1. Introduction:

This article analyzes the Constitutional Court's decision dated 12/10/2023, with the application number 2020/7518, addressing the violation of the right to property due to an administrative fine imposed by the Personal Data Protection Board (the "Board"). The case pertains to the well-known Marriott data breach incident.

  1. Incident Summary:

The applicant, an international hotel holding company, acquired another accommodation company in 2016. In 2018, the applicant detected unauthorized access to the acquired company's guest reservation database, leading to a data breach affecting 500 million users. The applicant reported the incident to the Personal Data Protection Authority ("Authority"). Following investigations, the Board imposed a fine of 1,450,000 TL on 16/05/2019, citing lapses in security measures and delayed notification.

  1. Applicant's Legal Actions:

The applicant contested the Board's decision on 26/07/2019, arguing inadequate notification, disputing data controller status, and asserting the lack of reasoning in the Board's decision. Initial objections were rejected, exhausting ordinary remedies. Subsequently, the applicant appealed to the Constitutional Court on 19/2/2020.

  1. Constitutional Court Review:

The Constitutional Court assessed the complaint as a violation of the right to property and examined procedural guarantees. Admitting the complaint's admissibility, the Court found the fine reduced the applicant's assets, constituting interference with the right to property. The Court evaluated the sanction's proportionality, legality, and public interest aspects, noting insufficient consideration of the applicant's arguments by the lower court.

  1. Court's Decision

The Constitutional Court declared Criminal Court of Peace's decision unlawful, citing limited examination and inadequate consideration of the data controller's identity. The right to property under Article 35 of the Constitution was deemed violated. The case was remanded to the Istanbul Anatolian 1st Criminal Court of Peace for retrial. The decision underscores the need for a more comprehensive review of Board decisions and the establishment of an effective supervisory mechanism in the context of Administrative Judiciary discussions.

  1. Implications:

The Constitutional Court's decision emphasizes the importance of thorough examination of data protection cases, especially concerning the role of data controllers and timely notification. It contributes to ongoing discussions on the need for enhanced oversight of administrative decisions, urging a more qualified review process. In this era of heightened scrutiny on data protection, the legal landscape is evolving, and decisions such as this underscore the significance of robust legal frameworks and effective judicial review mechanisms.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.