rudi1976 - Fotolia

'Citizens will be stripped naked' by Turkey’s data law

Turkey's data protection law, introduced in March 2016, will make Turkey a near total surveillance state, yet the EU, apparently more concerned about securing Turkey's help in controlling immigration, is turning a blind eye

Turkey’s 80 million citizens have never had a data protection law. For the past few decades, Turks have been safeguarded from unwarranted intrusion only by the country’s outdated constitution, implemented by the military in 1982, two years after its violent and murderous coup.

But in late March 2016, the Turkish government pushed the first data protection bill through parliament, sweeping aside concerns from opposition MPs and human rights groups that it will be used by the state to amass unprecedented quantities of information on its citizens’ private lives.

Turkey’s deal with the EU

The Protection of Personal Data law, which passed 254 to 29 votes in favour on 24 March 2016, is the first of a number of benchmarks the AKP (Justice and Development Party) government hopes to rush through in five weeks before 1 May 2016.

The law is designed to bolster the March agreement with the EU to end Europe’s migration crisis.

In return for Turkey blocking the influx of Syrian refugees to Europe, the EU has promised a €6bn payout and the prioritisation of the country’s Schengen application that will, in turn, allow Turkey to qualify for visa-­free travel in the European Union Schengen Area.

Citizens will be ‘stripped naked before the state’

Drafted by the Ministry of Justice, Turkey’s Protection of Personal Data law applies to Turkish citizens at home and abroad, as well as foreigners residing in Turkey.

It permits the collection of a broad range of information, including “race; ethnicity; political thought and philosophical beliefs; religious affiliation; outward appearance (read: headscarves); membership of foundations, associations and unions; health; sexual life; criminal record; security-related information; and biometrics” (see below: New law enables Turkey to collect highly personal information).

When it comes to protecting the civil rights of Turkish citizens and residents, the legislation is largely ineffective.

Although a central tenet is that “sensitive personal data cannot be processed without the consent of the individual”, in practice a series of exceptions and omissions gives the state free rein to collect and use private data as it chooses.

The bill gives most government departments, including police, intelligence agencies and investigative and judicial bodies, the right to exploit the data for their own purposes, whatever they might be, with little effective oversight.

President Recep Tayyip Erdogan meets German chancellor Angela Merkel. Turkey’s new data protection law is linked to an agreement with the EU to address Europe’s migration problem and expedite visa-free travel for Turkish citizens

Opponents argue that the law as it stands will push Turkey towards a near total surveillance state, with almost no enshrined protections.

“This law is the embodiment of Orwell’s 1984,” said Cemal Okan Yuksel, MP for the Republican People’s Party (CHP), an original member of Justice Commission responsible for designing the draft. “It will lead us to a totalitarian regime. Citizens will be stripped naked in front of the state.”

Turkey’s poor track record in protecting personal data

The bill comes barely a month after the hacking collective Anonymous leaked the entire citizen database held by the General Directorate of Security (EGM), Turkey’s police agency. Now anyone with an internet connection and some coding skills can access the names, addresses, dates of birth and ID numbers of nearly 47 million Turks –­ a potential goldmine for criminals and fraudsters, or even those with more violent intentions.

But even this massive data leak, occurring during the first parliamentary debates, was not enough to inspire AKP lawmakers to impose security requirements on people who handle data, except in the case of the Ministry of Health, which must set up a secure system. Nor are there specific protections for children or vulnerable people.

In another incident in 2014, the Turkish Social Security Institution (SGK) sold patient information on 76 million citizens to Datamed, a private health insurance company owned by ex­-MP Burhan Isen, for £16m, to plug a hole in the department’s budget. The Supreme Court of Public Accounts investigated the sale and deemed it unlawful.

Yet, the law appears to offer wide latitude for the use and potential sale of patient data for reasons that include “protection of public health, medical diagnosis, treatment and services of medical care, also for planning, management and finance of health services”.

Payday for Turkey’s intelligence services

By far, AKP lawmakers’ greatest gift is to the security services, particularly MIT, the country’s chief intelligence organisation. A blanket exception – Article 28 – renders citizens’ rights immaterial when it comes to “protection and intelligence activities related to national defence, national security, public security, public order or economic security”.

Turkish security forces respond to students protesting against Turkish prime minister Recep Tayyip Erdogan in 2013 in Istanbul

Institutions and third parties are compelled to hand over any and all data to intelligence agencies and police without a warrant, and there are no restrictions on how it can be exploited. Citizens are not entitled to know what personal information the security services collect, or how it is used.

The minister in charge of the data protection bill, Bekir Bozdag, told the Turkish Parliament: “If we get rid of the exceptions then it means we will tie the hands and feet of MIT. They won’t be able to do anything. How can an intelligence service that can’t reach its citizens’ information do its job?”

MPs fear the Erdogan regime will exploit law to suppress critics

The fear among MPs and civil rights organisations is that the law will be misused to protect president Recep Tayyip Erdogan’s regime from criticism and challenge. The AKP government has been condemned in recent years for its aggressive rhetoric and attacks on everyone from dissidents to academics, journalists and lawyers.

