Technical ReportPDF Available

Cross-Border Data Transfers and Data Localization



This paper offers an introduction to the debate on data transfers and localization, why companies store data and how regulation-versus-localization shape the debate on data transfers. Then, it discusses more technical aspects of how governments regulate data transfers, why they want to localize data and the pitfalls of overregulation in data management. Finally, we look at the specifics of Turkey’s data localization requirements for foreign companies and how the recently passed law on personal data protection falls short of addressing Turkey’s data policy needs. We argue that the only way forward for Turkey is to adjust its data protection law into a more democratic, transparent and technocratic code, with a special emphasis on freedoms, rather than surveillance intent.
EDAM Cyber Policy Paper Series
Data Transfers and
Data Localization
June 2016
Asst. Prof. H. Akın Ünver
Board Member, EDAM
Faculty Member, International Relations,
Kadir Has University
Grace Kim
Research Assistant, EDAM
In March 24, Turkish Parliament approved the Law
on the Protection of Personal Data, which was put
into eect by April 7. e much debated law entered
into eect with profound problems, most notably in
aspects such as the denition of personal data, a broad
list of exceptions to the law and the composition of
the Personal Data Protection Board as a political body,
instead of a technical one. Most recently, the e-money
operator PayPal withdrew from Turkey, citing incom-
patible regulatory requirements, the most important
of which was data localization.
is paper oers an introduction to the debate on data
transfers and localization, why companies store data
and how regulation-versus-localization shape the de-
bate on data transfers. en, it discusses more techni-
cal aspects of how governments regulate data transfers,
why they want to localize data and the pitfalls of over-
regulation in data management. Finally, we look at the
specics of Turkey’s data localization requirements for
foreign companies and how the recently passed law
on personal data protection falls short of addressing
Turkey’s data policy needs. We argue that the only way
forward for Turkey is to adjust its data protection law
into a more democratic, transparent and technocratic
code, with a special emphasis on freedoms, rather than
surveillance intent.
e history of trade evolves around means and meth-
ods that render the transfer of goods and services in
the most ecient way possible. During the Silk Road
period for example, the development of the idea of a
caravan – a mutually supporting group of traders and
journeymen – substantially improved the economies
of scale in trade and allowed luxury goods to reach
parts of the known world that they otherwise never
could. en the invention of sailing and the rise of
merchant ships substantially increased the volume of
goods being transferred to an even wider geography.
A single early-medieval cargo ship for example, could
transport three times more goods than a 500-camel
caravan across the Silk Road. In response, not only
did the scale of trade and size of the economies of
the known world expand, but the center of gravity
for world trade also changed, leading to the rise of
new powers. In the subsequent centuries, inventions
of more ecient methods of sailing, of ight, and of
steam engines all contributed to globalization, the
expansion of trade, and the rise and demise of world
Likewise, the rapid development of digital technology
has revolutionized the way the world approaches in-
ternational trade. e costs and prots associated with
transferring data have skyrocketed as digital technol-
ogy becomes more aordable and omnipresent. Some
gures estimate that the value of European citizens
personal data will grow to nearly €1 trillion annu-
ally by 2020.1 In a highly computerized and digitally
interconnected world, not only are goods and services
(such as ordering, cataloging, and record-keeping)
handled electronically, but the goods and services
themselves (software, e-consultation and download-
able products) can be digitally transferred, reducing
the time spent between purchase and ownership to
1 15-3802_en.htm
an instantaneous click. Today, almost all business
transactions, whether they are online or oine, rely
on some form of digital management that may come
in the form of inventory records, order status tracking
information, or employee data. is type of data is
transmitted within, between, and among companies,
sometimes with the aid of a third party data processor.
While digital technology has facilitated the rise of a
number of large-scale and highly protable technol-
ogy companies, the plethora of digital management
options have also made it easier, faster, and cheaper
for small and medium-sized enterprises (SMEs) to
operate on a daily basis and eventually scale their busi-
nesses to reach a larger customer base. When top-level
legislative agreements are scrutinized and even invali-
dated, SMEs are the hardest hit. For example, when a
European court struck down the EU-US Safe Harbor
Agreement in 2015, it doomed thousands of Ameri-
can businesses into legal limbo for several months as
SMEs struggled to determine whether or not their
business practices that involved sending, processing, or
storing data on EU citizens were illegal.
e speed of data transfers across the Internet contin-
ues to increase. As companies and individuals develop
even faster and more ecient ways of facilitating
international digital transfers, the need to agree on a
uniform method of regulating the countless number
of cross-border data transfers becomes even more
pressing. e debate over how to regulate interna-
tional data transfers brings with it a host of other
salient topics that are important to consider, such as
how to store, process, and access large volumes of data
from anywhere in the world. is paper will focus on
European data legislation and how data privacy and
transfer standards in countries like Turkey and the
United States measure up to them.
