Biometric Face Recognition Systems And Council Of State Decisions From the Perspective of Personal Data Protection Code

Biometric Face Recognition Systems And Council Of State Decisions From the Perspective of Personal Data Protection Code

A new era of change with important implications on our daily lives appears to begin with the highly anticipated Personal Data Protection Code finally coming into force. Given the immense pace of progress in internet technologies, internet based services have come to surround every aspect and moment of our lives. We actively and most of the time unconsciously use this new technology which we are far from producing.

As regards awareness, personal data is perhaps the most delicate of the issues. The new Code defines personal data as “any information relating to an identified or identifiable natural person”, meaning any kind of information that defines you is your personal data. Then there are “sensitive data”such as information on race, ethnicity, political opinion, philosophical beliefs, religion, sect, appearance, membership of association, foundation or union, health, sexual life, criminal convictions and security measures, biometric and genetic data, which cannot be processed without your permission.

Despite its’ overly technical resonations, “processing of personal data” is quite comprehensible: “any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, storage, protection, adaptation, alteration, rearrangement,  disclosure, transmission, making available, classification.

A typical instance of processing takes place daily in shopping, when stores gather and sort customers’ personal data into databases and mailinglists by the help of certain computer programs.

Today, use of computers and internet reached a point which allows most of personal data to be automatically processed. If you come across news, ads and messages that address you while you are surfing on the internet (so called “interest-based ads”), then you know that your browsing history had been subjected to a quick processing, by which your interests are measured, tracked and transferred to commercial enterprises so that you encounter ads of those commodities that you might need or be interested.

Contemporary rise in security concerns have led to new practices; “facial recognition systems” being one example. Formed by the use of biometric data obtained usually from photographs, such systems are now in place even in public institutions. Whether it is for employee surveillance or for security reasons, biometric data are continuously processed by these systems installed at the entrances of buildings.

Since biometric data is “sensitive data” within the meaning of the recently adopted Personal Data Protection Law, without the concerned person’s explicit consent, it cannot be processed- saving a few exceptions stipulated by law. Thus establishing a facial recognition system in a workplace requires the explicit consent of the employees concerned.

The said principle is also confirmed by the Council of State in one of it’s recent rulings. The case concerned a labour union’s challenge against the establishment of a facial recognition system in a public hospital for the purpose of tracking employee compliance with working hours. Although the case was not succesful before the first instance Administrative Court, The  5th circuit of the Council Of State found the measure asexplicitly against the Constitution.

According to the Council, the dispute was to be held in the light of article 20 of the Constitution titled “The Right to Privacy” as well as the article 8 of the European Convention on Human Rights titled “The Right to Respect for Private and Family Life”.  Although recognizing the facts that the Public Servants Code did not stipulate any specific rules addressing the survey of compliance with working hours and recourse to advanced technology by public institutions is today commonplace, the Council of State maintained that such processing of personal data must be in accordance with constitutional principles. Thus the absence of a legal basis defining the limitations, procedure and principles of such a measure, lack of any safeguards for the  data processed and violation of the principle of proportionality have led the Council to the conclusion that the impugned measure was unconstitutional.

Without a doubt, using advanced technology is crucial in the context of increasing security concerns and the fight against crime. A program in our favorite detective series that scans thousands of photographs and finds a match may comfort most of us, but we must also take into account certain basic rights that protect our personality, especially the right to privacy and establish a fair balance. For this reason, in the future, it seems like personal data protection will become an issue that is central to many other fields and that will ignite a lot of debate. (Translated by Gizem Koç – Ezgi Başak – Sezer Bostancı)