With the implementation of the Law on the Protection of Personal Data No. 6698 (LPPD) and its secondary regulations, the Data Protection Authority (DPA), tasked with monitoring violations of LPPD obligations, have started to impose administrative fines to persons and/or companies violating their obligations set forth at the LPPD. Although Article 18 of the LPPD does state the monetary fines applicable to such violations, it did so by determining a lower and upper limit for administrative fines. This not an uncommon practice as most administrative fines stated in other legislation in Turkey are determined this way, giving discretionary powers to the relevant authority imposing the fines (although there are also fixed administrative fines determined in other legislation). However, difference between the lower and upper limits set forth by the LPPD is high enough (the fines can range from TRY5.000 up to TRY1.000.000 depending on the type of violation) to cause arbitrary treatment of certain data controllers.
Legal Standing of the Administrative Fines Imposed by the DPA
According to Article 22 of the LPPD, the DPA is authorized to impose administrative sanctions to those who violate the obligations set forth at the LPPD. Whereas the sanctions applicable to such violations is noted at Article 18 of the LPPD, titled “Misdemeanors”. Although the sanctions are listed at this article, there are no provisions that includes clauses regarding the legal standing of these sanctions and the procedures for legal remedies and/or objections against such. Instead, the legal standing of these sanctions is noted in the preamble of the LPPD. Accordingly, the preamble states that these sanctions are deemed as misdemeanors and that the DPA shall apply the conditions mentioned at Article 17 of the Misdemeanor Law No. 5326 (Misdemeanor Law), when issuing a sanction. Therefore, the administrative fines noted at the LPPD should be evaluated within the context of the Misdemeanor Law.
According to this Article 17 of the Misdemeanor Law, administrative fines can be determined either as a fixed (pre-determined) amount or by providing a lower and upper limit for the fine, which gives discretionary powers to the relevant authority to decide on the exact amount of the administrative fine to be imposed to a specific case. In this respect, the provision included within the LPPD does not violate or otherwise contradict with the Misdemeanor law, as it simply provides lower and upper limits, and leaves the determination of the actual fine up to the discretion of the DPA. However, Article 17 also notes that, in cases where the administrative fines are determined with lower and upper limits (and therefore are not fixed), actual administrative fine amounts to be imposed should be determined by taking into account the specifics of each case, the nature of the infringement, as well as the degree of fault and the economic conditions of the perpetrator. Since the LPPD provisions regarding administrative fines are to be interpreted within the context of the Misdemeanor Law, any administrative fine to be imposed should be proportional with the nature of the infringement, as well as the degree of fault and the economic conditions of the perpetrator (in this case the data controller or processor).
Discretionary Powers of the DPA to Impose Administrative Fines
In light of the above information concerning the proportionality principle, it is important to review and consider the administrative fine amounts previously imposed by the DPA within the context of the LPPD. We already discussed above that the legislation provides for a high margin between the lower and upper limits for administrative fines, which was an intentional decision made during the drafting of the LPPD. The reasoning for such high margins is to provide the DPA with discretionary powers in determining the appropriate penalty amount depending on the specifics of each infringement, and although the LPPD does not include specific provisions setting guidelines for determining the penalty amounts, the preamble designates that the DPA shall be required to consider the provisions of the Misdemeanor Law when determining these penalty amounts.
When previous DPA decisions are reviewed, it becomes clear that in some decisions, the DPA made arbitrary and controversial decisions and imposed the maximum administrative fine available to data controllers or processors without considering their economic conditions. In these cases, it can be argued that the DPA failed to take the provisions of the Misdemeanor Law in account, and did not apply the proportionality principle to determine a fair penalty amount, which lead to an exorbitant administrative fine imposed from the upper limit provided by the LPPD. Another important aspect to note here is that the most of these decisions also lack a comprehensive justification for imposing a penalty from the upper limit. One of the main reasons for such arbitrary DPA decisions is the lack of clear provisions stating the rules and procedures for determining penalty amounts and the vagueness within the LPPD and its secondary regulations. The DPA does not have a clear guideline set forth for determining the penalty amounts, but is rather only required to observe the general rules for administrative fines set forth at the Misdemeanor Law, which gives the DPA a carte blanche to determine arbitrary penalty amounts as it deems fit.
Although the case law concerning the LPPD provisions is yet to be established by the Turkish courts, there are other legal precedents established by the Council of State, concerning administrative fines imposed based on different legislation. According to one precedent of the Council of State, the competent authority tasked with imposing administrative fines should determine the penalty amounts in accordance with the provisions of the Misdemeanor Law and should therefore take into account the nature of the infringement as well as the economic condition of the perpetrator, even though the relevant legislation provides discretionary powers to determine the penalty amount to the relevant authority. The Constitutional Court also established a similar precedent and decided that the relevant authority does not have an unlimited discretionary power to determine the administrative fine amount and shall always be limited by the law, and should therefore always take into account the specifics of the case and the economic conditions of the perpetrator.
Appeals Against DPA Sanctions
As noted above, the LPPD preamble states that any administrative fine imposed based on Article 18 shall be subject to the Misdemeanor Law provisions. Accordingly, the rules and procedures of legal objections against such administrative sanctions shall also be determined in accordance with the same Misdemeanor Law. Article 27 of the Misdemeanor Law sets forth that appeals against administrative sanctions can be filed before the competent criminal judicature of peace within 15 days from the receipt of the relevant sanction and/or administrative fine. Therefore, in cases where the data controllers / processors are fined by the DPA for infringements of the LPPD, the relevant controllers or processors may appeal this decision to the competent criminal judicature of peace within 15 days from the receipt and may request the cancellation or re-evaluation of the fines.
Although court precedents regarding these LPPD issues are yet to be established, the data controllers and/or processors fined by the DPA have started to appeal these decisions and some of these cases have been already reviewed by the relevant criminal judicatures of peace. Accordingly, some of the sanction decisions passed on the courts were found to be unfair as the DPA did not consider the nature of the infringements and the economic conditions of the controllers / processors, and also failed to adequately justify the reasoning for imposing fines from the upper limit. Accordingly, one recent criminal judicature of peace decision overturned a DPA decision, which imposed an exorbitant amount of administrative fine to a data controller, and decreased the administrative fine amount significantly, stating that the DPA failed to justify and provide compelling reasons for imposing a fine from the upper limit.
Although there are many cases still pending before the courts and the case law is yet to be established by higher courts, the recent court decisions suggest that, in some cases, the DPA is in fact imposing arbitrary and exorbitant administrative fines to data controller / processors, without considering their economic conditions. Considering that the DPA is starting to extend its reach within the market to monitor a wider range of data controllers / processors, these arbitrary practices by the DPA will continue unless the LPPD and its secondary regulations are amended to include specific criteria for determining administrative fines. Considering the recent court decisions, data controllers / processors may appeal against administrative fines and request a re-evaluation, where DPA issued arbitrary penalties without justification.