Every time a credit card is swiped at a store, a plane
ticket is purchased, or a GPS navigation device is used,
personal data is transferred. As everyday transactions
in business, politics, and our personal lives become
increasingly dependent on digital technology and the
Internet, our personal information becomes more
widely available and, therefore, increasingly vulnerable.
Giving away personal information like full names,
birthdates, addresses, and phone numbers to un-
known third parties has been normalized to the point
where we no longer think twice about volunteering
our personal information when prompted to online.
Whenever someone creates an account on a social net-
working website or downloads a messaging app onto
their smartphone, they are not only sharing private
information with the people they connect with but
also giving companies’ the right to store and use their
private information as outlined in their user terms and
Companies engaged in cross-border data transac-
tions transport data from one point to another, often
using multiple nodes of data transit points scattered
throughout the world to relay the information in
the process. e Internet automatically locates and
funnels data through the closest available data node,
switching directions and transferring packets of data
in seconds. ese data nodes are located in dierent
countries and are shared by Internet users all over
the world. Because origin and destination points are
scattered across every corner of the globe, one single
piece of legislation cannot account for all the neces-
sary measures that need to be in place in order to
enforce the protection and privacy of transferred data.
However, having disjointed or overlapping legislation,
especially when dealing with an issue with drastic
international repercussions, further exasperates the
already dicult problem of trying to gure out a way
to deal with the novel challenges of handling data and
emerging digital technologies.
e safe and secure storage of data is just as important
as the safe and secure transfer of data. As data trav-
els from Point A to Point B, data handlers must also
ensure that personal data stays private before, dur-
ing, and after the transfer. Recently, a hacking attack
published the personal information of about 50 mil-
lion Turkish citizens, more than half of the country’s
population, exposing national identication numbers,
addresses, and phone numbers, which the Associated
Press veried.2 Although the highly sensitive nature
of Turkish national ID numbers, the equivalent of
US social security numbers, should have raised more
than a few eyebrows within the Turkish government,
members of the Turkish government tried to down-
play the gravity of the data breach and instead seemed
to chide journalists reporting on the hack instead.3 In
the words of Binal Yildirim, the Turkish Transporta-
tion, Communication and Maritime Aairs Minister,
“is is a very old story. A similar allegation was made
in 2010. e issue is brought to the agenda from time
to time. It is now being served like a new story. ese
outdated reports are not newsworthy.4
ese unconcerned reactions by the government often
mislead the general population about the dangers of
data privacy breaches. By downplaying the severity of
the consequences of privacy violations, average citi-
zens remain unaware of how rampantly and frequently
their personal data is exposed. In addition, people do
not fathom how much they rely on digital technology
to go about their daily lives. Perhaps, because of this
2 turkey-breach- spills-info-
allegedly- containing-id- numbers-of-50m-turks- posted-online
4 calls-massive-
data-leak- report-an- old-story.aspx?PageID=238&NID=97321&
lack of awareness, people are generally loath to organ-
ize and demand greater privacy protections from their
political leaders.
ere are numerous sectors that illustrate how vital
data transfers are for business and personal health.
One key sector is that of digital medical devices,
which store personal and health data for diagnostic
and treatment purposes. For example, devices that
are too large to transport for repairs and maintenance
need to be accessed by authorized repair personnel
remotely, gaining access to the personal and health
data of patients who depend on these medical devices.
Storing such sensitive information about patients is
often viewed with suspicion as the engineer or repair
crew handling medical device repairs are usually not
legally authorized to access such sensitive data.
In more extreme cases, patient data can be leaked or
sold to the pharmaceutical industry for marketing
and research. Such an extreme case in Turkey was
recently covered by the press, whereby Turkish Social
Security Institution (SGK) sold a large volume of
personal medical data stored in the Medical Tracking
System, the centralized state database on medical dose
and coverage of patients, to a private pharmaceuti-
cal company called Datamed, which belonged to a
former member of parliament. Although the legal case
was rejected by the court, the evidence provided to
the court, namely the Court of Auditors audit report,
validated the sale of medical data to private third party
Another controversial sector pertaining to the stor-
age of and access to sensitive data is the energy sector.
