Update: Turkish Council of State has stopped execution of the Regulation on the Processing of Health Data and the Maintenance of Privacy
Following the long awaited Law on Protection of Personal Data (“Law”) dated April 7, 2016; the Ministry of Health (“MoH”) issued the Regulation on the Processing of Health Data and the Maintenance of Privacy (“Regulation”) on October 22, 2016.
Since the very beginning, the Regulation was widely criticised as it contains provisions contradicting with the Law (such as bringing burdensome obligations not regulated by the Law). For example, the Regulation required that the consents to be obtained to process health data should be in written form although the Law does not include any such requirement. Actions were brought before the Council of State for stopping execution and cancellation of the Regulation.
On 6 July 2017, the Council of State rendered its decisions on two of these actions and stopped the execution of the Regulation.
The first action resolved by the Council of State was started by Turkish Employer Pharmacist Union (TEİS) for cancellation of subparagraph 5 of the Article 5 and Article 14 of the Regulation claiming that the Regulation put the pharmacists under obligations which are incompatible with pharmacists’ specific legislation and practically impossible for them to comply with.
The second action before the Council of State was brought by Turkish Dermatology Association for cancellation and suspension of all provisions of the Regulation. It was mainly claimed under this case that the Regulation contradicts with the various provisions of the Law, the Turkish Constitution and the Convention on the Protection of Individuals with regard to Automatic Processing of Personal Data No 108, dated 1981.
The Council of State rendered its decisions without referring to the justifications claimed under these cases, but stated that the Regulation is contrary to the Law with different reasons.
The Council of State noted that the Law is a framework law covering all sectors as well as public and private institutions and the Personal Data Protection Board (“Board”) has a general authority to control and audit concerning the protection of personal data in all sectors.
Pursuant to the Law, one of the duties of the Board is to deliver its opinion about the legislation drafted by other institutions or organizations that contain provisions on personal data. In the above mentioned decisions, the Council of State ruled that obtaining opinion of the Board is a condition to enact legislation regulating personal data.
As the Regulation was issued by MoH without waiting for the establishment of the Board and thereby without consulting the Board, the Council of State found the Regulation contrary to the Law and rendered an order of stay for all provisions of the Regulation.
Taking into account the differences between the Law and the Regulation, we think that the decisions of Council of State are right and indeed necessary to avoid the contradictions occurred in practice. In parallel with the Council of State’s justification, we are of the view that consulting to the Board, which is entrusted with important powers and duties concerning protection of personal data under the Law, is a must to ensure integrity and avoid problems while drafting new legislations on protection of personal data. Although each sector has specific characteristics which may require specific regulations on processing of personal data, it is very important to remember that the Law is the main legislation providing the general framework regarding protection of personal data and the regulatory bodies in different sectors must cooperate with the Board in issuing regulations in their specific sectors so that such regulations are fully in compliance with the principles set forth under the Law.