After decades of delay, on February 18, Turkey ratified the Council of Europe's 1981 Strasbourg Convention for the Protection of Individuals with regard to Automatic Processing of Data.
The start of 2016 has been marked by a flurry of legislative activity with respect to the protection of personal data in Turkey. While the Turkish Parliament is in the final stages of debating the draft Law on the Protection of Personal Data ("Draft Law"), which is expected to be adopted any day now and will be Turkey's first comprehensive data protection law, the Turkish Parliament finally ratified the Convention. The much-anticipated ratification comes more than 35 years after Turkey signed the Convention.
What The Convention Says
Consisting of 27 articles, the Convention was the first, and so far remains the only, legally binding international data protection treaty with global scope (subject to ratification). The purpose of the Convention is to protect every individual, regardless of nationality or residence, against abuses that may accompany the collection and processing of personal data, and to regulate cross-border data flows.
In addition to providing guarantees in relation to the collection and processing of personal data, the Convention outlaws the processing of "sensitive" data on matters such as a person's race, politics, health, religion, sexual life, and criminal record in the absence of proper legal safeguards. The Convention also enshrines individuals' rights to know that information about them is being stored and, if necessary, to have it corrected.
The rights outlined in the Convention can only be restricted when overriding interests (e.g., state security, defense, etc.) are at stake.
The Convention requires Convention parties to take the necessary measures in their domestic laws to give effect to the basic principles of data protection as set out in the Convention. One of the main reasons Turkey had not ratified the Convention until now was that it had failed to take such measures, in particular enacting domestic data protection legislation.
What Turkey's Ratification Signifies
Until now, out of the 47 countries that had signed the Convention, Turkey remained the only country yet to ratify it. Turkey’s ratification of the Convention demonstrates its commitment to enacting a sound domestic data protection law which will provide legal protections for, and sanctions for violations of, the right to the protection of personal data. To date, the Turkish Constitution recognizes the right to the protection of personal data as a fundamental right, but except for a few data protection provisions scattered across other laws, Turkey does not have comprehensive data protection legislation.
The Convention's ratification is further significant as the Turkish Constitution states that in case of a conflict between ratified international agreements concerning fundamental rights and national laws, the provisions of international agreements will prevail. This means the Convention will supersede domestic laws on data protection in case of a conflict.
The Turkish Data Protection Authority, which will be established after the Draft Law enters into force, will be responsible for supervising the application of the Convention in Turkey.
The Convention's ratification is one of the most significant steps taken so far to ensure legal protection of personal data in Turkey, and indicates that the legislative activity will continue apace.
The Draft Law is largely based on the EU Data Protection Directive (95/46/EC) and is expected to be compliant with the rules and standards set forth in the Convention (subject to minor exceptions). However, regardless of the Draft Law's compliance with the Convention, now that the Convention has been ratified by Turkey, in case of conflict, the Convention will prevail over national laws addressing the protection of personal data.