International Oil and Gas Companies (IOCs) collect
and store geographic and geopolitical data on a large
number of pipeline, upstream, and downstream facili-
ties in order to optimize their exploration, extraction,
and export operations. e ability to conduct proper
assessments requires storing and processing data on to-
pography, climate, politics (i.e. cases of riot, attack or
sabotage), and key technical data that belong to other
countries. is begs the question of whether such key
strategic data should be accessed or stored by private
companies and how privacy protection safeguards can
prevent these companies from selling such informa-
tion to other third parties or foreign intelligence agen-
cies that originally were not the intended recipients of
such data.
Similar debates occur in the insurance sector, where
foreign insurance companies store and process the
data of beneciaries in other countries. Insurance
companies usually cite the need to back up beneciar-
ies’ personal data in a secondary location abroad to
ensure ecient processing of data and the physical
protection of the data. In other words, if indigenous
data centers are harmed physically, such as through
natural disasters like hurricanes and tornadoes, data
redundancy ensures that copies of the same informa-
tion are readily available to access at other locations.
ese and many more cases of data processing and
storage brought about the need for governments to
step in and establish certain rules and regulations.
Such intervention served two purposes: one, to protect
citizens’ privacy, and two, to protect sensitive national
data that may be dened as ‘strategic data.’ e debate
on restriction versus freedom of data ows is polarized
along two lines. e rst is that governmental restric-
tions are necessary to prevent abuse and mishandling
of such data, preventing privacy abuses and ensuring
protection of sensitive strategic data. e second is
that excessive governmental restrictions on data ows
impair business speed – just like how high taris and
excessive border controls stie trade – and hurt a
countries’ business competitiveness. Indeed, compa-
nies that feel too much intrusion into their handling
of data will be inclined to move their businesses to
countries where they have more conducive environ-
ments in terms of collecting, processing, and storing
data. To that end, restrictions on data ows have a
direct impact on business and investment.
More detailed and
complex set of laws and
regulations that aim to
protect privacy and
minimize abuse, without
imposing localization
Main Arguments Criticism
Private companies are not the only ones that may
abuse or mishandle personal data of citizens. Per-
haps an even more important question is how much
personal data governments should collect, store, and
process on their citizens and what kind of legal pre-
cautions should be taken to protect privacy. In order
to render citizenship services, bureaucracy, and secu-
rity more ecient, governments have also begun col-
lecting, storing and processing citizens’ personal data,
such as address, national identity, nancial, and legal
background information.
e rationale, scope, and legal framework for data col-
lection are widely disputed among countries. However,
many also wrestle with whether countries that lack the
sucient technical infrastructure to protect citizens
from cyberattacks should be collecting personal data
on their citizens in the rst place. For example, in
February 2016, the hacker group Anonymous released
a large database under Turkey’s General Directorate of
Security, intending to punish the Turkish government
for its human rights abuses. e 18 gigabytes of data
that was subsequently released contained a substantial
volume of personal data on Turkish citizens as well.
One of the oldest debates in politics, freedom-versus-
security, is perhaps more relevant today in the debate
between government surveillance versus individual
privacy. Since the 1990s, a growing number of coun-
tries have adopted data protection and privacy laws
or regulations, although commonly shared denitions
for personal data, data collection, and data processing
dier, rendering these laws incompatible and geared
towards disparate outcomes. An important analyti-
cal problem arising from these dierences is how to
approach the issue of data collection. How much data
should be collected by the governments and private
companies and which legal and ethical constraints
should be imposed upon them to prevent collection
and processing abuses?
Moreover, who does data belong to? Governments,
companies, even computer games collect and store
personal data, which in turn, can be accessed, pro-
cessed, and stored surreptitiously by government sur-
veillance agencies. While the digital age has brought
about new freedom frontiers and liberty zones for
citizens, it has also provided governments with better
tools to respond positively or negatively to the grow-
ing scope of electronic liberties. e emergence of
multiple data collection bodies and institutions and
their overlapping and sometimes competing data stor-
age policies bring in the question of what happens if
personal data is lost, damaged, or misused? Although
countries approach this question individually, as is
their sovereign right, data ownership is usually divided
between three legal fronts: copyright, condential-
ity, and contract. Data copyright implies intellectual
property, assigned automatically to the creator, and
prevents unauthorized copying and publishing of an
original work. Data condentiality is dened by the
United Nations Economic Commission for Europe
(UNECE) as ‘a property of data, usually resulting
from legislative measures, which prevents it from
unauthorized disclosure.5 Finally, a data contract, as
dened by Microsoft, is ‘a formal agreement between
a service and a client that abstractly describes the data
to be exchanged. A data contract precisely denes, for
each parameter or return type, what data is serialized
(turned into XML) to be exchanged.’6
Regardless of the source or purpose of the stored data,
emerging markets like Turkey must align their data
protection legislation with the standards of their trad-
ing and political partners. As a European country and
aspiring EU member, Turkey must shape its laws to t
the mold of Europe. With the Law on the Protection
of Personal Data newly ratied by parliament, Turkey
is starting to take steps toward reforming its outdated
or nonexistent data protection laws to better respond
to the challenges of the 21st century.
