The Decision Of The Constitutional Court On The Administrative Fine Imposed By The Personal Data Protection Board

The Constitutional Court in its decision dated 12.10.2023 and numbered 2020/7518, published in the Official Gazette dated 15.12.2023, determined that the deficiencies in the proceedings against the administrative fine imposed by the Personal Data Protection Board (the “Board”) on a global hotel chain (the “Applicant”), in which the Board determined to have violated its obligations to ensure data security, violated the Applicant’s right to property. Within this framework, the Constitutional Court ruled that a re-trial is necessary to eliminate the consequences of the violation of fundamental rights.

The Determination of the Violation of Data Security Obligations and the Administrative Fine

The data breach, which is the subject of the Constitutional Court’s decision and which occurred on a global scale, had occurred on 08.09.2018 when the Applicant received a warning from the in-house security tool regarding a suspicious transaction in the guest reservation database of the accommodation company which was acquired in 2016 and detected that the database was accessed by unauthorized third parties as a result of the investigation the Applicant has conducted. The Applicant notified the Board of the data breach in 2019 (approximately 1 year after the breach was detected) due to the fact that Turkish citizens were also affected by the negative consequences of the global data breach and stated that 500 million customer personal data had been copied due to the data breach, there had been unauthorized access to the company’s network where the database was kept since July 2014, and this unauthorized access was detected in 2018.

The Board, which initiated an investigation upon the data breach notification, resolved on 16.05.2019 to impose an administrative fine of TRY 1,450,000 in total against the Applicant, TRY 1,000,000 of which for not taking the necessary measures to ensure data security as per the Article 12/1 of the Personal Data Protection Law (the “PDPL”) and TRY 350,00 of which for not complying with the obligation to notify the breach as soon as possible as per the Article 12/5 of the PDPL.

It is also seen that the Board has not regarded the Applicant’s arguments that the violation occurred before the accommodation company was acquired in 2016 and therefore the acquired accommodation company should be regarded as the data controller.

The Objection against the Administrative Fine

The Applicant objected against the imposed administrative fine before the Istanbul Anatolian 1st Criminal Court of Peace. Within the scope of the objection, the Applicant alleged that:

• It is not the subject of the administrative fine, that the subject of the administrative fine is incorrectly determined, and therefore the administrative fine is in violation of the principle of individual criminal responsibility,
• The application of the PDPL, which entered into force after the date of the act alleged to be a misdemeanor, is in violation of the principle of non-retroactivity of laws,
• The Board decision regarding the administrative fine was not duly notified and did not contain sufficient justification,
• All technical and administrative measures were taken, that the infringement was detected and notified within a short period of time, the Board interpreted the ambiguity in the legislation regarding the infringement notification period to its detriment, and the Board’s decision on the 72-hour notification obligation period is dated after the case at hand and cannot be applied to the case at hand,
• The imposition of the administrative fine at the maximum threshold was not appropriate and violated its right to property.

However, the Istanbul Anatolian 1st Criminal Court of Peace rejected the application against the administrative sanction decision without proper justification by stating that the act subject to the administrative sanction is proven by the decision of the Board and therefore the administrative sanction is in accordance with the law and procedure. The Applicant’s appealed the relevant decision to the İstanbul Anatolian 2nd Criminal Court of Peace against such decision pursuant to the Law on Misdemeanors was also definitively rejected with the justification that “there is no violation of the procedure and the law and there is nothing to change in the decision” of the İstanbul Anatolian 1st Criminal Court of Peace.

The Decision of the Constitutional Court

Since the administrative fines that may be imposed on data controllers pursuant to the PDPL are subject to the Law on Misdemeanors, it is necessary to apply to criminal court of peace against the decisions regarding the administrative fines, unless a different decision and administrative sanction falling within the jurisdiction is applied. The decisions of the criminal courts of peace are subject to the review of another criminal court of peace as a judicial remedy. Therefore, since the decisions of the criminal courts of peace constitute a definitive judgement for the Applicant, the Applicant had to apply directly to the Constitutional Court against the decision of the İstanbul Anatolian 2nd Criminal Court of Peace.

The Constitutional Court in its decision, determined in summary the below:

• First of all, within the scope of the assessment regarding the existence of a property, it is undoubted that the imposition of an administrative fine causes a decrease in the Applicant’s assets and therefore it is clear that the relevant fine constitutes property for the Applicant,
• Subsequently, the general principles on the limitation of fundamental rights and freedoms set out under the Article 13 of the Constitution must be taken into account in interventions on the right to property, and therefore the relevant intervention must be based on the law, have a public interest purpose and be carried out by respecting the principle of proportionality,
• The relevant intervention is lawful and has the purpose of public interest, but it should be evaluated whether it is proportionate or not,
• Interventions on the right to property must be proportionate and effective review of claims of unlawfulness by a court is of great importance in terms of the proportionality of the intervention,
• The Applicant’s claims against the decision are significant and must be addressed as they affect the whole of the proceedings, and no assessment was made by the criminal court of peace within this framework, and the procedural assurances for the protection of the right to property within the scope of a fair trial were not fulfilled in the case at hand and therefore the right to property was violated.

Pursuant to the Constitutional Court’s decision, a re-trial and a comprehensive assessment of the Applicant’s claims are required to be made to eliminate the violation of rights.

Conclusion

Although the relevant decision is related to the administrative fine imposed by the Board pursuant to the PDPL, the dispute and the focal point of the decision revolve around whether there is an effective judicial review process against the Board’s decisions. The Constitutional Court also determined that administrative fines imposed under the PDPL are lawful and have a public interest purpose, but emphasized that decisions regarding these fines should be subject to effective judicial review.

As known, administrative fines constitute an intervention to the right to property, and an effective trial is also mandatory in terms of the right to a fair trial. As demonstrated by the relevant decision of the Constitutional Court, effective examination of claims of unlawfulness by a court constitute a great importance to ensure the proportionality of interventions to fundamental rights and freedoms.

In practice, it has long been criticized that the objection examinations conducted by the criminal courts of peace are inadequate, that the decisions are rendered without sufficient justification and that uniformity amongst decisions is not achieved. It has been considered that criminal courts of peace were not the right judicial authority for the decisions issued by the Board due the lack of expertise of criminal courts of peace in the field of personal data protection and to their current workload in practice, and that it would be more appropriate to apply to the administrative courts against such administrative fine decisions. You may review our article titled “Judicial Remedy Against Decisions Issued by Turkish Data Protection Board” to find our detailed opinions and suggestions on the issue at hand.

The findings and criticisms made against the shortcomings in the judicial remedy against the Board’s administrative fines in practice, and the fact that criminal courts of peace are not the right authority for such judicial review are supported by this decision of the Constitutional Court. With the Human Rights Action Plan published by the Ministry of Justice, it was previously announced that the PDPL would be harmonized with the European Union standards and that the Board’s decisions on administrative fines would be subject to review of administrative courts instead of criminal courts of peace. A legislative amendment is therefore expected in the near future.