We all agree on the importance of “personal data“, the “oil” of the 21st century that is expected to steer the economy. “Data” is the number one item on the agenda for all meetings and summits regarding the future. Consequently, regulations and discussions on processing and protecting personal data, which are deemed highly valuable both economically and politically, are always a hot topic.
Once again, it was personal data that received highlight when some measures were introduced in the Presidential Circular (2019/12) promulgated in the Official Gazette of July 6, 2019 so as to “mitigate serious security risks that come with facilitated access to information, digitalization of network infrastructure and widespread use of information management systems in addition to ensuring the security of critical data“.
This Circular may be deemed as a positive attempt to remind “public institutions” on the security measures implemented by numerous private companies and organizations. However, we should ponder on why the government, which acts legally or illegally to collect and process incredible amounts of data, handles the “security” side of the matter so inefficiently.
Although the Law on the protection of personal data was adopted back in 2016, personal data have been explicitly or implicitly traded in Turkey for years. For instance, the Regulation drafted in order to “collect and process the data on persons and households applying for social welfare and share such data with public institutions and organization as well as real and legal persons that were deemed ‘eligible’ for data exchange” entered into force in 2014.
Thus, there were various Regulations regarding the processing and sharing of data at a time when there was no Law on the security and protection thereof. Not to mention the fact that these Regulations aimed to process the “personal data” of the millions benefiting from social assistance. These may be “the same old stories“. That does not dilute their impact, though.
The Law No. 6698 on the Protection of Personal Data enforced in 2016 filled a giant gap, so to say. Furthermore, the Personal Data Protection Authority (KVKK) was established with its dedicated law and started operations, quickly getting involved in processing procedures.
Electronic communications sector is one of the fields where sensitive personal data are processed the most. The processing and protection of not only the sector-specific “traffic data” but also the comprehensive personal data offered to operators so as to procure services have been discussed for a long time.
Especially after the coup attempt in 2016, the accusations and allegations that officials from the Information and Communication Technologies Authority (BTK) itself and the Presidency of Telecommunication and Communication (TİB) under BTK served/transferred to third parties almost all of Turkey’s personal data collected from operators back in the day (to that end, a huge number of employees were sacked) brought forward some key questions such as whether the personal data of millions of citizens are in “good” hands or whether BTK has the right and authority to request that such great amounts of personal data be collected under its roof.
Another development that exacerbated this discussion was the request that all personal data of subscribers available at operators be transferred to BTK in a continuous and up-to-date manner upon BTK resolutions rendered on the condition that they are not publicly disclosed or published on the Authority’s website.
While many other BTK resolutions were published on the Authority’s website, it was requested that a series of BTK resolutions titled “subscriber pattern”, the first of which was rendered in October 2018, not be published specifically. This series of resolutions by BTK mandates mobile operators such as Turkcell, Vodafone and Avea as well as Türk Telekom and alternative operators and broadband Internet service providers (ISP) to transfer personal data, partly on a daily and partly on a monthly basis, to BTK.
These personal data include, inter alia, subscribers’ line number, line status, type of service, type of customer, start of subscription, subscriber’s name/surname, ID number, passport number, title, tax ID number, MERSIS number, gender, nationality, father’s and mother’s name, mother’s maiden name, place of birth, date of birth, occupation, subscription plan, personal identity and address information in addition to the name/surname and ID number of authorized officials for corporate subscriptions.
The procedure stipulating the transfer of detailed user information for both individual and corporate subscriptions to BTK was launched on July 2, 2019. This recent practice will ensure that almost all personal data for millions of subscribers be transferred from operators to BTK. There is also a serious risk of termination of service if the missing information is not completed in the case of individual subscribers whose ID number information is missing as well as corporate subscribers with missing tax ID number information.
Just as in other countries, BTK has certain authorities over fighting crimes and offending behavior. However, continuously and regularly requesting the personal data of all subscribers using electronic communication services in a way suitable for profiling is not only illegal but also means that BTK will have sector-specific traffic information as well as a colossal pool of data “ready to be processed”.
Following the enforcement of the Law No. 6698 on the Protection of Personal Data, attempting to process such large amounts of data without the opinion and approval of the Personal Data Protection Authority (KVKK), which was established through its dedicated Law, in a period where the Law is fully and properly executed, does not appear to be a legal venture.
An annulment action was filed before the 13th Chamber of the Council of State against these resolutions by BTK that constitute “a disproportionate intervention” in the fundamental rights to privacy as well as to the protection of personal data guaranteed pursuant to Article 20 of the Constitution and that aim to process personal data without being subject to any limitations regarding the right to privacy.
Of course, the ultimate decision rests with the judiciary. However, BTK’s request and attempt to process such huge data by hiding the process from public opinion contradict the principles of transparency and good governance and indicate that there is still a long way to go in terms of “data security” which has just been taking root publicly following the Presidential Circular.
Citizens’ personal data need to be processed in order to provide effective, timely and accurate public services but the security of such data should be the number one priority. This can only be achieved by publicly, transparently and clearly declaring – in advance – the rules and responsibilities of authorities that process large amounts of data.
While the BTK should publicly disclose the aim, method and procedures of personal data processing activities and announce who at the Authority is responsible for data security to what extent, don’t you think the activities performed in a culture of absolute secrecy and non-accountability fuel long-existing suspicions about the Republic of Turkey’s commitment to the principles of the “state of law” and legal certainty?