A mix of international, regional, and national leg-
islation regulates data transfers within and across
international borders. Perhaps the most notable piece
of legislation is the Organisation for Economic Co-
operation and Development (OECD) Guidelines on
the Protection of Privacy and Trans-Border Flows of
Personal Data (1980). e OECD Guidelines were
the rst international attempt at tackling the issue of
data privacy, guaranteeing privacy rights to individuals
and contains details on the collection, processing, and
dissemination of data for international data transfers.7
“Principle-based and technology-neutral,” the OECD
adopted the guidelines after recognizing the impor-
tance of personal information in the global economy
and over concerns of the potential impact of emerging
computer technology.8
For over a decade, the European continent speci-
cally has adopted a number of regulatory mechanisms
to address the issue of data privacy and data trans-
fers, which arguably are the most stringent of privacy
protection measures existing today. e Council of
Europe Convention for the Protection of Individuals
7 pg. 3
with regard to Automatic Processing of Personal Data
(1981) was the rst binding international instrument
that protected individuals against abuses accompany-
ing collection and processing of personal data. As the
Conventions summary states, “is Convention is the
rst binding international instrument which protects
the individual against abuses which may accompany
the collection and processing of personal data … In
addition to providing guarantees in relation to the col-
lection and processing of personal data, it outlaws the
processing of ‘sensitive’ data on a persons race, politics,
health, religion, sexual life, criminal record, etc., in
the absence of proper legal safeguards.9
en, in 1995, the EU Data Protection Directive
went into force, setting up “a regulatory framework
which [sought] to strike a balance between a high level
of protection for the privacy of individuals and the
free movement of personal data within the European
Union.10 e Directive protects data subjects, or the
people whose personal data are being processed, from
unlawful and unfair use of their personal data. Data
subjects are allowed three rights: the right to obtain
information, the right of access, and the right to ob-
ject. ese rights gave EU citizens the right to obtain
information about their own personal data being
processed by data controllers, the right to access their
own personal data, and the right to formally object
when they felt that their personal data was being pro-
cessed unfairly and unlawfully. e Data Protection
Directive allowed Member States to transfer personal
data to a third country with an “adequate level of
In addition, the European Charter of Fundamental
Rights (2000), legally binding to all EU member
9 Council of Europe, “Details of Treaty No.108”
10 “Protection of Personal Data,” European Union, accessed 18 April 2016.
11 Ibn al.
states, specically protects rights to privacy, data
protection, and eective judicial remedy in the case of
wrongdoing. After the Lisbon Treaty went into eect
in 2009, data protection became a fundamental right,
further cementing European privacy laws against
government proclivity for loosening privacy protec-
tion mechanisms in favor of more invasive security
In 2000, the EU and the US agreed on the Safe Har-
bor Agreement, which provided the “adequate level of
protection” necessary for data to be legally transferred
between EU Member States and the US. Given the
crucial political and economic alliance between the
United States and the European bloc, this agreement
served as a vital method for thousands of American
and European businesses to legally export data on Eu-
ropean citizens to the US. Aspiring to become a single
digital market, the EU negotiated the Safe Harbor
Agreement to serve as a “one stop shop” for companies
to get information on how to conduct data transfers
in line with EU laws.12
After the National Security Agency government leaks
in June 2013, however, the US and its companies
came under great scrutiny after the leaked documents
showed evidence of ongoing mass government sur-
veillance programs. Among the documented surveil-
lance activity, several instances of the US spying on
close European allies like Germany and the United
Kingdom emerged. In response, the European Court
of Justice invalidated the Safe Harbor Agreement in
October 2015, citing that it did not provide adequate
privacy protection for the 500 million citizens of the
European Union. e ensuing uncertainty left over
4,000 American and European businesses in the dark
on whether they could continue transferring data on
their clients and users from Europe to the US.13
european-court- declare-invalid-data-protection
13 us-
data- collection.html?_r=0
For the next two years, European and American
privacy experts and lawmakers negotiated the terms
of a revised data privacy agreement that would serve a
similar function to the Safe Harbor Agreement, albeit
with a few additions. In February 2016, the Article
29 Working Party, a group of data protection author-
ity representatives from all 28 EU Member States,
presented the EU-US Privacy Shield Agreement that
would serve as the new standard upon which EU citi-
zen data could be exported to the US.
