programs. International firms should aim to fine-tune their global compliance policies in accordance with the framework in Turkey whilst domestic firms should focus on creating their own policies. Working with international law firms and consultancy firms that are already providing similar services in many different jurisdictions and that possess dedicated human resources specialized in compliance matters would bring a competitive advantage to their clients. It is also critical to keep in mind that compliance in the field of data protection requires a combination of legal and technical expertise.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.