Personal data of nearly 50 million Turkish citizens leaked online and this intensified the debates on personal security. According to information technology law experts, Protection of Personal Data Law proposed by the government for solving the security problem will create a legitimate ground for government to use “sensitive data”.
Personal information of 49.611.709 Turkish citizens leaked online. This is the major leak that happened so far. In the leaked database, there are information including passport numbers, identity numbers, names, surnames, parents' names, sex, date of birth, date of place and residential address of the citizens.
It is estimated that this information is from 2008 and it is leaked from some governmental institutions. The database appeared to be published by an Icelandic group using servers in Romania. They also shared a note with the database: “Who would have imagined that backwards ideologies, cronyism and rising religious extremism in Turkey would lead to a crumbling and vulnerable technical infrastructure?”
The statements made by government officials after the breach started a debate about the responsibility of the state in protection of the personal data.
Minister of Justice Bekir Bozdağ said he doesn't know the source of the data, but he pointed at the Supreme Election Committee by saying that the number is close to the number of voters in Turkey. Minister of Transport, Maritime and Communications Binali Yıldırım said that the leak is not new and they have known about this issue. Ankara Chief Public Prosecutor's Office started an investigation.
“The state is responsible”
According to information technology law experts, the state has the legal responsibility about the security breach, since it has the responsibility to protect the personal data. Working on data protection and internet law, lawyer Serhat Koç said that the state is responsible for the breach, because it failed to fulfill its obligation to protect the data. “There is a report that was taken from State Supervisory Council during Abdullah Gül's presidency. In this report, it is stated that the governmental institutions breach the personal data, fail to protect its own data and there are serious problems. It seems that nothing changed since then.”
There are some legal procedures that the citizens whose personal data is leaked can initiate. Koç said, “An administrative action can be filed against the institutions that are thought be responsible for the leak and compensation can be demanded from them. These institutions might be Directorate of Population and Citizenship Affairs, Social Security Institution (SGK) or Supreme Election Committee (YSK). As far as we know, information obtained from YSK is combined with a database from SGK. It is also possible to file a lawsuit against individuals who leaked the data. A criminal action can be filed upon the related articles of Turkish Penal Code.”
“Personal data of 8 millions citizens on Official Journal”
Information technology law expert Gökhan Ahi reminded that Ministry of Health sold the patient records and Council of State found the ministry faulty. Stating that Ministry of Education also sold the parents' data to private companies, Ahi said that, in daily life, we found ourselves in some situations that enable the leaks: “When we enter a building, we leave our identity cards to security staff. We have no idea how our identities are secured. We give the copies of our identity cards to telecommunication operators, couriers and training centers. In 2008, the state itself published the personal data of 8 million citizen on Official Journal as the list of the payments for housing support.”
“Sensitive data exception”
While the debates on personal data leak continue, Protection of Personal Data Law that Minister of Justice Bekir Bozdağ mentioned may give rise to new debates. In the law that was passed by the parliament on March 24, there is a part which states that personal information like race, ethnicity, political view, philosophical belief, religion, sect and union membership, which are defined as sensitive data, “can be processed without the express consent of the individuals, when some situations stated in the laws require.” Lawyer Serhat Koç thinks that the law is not about protection. “In the law, there are serious exceptions about sensitive data. In situations like the protection of public interest, there is total exception. This law is not about the protection of the personal data. I think that an action of annulment will be filed to the Constitutional Court.” If the law goes into effect, processing the sensitive data without consent, which has penal sanction according to Turkish Penal Code, wouldn't be considered as an offense “under certain circumstances”.