Two major provisions exist in the Privacy Shield
Agreement that European leaders felt were not suf-
ciently guaranteed in the now defunct Safe Harbor
Agreement. e rst was greater limitations placed
on US intelligence agencies regarding the collection
of personal data in intelligence gathering operations.
Because the NSA leaks showed that the US was spying
even on close allies in Europe such as Germany, public
outcry against government surveillance reverberated
throughout the European continent, leading the coun-
tries’ leaders to call for stricter measures to protect
EU citizens against the US’s intelligence gathering
operations. e Oce of the Director of National
Intelligence explicitly assured in Privacy Shield “that
any access of public authorities for national security
purposes will be subject to clear limitations, safeguards
and oversight mechanisms, preventing generalized ac-
cess to personal data.”14
e second major addition to the Privacy Shield
Agreement was a formal system of judicial redress for
EU citizens who felt that their personal data was being
improperly handled. First, the US government will
create an independent ombudsman within the De-
partment of State who “will follow-up complaints and
enquiries by individuals and inform them whether the
relevant laws have been complied with.15 Companies
14 16-433_en.htm
15 Ibn al.
must resolve complaints received from EU citizens
within 45 days. If not, EU citizens have the right to
go directly to their national data protection authori-
ties, who will then work with the US Federal Trade
Commission to investigate and resolve privacy protec-
tion complaints. All of these mechanisms of judicial
redress will come at no cost to the individual ling the
To further ensure that the Privacy Shield Agreement
stays up to date, the European Commission, the US
Department of Commerce, and national intelligence
experts from the US and European Data Protection
Authorities will conduct annual reviews to ensure
that the existing agreement suciently protects EU
citizens without obstructing the work of law enforce-
ment and national security agencies. Moreover, an-
nual privacy summits with relevant NGOs and other
stakeholders will be held “to discuss broader develop-
ments in the area of U.S. privacy law and their impact
on Europeans.16
In lieu of the EU-US data transfer agreements, how-
ever, companies could still continue business as usual
through other means, such as through binding cor-
porate rules (BCRs) and model contractual clauses
(MCCs). Binding corporate rules are “internal rules
(such as a Code of Conduct) adopted by multination-
al group of companies which dene its global policy
with regard to the international transfers of personal
data within the same corporate group to entities
located in countries which do not provide an adequate
level of protection.17 In other words, they are compa-
ny-specic arrangements that allow for the transfer of
data from Europe to countries like the United States
according to the principles laid out in the Data Pro-
tection Directive of 1995.
16 Ibn al.
17 29/bcr/index_
Additionally, the EU aords two sets of standard con-
tractual clauses for data transfers from EU data con-
trollers to non-EU data controllers and for data EU
data controllers to non-EU data processors.18 However,
because BCRs and MCCs are so time-consuming and
costly, only big companies with substantial resources
are able to use them. For this reason, it is usually small-
and medium-sized businesses that are most disad-
vantaged by the invalidation of agreements like Safe
Harbor and Privacy Shield.
A number of ongoing negotiations and revised legisla-
tion are in the pipeline in Europe. In December 2015,
the European Commission, European Parliament, and
European Council agreed upon the General Data Pro-
tection Reform, which unied fragmented legislation
across dierent countries and sectors into a single legal
framework that would form the basis of European
data protection regulations if formally adopted.19 e
reform is comprised of the General Data Protection
Regulation and the Data Protection Directive and
took three years of negotiations over its wording and
content. e European Council and the European
Parliament then formally adopted the updated version
of the Regulation and Directive in April 2016, and
both will go into eect two years later in 2018.
e Reform gives law enforcement agents one sin-
gle reference point to access and protect the data of
victims, witnesses, and suspects in criminal investiga-
tion cases. Phil Lee, a law rm partner at Fieldsher
familiar with European data protection laws, said,
“is is the most signicant development in data pro-
18 transfers/
19 European Commission, “Agreement on Commission’s EU data protec-
tion reform will boost Single Digital Market,” 15 December 2015, http:// 15-6321_en.htm
tection that Europe, possibly the world, has seen over
the past 20 years. Forget Safe Harbour and Right to
be Forgotten – this is much, much more signicant.20
Furthermore, in an eort to give Europeans better
control over their own personal data, companies are
now required to notify individuals when their data has
been hacked and must grant a “right to be forgotten
for European citizens under the new reform.21 is
meant that when EU citizens no longer wanted their
data to be processed and no legitimate grounds for
retaining their personal data existed, the data specied
would be deleted.22
A much-needed push to consolidate data legislation
and information, the General Data Protection Reform
also addresses data privacy in relation to small and
medium enterprises (SMEs). Because the Reform ap-
plies to all 28 EU member countries, the streamlined
and easy-to-access data privacy laws are aimed at facili-
tating cross-border trade and economic development.
