The Turkish Physicians Association and the Turkish Dentists Association (together referred to as the "Plaintiffs") brought an action against the Ministry of Health ("Ministry") and the Turkish Data Protection Authority ("DPA") before the Council of State requesting the suspension of the execution of the Amendment to the Regulation on the Processing and Privacy of Personal Health Data ("Amendment") and certain provisions of the Regulation on the Processing and Privacy of Personal Health Data ("Regulation"), which were amended by the Amendment. Although the Ministry and the DPA argued that the legislation in question was in compliance with all the relevant laws, the Council of State granted the Plaintiffs' request and stopped the execution of the Amendment with its decision (No. 2018/1490 E.) on October 9, 2018 ("Decision").
According to the Decision, the Plaintiffs stated that the Regulation had come into force on October 22, 2016, and the Council of State had stopped the execution of the Regulation, which was issued without obtaining the opinion of the Turkish Data Protection Board ("Board"), and the Ministry had subsequently amended several provisions of the Regulation through the Amendment. Therefore, the Plaintiffs argued that the Amendment subject to the case was related to a piece of legislation, the execution of which had already been halted. Accordingly, the Plaintiffs asserted that such an amendment was improper and inapplicable, as there was already a stay of execution decision regarding the amended legislation, and thus, the Amendment was completely unlawful.
The Plaintiffs further argued that processing health data through such legislation was also illegal, since the Board had not decided upon the measures that should be implemented for processing personal health data, which concerns the most private and confidential information relating to individuals' health and sexual lives, which cannot be changed during the course of their lives.
The primary issue underlying the Plaintiffs' claims was clearly the fact that the Regulation (and, in a similar vein, the Amendment) required a vast amount/scope of health data to be submitted to a central system without any limitation or predefined purpose, and that such health data would be transmitted in an unencrypted form. In that regard, the Plaintiffs argued that health institutions and organizations, including the Ministry and all other relevant parties, are obligated to comply with the principles set forth under the Law No. 6698 on the Protection of Personal Data ("DPL") while processing personal data, and pointed out that it is especially necessary and important to comply with the principle set forth under the DPL stating that any personal data, which is processed, must be (i) relevant, (ii) limited, and (iii) not excessive in relation to the purposes for which it is processed. Consequently, the Plaintiffs claimed that collection of the health data of every citizen in a central system, by requiring all relevant parties that might possess such data (e.g., for providing health care services, as it is in the case of hospitals) to transfer their data to the central system without allowing any exceptions, cannot be considered as personal data processing that is relevant, limited and not excessive in relation to the purposes of processing.
According to Article 5/8 of the Regulation, health service providers will be required to transfer health data to the central health data system in accordance with the procedures and principles designated by the Board and the Ministry, along with the mandatory rules set forth under the DPL. In this regard, the Plaintiffs argued that, although this provision requires compliance with the mandatory rules, principles and procedures set forth under the DPL, and even though it is more feasible and reasonable compared to the former wording of the relevant provision prior to the Amendment, the fundamental illegality of the provision still persists. According to the Plaintiffs, the common ground between Articles 7/1 and 8/1 is that both provisions declare that it is obligatory to transfer personal health data to the central health data system established by the Ministry, without recognizing any distinctions or allowing for any exceptions. The Plaintiffs also pointed out that the Regulation further allows the Ministry to transfer such data to other public institutions and organizations, without setting forth any limits or specifications.
Furthermore, the Plaintiffs noted that, while the Regulation requires people who are responsible for providing health services to process personal health data only within the scope of the particular health services to be provided, this limitation does not appear to be applicable for the administration's access to the central health data system containing all special categories of personal data, which are collected from every available source.
Additionally, the Regulation does not require the anonymization of health data before such data is transmitted to the central system. Moreover, the Regulation does not offer any clarifications for health service providers regarding the categories of data to be shared with the central system, or any explanations as to how the data will be transferred to the central data system. The Plaintiffs argued that no balance had been sought or struck between the transfer requirement introduced for the health service providers and their fundamental confidentiality obligations, and remarked that it posed an obvious data security risk to keep the personal health data of all citizens in a central system without anonymizing such data. Lastly, the Plaintiffs contended that Articles 5/8, 7/1 and 8/1 of the Regulation concerning the transfer of personal data to the central system without any limitations were not consistent with the purposes declared by the Ministry and that these provisions would harm the essence of the fundamental rights of citizens protected under the Turkish Constitution.
Due to the foregoing reasons, the Plaintiffs claimed that issues which should be regulated under national laws were not regulated in any way by the Regulation and the Amendment, and argued that there were no clear, explicit, understandable and framework-specific rules governing the implementation of the obligations set forth under the Regulation. Therefore, the Plaintiffs requested a stay of execution to be granted on this matter.
In the reasoning of its Decision, the Council of State referred to the international legislation on this matter, and concluded that the provisions in the Regulation, which required the processing of health data as a rule (but not as an exception), were against the law. The Council of State reached this conclusion because the exceptions for processing health data only include the ones enumerated under Article 9 of Convention 108 ("Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data").
As per Article 25 of Convention 108, contracting parties have no discretion with respect to modifying these exceptions, and thus, processing health data outside the designated framework and purposes of the Convention clearly constitutes a breach of the Convention, which Turkey signed nearly forty years ago in 1981.
The Council of State also mentioned that the DPL is a framework law that covers and is applicable to all sectors, including public and private institutions, and that the Board has a general authority with regard to controlling and auditing the protection of personal data in all such sectors and areas. Furthermore, the Decision declared that one of the duties of the Board is to express its opinion on legislation drafted by other governmental institutions or organizations that contains provisions concerning personal data, and that it is necessary to take the adequate measures specified by the Board when processing personal health data.
However, as the Regulation was issued by the Ministry without waiting for the establishment of the Board (and thus, without consulting the Board), the Council of State found the Regulation to be in violation of the DPL, and granted a stay of execution for all of the provisions of the Regulation. In response to this decision, the Ministry argued that (i) the Board members could only be appointed by January 2018, and thus, it was not possible to obtain the Board's opinion on this matter, (ii) the Ministry had begun negotiations on the matter as soon as the Board had been established, and (iii) the Ministry had obtained the oral opinions of the Board members and it had revised the legislation in light of these opinions, before the stay of execution decision was granted.
The Council of State did not find the Ministry's arguments to be sufficient or persuasive, and asserted that it was not legally possible to restore or revive a piece of legislation, which was found to be unlawful and suspended from execution, by making partial amendments to it. The Council of State explicitly stated that new legislation would need to be drafted and passed in order to ensure full compliance with the laws, rather than making amendments to annulled legislation. In that regard, the Council of State noted that the Ministry had abstained from implementing the Council of State's previous decision as is and without delay.
Accordingly, the Council of State granted the Plaintiffs' request and decided to stop the execution of the Amendment and the relevant provision of the Regulation on October 9, 2018. In summary, both the Regulation and the Amendment are currently ineffective and inapplicable pieces of legislation, and, according to the Council of State's decision, the Ministry is now required to draft a new regulation from scratch by taking into account the applicable laws and procedures (such as the DPL), along with the Council of State's decisions.
This article was first published in Legal Insights Quarterly by ELIG Gürkaynak Attorneys-at-Law in March 2019.