Turkey's 'Pandemic Tracking Isolation Project' aims to track those who have been diagnosed with coronavirus to ensure that they abide by their quarantines.
However, based on how the project had been announced, it contains some deficiencies that are inconsistent with the Personal Data Protection law, no. 6698. As these flaws could be based on the manner in which the project was announced, the project will undoubtedly lead to a legal crisis if they are not adequately discussed.
What is the aim of Pandemic Tracking Isolation Project? It uses an app to monitor the mobile phones of those who have been diagnosed with the virus in order to determine whether or not they are staying under quarantine. Those who have been observed breaching their quarantine will be warned by either a text message or a telephone call, and those who do not heed these warnings could be subject to legal and administrative sanctions.
In order to detect the movements of people who do not comply with their quarantines, their location information will have to be tracked from their mobile devices. Location information is not among the types that are legally considered personal data. Monitoring mobile devices also includes access to communication information, another form of data that is not legally considered personal.
Regardless of the type of data, the manner in which it is processed is based on the consent of the person to which it belongs. Yet there are exceptional processing conditions, which differ according to the type of data in question. Accordingly, health data which is considered sensitive personal data, can only be processed if the person gives consent, whether or not they have been diagnosed with coronavirus.
An exception to this is that for the purpose of protecting public health, carrying out preventative medicine, medical diagnosis, and planning and managing the financing of healthcare services, health data can be processed under the requirement that the individuals or institutions in charge are bound by confidentiality.
In fact, the Communications Director of Presidency Fahrettin Altun declared the project would be based upon this provision of the law. This explanation may appear to be true at first glance, but upon thorough examination of the project, one detects some major flaws.
So what makes this project new? Its purpose is not to identify those who have contracted the virus. The process is being carried out regardless of that specific project. What is new is that an individual's location information can be tracked and shared and through one’s contact information, and one can be warned or even confronted with sanctions.
The first major problem with this project is the clear discrepancy between the way it is carried out and legal regulations.
The article specified by the Presidency's Communications Directorate concerning health data does not include location and contact information, as such information is not considered sensitive personal data. At this point, paragraph three of the sixth article cannot apply to this data. This is because general data cannot be legally considered hierarchically superior to sensitive personal data. Based on this, that part of the article in question, which pertains to sensitive personal data including data relating to one's health and sexual activity, cannot be applied to general data due to the argumentum a fortiori principle. This is the project’s first flaw.
So how then, is it possible to process location and contact information without consent? This is the first deficiency in the announcement of the project. One can only answer this question through a comprehensive study. For the project to be in accordance with law 6698, a number of legal amendments will have to be made, or the project will have to be changed.
A problematic area of the process is the authority in question that will be processing the data. According to the 28th article of law 6698, there are exceptions to the processing of certain data when it pertains to matters of national defense, national security, public safety, public order, and economic security. Yet institutions including GSM operators do not fall under the category of an exception or an authority when it comes to data.
Considering that all data and data relationships need to be examined separately, do GSM operators, for instance, have the legally-defined authority to access and process health data? Is the nature of these activities (as per stipulated in the law) preventative, protective and informative? These questions need to be answered separately with regards to the processing activity and subject of each data.
Besides, Fahrettin Altun announced that the project was in accordance with law no. 6698. This statement suggests that the project is thought to be subject to the relevant laws by the authorities and reveals that there are significant tensions between the project and the country's personal data protection legislation.
Such discussions will lack any significance if answers are not provided regarding who will carry out the processing of data within the legal boundaries. The project will reveal a large data processing network. As such, the project should be studied within the scope of the personal data protection legislation, and security studies should be conducted as to the data protection process. If not, the project will scatter around the personal data of people infected with the coronavirus. And this data could be used for other purposes.