EU Commissioner for Justice, Consumers and Gender
Equality Vera Jourova said, “Citizens and businesses
will prot from clear rules that are t for the digital
age, that give strong protection and at the same time
create opportunities and encourage innovation in a
European Digital Single Market. And harmonized
data protection rules for police and criminal justice
authorities will ease law enforcement cooperation
between Member States based on mutual trust, con-
tributing to the European Agenda for Security.”23
e Privacy Shield Agreement is pending ocial
adoption. After the Privacy Shield Agreement was
draft-text- pan-european- data-privacy-rules
21 European Commission, “Questions and Answers: Data protection
reform,” 21 December 2015,
22 15-3802_en.htm
23 European Commission, “Agreement on Commission’s EU data protec-
tion reform will boost Single Digital Market,” 15 December 2015, http:// 15-6321_en.htm
announced in February 2016, the Article 29 Work-
ing Party, the group of data protection authorities
from all 28 EU countries, examined the agreement
for two months before releasing their opinion in April.
Regarding the Privacy Shield Agreement as it is, they
applauded the improvements made to the agreement
compared to Safe Harbor but still cited concerns over
bulk intelligence collection programs and the inde-
pendence and ecacy of the ombudsman.24 Although
the group’s opinion is not legally binding, they still
hold great inuence over European legislators who
will have to make a decision on whether or not to
adopt the Privacy Shield Agreement in the coming
Turkey’s data protection legislation negotiations with
the European Union began in 2003, when the EU
Accession Partnership Document rst emphasized the
matter as a prerequisite for membership. Although
adopting this criterion into the EU Accession Nation-
al Programme, Turkey did not pursue the matter and
draft legislation. e issue re-emerged in 2014, largely
out of the need to co-operate with the EU legal and
police institutions EUROJUST and EUROPOL, fol-
lowing the intensication of the Syrian refugee crisis.
In addition, the EU 2013 Progress Report had criti-
cized the lack of a dedicated data protection law in
Turkey that would enable better cooperation between
Brussels and Ankara. A specic source of criticism was
that Turkey had adopted a Cyber Security Council
and a National Cyber Security Strategy and Action
Plan, yet had taken no steps on the protection of per-
sonal data and e-commerce regulations.
e December 2014 ‘Draft Law on the Protection
of Personal Data’ along with its revised 2016 version
24 working-party- verdict-on-
privacy-shield- data-transfer-mechanism-2016- 4
have been analyzed in depth in a previous EDAM
Report.25 EDAM’s main criticism of both versions
of the draft law was the fact that the proposed Data
Protection Council would be substantially short of
fullling the requirements of independence and would
eectively be a political – rather than technical – body.
Furthermore, the draft law had too many exceptions
to the limit of the government’s collection, processing
and storage of personal data, eectively falling sub-
stantially short of a reform document.
Before the proposed ‘Draft Law on the Protection of
Personal Data’, there were several existing laws that
refer to the collection and use of such data. Primarily,
the Turkish Constitution, following the amendments
of 2010, has rendered the protection of personal
data a part of individual rights, introducing restric-
tions to the state’s ability to record and process such
data. Such specic Articles of the Constitution are 17
(general acknowledgement of the individual’s right
of ‘living, protection and improvement of his mate-
rial and spiritual being’) and 20 (acknowledgement
of the right to ‘request the protection of data’, includ-
ing correction and deletion of such data). In Turkish
Civil Code on the other hand, Articles 23, 24 and 25
guarantee personal rights, although those that are not
specic to online identity or data rights. e Code of
Obligations (Law 6098) refers mostly to the nancial
aspect of data use, as its Article 419 renders employ-
ers responsible of their employee’s personal data on
performance and qualications. Finally, the Criminal
Code Articles 134 (violating secrecy of private data),
135 (illegal recording of data, violation of data collec-
tion law, data collection without consent), 136 (trans-
fer and dissemination of personal data) and 138 (data
deletion policy and failure in deletion). In addition,
the Law on the Right to Access Information allows a
degree of access to certain institutional, personal and
governmental data, with explicit restrictions on secret
ere are also sector-specic laws on data protection
such as Regulation on Procedures and Principles of
Broadcasts via Internet and Regulation on Mass Inter-
net Use Providers, the Ecommerce Law, Regulation on
Protection and Sharing of General Health Insurance
Data, Regulation on Data Privacy and Principles and
Procedures Regarding Security of Condential Data in
the Ocial Statistics, Regulation on Bank Cards and
Credit Cards, Regulation on Distance Contracts and
the Electronic Communications Law and its second-
ary legislation.
