Turkey’s data protection draft law open to abuse: Expert

Barçın Yinanç - barcinyinanc@hdn.com.tr

The government’s new draft personal data protection law is highly problematic and open to abuse, according to Akın Ünver, an assistant professor at Kadir Has University and an executive and supervisory board member of the Center for Economics and Foreign Policy Studies (EDAM).

Although promoted as a step to harmonize Turkey’s law on data protection with the EU, it actually marks a regression on a 2014 draft of the law, Ünver said.

“The 2014 version basically just needed minor revisions. What is shocking is that after collecting all the feedback from domestic groups, the government’s 2016 version is a regression from the 2014 law. One of the biggest problems is that it introduces too many exceptions to liberties and freedoms and to the government’s restrictions on collecting citizens’ data,” he told the Hürriyet Daily News. 

Can you outline the background of the new draft law?

It all started in 2003 when Turkey had just started its EU accession process and one of the topics was how it would handle personal data. But up to 2008 basically nothing happened, mainly because Turkey had other major issues to deal with in the EU process. Also Turkey did not have the technical or technological infrastructure. In 2008 there was another push but the issue was again sidelined. The fact that this has come onto the agenda again now is related to the Syrian refugee crisis. Issues have arisen about how to handle refugees’ data, who is a refugee and who is not, and how to share this information with the EU. 

In 2014 the first major draft law was submitted to international and local organizations, as Turkey wanted to coordinate its personal data protection law with EU data protection law, so Turkish police and EUROPOL and EUROJUST can cooperate on the issues of both refugees and terrorism. After feedback on the law, we now have a new 2016 version.

Tell us about the new version.

The 2014 version of the law was well-intended. Technically it was imperfect but when you read it you could see they really wanted to make progress. Personal data is such an integral part of our new identities in the cyber age that it is not only about cooperation between Turkish police and its EU interlocutors, it is also about how to do business in Turkey. For example, if you are a Swiss insurance company in Turkey you collect the personal data of Turkish citizens, but are you going to store the data in Turkey or in Switzerland?

So would you suggest this was a long overdue law? Why has it taken so long to endorse it?

The Turkish government never felt the need. It could give reasonable assurances to international companies and international banking groups who deal with Turkish citizens’ personal data and it could uphold these assurances quite well. But the Turkish system on personal data is hybrid, similar to Russian and Chinese policies on the topic. And if you want to look inviting to international companies, you have to give them proper assurances.

But you can also use personal data and problematically collected information against people who you deem internal security threats. There may also be domestic business corporations that you deem to be a threat to your national security, or companies deemed to be political business competition.

Can you give a concrete example?

There have been several parliamentary inquiries. There were allegations that the Turkish police and the National Intelligence Organization [MİT] were collecting personal data and the confidential information of business networks deemed to be political rivals. After the December 2013 corruption allegations, previously friendly business interests became the enemy, and the personal information of CEOs, CFOs, and other business contacts - which normally a government would have no interest in - were being collected. This was the allegation made by opposition parties.

Would Turkey be able to maintain that hybrid position if it endorses the law?

Turkey can no longer sustain that hybrid positioning. If you want to cooperate with Europe, you need to establish a good working mechanism. 

The 2014 version was very good and it basically just needed minor revisions. What is shocking is that after collecting all the feedback from domestic groups, the government’s 2016 version is a regression from the 2014 law. One of the biggest problems is that it introduces too many exceptions to liberties and freedoms and to the government’s restrictions on collecting citizens’ data. It is not the kind of law that enables coordination with the EU, rather it is a Turkish law. Despite that, the cabinet has said the number one necessity of the law is to coordinate with the EU.

What does this tell us?

The 2014 law came very close to meeting the conditions, but the 2016 law is such a big step back that it is far from fulfilling its original intended aim.

Can you give us an example?

For instance, the exceptions that are introduced on the state’s limits to accumulating personal data - the legal rationale on why and how it should accumulate personal data - should be very well established so that it conforms to EU norms. Normally it is OK to have an exception and for limits to be relaxed - in the event that the state feels there is a particular national security problem. But in the Turkish context the issue of national security is easily abused and any form of dissent, criticism or non-compliance with a political position is regarded as a terrorism or security threat. Over the last four years we have seen that with regard to arbitrary imprisonment, closure of companies, or freezing their accounts on charges of national security threats, even though the legal process doesn’t ultimately find a national security threat. How these exceptions are going to materialize in the Turkish contest is a source of worry for the EU.

The Turkish government claims that it faces several threats. Is that unconvincing?

The actual threat and the perception of threat are two different things, especially in Turkey. We have ample evidence that Turkey tends to overplay the national security issue. As a result, it pursues more heavy-handed policies that intensify security problems. Saying “I’m not like an EU country, so I can’t introduce a law in line with EU norms” essentially translates to meaning “I have no interest in cooperating with European agencies.”

Can you give us a specific example showing how the law will not conform to EU norms?

Article 5, 6 and 7 of the law relate to how the state can collect personal data and what the citizen can do in terms of objecting to what they may define as illegal. These articles are written in very liberal terms, but then articles 8, 9 and 10 argue that all freedoms and checks and balances in the previous articles can be discarded in the event of a national security threat. So you basically have six articles that define the limits to personal data collection and what the citizen can do, and another six articles that say every single article can be nullified due to national security threats.

The draft law must first of all specify what “national security threat” actually means. There is a broad and fuzzy definition of how national security concerns are defined regarding personal data. But possible national security threats are defined in great detail regarding other countries.

In the U.S., when it became apparent that the CIA had diverted personal data into its own surveillance network, which is illegal, the EU said it needed to establish clear laws eliminating any ambiguity. When the EU looks at Turkey, it sees a lot of ambiguity and the 2016 law makes it even more ambiguous. The EU can worry that if it sends the data of an EU citizen, it can’t be sure that data won’t be taken into the Turkish national intelligence database.

What are the other problematic aspects of the draft?

The composition of the data protection council is problematic. It is intended to be made up of seven individuals. The EU said it should be a board of experts. It was supposed to be a technocratic board. Even in the 2014 version, four members were to be appointed by the cabinet while three were to be technocrats. Actually all seven should be politically independent, which is one of the things that would make the law credible. The 2016 version is a regression even from the 2014 version, foreseeing that four members will be appointed by the government and three will be appointed by the president.