The Law No. 6698 on Protection of Personal Data ("DP Law") which came into force on April 7th, 2016 is applicable to real persons whose personal data is processed and to the real persons and legal entities that process such data, wholly or partly, by automatic means and, if the data is part of a data filing system, by non-automatic means. Therefore, the general scope of the DP Law is wide, similar to the European Union's Data Protection Directive 95/46/EC ("EU Directive").
The Article 28 of the DP Law regulates the exemptions to which the DP Law does not apply. The DP Law does not apply in cases where personal data are processed (i) by real persons in the course of activities that are completely personal or related to the family members living in the same household; provided that the personal data is not shared with third parties and the data security obligations are fulfilled and complied with, (ii) for purposes of research, planning or statistical operations after being anonymized with official statistics, (iii) for artistic, historical, literary or scientific purposes or within the scope of freedom of speech; provided that national defense, national security, public safety, public order, economical safety, privacy of private life or personal rights are not violated and the processing does not constitute a crime, (iv) within the scope of preventive, protective and intelligence activities for national defense, national security, public safety, public order or economical safety, (v) with respect to investigation, prosecution, trial and execution procedures by judicial organs or execution authorities.
For instance, the statistics of "people living in Istanbul who use smartphones", where the data is anonymized by the Turkish Statistical Institute, may be an example for the exemption "processing personal data for research, planning or statistical operations and such data is anonymized with official statistics". If the data is anonymized for statistical purposes and the data subjects are not identifiable, the DP Law should not apply to aforementioned type of processing personal data.
The exemptions in the DP Law differ from the EU Directive in that, they provide national defense, national security, public safety or within the scope of preventive, safety and informative activities for economical safety, as the grounds for exemption. The activities regarding public safety, defense, security of Member State or the activities of the state in the area of criminal laws fall outside the scope of the EU community law, and processing of personal data that is necessary to safeguard the economic well-being of the a Member State does not fall within the scope the EU Directive where such processing relates to security matters of the Member State. Therefore, this provision is not in full compliance with the EU Directive in this respect.
Even though national defense, national security and public safety's objective might be deemed legitimate to be used as exemption of the DP Law, this should be explained in detail and the limitations should have been prescribed by the DP Law. Keeping the scope of exemptions broad might result in violation Article 20 of the Turkish Constitution as well as Constitutional Court decisions where the privacy of private life and protection of personal data are protected as basic human rights. To prevent such violations, amending these exemptions in a way to limit the scope of exemptions would be necessary, in a similar way to the data protection legislations of the EU Member States. Data protection laws of EU Member States provide exemptions from some of the EU Directive's provisions in matters of: (i) national security and defense; (ii) the prevention, investigation, detection and prosecution of criminal offences; (iii) the protection of data subjects and the rights and freedom of others. For similar reasons, the following obligations may be lifted: (i) obligation to inform the data subject about processing his/her personal data; (ii) duty to reveal certain data processing operations to the data subject; the right of the data subject to access his/her data; (iii) the right of access to statistical or research data; (iv) obligation to ensure basic principles of good data management.
Therefore, exemptions regulated under the DP Law should be narrowed down to the specific rights and they should not be used as a "general exemption rule". For example, personal data may be exempted from the non-disclosure provisions if the disclosure is aiming to protect national security. However, "national security" should not be a general exemption legal basis within data protection legislation.
Even though the DP Law was regulated based on the provisions within the EU Directive, there are some points which must be examined and clarified in order to avoid the aforementioned conflicts with the EU Directive. In other words, the exemption on the applicability of the DP Law, which was drafted under the paragraph (c) of Article 28 (1) grants excessive rights by means of the wide exemptions granted to governmental authorities. For example, if personal data are processed by public institutions and organizations "which are authorized by law within the scope of their preventive, protective and intelligence activities for national defense, national security, public safety, public order or economical safety", such as police forces, the DP Law would not be applicable. However, the data may be also processed in a way that it is not related with the legal grounds of "national defense, national security, public safety, public order or economical safety". Therefore, this provision excludes certain governmental authorizes to comply with data protection measures.
This article was first published in Legal Insights Quarterly by ELIG, Attorneys-at-Law in September 2016. A link to the full Legal Insight Quarterly may be found here.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.