From the point of view of companies that are entering
or already operating in the Turkish market, several ad-
ditional data protection laws should be considered:
Labor Law #4857, Article 75 makes it necessary
for the employer to keep ‘any data necessary’ in
addition to employees’ identication informa-
tion. e law necessitates the disclosure of such
data to law enforcement agencies, but restricts
their use outside of ‘rules of honesty’ and within
legal requirements.
Banking Law #5411 as well, necessitates disclo-
sure of clients’ personal data to law enforcement
agencies only, restricting the use of such data in
any other form. e Banking and Credit Card
Law #5464, Article 23 follows up by clarifying
cases when credit card data can be processed.
e Article indicates that in addition to law
enforcement agencies, other institutions and
agencies that are explicitly mentioned in the law
(widest understanding of all available laws) can
also access such information.
Medical Deontology Code, Article 4 species
that personal data can be used and processed
only to the extent required for medical practice
and not for the purposes of research dissemina-
tion, such as conferences or articles. Even in
cases where the patient waives any claim on
medical data, the Code prohibits transfer of
such data.
Electronic Communications Law #5809, Arti-
cle 4 focuses on the transfer of data and brings
in the necessity of protecting data security
and condentiality of electronic communica-
tions. In addition, this law enables Information
and Communication Technologies Authority
(BTK) to produce new regulations with regard
to processing and storing personal data. How-
ever, following successive appeals from the
Constitutional Court and the Council of State,
BTK was stripped of its legal right to process
personal data, citing incompatibility with the
Constitution. In addition, the Legislation on
the Processing and Protection of Personal Data
in Electronic Communications Sector, that was
put into eect in January 2013, harmonizes the
issue of protecting personal data in line with the
EU’s 2002/58 legislation, with a specic focus
on Internet Service Providers.
Electronic Signature Law of #5070 regulates the
processing of personal data in digital certicate
platforms. A digital certicate is an electronic
“passport” that allows a person, computer or
organization to exchange information securely
over the Internet using the public key infra-
structure (PKI). A digital certicate may also be
referred to as a public key certicate. e Law
#5070 restricts the collection of personal data
only to enable the processing of a digital certi-
cate, and prohibits storing such data in a way
that becomes accessible by third parties.
Eurojust and Europol are two European Union insti-
tutions that handle judicial and police co-operation
on crime and criminal surveillance and intelligence.
Formed in 2002 and 1998 respectively, Eurojust and
Europol aim to crack down on trans-border crimi-
nal networks and are crucial for Turkey with regard
to cooperation against smuggling, drug tracking,
and human tracking issues. In January 2008, for
example, Europol, Eurojust, and the Turkish police
cooperated in Operation Greensea, cracking down on
a Turkish/Chinese smuggling gang that was track-
ing large numbers of Turks of Kurdish origin into the
UK, arresting 23 people in France, Belgium, and the
UK. In addition, Europol-Eurojust cooperation with
Turkey is critical as Turkey is a key heroin tracking
route from Afghanistan and Pakistan into the EU. On
Turkey’s end, drug tracking is a major security issue,
as funds from such sources yield substantial revenues
for the outlawed Kurdistan Workers’ Party (PKK).
Coordination with these two European institutions is
key for Ankara to monitor, track, and extradite indi-
viduals taking part in PKK funding and recruitment
operations in Europe.
However, a pressing necessity to hasten and expand
this cooperation emerged with the intensication of
the Syrian refugee problem. EU Council Report in-
dicates that ‘Following reductions in departures from
Libya and Western Africa, Turkey is now the principal
transit country for illegal migration to the EU. Irregu-
lar migrants transit Turkey en route to Greece, Bul-
garia and Cyprus, with Greece the main entry point
into the EU for onward travel to other Member States,
including Italy. FRONTEX assesses that Greece now
accounts for 75% of all detections of illegal border-
crossings in the EU.’26 Both the sheer size of the
refugee crisis and their exponential eects on existing
smuggling and criminal issues in Turkey and the EU,
have forced Turkish and European police and justice
institutions to work closer. is was the rationale,
when the EU 2013 Progress Report underlined the
necessity of a dedicated personal data protection law
in Turkey, to make such cooperation legally possible.
