After decades of delay, on February 18, Turkey ratified the Council of Europe's 1981 Strasbourg Convention for the Protection of Individuals with regard to Automatic Processing of Data.
The start of 2016 has been marked by a flurry of legislative activity with respect to the protection of personal data in Turkey. While still debating the draft Law on the Protection of Personal Data, expected to be adopted any day now, the Turkish Parliament finally ratified the Convention. The much-anticipated ratification comes more than 35 years after Turkey signed the Convention.
What the Convention says
Consisting of 27 articles, the Convention is Turkey's first binding international agreement to protect individual personal data, regardless of nationality or residence, against abuses that may accompany the collection and processing of personal data, and to regulate cross-border data flows.
In addition to providing guarantees on the collection and processing of personal data, the Convention outlaws the processing of "sensitive" data on matters such as a person's race, politics, health, religion, sexual life, and criminal record in the absence of proper legal safeguards. The Convention also enshrines individuals' right to know that information about them is being stored and, if necessary, to have it corrected.
The rights outlined in the Convention can only be restricted when overriding interests (e.g., state security, defense, etc.) are at stake.
The Convention also requires signatory states to take the necessary measures in their domestic laws to give effect to the basic principles of data protection as set out in the Convention. One of the main reasons Turkey had not ratified the Convention until now was because it had failed to take the necessary measures, including enacting a domestic data protection law.
What Turkey's ratification signifies
Until now, out of the 47 countries that had signed the convention, Turkey remained the only country yet to ratify it.
The Turkish Constitution recognizes the right to the protection of personal data as a fundamental right, and the draft law would provide legal protections for, and sanctions for violations of, this fundamental right. Within this framework, the Convention's ratification is significant as the Turkish Constitution states that in case of a conflict between ratified international agreements concerning fundamental rights and national laws, the provisions of international agreements prevail. This means the Convention supersedes domestic laws on data protection where the two conflict.
From a substantive law perspective, in ratifying the Convention Turkey made declarations in accordance with Article 3(2) of the Convention:
- First, the Convention is not applicable to the automatic processing of personal data by individuals exclusively for personal or household purposes. The Convention is also not applicable to personal data processed by state authorities for the purposes of national security and defense or the prevention of crime.
- Second, the Convention applies to personal data not processed automatically as well as data processed automatically.
The Turkish Data Protection Authority, which will be established after the draft law enters into force, will be responsible for supervising the application of the Convention in Turkey.
The ratification's significance will become more apparent once the draft law is adopted and the Data Protection Authority becomes functional.
The Convention's ratification is one of the most significant steps taken so far to ensure legal protection of personal data in Turkey, and indicates that the legislative activity will continue apace.
The Convention, and the principles that it introduced, were mainly adopted in the EU Data Protection Directive (95/46/EC). Therefore, the draft law, which is based on the EU Data Protection Directive, is also expected to be compliant with the rules and standards set forth in the Convention with minor exception. Regardless of the draft law's compliance with the Convention, however, now that the Convention has been ratified, in case of a conflict, the Convention will prevail over national laws addressing the protection of personal data.