Kemal Kumkumoğlu
Ayşegül Avcı
With its decision published in the Official Gazette dated 15 December 2023, the Constitutional Court (“CC”) ruled that the right to property had been violated because the Criminal Judgeship of Peace rejected, without adequate examination, the appeal against an administrative fine imposed by the Personal Data Protection Authority (“Authority”). The aforementioned decision of the Constitutional Court, dated 12 October 2023, has also made evident the violations of rights caused by rejection decisions based on insufficient examination and incomplete justification in appeals against administrative fines imposed by the Authority.
Summary of the Individual Application
In the application subject to the decision, it was concluded that the Criminal Judgeship of Peace did not sufficiently evaluate the data controller's objections to the administrative fine imposed by the Authority for failure to take the necessary technical and administrative measures to ensure data security. Those objections concerned the principle of legality in crime and punishment, the principles of non-retroactivity of punishments and individuality in punishment, and the disproportionate nature of the fine imposed. It was further concluded that the finalized administrative fine constituted a violation of the right to property. The proceedings in which the administrative fine was imposed on the applicant are summarized as follows.
The applicant received a warning about a suspicious activity in the guest reservation database of the accommodation company it took over. Upon this warning, an investigation was initiated; as a result of the investigation lasting approximately 1 month, it was confirmed that on 18.11.2018, an unauthorized third party accessed the database where the reservation information of the company was kept.
The applicant issued a press release on 30.11.2018 after the unauthorized access causing the data breach was confirmed. The applicant also sent a notification e-mail to the users affected by the data breach who had a valid e-mail address.
After the detection of the data breach, the applicant submitted a data breach notification to the Authority on 03.12.2018. In this notification, the applicant stated that for the last 4 years there had been unauthorized access to the network of the taken-over accommodation company where the database is kept, and that this unauthorized access was first detected on 08.09.2018. Finally, the applicant stated that the data subject to the breach included name, surname, postal address, telephone number, passport number, hotel information, check-in and check-out information, and payment card information.
On 16.05.2019, the Authority decided to impose an administrative fine of 1,100,000 TRY, on the grounds that the necessary technical and administrative measures to ensure data security were not taken within the framework of Article 12/1 of the Law No. 6698 on the Protection of Personal Data (“Law”), and an additional fine of 350,000 TRY for failure to comply with the obligation to notify the breach as soon as possible pursuant to Article 12/5 of the same Law, totaling 1,450,000 TRY. This decision was notified on 12.07.2019 to the indirect subsidiary of the applicant, which operates the applicant’s hotels in Türkiye.
On 26.07.2019, the applicant objected to the decision and requested the annulment of the administrative fine. Istanbul Anatolian 1st Criminal Judgeship of Peace, which examined the objection, decided to reject it on the grounds that “It is understood that the action is confirmed with the report issued by the administration, and that the administrative fine imposed due to the misdemeanour caused by the confirmed action is in accordance with the law and procedure…”. The applicant’s objection against this decision was re-examined by the Istanbul Anatolian 2nd Criminal Judgeship of Peace. However, the Judgeship decided to reject the objection definitively on the grounds that “it is understood that there is no procedural and legal violation in the decision of the Istanbul 1st Anatolian Criminal Judgeship of Peace subject to the objection, and that there is no matter to be changed in the decision given by the Istanbul 1st Anatolian Criminal Judgeship of Peace…”.
Objections of the Applicant to the Constitutional Court
The applicant, whose objection was definitively rejected by the Criminal Judgeship of Peace, filed an individual application to the CC as the ordinary legal remedies had been exhausted. In this application, the applicant put forward the following allegations regarding the unlawfulness of the Personal Data Protection Authority decision and of the decision of the Criminal Judgeship of Peace, which caused the violation of the right to property.
The data controller should be the accommodation company where the data breach occurred, the applicant itself was not the addressee of the administrative fine, and the fine was therefore contrary to the principle of individuality of punishment,
The act regulated as a misdemeanour under Law No. 6698 occurred before the entry into force of this Law, and for this reason an administrative fine cannot be imposed for the act of “not taking the necessary technical and administrative measures to ensure data security”; imposing one is contrary to the principle of non-retroactivity of laws,
The decision regarding the administrative fine was not properly notified,
The Personal Data Protection Authority’s decision and the decisions rendered by the appeal authorities do not contain sufficient justification and examination,
All administrative measures stipulated in Law No. 6698 were taken from the moment the violation was detected, the Law does not clearly define a time limit for breach notification, and for this reason the administrative fine imposed is contrary to the principle of legality in crime and punishment,
The imposition of administrative fines at the maximum limit was not proportionate and violated the right to property of the applicant.
The Constitutional Court’s Assessment
The Court first stated that the protection of personal data and the protection of data security are distinct notions. Accordingly, the protection of personal data essentially refers to the protection of fundamental rights and freedoms during the processing of personal data and to the legal frameworks governing that processing. On the other hand, the protection of data security refers to the technical and administrative measures to be taken to protect the data itself. Data security aims to protect personal data processed and stored in accordance with the law by means of appropriate security measures against risks such as accidental or unauthorized access, alteration or disclosure of such data.
After explaining the basic concepts of the Law No. 6698, the Court referred to the acts regulated in the Law and the sanctions stipulated for them. In this context, according to the Law No. 6698, it is obligatory to ensure the appropriate level of security in order to prevent unlawful access to personal data and to ensure the protection of personal data and data security. The Court stated that, when evaluating the appropriate level of security, the risks caused by the processing activity should be taken into consideration, especially the accidental or improper destruction, loss or alteration of, or unauthorized disclosure of or access to, personal data transmitted, stored or processed. At this point, the discretion as to whether appropriate measures have been taken to ensure the level of security belongs to the administration, taking into account the size of the company, the work of the data controller and the nature of the personal data protected, although this discretion is not unlimited.
Having assessed the whole procedure together with the applicant’s allegations, the Court concluded that the administrative fine imposed against the applicant resulted in a violation of the right to property, since the applicant’s objections and allegations were significant, affected the entire judicial process and had to be addressed, yet the Judge made no evaluation of them.
Conclusion
The CC’s judgment dated 12 October 2023 concerns the violation of the applicant’s right to property due to the failure to provide the necessary procedural safeguards in the appeal process regarding the administrative fine imposed by the Personal Data Protection Authority. When the decision is assessed as a whole, the fact that the administrative fine was imposed by the Authority at the maximum limit raises questions about the limits of the administration’s discretionary power and the extent to which the fines imposed are proportionate to the circumstances of the specific case. The decision also addresses procedural failures such as “incomplete or non-existent justification of the decision” and “lack of effective investigation and adequate examination”, which are a general problem in our judicial system. Finally, the CC ruled that the right to property was violated on the grounds that the necessary procedural safeguards were not provided.
In the decision, the Court pointed out that the failure to adequately observe the basic criminal law principles and procedural safeguards in the evaluation of personal data violations requiring administrative fines may lead to violations of rights and that, in this context, the decisions of the Criminal Judgeships of Peace are part of a structural problem, as stated in previous CC decisions.