Although Turkey responded to this call with its 2014
Draft Law on the Protection of Personal Data and had
later revised it based on commentary by European and
Turkish legal observers, the updated 2016 version falls
even shorter to meet EU standards. In early March
2016, Eurojust prepared a report, indicating that legal
cooperation with Turkey on the refugee issue would
be very dicult within existing legal structure in
Turkey. To that end, the report warned against signing
the most recent refugee deal with Ankara, arguing that
it didnt have necessary infrastructure to enforce or
monitor the terms in the agreement.
26 eurojust-
europol- frontex-int-sec-9359- 10.pdf
On April 14, 2016, EU lawmakers approved a law
that allowed the easier exchange of airline passenger
data among the national security forces in EU Mem-
ber States. In light of terrorist attacks that have rattled
European capitals like Paris and Brussels, European
citizens and lawmakers have pushed for measures that
would better facilitate the transfer of sensitive data.
Although the law regulating the retention and transfer
of passenger name records (PNR) – which includes
name, travel dates, itinerary, ticket details, contact
details, travel agent, means of payment, seat number,
and baggage information – had been “stalled” in par-
liament, the growing urgency to update existing data
privacy and transfer laws to conform to contemporary
problems and the rising fear of more terror attacks
from returning jihadists have pushed the normally
privacy-centric European continent to more aggres-
sively nd ways to utilize personal data eectively and
Spurred by similar motivations, Turkey adopted the
Law on the Protection of Personal Data. Although it
has made strides in attempting to address the issue
of data privacy and transfers in the last few years,
the country still has a long way to go in order to
adequately to protect its citizens and the citizens of
European partners. With the aim of institutionalizing
a more robust data protection regime, Turkey should
take note of the number of European legislative eorts
that more adequately safeguard citizens from the mis-
use and abuse of personal data.
Asst. Prof. H. Akın Ünver
Board Member, EDAM
Faculty Member, International Relations,
Kadir Has University
Akin Unver is an assistant professor of International
Relations at Kadir Has University, specializing on
energy politics, conict psychology and radicalization
sociologies. In addition, he studies discourse theory,
Regional Security Complex eory and psychoanalyti-
cal approaches to decision-making and teaches courses
on Politics of the Middle East, Diplomatic History,
Energy Security (graduate-level) and Security eory
(PhD-level). A graduate of Bilkent and Middle East
Technical Universities, Dr. Unver completed his PhD
at the University of Essex, Department of Govern-
ment. Dr. Unver was a Marcia Robins - Wilf Young
scholar at the Washington Institute for Near East
Policy in 2007-08 and a dual post-doctoral research
at the University of Michigan’s Center for European
Studies and the Center for Middle East and North
African Studies in 2008-2010. He was awarded the
position of Ertegun Lecturer at the Princeton Uni-
versity’s Near Eastern Studies Department, teaching
courses such as History of the Middle East, Conict-
Terrorism Sociology and Turkish Political Sociology -
he was also the rst scholar to retain the Ertegün chair
for two consecutive years at Princeton. Having pub-
lished in Foreign Aairs, e Diplomat, Columbia
Journal of International Aairs, Middle East Quarterly,
Middle East Policy and Yale Journal of International
Aairs, Dr. Ünver has also spoken and lectured at
invited events at Princeton University’s Woodrow
Wilson School, Georgetown University’s Edmund
Walsh School of Foreign Service, London School of
Economics’ Middle East Center and Woodrow Wilson
International Center for Scholars. He regularly ap-
pears for commentary on BBC World News, France
24, Finnish National Broadcasting Company and Al
Jazeera International.
Grace Kim
Research Assistant, EDAM
Grace Kim graduated from Princeton University’s
Department of Politics in 2013 with a minor in Near
Eastern Studies. Upon graduation, she was awarded a
U.S. Student Fulbright Fellowship to conduct research
on the intersection of politics, law, society, religion,
and the economy and its inuence on womens rights
in Turkey. She is currently working as a research as-
sistant at EDAM, where she focuses on foreign policy
and security issues.
EDAM Cyber Policy Paper Series 2016/3
June 2016
Data Transfers
and Data
Asst. Prof. H. Akın Ünver
Board Member, EDAM
Faculty Member, International Relations,
Kadir Has University
Grace Kim
Research Assistant, EDAM
ResearchGate has not been able to resolve any citations for this publication.
ResearchGate has not been able to resolve any references for this publication.