With possession of personal information that can be used for identification, anyone who has access to it can form a picture of a person without actually knowing them personally. If our personal data were to be recorded and transmitted without our consent, then the state or other organizations could learn about our personal traits, private life facts, beliefs, financial situation, and even illnesses. They could gain insight into the most personal aspects of our lives, draw conclusions about us, and make decisions affecting our fate without our consent.
“Anonymized” data, stripped of personal characteristics, are no longer subject to protection, as it cannot harm the individual if it is used for statistical or scientific purposes. For example, it is within an individual’s conscientious freedom to choose civil service instead of military service within the framework of military obligations. It is not necessary to disclose who these conscripts were who made this decision. However, information on how many people in a given country choose civil service can be published without restrictions.
The right to informational self-determination is a relatively new fundamental right, which solidified in the second half of the 20th century. The Anglo-Saxon countries were at the forefront of codification: data protection rules were first incorporated into law in the United States in 1966 and in the United Kingdom in 1984.
Two types of solutions have emerged for the legal regulation of data protection today. In some countries, individual rights to informational self-determination and access to public information are regulated by a single law. The law has a dual function: to ensure that individuals are protected against the increasing information demands of the state, while at the same time making documents related to the functioning of state institutions accessible to individuals. As mentioned in the previous chapter, a basic requirement is that citizens’ private information should be made as difficult to obtain as possible, while the state should be as transparent as possible.
In other countries, separate laws regulate the protection of personal data and the right to access public information, and particularly sensitive or complex issues are regulated independently. Examples include laws on the handling of health data or the collection of data by police and national security services.
Many countries, including Canada, the United States, England, New Zealand, Germany, and Turkey, have an ombudsman or board that oversees compliance with data protection regulations. The ombudsman supervises the legality of data controllers’ operations and makes recommendations in cases where practice differs from what is desirable. Those who feel that an institution has collected and stored data about them in a manner that violates their rights may submit a complaint to the ombudsman.
The first significant international regulation can be considered the 1981 Data Protection Convention of the Council of Europe. European states that ratified the data protection convention, including Turkey, committed to complying with the data protection requirements contained in the document. However, this does not mean that individual countries cannot enact stricter rules than those contained in the convention to ensure information self-determination.
In response to the rapid growth of cross-border data flows, the European Union Communication directives in 1995 on how to achieve the dual objectives of allowing data to flow freely across borders while ensuring the protection of data. Directive 95/46/EC of the European Parliament and of the Council further strengthened data protection requirements for the automated processing of personal data. Separate recommendations were made for those special data processors who handle personal data requiring special protection. The heightened international attention is justified because the disclosure of special data can have extremely detrimental effects on the individual to whom the data relates. In 1987, a recommendation was made for police organizations, and in 1997 for health data processors by the Council of Europe.
Based on the aforementioned documents, the following principles can be observed regarding the protection of personal data:
• Personal data can only be recorded and used with the consent of the individual concerned or in cases determined by law;
• The recorded data must be accurate and up-to-date;
• Personal data can only be processed to the extent necessary and for a limited period of time to achieve the given purpose, after which it must be destroyed;
• Personal data can only be transmitted without the individual’s consent in exceptional circumstances;
• Personal data relating to ethnic origin, conscience, political convictions, and health status are entitled to special protection;
• It is desirable for an ombudsman or body to supervise data processing;
• Violations of data protection rules must be sanctioned by criminal provisions;
• People have the right to know the data recorded about them;
• The individual concerned can request the deletion of unnecessary data and the correction of incorrect data.
Charlie.