I. Introduction to Biometric Signatures in Turkey
Biometric signatures, a contemporary convergence of technology and personal identification, represent a new frontier in the world of electronic and digital validation. At their core, biometric signatures are an offshoot of biometric data. This data, renowned for its inherent association with an individual and its typically unchangeable nature, provides unique attributes that distinguish it from conventional data. Because it is innately connected to the individual, it cannot be altered or forgotten, which sets biometric data apart from other forms of information.
Yet, as we venture deeper into the realm of digital transactions and electronic authentication, we encounter a blend of different regulations that can vary significantly across jurisdictions. The European Union, with its systematic and broad-based approach, has developed a comprehensive regulatory framework encapsulating various forms of electronic and digital signatures. The eIDAS Regulation, a notable pillar in this construct, draws clear distinctions between different levels of electronic signatures, ranging from 'simple' to advanced and qualified signatures.
By contrast, the situation for biometric signatures in Turkey presents a different picture. While the EU's regulatory framework offers clarity and comprehensive coverage, Turkey's approach appears narrower. The country's regulatory landscape, predominantly focusing on "qualified electronic signatures", leaves other types of electronic and digital signatures unregulated. This limited framework leads to significant gray areas, prompting questions about the validity, recognition, and enforceability of various e-signatures within the Turkish jurisdiction.
In this article, we'll dive into biometric signatures, looking at how they fit into the wider landscape of digital rules in both the EU and Turkey.
II. Differentiating Types of Signatures: Electronic, Digital, and Biometric
Before we delve deeper into biometric signatures, it's pivotal to understand the distinction between electronic signatures, digital signatures, and biometric signatures. The eIDAS Regulation provides a structured approach to electronic signatures:
- 'Simple' electronic signatures: Defined as "data in electronic form which is attached to or logically associated with other data in electronic form and which is used by the signatory to sign". Essentially, appending your name under an email could be a 'simple' electronic signature.
- Advanced electronic signatures (AdES): Beyond the basic electronic signature, an AdES is uniquely tied to the signatory and allows them complete control. Moreover, it's linked to its associated document in a way that any subsequent changes can be detected. The most prevalent technology ensuring this is public-key infrastructure (PKI), encompassing the use of certificates and cryptographic keys.
- Qualified electronic signatures (QES): A QES is an enhanced version of the AdES, created by a qualified signature creation device (QSCD) and founded on a qualified certificate for electronic signatures.
While electronic and digital signatures primarily revolve around data validation and user authentication, biometric signatures capitalize on the unique physical or behavioral characteristics of the signatory. It's crucial to note the position of Turkish regulations in this context. Turkish regulations only recognize "qualified electronic signatures" (QES) as valid signatures. Other forms, including simple and advanced electronic signatures, aren't fully acknowledged as official signatures in the country, leaving them with limited legal standing. This distinction becomes more pronounced when considering the evolution and the potential legal recognition of biometric signatures in Turkey.
III. Understanding Biometric Signatures
Biometric signatures involve the use of specific biometric data to create signatures on a dedicated tablet or pad, with these data often securely linked to the signed document. It is important to clarify that while biometric signatures share some similarities with traditional handwritten signatures, they are distinct concepts. Unlike traditional wet signatures created with pen and paper, biometric signature solutions lack a standardized framework, resulting in diverse design features and differing functionalities.
The crucial differentiation between biometric signatures and traditional handwritten signatures lies in the manner in which they are evaluated. In the context of data privacy, the essence of biometric signature analysis hinges on dynamic characteristics, considering factors like the amount of pressure applied during the signature, the angle of writing, the speed and acceleration of the stylus, the formation of letters, the orientation of the signature, and other unique dynamic attributes. This contrasts with traditional signatures, which primarily focus on the visual appearance of the signature.
IV. Legal Aspects of Biometric Signatures: eIDAS, LPDP and Beyond
a. EU vs Turkey
The examination of biometric signatures in the context of legal and regulatory frameworks reveals a multifaceted landscape. Biometric signature solutions exhibit variations in design and implementation standards, largely due to the absence of a universal global standard governing their development and utilization. In contrast, the European Union has taken substantial strides in crafting a cohesive framework for electronic identification and trust services within the digital single market. This framework, known as the "Electronic Identification and Trust Services Regulation" (eIDAS), provides a structured approach to these matters, offering a measure of clarity within the EU.
