Please note that the extraterritorial scope of the General Data Protection Regulation adopted by the Member States of the European Union will not be discussed herein. The emphasis will be on Turkish Law and the legal instruments of the Council of Europe (“CoE”), of which Turkey is a member.
I. THE COUNCIL OF EUROPE
Big Data is a powerful form of data mining that relies on huge volumes of data, faster computers, and new analytic techniques to discover hidden correlations. Big Data refers to the novel ways in which organizations combine diverse digital datasets and use statistics and other techniques to extract hidden information and correlations.
For instance, an algorithm used by a social media company strives to expose its users to the content most compatible with their world perspective and preferences (i.e. similar posts on their timeline from other users). Further, an algorithm used by a search engine enables the processing of search results and is thereby able to provide more relevant results and/or advertisements. Despite such significant economic and social benefits, Big Data and Big Data Analytics have given rise to concerns in terms of privacy rights.
Legal arrangements on Big Data mostly revolve around the legal norms applicable to data protection. As enshrined by Article 8 of the European Convention on Human Rights (“Convention”), everyone has the right to respect for his/her private and family life, home, and correspondence. Article 8 of the Convention was not drafted with data protection in mind at the outset; however, case-law on the ‘living instrument doctrine’ of the European Court of Human Rights (“ECHR”) provides that the Convention is interpreted in light of present-day conditions so that the Convention does not fall behind technology.
The Convention for the Protection of Individuals with Regard to the Automatic Processing of Personal Data (“Convention 108”) of the CoE is the first internationally binding treaty that specifically addresses data protection. In its own words, the purpose of Convention 108 is ‘to secure in the territory of each Party for every individual, whatever his nationality or residence, respect for his rights and fundamental freedoms, and in particular his right to privacy, with regard to automatic processing of personal data relating to him.’ It is worth noting that the scope of Convention 108 only covers the protection of individuals from the automatic processing of personal data. The Ad Hoc Committee on Data Protection is working on the modernization of the treaty.
In the meantime, the CoE issued Guidelines on the Protection of Individuals with regard to the Processing of Personal Data in a World of Big Data (“Guidelines”) on 23 January 2017. The intention of these Guidelines is to recommend the measures that should be taken by the Contracting Parties, data controllers, and/or processors to prevent the potential negative impacts of Big Data on human dignity, human rights, and fundamental individual and collective freedoms as well as to mitigate liability.
The Guidelines’ approach is not limited to the traditional 3V paradigm (volume, velocity, and variety of data), which connotes the technological ability to collect, process, and extract large amounts of data. The Guidelines specifically indicate that “in terms of data protection, the main issues do not only concern the volume, velocity, and variety of processed data, but also the analysis of the data using software to extract new and predictive knowledge for decision-making purposes.” This means that Big Data analytics is also subject to the Guidelines.
II. DECISION IN REGARD TO BIG DATA BY THE TURKISH SUPERVISORY AUTHORITY
As per Article 20 of the Turkish Constitution, everyone has the right to request the protection of his/her personal data. This right includes being informed of, having access to, and being able to request the correction and deletion of his/her personal data and to be informed of whether or not the data is being used consistent with envisaged objectives. Accordingly, personal data can only be processed when prescribed by law or upon explicit consent in principle.
Additionally, the Law on the Protection of Personal Data (“Data Protection Code”) was drafted with the objective of protecting fundamental rights and freedoms in the course of data processing and setting forth legal obligations, principles, and procedures applicable to data collectors. There is no specific reference to or definition of “Big Data” in the Data Protection Code. However, provisions laid down therein may be applicable in cases where Big Data is involved.
In fact, the competent supervisory authority in Turkey, namely the Board of Personal Data Protection (“KVKK”), rendered a prominent decision in December 2017 in this respect. The decision concerns popular mobile phone applications enabling their users to see the identity – as saved in other users’ phone books – of unknown callers. Those who download the application share all of the contact details in their phone book with the application provider without the consent of the data subjects. The application provider collects and gathers data from its users and reveals the caller’s identity each time an unrecognized number makes a phone call to the user.
The KVKK has ruled for immediate suspension of such activities with reference to the Data Protection Code and referred the incumbents to the competent judicial and administrative authorities. Although the KVKK did not explicitly mention “Big Data” in its decision, the subject matter of the dispute falls under the conventional Big Data definition based on the 3V paradigm. It should also be borne in mind that the information gathered through similar applications may be utilized for Big Data Analysis purposes.