The interplay of Big Data, data protection regulations, and personal rights is a matter of debate in many legal systems all over the world, and following the entry into force of the Turkish Data Protection Code, arguments over whether Big Data practices comply with national laws have become a serious issue in Turkey.

Today, most companies, both public and private, use Big Data practices in their decision-making processes. Big Data is used to develop operational efficiency, reduce expenses, and improve the ability to make profitable decisions based on up-to-the-moment information on markets and consumers.[1]

While there are many definitions of Big Data,[2] it can generally be defined by its size, which is comprised of a large, complex, and independent collection of data sets, each with the potential to interact with one another.[3] One of the major ways to collect such a large amount of data is by transmitting it from personal internet usage. Every social media account, Google search, website, and blog can be a source of Big Data. For instance, a restaurant owner can easily detect the most popular locations visited by a specific target market simply by viewing location data obtained from navigation applications and Google searches. Large companies like Netflix, a leading internet entertainment company, use Big Data to understand consumer habits in order to predict their future habits and better manage investments.

Decision makers of companies implement Big Data in their day-to-day business strategies. Big Data can be thought of as a large-scale survey that is being conducted every second among thousands of people. According to some, it is the most realistic and reliable way to understand market dynamics, and the most efficient way to determine business strategy.

The rising popularity of Big Data in modern business has sparked legal arguments over whether Big Data practices should be regulated and whether the existing data protection regulations are applicable to Big Data practices.[4] Extremists suggest that legislators should go beyond traditional data protection laws and adopt sui generis regulations for Big Data practices, while others believe that existing data protection laws may be applied in their current state.[5]

Current Regulation of Big Data in the EU and US

The European Union has played a leading role in Data Protection Regulation. A new General Data Protection Regulation (“GDPR”) will replace Directive 95/46, consolidating and innovating existing data protection laws of the European Union.[6] Companies, regardless of location, will be required to comply with the GDPR when it comes into force on May 25, 2018. The GDPR will set forth new obligations that will directly apply to Big Data practices. Within the scope of these new obligations, operators collecting and processing personal data on a large scale will have to fulfil stricter requirements concerning data subjects’ consent. The data subjects will also have the ability to restrict the processing of their personal data and even to prohibit processing activities. Data controllers will be subject to a new accountability requirement where the controller must be able to verify its processing actions after the data collection takes place and show that the practice was compliant with the GDPR at any time.[7] In an effort to combine existing data laws with the amendments imposed by GDPR, the European Commission stated at the workshop on governance and funding for the European Open Science Cloud (“EOSC”)[8] in Brussels that it is necessary to incorporate these recent amendments in privacy, data protection, and copyright rules to the research data domain.[9]

In the US, there is currently no comprehensive federal law regulating Big Data practices, although some states such as California have enacted their own laws.[10] Pursuant to the California Online Privacy Protection Act (“CalOPPA”),[11] operators of commercial web sites or online services that collect personal information from California consumers must display a privacy policy on their web site and act in compliance with this policy. The privacy policy must specifically identify the types of personally identifiable information collected from site visitors and identify any third parties with whom the operator may share collected information.[12] These changes in both European and American law show a trend in regulating Big Data through new policies rather than holding it to the standard of the current data protection regulations.

Turkish Legislation on Big Data Practices

Under Turkish law, there have not yet been any specific regulations imposed with respect to Big Data practices. Thus, the general data protection codes and regulations are the only laws currently applicable to Big Data practices in Turkey.

The protection of personal data is an issue of an individual’s right to privacy, which is protected under the Constitution of the Republic of Turkey (“Constitution”). As per Article 20 of the Constitution:

Everyone has the right to request the protection of his/her personal data. This right includes being informed of, having access to and requesting the correction and deletion of his/her personal data, and to be informed whether these are used in consistency with envisaged objectives. Personal data can be processed only in cases envisaged by law or by the person’s explicit consent…

In addition to the aforementioned constitutional regulation, the Data Protection Code (“DP Code”) entered into force on April 7, 2016. The DP Code sets forth that personal data can be processed only with the data subject’s explicit consent, apart from the specific exceptions defined under Turkish law.[13] Therefore, the general principle stipulated under the DP Code is a general prohibition on the collection and/or processing of personal data by third parties without the explicit consent of the data subject.

However, as mentioned above, the main purpose of Big Data is the collection of large-scale anonymous data and the processing of such data to reach a specific conclusion. Although in principle the data collected and processed for Big Data purposes is anonymous, the data subject, who is both the provider and owner of data, is generally unaware of the collection or the underlying purpose of the collection of his or her data. Therefore, the use of Big Data would almost certainly be in violation of current data protection regulations in Turkey. The essential question then becomes whether the data protection regulations still apply to Big Data, given that it is a form of anonymous data collection. Although anonymity is thought to be a main feature of Big Data, some data specialists have successfully uncovered the true identity of data subjects whose data is used for Big Data purposes.[14] As such, the current capacity for anonymity would not remove Big Data from the scope of the Data Protection Code.

Conclusion

Due to its distinctive structure and unique features, Big Data should be regulated specifically, while maintaining the current data protection principles. Just as the European Union has done, Turkey should consider enacting innovative and comprehensive laws with regard to new technological tools like Big Data. Nevertheless, until specific regulations are enacted, the general data protection principles must be applied to Turkish Big Data practices. In order to ensure compatibility with the Data Protection Code, the explicit consent of data subjects must be obtained prior to processing the collected data for Big Data purposes, the content of the consent should be made clear to the data subject,[15] and the purpose of the data collection should be explained in detail to the data subject when seeking their consent. Data controllers must also refrain from processing any data excessively or beyond the scope explained to the data subjects. Overall, there needs to be the development of a technical infrastructure in Turkish law that supports the protection of personal data used in Big Data practice.