The Turkish Constitutional Court's decision in the complaint of M.I.I. concerns a violation of the right to property due to an administrative fine imposed for failing to take the necessary technical and administrative measures to secure personal data.

The case revolves around a holding company operating hotels in various countries, which acquired another company in 2016. In 2018, it was discovered that unauthorized access had occurred in the guest reservation database of the acquired company, leading to a data breach of approximately 500 million customer records.

The Turkish Personal Data Protection Board (Kişisel Verileri Koruma Kurulu) evaluated the company's notification of the breach and decided to impose an administrative fine of 1.45 million TL for failing to take necessary measures to protect data security and for not reporting the breach in the shortest time as required by Article 12 of Law No. 6698 on the Protection of Personal Data.

The Analysis of the Constitutional Court on the Violation of Right to Property

The Constitutional Court's analysis is centered on whether the imposition of the administrative fine constituted a violation of the right to property as enshrined in Article 35 of the Turkish Constitution.

The Court acknowledged that the administrative fine resulted in a reduction of the complainant's assets, thus constituting an interference with the right to property. The Court emphasized that such interference must comply with the principles of legality, pursuit of a legitimate aim (in this case, the public interest), and proportionality.

The Court determined that the administrative fine, based on the violations of Law No. 6698, aimed to prevent unauthorized access to and ensure the protection of personal data, thus serving a public interest. The fine was deemed to meet the criteria of legality and pursuit of a legitimate aim.

Regarding proportionality, the Court acknowledged the need for a balance between the severity of the penalty and the seriousness of the breach, while also recognizing the discretionary power of public authorities in determining the most effective and efficient means to achieve the intended goal. The Turkish Constitutional Court's analysis in paragraphs 56 to 63 emphasizes the importance of procedural safeguards in the context of right to property violations, especially when one of the parties involved is a public authority. The Court underlines that for the protection of right to property to be deemed effective in a given case, court decisions must contain relevant and sufficient reasoning.

It is essential that the courts carefully consider and address the fundamental claims and objections that significantly influence the outcome of a case concerning the right to property. This requirement does not mean that every allegation must be answered, but key claims and objections must be meticulously evaluated and addressed by the judicial authorities.

In the application of these principles to the case at hand, the Court notes that the right to the protection of personal data is an extension of the right to human dignity and the freedom to develop one's personality. The distinction between the protection of personal data and data security is highlighted. While the former concerns the safeguarding of fundamental rights and legal limits during data processing, the latter pertains to technical and administrative measures required to protect the data itself against unauthorized access, alteration, or disclosure.

Law No. 6698 requires data controllers to implement appropriate security measures to prevent unlawful processing of and access to personal data. The assessment of whether security measures are adequate takes into account various factors, including the nature of the data, the size of the company, and the risks associated with the data processing activities.

The Court recognizes that administrative authorities have a degree of discretion in determining what measures are necessary for data security. However, this discretion is not unlimited. Excessively burdensome measures in comparison to the intended goal may be deemed unnecessary by the Constitutional Court. The chosen measures must be appropriate, necessary, and proportionate to the aims pursued.

The applicant argued that despite taking all necessary measures and having no fault, the imposition of the penalty was unlawful and disproportionate. The Court found that these significant claims were not adequately addressed by the judiciary, leading to the conclusion that the procedural safeguards related to the protection of property rights were not fulfilled in this case.

Key Takeaways

The Turkish Constitutional Court's decision in the case of M.I.I. provides significant takeaways for various stakeholders such as data controllers, supervisory authorities, and courts.

For Data Controllers:

Implementation of Adequate Security Measures: Data controllers are mandated under Law No. 6698 to take appropriate technical and administrative measures to safeguard personal data against unauthorized access, alteration, or disclosure.

Proportionality of Security Measures: Measures taken should be proportionate to the risks associated with the data processing activities, considering factors like the nature of the data and the size of the company.

For Supervisory Authorities:

Exercise of Discretionary Power: While supervisory authorities like the Personal Data Protection Board have discretion in determining necessary security measures and imposing fines, this power is not unlimited.

Proportionality in Sanctions: Fines or penalties should be proportionate to the severity of the breach and should aim to balance the need for security with the rights of data controllers.

Ensuring Adequate Justification: Decisions and penalties should be well-justified, with a clear legal basis and sufficient reasoning, especially in cases involving significant financial penalties.

For Courts:

Importance of Procedural Safeguards: Courts must ensure that procedural safeguards are in place, particularly in right to property disputes involving public authorities.

Meticulous Consideration of Claims and Objections: It is essential for courts to carefully consider and address the fundamental claims and objections that significantly influence the outcome of the case.

Requirement for Sufficient Reasoning in Decisions: Decisions should contain relevant and sufficient reasoning, especially when they concern the imposition of administrative fines and the rights of the parties involved.

Balancing Public Interest and Individual Rights: Courts must balance the public interest in data security with the individual rights of data controllers, ensuring that measures are appropriate, necessary, and proportionate.

In conclusion, the decision highlights the need for a balanced approach to data security, compliance with legal obligations, and the importance of procedural fairness in judicial proceedings. It serves as a reminder that while data security is paramount, the measures taken should be proportionate and justified, ensuring the protection of individual rights and interests.
