The demands of 21st century business have made computers become more and more integral to business operations and as the networking grows, to sharing data while balancing the challenge for protect personally identifiable information.
Throughout the world governments have started to develop legislation regulating data privacy and its protection. Data protection strives to impose control on the improper usage or disclosure of personal data.
Even though Turkey does not have any independent and specific legislation concerning data privacy and its protection, there are several provisions in the Turkish Constitution, the Turkish Civil Code, the Penal Code, the Labor Law, the Banking Law and the Bank Cards and Credit Cards Law. There are also international sources of law, such as European Convention of Human Rights which has specific regulations regarding privacy and which is also binding on Turkey.
Personally identifiable information or data privacy are not defined in the Turkish legislation. However, according to the Turkish law doctrine, the disclosure, storage or transfer of personal data in any manner without consent of the relevant real or legal person is considered as violation of data privacy rights.
As a result of an unprecedented demand from consumers and businesses for internet usage and business mobility solutions, the telecommunication industry has enjoyed a spectacular success despite
today's troubled global economy. However the boom in the telecommunication industry may also lead to the exposure of personal data. The following are a few examples of violations of data privacy in the telecommunication industry:
Providing third parties with all the information that customers share with the telecommunication companies within the scope of their services;
Eavesdropping, keeping records, storing personal data without a court's decision;
Lack of technical infrastructure in the telecommunication companies for protection of their customers' data privacy;
Use of personal customer data for political and commercial purposes without customer consent.
This article examines the safeguards that currently exist under Turkish legislation to protect the personal data of telecommunication users.
As noted above, although there are numerous provisions about data privacy in several codes, they are generally sector based provisions. Other than the Turkish Constitution, Turkish legislation can be classified into three parts. Civil law legislation aims to ensure data privacy via private law tools such as indemnities, whereas criminal law legislation aims to ensure data privacy via penal sanctions, and finally ancillary legislation of the Turkish Telecommunication Authority ("TTA") intends to regulate the telecommunication companies via administrative fines.
The Turkish Constitution regulates personal privacy. Everyone has the right to request the protection of his/her personal data. This right includes being informed, having access to and requesting the correction and deletion of his/her personal data and being informed as to whether the data is being used according to the envisaged objectives. The Constitution also regulates the freedom of communication and underlines secrecy of communication. Communication shall not be impeded, and its secrecy shall not be violated unless there exists a decision duly rendered by a judge, or unless there exists a written order of an authorized agency in cases where delay is prejudicial.
The Civil Code remains the umbrella legislation for all kinds of violation of personal rights and provides an implicit protection for personal data. Under the Civil Code, an individual may request protection from the civil court in the event his/her personal rights, including data privacy, have been violated.
The Penal Code contains several provisions regulating and prohibiting improper usage of personal data. Storage of personal data without permission of the relevant person is a serious crime for which the offender may be sentenced to an imprisonment between 6 months to 3 years. Also, for offenders who obtain and disseminate personal data without permission will be sentenced between 1 to 4 years of imprisonment. If these crimes are committed by public officials, sanctions will be increased by half.
The Regulation on Protection of Personal Data in the Telecommunication Sector ("The Regulation") brings obligation of data protection for telecommunication companies. In accordance with the Regulation, telecommunication companies cannot obtain and use personal data for any purposes except their service activities. Telecommunication companies also have to delete all information regarding their customers following the accomplishment of their service. Companies are also under the obligation of keeping personal data of customers confidential. An administrative fine may be imposed by TTA on telecommunication companies in breach of the referred piece of legislation.
Under the foregoing legislation, there are three different procedures for safe guarding personal data in the Turkish legal environment.
In the first instance, there is protection of data privacy via civil actions. The Turkish law system enables an individual or a legal person to request prevention of a violation and also an indemnity for damages
incurred. The person whose personal data has been violated may demand the court to take action for prevention of a violation, elimination of such threat and the determination of unlawful consequences of the violation even though it has ceased. Further, the claimant may request indemnity for non-pecuniary damages that he/she suffered due to violation of personal rights. It should be noted that in addition to companies, employees of such companies who violate the data privacy rights of the customers are responsible from their actions as well.
Second, there are penal sanctions imposed on violators of data privacy. The commencement of an investigation and prosecution of data privacy crimes are not subject to complaint. The public prosecutor must commence it ex officio, if he/she is aware of the crime in any manner. These crimes may be committed by real or legal persons, but there is no provision as to legal persons in the Penal Code. The referred sanctions will be imposed on the authorized officials of the legal person.
Third, administrative sanctions are imposed by TTA on public or private companies that violate the data privacy rights of customers. Since the entry into force of the Regulation, TTA has imposed considerable administrative fines on the companies that have violated the data privacy principles of the Regulation. It may be worth to note that, administrative sanctions of TTA do not have judicial value and they are subject to the supervision of administrative courts. TTA may initiate an investigation as to violation upon a complaint or ex officio. Administrative fines may at most reach 3% of relevant company's annual turnover for the previous year.
A law specifically regulating data privacy and incorporating a data protection authority has been drafted by taking as the basis the European Union Data Protection Directive No.95/46/EC, but it has not been enacted yet. In order to strengthen customer confidence in telecommunication services, a complete reform of legislation regulating protection of data privacy is imminent.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.