“MIT is completely exempt from this law. They will be able to do whatever they wish with the data. You know how close the head of MIT is with Erdogan. The data collected by MIT will become a tool for the president to use. This law is very dangerous and objectionable,” said Cemal Okan Yuksel, MP for the CHP.

Dossiers created of human rights group members

Turkey has a history of targeting its Kurdish, Armenian, Alevi, communist, anti­-government and leftist citizens and organisations, creating dossiers on dissidents and their families. Some human rights groups and opposition politicians in Turkey argue that the AKP government made this practice, known as “flagging”, more systemic.

Ozturk Turkdogan, a lawyer and president of the Ankara-­based Human Rights Association, said the new law will legalise the “flagging” of citizens, legitimising surveillance of opposition groups.

Turkey’s intrusive surveillance infrastructure

Turkey already operates one of the most intrusive spying and surveillance infrastructures, ­able to tap phones and conduct deep package inspection on internet traffic, storing it for up to two years.

By law, citizens must provide their official National ID when purchasing SIM cards. Subscriber data is then sent to the General Directorate of Security and held on a database.

The state can, at a moment’s notice and without a court order, block any website deemed a threat to national security, through Turkey’s telecoms regulator, the Presidency of Telecommunication and Communication (TIB). It is a power it uses freely to shut down not only atheist and pornographic websites, but also legitimate journalism and embarrassing revelations.

In December 2013, YouTube and Twitter were temporarily banned to block Turks from accessing leaked telephone recordings allegedly showing AKP ministers, including president Erdogan, fixing public contracts and discussing bribes.

Last year, the TIB censored reports on how MIT funnelled weapons and munitions to fighters in Syria,­ prompting Erdogan to personally file a criminal complaint against the paper’s editor, and journalist, demanding he serve two life sentences.

Their trial started in March 2016, and Erdogan publicly criticised a British diplomat for attending proceedings and taking a selfie with the accused editor.

Teenagers and journalists face trail for ‘insulting’ Erdogan on Twitter

But the sensitivities of Turkey’s president go beyond national security matters and include petty insults on the web.

On 23 February, Turkish authorities boasted that after nine months it had finally identified a citizen they say insulted the president online ­– a crime in Turkey punishable by fines and up to four years in prison.

In the middle of the night, anti-terrorism forces raided the home of a 13­-year-old boy who allegedly called Erdogan a “son of a bitch” on Facebook. They later released him without charge because of his age. The scandal occurred almost one year after police arrested another 13-year-old for insulting Erdogan on Facebook.

These are just two of more than 1,800 criminal investigations opened against citizens, journalists and celebrities accused of disrespecting Erdogan since he became president 18 months ago, after serving nearly 12 years as prime minister, according to figures released by Bozdag.

Gezi Park – where Turkey’s clampdown began

Although advertised as a device to ensure Turkey obtains its coveted Schengen Agreement, it is only the latest in a number of authoritarian surveillance and anti­-terrorism laws introduced over the past few years, largely stemming from concerns over the civil unrest of the Gezi Park protests that swept the country in the summer of 2013.

Gezi Park protests in Istanbul. Turkish protestors clash with police under excessive use of violence and tear gas, turning a small demonstration into a national uprising

The demonstrations were the first serious public threat to Erdogan’s rule. The state responded by granting almost limitless power to the police and security services, who are now able to search and arrest citizens without cause and use deadly force against protesters more freely.

Part of a legislative package introduced in 2015 was a secret discretionary fund for the president to conduct covert security operations.

EU turns a blind eye

The EU, likely not wanting to risk the refugee deal by upsetting the country’s leaders, ­and Erdogan in particular, has conspicuously ignored the creeping authoritarianism of the Turkish state.

The EU has yet to officially comment on the Protection of Personal Data bill, but MPs and human rights organisations argue that law, written without reference to Turkey’s constitution, EU or human rights commissions, fails to comply with EU standards as set out in Europe’s Data Protection Directive, soon be replaced by the upcoming European General Data Protection Regulation.

The Human Rights Association’s Turkdogan said it had previously submitted critical consultation papers when the Turkish government tried to pass almost identical legislation in 2008 and 2014. This time, its own and other dissenting voices were shut out.

Protection of Personal Data law enables Turkey to collect highly personal information

Personal information includes: Name, surname, date of birth, place of birth, physical/family/economic/social/psychological characteristics of a person, ID info, tax, social security numbers, phone numbers, passport info, CV, photo, visual data, voice records, fingerprints, genetic information.

Sensitive personal information includes: Race, ethnicity, political thought, philosophical beliefs, religious sect or other beliefs, outward appearance, membership of foundation/association/union, health, sexual life, criminal record, security-­related information and biometric information.

Read more on Privacy and data protection

CIO
Security
Networking
Data Center
Data Management
Close