Turkish Constitutional Court has issued a landmark decision on the Individual Application with application number 2018/14040 dated June 30, 2021 ("the Decision")1 wherein it laid out procedurally valid options for introducing liability actions against data controllers. Even though the Constitutional Court dismissed the case -due to not exhaustion of ordinary legal remedies -without going into the merits, the decision is noteworthy since the Constitutional Court, for the first time, established the procedural guidelines for individual complainants who raise issues of liability and compensation in data protection actions.
The background of the Individual Application is a claim by the Applicant who requested that the Constitutional Court establishes the criminal liability of three private legal entities ("Companies") and Information and Communication Technologies Authority, ("ICTA"), due to having stored and unlawfully processed the Applicant's internet traffic data for a period longer than what is allowed under the law. The data at issue dated back to years 2014 and 2015, but was produced by the Companies in 2017 to respond to a writ from ICTA. ICTA, on the other hand, requested the data from the Companies in order to respond to an information request from Istanbul 14th High Criminal Court.
Without going into whether the Applicant's claim had any merits, the Constitutional Court stated that an action in civil court for damages, rather than an action in criminal law is the correct legal avenue for the Applicant to seek redress for losses that he suffered due to unlawful processing of his personal data. Furthermore, the Constitutional Court explained that actions for violation of protection of personal data may either be brought in both civil and administrative courts, depending on the nature of liability alleged.
The issue of damages has yet not been explored by the Turkish Data Protection Authority ("DPA") either. Article 14(3) of the Law No. 6698 on Protection of Personal Data ("Data Protection Law") states that "request for compensation for damages under general provisions is reserved for those whose personal rights have been violated." However, the Data Protection Board ("the Board") has yet stayed silent on the issue by stating that "courts with general jurisdiction must resolve the issue of awarding damages to data subjects."
Thus far, there have only been a handful of published cases wherein the Board has made any reference to compensatory damages at all. In one decision2, the personal data at issue was information on the creditworthiness of the data subject. In its capacity as the data controller, the bank shared data subject's personal data with the data subject's father without the data subject's consent. Consequently, the data subject requested 30,000 Turkish Liras of non-pecuniary damages for moral suffering. The Board stated that this specific issue must "be adjudicated before courts of general jurisdiction" and issued a decision that stated "no action shall be taken with regards to the damages claim by the Board." Likewise, in another decision3 that concerned data regarding the credit status of the data subject being shared with his employer by the bank acting as a data controller, the Board held that the claim for 10,000 Turkish Liras in non-pecuniary damages must be heard by general courts.
As also validated by the binding Decision of the Constitutional Court, it is understood that courts of "general jurisdiction" for purposes general liability claims related to data protection are either administrative courts of first instance or civil courts of first instance. However, whether the correct venue for bringing a complaint against the data controller for damages is an administrative court of first instance or civil court with general jurisdiction appears to depend on whether the harm at issue occurred as a result of an administrative act, or as a result of personal fault or negligence.
Thus, in order to determine the correct legal avenue that will hear a data subject's claims on the merits, the data subject must first correctly assess the party against whom he/she is bringing an action for liability. Due to the nature of data protection actions, picking the correct court to file their liability/damages action may turn out to be a complex task for data subjects.
For instance, 4th Civil Chamber of the Supreme Court of Appeals in its decision dated November 24, 2014, with number E. 2014/11608, K. 2014/158004 reviewed a lower court's decision that dismissed a data protection action for "not having stated the correct adversary party." The issue in that case was whether rights of personal data protection of the data subject was violated by a public officer who was carrying out a public duty, or whether the violation occurred as a result of a private person's negligence or fault. The 4th Civil Chamber of Supreme Court of Appeals stated "as a general rule, damages caused by civil servants in performance of their duties are "neglect of duty claims" (.) However, acts that (i) can under no circumstances be associated with the public duty; (ii) are so obviously separate from the necessities and boundaries of the public duty, and (iii) are acts and transactions that are outside of the domain of public duty so determined by objective rules of law; may not be considered "neglect of duty" even if they were committed during the commission of public duty." The 4th Civil Chamber of Supreme Court of Appeals further stated that the act was one in which dissemination of personal data without consent worked to the benefit and well-being of the parties involved, and thus these acts could not be evaluated to be performed within context of the civil servant's duty. The Supreme Court of Appeals issued an order for the lower court to assess non-pecuniary damages based on the moral loss of the data subject.
Moreover, in actions to establish the liability of a public entity (i.e. government actor) as result of neglect of duty, administrative courts require a higher burden of proof to establish the damages suffered by the data subject (i.e. "strong pain and suffering") and further require causal link between the government actor's act and the damage to be established by the data subject. Besides, the government interference in all such cases tend to be justified due to the existence of both the authority to request information and a legal duty thereof, namely to ensure national security by promoting the continuance of police's intelligence activities.
The issue of establishing damages for harm caused by public entities' breach of data protection rights has been elaborated in European Court of Human Rights' ("ECHR") decision Karabeyoglu v. Turkey, numbered 30083/10, dated June 7, 2016. In the decision, ECHR held that right to protection of personal data had been violated when telecommunications data of the data subject was stored for a time longer than permitted for the purposes of the criminal investigation for which it was retained, and was unlawfully used beyond the purpose for which it was retained by the government when it was used later during an irrelevant disciplinary proceeding. In that case, the ECHR awarded the data subject 7,500 Euros of non-pecuniary damages.
All in all, a data subject's roadmap to getting their complaint on damages heard in Turkey appears to be as the following: (i) data subjects must first file their data protection actions in the correct court (i.e. administrative court of first instance or civil court) depending on the status of the party who violated their right on protection of personal data (i.e. private party or public entity); (ii) if the opposing party is a public entity, data subjects must overcome a higher burden of proof to be awarded damages (i.e. "strong pain and suffering" and actual causation). Presently, these burdens appear to be especially stringent on the data subjects, especially considering that actions that may raise concerns for data subjects due to potential data protection rights violations are usually based and found upon the private laws that regulate the public entities.
1. Constitutional Court, Ertan Ercikti, Application No 2018/14040, June 30, 2021, Accessible at https://kararlarbilgibankasi.anayasa.gov.tr/BB/2018/14040?BasvuruNoYil=2018&BasvuruNoSayi=14040. (Last accessed on September 20, 2021)
4. See 4th Civil Chamber of Supreme Court of Appeals; Decision with number E. 2014/11608, K. 2014/15800, dated November 24, 2014 . Available at https://www.lexpera.com.tr/ictihat/yargitay/4-hukuk-dairesi-e-2014-11608-k-2014-15800-t-24-11-2014 (Last accessed on September 20, 2021)
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.