Turkish Law Blog
Proposed Data Protection Laws in Turkey and India: A Comparative Look
The Proposed Turkish Amendment
In Turkey, the proposed Amendment to Law No. 5651 would oblige social network providers to store the data related to Turkey within Turkey. As pointed out by Secil Bilgic in "Data Localization Law in the time of Corona: Proposed Amendment to the Law No. 5651", servers may be searched, and the government will have access to people’s posts. As a result, companies may refuse to build servers in Turkey because of the added obligations. In some way, as Secil points out, the carrot is absent, but the stick, with its possible consequences, is present.
Social media platforms such as Facebook and Twitter will be legally bound to appoint a formal representative in Turkey. Failure to do so can result in a loss of access to Turkish users of between 50 and 95%. The representative has to respond within 72 hours to requests to remove content. Furthermore, the platforms will also have to execute decisions from the criminal courts for ‘content removal’ or ‘access denial’ without any exception.
India’s Own Proposed Data Protection Law
In India, there is a proposed data protection law that was introduced in the Lok Sabha (lower house of Parliament) in December 2019. This proposed law grew out of the government’s desire to have access to U.S.-stored data during investigations, as a response to data colonialism by large Western technology firms.
Under the proposed Indian law, some very convenient exemptions have been made for the government. These exemptions are made for data collection, reporting requirements, and wherever the government feels ‘necessary or expedient’ in India’s interest and sovereignty. What is somewhat interesting, though, is that the government has conveniently changed the standard from ‘necessary and proportionate’ to ‘necessary and expedient.’
This change is despite ‘necessary and proportionate’ being the de facto constitutional standard for government processing of data in India. In the right to privacy ruling by the apex court, any intrusion into the right had to be authorized by law, conducted in a procedure established by law, and be necessary and proportionate to the objective being sought. The shift to ‘expediency’ abrogates the constitutional standard that has been prevalent in the Indian constitutional regime.
Further, like Turkey’s proposed law, the proposed data protection law fails to protect privacy regarding online communication because the government may have access to a user’s social media posts in the name of ‘expediency.’
Verification or Surveillance?
What is more problematic in the Indian scenario is that social media platforms have to voluntarily verify their accounts if they want users to use the platform or access their services from India. The level of proof that will be required for this process is unclear at the moment. However, the verification process has been tied to the use of government IDs, giving a social media platform more information about a user than is required.
Similar to the Turkish government’s power to search through data in the name of expediency, this linking of government IDs would give the government the ability to tap into which IDs are being used to register for which social media platform. Such activities shift the state’s focus from a laissez-faire approach to vigilance and surveillance, thereby indirectly expanding the scope of information available to the government. It also gives free rein to private actors such as Facebook and Twitter to give preference to verified accounts by allowing their content to have a broader reach than that of unverified accounts.
Often, there have been issues in India with government data being leaked. What is the guarantee that posts that are mined and collected for a surveillance purpose will not be leaked? When a user uses social media tools, he or she does not expect a third party to have access, unless it is on security grounds. If data is sought on an ‘expedient’ basis, is the security of the data guaranteed, or would that also be dealt with in an ‘expedient’ manner? Such uncertainties about how the government plans to handle the security of data obtained from social media are present in both the Indian and the Turkish context.
In both the Indian and Turkish proposed laws, the principle of data minimization is not followed. This is a core tenet of data protection law: to minimize the information available to a data fiduciary. Instead, the approach that is being sought in both systems is to impose more obligations on companies so that they collect more data than usual. This approach violates the principle of data minimization. For both countries, perhaps it is better that the ‘data protection law’ stick to making decisions about ‘data,’ and that the decision to regulate social media platforms be delegated to an information technology law instead.
In India, data will be subject to an independent data auditor who will be responsible for the implementation and effective compliance of applicable obligations. Such vigilance is justified in the Indian context because such intermediaries create interactions between users, allowing them to upload, share, and disseminate information.
Hence, in both the Turkish and Indian contexts, keeping a watch on social media platforms can be important for democracy and the electoral process. The justification in both countries is that such vigilance is necessary for a healthy democracy, in order to avoid miscreants abusing the system. However, both the Indian and the Turkish regulators want to enforce their version of privacy, which can very easily lead to censorship. Thus, the means used to protect the goal they are striving towards may end up jeopardizing the very goal of democracy itself.
Reality - De-Incentivizing Foreign Companies
As pointed out by Secil, foreign companies will be less likely to build servers in Turkey due to related costs. In India, there have been recent news articles about companies such as Wikipedia and TikTok facing trouble with India’s proposed data law. Many such companies have called for improved transparency by providing guidelines for intermediaries to reduce fears about surveillance.
In India, any entity with over a certain threshold of users (50,00,000) must be incorporated with a permanent registered office and address. Within 72 hours of communication, the intermediary then has to provide such information, or any transmission asked for, to a government agency in response to any assistance regarding cybersecurity.
Thus, from the business’s standpoint, a big brother is leaning over your shoulder, ready to make decisions about what you can host or not in the name of security. This undermines your fundamental product or service, which is all about privacy and the user experience. The security/expediency line in the sand may not always be a bright one and undermines the autonomy that a social media entity is supposed to have. Also, many times, with things such as WhatsApp, this data is ‘encrypted,’ so there is no way to have access to such data in the first place. So, if there is no door to open, what key is the social media platform supposed to hand over to the regulator?
Our Very Own Social Media
In a somewhat interesting turn of events, news shows that the Indian government is even planning its own social media platforms, such as its own WhatsApp and Facebook. Using the Chinese model as a goal to strive towards, proponents of this approach cite China’s example as the reason for India to move towards building its versions of these apps.
The underlying idea behind these is that the previous approach to securing data has not worked, so this could be a step in the right direction. This represents a dangerous turn towards diluting the very idea of free expression on these apps if the government will get to control and decide how you may express yourself. Like the mandated Turkish representative, the Indianized apps may increase the pressure on social media platforms in terms of ‘content removal’ and ‘blocking access’ of certain users. The user experience on social media platforms will indeed be compromised in both India and Turkey.
On the other hand, industry bodies that represent companies such as Amazon and Google have decided to take up the problematic aspects of the bill, such as verification of accounts, with a Joint Parliamentary Committee. The main concern here is the high cost of compliance and the risk of the current provisions undermining the privacy of Indian users. The Turkish amendment may also see further debate and a similar discussion by companies in the information technology sector, who are likely to see the privacy of Turkish users on social media undermined similarly. Such surveillance will only increase the costs for both Indian and Turkish start-ups, which will thwart innovation in both countries.
Both countries are moving towards seeing social media networks as not foreign, but in some way under the control of the local government. The Indian and Turkish regulators want to see these social media companies as being accessible, with local representatives, and a localized version of such apps.
However, this approach is fundamentally at odds with principles of data protection law such as data minimization, and is more surveillance-like in nature. Both proposed amendments in India and Turkey also raise the question of whether Indian and Turkish regulators understand privacy, or whether they want people to have a version of privacy, the contours of which are defined by the government. It also raises questions of whether the government’s role is to support social media businesses or intimidate them into censorship instead.
In both countries, by threatening loss of access to users, fines, and mandatory reporting requirements, the message is clear: comply or perish.