Turkey: More Than Ticking Boxes, Adopting Privacy by Design Approach
As the news emerge regarding the International Organization for Standardization adoption of ISO 31700 on privacy by design in February 2023, an overview of the concept Privacy by Design from the Turkish Data Protection Law perspective seems integral to understand how the future privacy-friendly product designs will transpire.
It is globally recognized now that consumers are becoming more aware of how their data is used and that, now more than ever, they value their privacy.[1] Thus, creating privacy-friendly products, services and processes is becoming more than a regulatory compliance issue, it is becoming an “it factor” for consumers, which puts Privacy by Design into the spotlight for product developers.
Privacy by Design
The Concept
Privacy by Design is a globally recognized concept and a legal obligation under the General Data Protection Regulation (“GDPR”). The term Privacy by Design essentially means implementing data protection measures in early development stages of any product, service, or project.[2] As a key principle, Privacy by Design is rather a large concept encompassing other obligations under the GDPR. There are many definitions for Privacy by Design such as The Information Commissioner’s Office’s definition, “approach that ensures you consider privacy and data protection issues at the design phase of any system, service, product or process and then throughout the lifecycle”[3] and Ireland’s Data Protection Commission’s description “embedding data privacy features and data privacy enhancing technologies directly into the design of projects at an early stage. This will help to ensure better and more cost-effective protection for individual data privacy.”[4]
Privacy by Design is a principle, an approach which data controllers should internalize and implement as a culture because there is no one size fits all formula for data protection measures and considerations for developing services, products, or processes with all the encrypted laws which most non-lawyers do not understand.
Turkish DPL Perspective
The Turkish Data Protection Law numbered 6698 (“Turkish DPL”) is the main legislation regarding the protection of personal data which was adopted in line with the rules and principles under the GDPR. However, within the Turkish DPL, there are no direct references to principles such as Privacy by Design or any guidelines regarding the topic.
Although there are no explicit rules regarding Privacy by Design, the data processing principles under the Turkish DPL and decisions published by the Turkish Data Protection Board (“Board”) strongly suggest that data controllers should always consider Privacy by Design principle. Below is why:
Turkey: Reflections of Privacy by Design on Principles and Board Decisions
Data processing principles are set forth under the 4th Article of the Turkish DPL and further elaborated by the Turkish Data Protection Authority (“Turkish DPA”) in its publication on how these principles should be interpreted.[5]
An analysis of the Turkish DPA’s views on these principles indeed clearly indicate that data controllers should consider privacy and data protection in every step of product/project development, a.k.a. adopt Privacy by Design.
In its Publication regarding these principles, the Turkish DPA states the following: - Data controllers must pay regard to interests and reasonable expectations of data subjects whilst achieving their objectives on data processing. - If certain decisions are made regarding data subjects’ processed data, data controllers have active duty of care with regards to data they are processing. - Data collection must be done with valid purposes and legal grounds. Therefore, data controllers must determine data processing purposes clearly and accurately. - Data collected should not be processed for future possible purposes. |
In addition to Turkish DPA’s views on data processing principles, it is observed that the Board Decisions regarding web sites, mobile apps and similar projects reflect the need to adopt Privacy by Design as a principle. Although not directly mentioned, the facts of cases regarding data processing activities show that the failure to comply with the law stems from the failure to consider privacy and data protection implications from start to finish of product/project development.
An example of the Board’s Decision regarding a personal data processing activity on a mobile app that provides mobility services[6]: Following a complaint from a data subject regarding the mobility service mobile app’s feature which allows drivers to rate riders, the Board found that the privacy policy did not include information regarding the processing activity and such processing activity was unlawful. |
This Decision for instance highlights how a significant mobile app feature was created without considering data protection implications from the creation of a feature, which resulted in removing the feature of the app that the business invested in, and of course, an administrative fine.
In another Decision regarding a web site which provides an IMEI number inquiry form for users which reveals personal data of other users by changing only two digits of inquiry numbers[7]: The Board concluded that the company providing the web site did not take necessary technical measures to prevent other users from accessing other users’ personal data and the Board ordered the company to close the inquiry form, halt the data processing activities, and change the inquiry system entirely. |
In both decisions the core issues at hand are with regards to lack of implementation of data protection principles in products, a mobile app and a web site service. Although, the law is clear on how to legally process personal data, the practical failures of implementation and failure to adopt Privacy by Design as a culture resulted in both business’ operations to end for certain services.
Conclusion
As Privacy by Design gains momentum with the adoption of ISO 31700, international community of product developers and businesses shall undoubtedly even pay more attention to how their products, services or processers will live up to consumers’ standards. Without explicit rules on Privacy by Design in Turkey, it is expected that the Turkish DPA and the Board will surely recognize and take action regarding the issues stemming from lack of data protection considerations whilst developing processes.
[1] Consumers Want Privacy, Marketers Can Deliver, https://www.bcg.com/publications/2022/consumers-want-data-privacy-and-marketers-can-deliver
[2] Privacy by Design, https://gdpr-info.eu/issues/privacy-by-design/
[3] Guide to the UK General Data Protection Regulation, ICO, https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-governance/data-protection-by-design-and-default/#dpd3
[4] Data protection by Design and by Default, https://www.dataprotection.ie/en/organisations/know-your-obligations/data-protection-design-and-default
[5] Main Principles of Processing Personal Data, Turkish Data Protection Authority, https://www.kvkk.gov.tr/SharedFolderServer/CMSFiles/32ff74f6-9798-405a-b3d2-b42d28423fde.pdf
[6] Personal Data Protection Board’s Decision dated 27/10/2020 and numbered 2020/65 regarding “personal data processed in scope of a mobile app providing mobility services”
[7] Personal Data Protection Board’s Decision dated 05/03/2019 and numbered 2019/52