In order to explain this awkwardness better, I have to start with the applicable legal measures on data protection before the entry into force of Turkish Data Protection Law’ (“DPL”).
Before the DPL, the Turkish Constitution has already had provision for the protection of data personal data. It is somewhat a summary of the general principles set forth in the current DPL. It even stipulates that an explicit consent of the data subject must be obtained in order to process his/her personal data.
Moreover, even the Turkish Criminal Code (“TCC”), which entered into force as of 1 June 2005, introduced several sanctions on breach of privacy rights of individuals such as obtaining, recording, transferring personal data illegally. Well, believe it or not when the DPL was published in 7 April 2016, these provisions were already in place and in force (I intentionally avoid to explain data protection provisions in some sectoral regulations back then, as they are not relevant to the subject matter of this article).
Of course, without a dedicated data protection law; there was no clear definition of personal data. Hence, it was very hard to enforce these provisions and most of the public prosecutors were hesitant to do so. Also, this ambiguity was highly criticized from a criminal law perspective on the ground that it was against the “no punishment without law” principle (lat. nulla poena sine lege). However please note that, the Constitutional Court recently decided that there was no need for a written definition of a data protection for application of TCC. Well, this decision is highly criticised as well.
Now, we are ready to talk about the DPL: As some of you may know, (at least the ones, who are into data protection, privacy and all that jazz…) the DPL was published in the Official Gazette on 7 April 2016. This law includes some administrative fines for the non-fulfillment of certain requirements; and refer to TCC for criminal sanctions.
Well, what you would normally expect from a regulatory law was to introduce a time period for the application of certain requirements. Yes, it did for some; but not for the major requirements such as obtaining an explicit consent or informing data subject on data processing activities. These provisions entered into force on the date of the DPL’s publication… Why? Because Turkey was trying to secure a deal with the EU for visa exemption; and data protection was one of the main subjects…
So, what the law did was to introduce a transition period for 6 months for the application of (i) administrative sanctions, -well, unusual choice, but okay, understandable- (ii) also a transition period for its reference to criminal sanctions (!)
Well, let’s observe the current situation, requirements are in force; but without any sanctions.
According to some criminal law experts, the DPL even indirectly provides a general exemption from the TCC provisions during such transition period.
From this perspective, current ambiguous situation may be interpreted as everyone is free to breach TCC provisions during this 6-month-transition-period of DPL. Such actions may be defended based on the grounds that “recent/dedicated law prevails over general former law” as well as “there should be no punishment without law”. So, currently what we have at hand is an ambiguous criminal sanctions on data protection, created by recently enacted data protection law…
Please finally note that this article is not intended to encourage anyone to commit any breach of the DPL or the TCC. This article is only intended to point out the ambiguity created by the 6-month-transition period in the DPL... And just to give the readers a humble advice: In Turkey, if you are in an ambiguous legal position, don’t blame yourself; blame the system…
Publication Date: 02 September 2016