The term “data” refers to raw information in its fundamental state. On the other hand, the term “big data” is commonly used to describe vast, complex, and challenging-to-structure sets of information. Initially, this term was primarily employed to denote the voluminous size of data. However, in contemporary usage, it has evolved into a concept encompassing the entirety of processes, from the storage of data to its transformation into information, portraying the magnitude of the entire spectrum.
Big data is characterized by its fundamental components, including the escalation of data volume, the imperative nature of data velocity, and the diverse provenance of data. Through the adept utilization of data analysis and interpretation skills, big data empowers enterprises to make judicious decisions, curtail costs, and augment the quality of products/services. Consequently, big data is regarded as a capability affording society the opportunity to propel information in innovative ways. As big data solidifies its standing as an indispensable facet of technological progress within operational frameworks, a new epoch has dawned, obligating the prudent management of risks pertaining to the safeguarding of personal data. However, as delineated below, Law No. 6698 on the Protection of Personal Data, which underpins personal data protection jurisprudence in Turkey, does not sufficiently account for the transformative implications introduced by big data.
I. Protection of Special and Sensitive Personal Data
Pursuant to Article 3 of Law No. 6698 on the Protection of Personal Data, any information pertaining to an identified or identifiable natural person is considered personal data. Furthermore, according to Article 6, data such as “race, ethnic origin, political opinion, philosophical belief, religion, sect, attire, membership to associations, foundations or trade unions, health, sexual life, criminal convictions, and security measures” are designated as special categories of personal data, encompassing biometric and genetic data. All data falling within this definition benefit from the protection stipulated by the law. However, the utilization of extensive datasets in the context of big data can potentially grant access to sensitive personal information derived from seemingly ordinary data. In fact, it becomes feasible to ascertain identifiable information from non-personal data, thereby underscoring the need for a meticulous approach in handling such data transformations.
II. Principle of Purpose-Related, Limited, and Proportional Processing of Data
In accordance with Article 4, Paragraph 2 of the Law on the Protection of Personal Data, principles to be considered in the processing of personal data include: “a) compliance with the law and principles of honesty; b) accuracy and, when necessary, being up-to-date; c) processing for specific, clear, and legitimate purposes; d) connection, limitation, and proportionality with the purpose of processing; and e) retention for the duration prescribed by the relevant legislation or as long as necessary for the purpose for which they are processed.” Examining these conditions mandated by the law, it is observed that the utilization of big data may become nearly impracticable. The legal framework, which seeks to minimize the collection and processing of data with big data by linking it to specific purposes, is incongruent. In this context, the most fundamental challenge to be encountered is the lack of predictability for every purpose of processing data at the time when the data is collected, and consent is disclosed.
III. Explicit Consent of the Data Subject
The first paragraph of Article 3 of the Law defines explicit consent as “consent based on information regarding a specific subject and disclosed with free will. According to both Article 5, Paragraph 1, and Article 6, Paragraph 2, explicit consent of the individual is required for the processing of personal and sensitive personal data. Additionally, explicit consent is mandated for the transfer of personal data. It is crucial to emphasize that a casual consent regarding the processing of personal data does not meet the qualifying criteria stipulated in the law. At the time consent is disclosed, it must be specific regarding the purpose for which the data subject provides consent. Another condition envisaged by the law is consent based on informed decision-making. However, in practice, companies attempt to obtain the consent of the data subject through lengthy and intricate disclosure forms, conflicting with the provisions of the law. Lastly, the requirement for the consent to be disclosed with free will is also established. Within this framework, provisions that make the purchase of a service or product contingent upon an individual’s approval pose challenges, particularly in ensuring the consent is freely given.
IV. Principle of Processing Data for Specific, Explicit, and Legitimate Purposes
In accordance with Article 11 of the Law, individuals have the right to seek information from the relevant data controller regarding whether their personal data is being processed. However, the manner in which individuals will be informed and able to object to adverse results stemming from the analysis conducted by automated systems, as introduced by this article, remains uncertain. Furthermore, according to the provisions of Articles 13 and 14, which regulate the rights of data subjects to apply to the data controller and file complaints with the Board, requests must be submitted in writing or through other methods determined by the Board. Upon scrutiny of these provisions, it is apparent that the regulations operate under the assumption that data subjects are fully aware. However, in the context of big data applications, the likelihood of data subjects possessing such awareness appears doubtful. The primary reason for the misalignment of this regulation with big data applications is the absence of interactive communication between the data subject and the data processor. Simultaneously, the current regulation allows the data subject only to make information requests, depriving them of the opportunity to confirm the information received.
V. Anonymization of Personal Data
In addition to constitutional and legal regulations aimed at protecting personal data, there is a necessity for the implementation of processes such as destruction, deletion, and anonymization of personal data at the end of the maximum period required for the purposes for which they were processed. The primary objective of anonymization is to extract benefits from datasets with significant potential while purging them of personal information. Although anonymization is significant enough to warrant separate regulation in terms of the protection of personal data, merely anonymizing large datasets is not sufficient for data protection. Even when data on a large scale is anonymized, the identification of individuals becomes easier as the scale of the data increases. Consequently, anonymizing big data sets can, in practice, lead to more harm than benefit in terms of data protection.