However, when we shift our focus to Turkish legislation, we encounter a dearth of similar clarity. The distinctions between biometric and handwritten signatures and their compatibility with existing legal structures become increasingly pronounced. The absence of a specific legislative framework catering to biometric signatures within Turkey raises pertinent questions about their status and recognition under the law. This ambiguity underscores the necessity for a rigorous legal analysis to elucidate the position of biometric signatures within the Turkish legal landscape.
b. TCC, LPDP and the Data Protection Board Decision
The inclusion of biometric signatures within the legal framework poses intriguing questions, particularly regarding their compatibility with the provisions of Turkish Code of Obligations No. 6098 (the "TCC"). In the 14th and 15th articles of the TCC, which delineate the fundamental principles of contract formation, the requirement for signatures is stipulated as a handwritten act. This emphasis on the act of signing exclusively by hand prompts a pertinent query: Can biometric signatures be evaluated within the purview of Article 6, paragraph 3, of Turkish Law on the Protection of Personal Data No. 6698 (the "LPDP")?
The distinction between traditional handwritten signatures and biometric signatures hinges on the evaluation process. Traditional handwritten signatures rely on static or geometric attributes—how they visually appear. In contrast, biometric signatures focus on dynamic characteristics, scrutinizing the process of signature creation. A comprehensive analysis of biometric signatures considers dynamic elements such as the pressure applied during signing, the angle and speed of the stylus, the formation of characters, the direction of the signature, and an array of other distinctive dynamic features.
In a pivotal decision with the docket No. 2020/649, the Turkish Data Protection Board weighed in on this very matter. Their perspective emphasized that the term "signature" within the TCC includes the traditional handwritten signature and the secure electronic signature. While these two types of signatures produce similar legal outcomes, the board noted that the legislator distinctively regulates both. Expanding the TCC provisions to cover biometric signatures might lead to an overly broad reading of the exception in Article 6, paragraph 3, of the LPDP, potentially clashing with the principle of proportionality. As such, the board suggested careful handling of biometric signatures, requiring:
- Express consent from related individuals,
- Proper notification under Article 10 of the LPDP,
- Adherence to the "Adequate Measures" determined by the Board when processing sensitive personal data, as per Article 6, paragraph 4, of the LPDP.
In light of these points, it's clear that biometric signatures raise intricate legal questions that demand thoughtful analysis within the existing Turkish framework.
V. Using Biometric Data & Biometric Signatures
In the realm of data protection, the use of biometric signatures is intertwined with intricate legal considerations. The LPDP categorizes biometric data as a special subset of personal data. Processing such data without explicit consent is permitted only when other laws authorize it. A prime example is the provision for collecting biometric data for health services under Article 67 of Law No. 5510, Social Security and General Health Insurance Law.
For a deeper exploration into the intricacies of biometric data in Turkey, including critical insights from the European Court of Human Rights (ECHR) and the Turkish Data Protection Authority (DPA), readers are encouraged to consult our detailed article: "Unlocking the Use of Biometric Data in Turkey: Critical Insights from ECHR and the Turkish DPA".
When processing biometric data, it is crucial to adhere to the following conditions:
- Explicit Consent: Biometric data processing generally requires explicit consent from data subjects.
- Information Obligation: Data controllers must provide clear and comprehensive information to data subjects about the data processing.
- Measures for Data Security: To protect the integrity and confidentiality of biometric data, stringent security measures must be in place.
a. Biometric Data in the Healthcare Sector
In the healthcare sector, Article 67 of Law No. 5510 allows state hospitals to request biometric data to verify patients' identities when receiving healthcare services. This practice has sparked debates over privacy rights. However, the Constitutional Court ruled that this provision does not violate the Constitution, emphasizing the significance of preventing corruption in public offices and the enhanced security offered by biometric verification.
b. Biometric Data for Employee Shift Controls
Large companies and holdings often employ biometric data for tracking employee working hours. However, the use of fingerprint scanners for such purposes raised legal challenges. The Council of State ruled that fingerprints are an integral part of an individual's private life and thus protected under the right to privacy (Article 20 of the Constitution). It was determined that other equally effective methods exist for tracking employee shifts, and forcing employees to use fingerprint scanning systems was deemed unconstitutional.
c. Biometric Data for Secure Rooms
The implementation of secure rooms, especially in tech companies for safeguarding confidential information, has led to the demand for biometric data. Companies may require employees to provide biometric data for access to these rooms. While high courts have yet to provide specific rulings on this matter, the Council of State's decision regarding biometric data for employee shift controls suggests that employees cannot be compelled to provide such data for secure room access. Consent-based data collection remains a viable option, provided that consent is obtained meticulously.
The intersection of biometric signatures and Turkish law is marked by both promise and ambiguity. While technology paves the way for innovative and secure means of authentication, the regulatory landscape in Turkey remains cautious, emphasizing the imperatives of explicit consent and robust data protection measures. Different scenarios, be it healthcare, employee management, or secure areas, each come with distinct legal nuances, underscoring the importance of a judicious approach. As we stand on the cusp of a digital transformation, the evolving narrative of biometrics in Turkey serves as a compelling testament to the intricate dance between technological advancement and legal adaptation. The path forward beckons a harmonized approach, championing both individual rights and the burgeoning potentials of biometrics.