Turkey’s Islamist rulers have effectively neutered the draft bill on the protection of personal data by entrusting the implementation and monitoring of the legislation to hand-picked members of the Personal Data Protection Board who will be selected by Turkey’s autocratic president, Recep Tayyip Erdoğan, through direct and indirect appointments.
After delaying for years the adoption of Turkey’s first-ever bill on the protection of personal data and even disregarding the 2010 constitutional referendum that included a robust amendment for the strict protection of personal data and which required the implementing legislation be adopted soon afterwards, Turkey’s Islamist-rooted Justice and Development Party (AKP) government finally brought the bill to Parliament’s agenda on Jan. 18. The belated move came after intensified pressure from the EU as well as the Council of Europe and the United States on decades-long foot-dragging by Turkey.
However, given the fact that neither Erdoğan nor the AKP government has any interest in limiting themselves to a strict ban on the abusing of personal data to discredit their critics and opponents, the architects of the bill in the Justice Ministry inserted a sort of “kill switch” in the legislation that effectively rendered the protections in the whole bill ineffective. Justice Minister Bekir Bozdağ, an Erdoğan loyalist who has helped the president and his family survive serious legal troubles by hushing up investigations on massive corruption schemes, personally appeared at the Justice Commission in Parliament to ensure that this kill switch remained intact. He vigorously defended maintaining the way members get selected for the board and helped AKP lawmakers beat down an amendment offered by the opposition on this topic.
Therefore, the practical impact of the bill on protecting personal data became meaningless when the Justice Ministry was reluctant to tailor the bill according to the norms and standards in the EU and the Council of Europe. If the draft bill is approved in the General Assembly in its current form, which is quite likely, it will be far from satisfying the letter and spirit of the EU’s 1985 Directive 95/46/EC on personal data or the General Data Protection Regulation (GDPR), a new regulation in the making in the EU. The serious shortcomings of the bill undercut the role of independent regulators by effectively giving the government and President Erdoğan an absolute say on how the legislation functions.
The fundamental problem with the bill is embedded in Article 21, which sets rules and procedures on the selection and operation of the seven-member board. Of the seven, four will be selected by the prime minister and the three by the president. Considering the fact that the whole Cabinet was staffed by President Erdoğan’s loyalists after the Nov. 1 election last year, the president will be effectively naming all seven members of the board. Moreover, the president and the vice president of the board are selected directly by the Cabinet instead of empowering the board with the selection. Hence, the independence of the board from the executive branch was put in serious question and a big blow was dealt to its autonomous structure from the start.
The bill also requires that the investigation of board members will depend on the permission of the prime minister, giving Erdoğan loyalists in the board blanket immunity from any criminal investigation into alleged abuse of authority. The similar yet equally controversial protection was also granted to members of the Turkish National Intelligence Organization (MİT) in the aftermath of the criminal exposure in January 2014 when MİT was revealed to have been transporting illegal arms to rebel groups in Syria under personal orders from then-Prime Minister Erdoğan. In other words, the board members would be provided with broad immunity and will act with impunity and a lack of accountability without any checks and balances.
The rationale behind this is Erdoğan’s desire to continue using, or rather abusing, personal data to discredit his critics and opponents. He wants to maintain the massive profiling of unsuspecting citizens according to their ideology, beliefs, philosophy, political affiliation and other factors. Not a single day passes in Turkey without some revelation of data on the personal and private lives of those people who simply exercise their right of dissent against the government. On many occasions, personal information on health problems, travel itineraries and shopping patterns of known government critics have been plastered all over pro-government media publications. The government not only provides political cover for such egregious violations of the right to privacy but also acts as an accomplice by sharing the information with its propagandist media.
There are other troubling signs in the bill. For example, Article 6 states that the personal data categories include “religious sect” and “dress code,” raising concerns that the government is profiling people according to their sectarian identity or on how they dress. The opposition said no such description exists in comparable European legislation and argued that the abuse of such personal data would further divide an already polarized nation. The same article allows great leeway to the board on registering such personal attributes without even seeking the consent of those who get profiled. Article 8 allows the sharing of personal data with third parties without consent by invoking the exceptional powers given to the board listed in Article 6. In other words, Erdoğan’s gang is trying to frame what they had been doing illegally for years within legislative terms in order to avoid legal troubles when they get ousted from power.
Article 9 gives the board sweeping powers on how to share the personal data with foreign countries, suggesting that the Islamists want to control the flow of information to outside in a way that suits them. Major corporations have been protected by the government, setting the cap on the highest fine to TL1 million (some $340,000). The opposition proposed that an additional fine of 1 percent of annual turnover for companies with at least 250 employees should be introduced to better deter violators. But that suggestion was rejected by governing party the AKP’s majority votes in the commission. The government also refused to increase jail terms by 50 percent in the case of board members themselves committing a violation.
Many of the 33 articles in the bill appear to be in line with EU norms, at least at face value. However, the crucial ones are not. Most stakeholders on the bill were invited to attend the debates in the commission in order to give an impression that it was not a solo show by Islamists. Yet neither the opposition’s challenges nor the suggestions made by outside participants have resulted in any change on most critical articles, including Article 21. Using its majority in both hearings held at the parliamentary Justice Commission’s main and sub commissions, the AKP prevented any substantial amendment from succeeding during the vote. The AKP-controlled Justice Commission also gave just one day for the opposition to examine a 137-page draft bill, which prompted an outcry from the opposition deputies.
The bill, as it stands, won’t satisfy the concerns of the European and American governments when it comes to sharing sensitive personal data with Turkey, hampering the effective cooperation of Turkish security and intelligence agencies with foreign ones, including EUROPOL and EUROJUST. This will further complicate Turkey’s troubling coordination on refugee flows to Europe. American and European security services have already developed quite a mistrust for Turkey’s Islamists who have pursued their own clandestine projects with radical groups in other countries. The lack of rigid protection on the safeguarding of personal data will make it worse.
The absence of robust guarantees on protecting personal data will also have quite a negative impact on foreign investment in Turkey. How do you think foreign investors will feel when they see Turkish President Erdoğan spilling the beans on Cansen Başaran-Symes, the chairwoman of the Turkish Industrialists and Businessmen’s Association (TÜSİAD) — Turkey’s wealthiest business club — after Symes’ justified criticism of the government on the rule of law, specifically on judicial independence and impartiality? Erdoğan publicly threatened to expose this woman for what he alleged she had committed as the PricewaterhouseCoopers (PwC) Turkey manager. The next day, pro-government media ran a smear campaign against her by raising claims of tax evasion and money laundering over failed banks in the 2001 home-grown economic crisis.
It is clear that Erdoğan and his associates do not want the protection of personal data for their own critics and opponents. They have no interest whatsoever in establishing a robust legislative and regulatory mechanism to support privacy. The draft bill on the protection of personal data in its current form is a charade and nothing but lip service to the EU and the Council of Europe as the country’s rulers ostensibly try to fulfill the government’s commitments to Turkey’s allies and partners as well as to international conventions.