Turkey’s data protection draft law open to abuse: Expert

Barçın Yinanç - barcinyinanc@hdn.com.tr

Who is Akın Ünver?

Akın Ünver is an assistant professor of International Relations at Kadir Has University and an executive and supervisory board member of EDAM – the Center for Economics and Foreign Policy Studies. Dr. Ünver completed his PhD at the University of Essex’s Department of Government and was awarded the Middle East Studies Association’s Malcolm Kerr “best dissertation in the field of social sciences” honor and the departmental nomination for the European Consortium for Political Research’s best dissertation in the field of comparative politics. His current research focuses on data politics, data nationalism and the diplomacy of data transfers.

Dr. Ünver was a Marcia Robins-Wilf Young scholar at the Washington Institute for Near East Policy from 2007 to 2008 and a dual post-doctoral researcher at the University of Michigan’s Center for European Studies and the Center for Middle East and North African Studies from 2008 to 2010. He was also named the Ertegün lecturer at Princeton University’s Near Eastern Studies Department.



The government’s new draft personal data protection law is highly problematic and open to abuse, according to Akın Ünver, an assistant professor at Kadir Has University and an executive and supervisory board member of the Center for Economics and Foreign Policy Studies (EDAM).

Although promoted as a step to harmonize Turkey’s law on data protection with the EU, it actually marks a regression on a 2014 draft of the law, Ünver said.

“The 2014 version basically just needed minor revisions. What is shocking is that after collecting all the feedback from domestic groups, the government’s 2016 version is a regression from the 2014 law. One of the biggest problems is that it introduces too many exceptions to liberties and freedoms and to the government’s restrictions on collecting citizens’ data,” he told the Hürriyet Daily News.

It all started in 2003 when Turkey had just started its EU accession process and one of the topics was how it would handle personal data. But up to 2008 basically nothing happened, mainly because Turkey had other major issues to deal with in the EU process. Also Turkey did not have the technical or technological infrastructure. In 2008 there was another push but the issue was again sidelined. The fact that this has come onto the agenda again now is related to the Syrian refugee crisis. Issues have arisen about how to handle refugees’ data, who is a refugee and who is not, and how to share this information with the EU.

In 2014 the first major draft law was submitted to international and local organizations, as Turkey wanted to coordinate its personal data protection law with EU data protection law, so Turkish police and EUROPOL and EUROJUST can cooperate on the issues of both refugees and terrorism. After feedback on the law, we now have a new 2016 version.

The 2014 version of the law was well-intended. Technically it was imperfect but when you read it you could see they really wanted to make progress.

Personal data is such an integral part of our new identities in the cyber age that it is not only about cooperation between Turkish police and its EU interlocutors, it is also about how to do business in Turkey. For example, if you are a Swiss insurance company in Turkey you collect the personal data of Turkish citizens, but are you going to store the data in Turkey or in Switzerland?

The Turkish government never felt the need. It could give reasonable assurances to international companies and international banking groups who deal with Turkish citizens’ personal data and it could uphold these assurances quite well. But the Turkish system on personal data is hybrid, similar to Russian and Chinese policies on the topic. And if you want to look inviting to international companies, you have to give them proper assurances.

But you can also use personal data and problematically collected information against people who you deem internal security threats. There may also be domestic business corporations that you deem to be a threat to your national security, or companies deemed to be political business competition.

There have been several parliamentary inquiries. There were allegations that the Turkish police and the National Intelligence Organization [MİT] were collecting personal data and the confidential information of business networks deemed to be political rivals. After the December 2013 corruption allegations, previously friendly business interests became the enemy, and the personal information of CEOs, CFOs, and other business contacts - which normally a government would have no interest in - was being collected. This was the allegation made by opposition parties.

Turkey can no longer sustain that hybrid positioning. If you want to cooperate with Europe, you need to establish a good working mechanism.

The 2014 version was very good and it basically just needed minor revisions. What is shocking is that after collecting all the feedback from domestic groups, the government’s 2016 version is a regression from the 2014 law. One of the biggest problems is that it introduces too many exceptions to liberties and freedoms and to the government’s restrictions on collecting citizens’ data. It is not the kind of law that enables coordination with the EU, rather it is a Turkish law. Despite that, the cabinet has said the number one necessity of the law is to coordinate with the EU.

The 2014 law came very close to meeting the conditions, but the 2016 law is such a big step back that it is far from fulfilling its original intended aim.

For instance, the exceptions that are introduced on the state’s limits to accumulating personal data - the legal rationale on why and how it should accumulate personal data - should be very well established so that it conforms to EU norms. Normally it is OK to have an exception and for limits to be relaxed - in the event that the state feels there is a particular national security problem. But in the Turkish context the issue of national security is easily abused and any form of dissent, criticism or non-compliance with a political position is regarded as a terrorism or security threat. Over the last four years we have seen that with regard to arbitrary imprisonment, closure of companies, or freezing their accounts on charges of national security threats, even though the legal process doesn’t ultimately find a national security threat. How these exceptions are going to materialize in the Turkish context is a source of worry for the EU.

The actual threat and the perception of threat are two different things, especially in Turkey. We have ample evidence that Turkey tends to overplay the national security issue. As a result, it pursues more heavy-handed policies that intensify security problems.

Saying “I’m not like an EU country, so I can’t introduce a law in line with EU norms” essentially translates to meaning “I have no interest in cooperating with European agencies.”

Articles 5, 6 and 7 of the law relate to how the state can collect personal data and what the citizen can do in terms of objecting to what they may define as illegal. These articles are written in very liberal terms, but then articles 8, 9 and 10 argue that all freedoms and checks and balances in the previous articles can be discarded in the event of a national security threat. So you basically have six articles that define the limits to personal data collection and what the citizen can do, and another six articles that say every single article can be nullified due to national security threats.

The draft law must first of all specify what “national security threat” actually means. There is a broad and fuzzy definition of how national security concerns are defined regarding personal data. But possible national security threats are defined in great detail regarding other countries.

In the U.S., when it became apparent that the CIA had diverted personal data into its own surveillance network, which is illegal, the EU said it needed to establish clear laws eliminating any ambiguity. When the EU looks at Turkey, it sees a lot of ambiguity and the 2016 law makes it even more ambiguous. The EU can worry that if it sends the data of an EU citizen, it can’t be sure that data won’t be taken into the Turkish national intelligence database.

The composition of the data protection council is problematic. It is intended to be made up of seven individuals. The EU said it should be a board of experts. It was supposed to be a technocratic board. Even in the 2014 version, four members were to be appointed by the cabinet while three were to be technocrats. Actually all seven should be politically independent, which is one of the things that would make the law credible. The 2016 version is a regression even from the 2014 version, foreseeing that four members will be appointed by the government and three will be appointed by the president.