E175 - Melih Calikoglu, Data Privacy Expert and Lawyer (Turkey)
34:52
SPEAKERS
Melih Calikoglu, Debbie Reynolds
Debbie Reynolds 00:00
Personal views and opinions expressed by our podcast guests are their own and are not legal advice or official statements by their organizations. Hello, my name is Debbie Reynolds; they call me "The Data Diva". This is "The Data Diva" Talks Privacy podcast, where we discuss Data Privacy issues with industry leaders around the world with information that businesses need to know right now. I have a very special guest on the show all the way from Turkey. Melih Calikoglu, and I'm really happy to have him on the show. He's a Data Privacy professional and lawyer who works independently in a Data Privacy and data protection area. Welcome. Yeah, thank you for hosting me, Debbie. It's a great pleasure. Oh, thank you. Well, I'm also interested in you and your background and what you're doing in Turkey. I know, I like to have people on the show who are from other regions of the world. I know a lot of times, people in data protection seem like we talk a lot about the EU and we talk a lot about the US, but data protection and Data Privacy are occurring all over the world. So, if you can, I would love for you to tell me about your career journey and how you got interested in privacy.
Melih Calikoglu 01:30
Well, I have a long story of professional journey, actually. Most of the time in my career, I worked as a government officer in various positions and organizations quite well right; actually, almost 18 years ago, I suppose I decided that I should change my track and go on my own way. That was a time when the new Data Privacy law was introduced in Turkey. It was a treasure trove for me because I always loved to uncover how society works. The relations between people and organizations, and also to understand the technology, and implementing Data Privacy was a convergence for me. And it was great. Actually, most things that I allow in my professional life come and join together. So since then, around 2017, I began as a lawyer, at the same time consulting with companies and organizations in Turkey to comply with the new Data Privacy law. Very short,
Debbie Reynolds 02:35
Very good. Well, you told me a story before we recorded that I was not aware of. I would love to get your thoughts on this. So, as you said, Turkey did not have governing bodies around privacy or privacy laws until 2016. But tell me how that's different from what's happening in maybe the US or what's happening in the EU right now.
Melih Calikoglu 03:01
The story goes back to the candidacy of Turkey to the European Union, since 2004. Turkey is a candidate country for the European Union. So, it is supposed to accept the EE community, the European law, and introduce it into its legal system. And in 2010, there was a constitutional change, about the rights of privacy. This is when the first sentence about talking about the right to privacy in the Turkish legal system was introduced, but didn't actually take action until six years later in 2016. So that was when the country accepted a new law in line with data accession talks with the European Union. Since then, we now have a personal protection law of Turkey, and the legal system and the governing party. It all started actually in 2016. So for Turkey, it's quite a new subject, actually. So before that there were almost nothing besides general legal issues that you can rely on relating to privacy. But the first specifically, yes, it's a brand new thing.
Debbie Reynolds 04:13
Now, that's exciting. Tell me a little bit about maybe some nuances or differences. Turkish privacy laws are a bit different, maybe, than people would expect.
Melih Calikoglu 04:26
All privacy laws are not equal. They have similarities, but differences but with the story of Turkey, since Turkey is actually within range of the European Union still. So, its law is expected to be in line with European Union law when it was released. But there are problems actually, in my professional view in this time that I saw it. So, actually, the Turkish Data Privacy law was similar to the European Union's previous regulation, the privacy directive in 1995. In terms of alignment with GDPR, it lacks some parts. It lacks some details, and the new technology and new approaches to Data Privacy. So we have problems. For example, the transfer of data to third countries is a problematic article in the Turkish data law, wrongfully structured, I may say, but since the country is within the range of the European Union, the governing body is relying on GDPR, actually, when it's making decisions, because there are gaps for current and modern developments and cases. So, it somehow has to rely on GDPR for these up-to-date problems and solutions. It's a mixture of these actions. So everybody is learning Data Privacy, quite recently, the governing bodies, the judiciary system, the lawyers, and everybody saw is interesting. It was like Wild West at the beginning, but now it is settling down, actually. And I think there may be some amendments to the law to make it much more in line with the GDPR. Since every year Turkey, the European Union publishes a report on the ongoing process of the accession talks. And it specifically mentions that Turkish privacy law should be more aligned with the GDPR. And it's promoting this idea. And I think in time, it will get more in line with the European Union bottle is an ongoing process, currently.
Debbie Reynolds 06:36
So does the Turkish law have fines and penalties? Like the GDPR?
Melih Calikoglu 06:43
Yeah, there's a governing body called the Akaka they call it Personal Data Protection Board. And there are fines in the law, and they are actively implementing these fines, just like the European Union differences in detail section about the in general, yeah, the system is working. And there is a quiet hype, actually, about getting in compliance with the new law. So it took some time. But yeah, after seven years now it's settling. Now everybody knows that they have to comply with the new law. It's a bustling scene, actually.
Debbie Reynolds 07:18
That's exciting to see all the changes in the different jurisdictions. I think GDPR has been very influential, even in places like the US, where we don't yet have privacy or data protection laws in the same way. But I think the GDPR has been really influential. But it's interesting that you say that Turkish law is more modeled after the Data Directive of 1995. Because a lot of jurisdictions that passed privacy laws and data protection laws between 1995 and 2016 are very liberally from that. So I always tell people, you should go back and read the Directive because a lot of those countries, like the Philippines, for example, are very similar. Where their laws came into effect around that time. So for some of those countries that either started their journey before GDPR came out, they are very similar to the Data Directive. So I think that's really interesting.
Melih Calikoglu 08:21
Time jump because when the Data Directive was first published, it was the age of emails. Right, a lot has changed; it's an incredibly different environment we have now regarding data processing, data transfers, data sharing, and all anything about privacy actually, on the digital world. But the Turkish example might be yes, as you say there, because it was began to be prepared before they should naturally look for the existing regulation, which was not a directive at the time. So in time, it's going to get more aligned with the GDPR. This is unavoidable I suppose, because GDPR is quite an extensive and influential regulation when it comes to privacy.
Debbie Reynolds 09:05
I agree. So, I want your thoughts on working with small and medium-sized businesses. I know a lot of times when we think of big business in the US; for example, 90 plus percent of businesses are small and medium-sized businesses. So, not everyone is Apple. Not everyone is Microsoft. But there are challenges for the small and medium-sized businesses to understand and comply with Data Privacy and data protection laws. What are your thoughts? What are you seeing in your work around the challenges are small and medium-sized businesses to embrace what these laws mean and actually change the way that they operate as an organization as it relates to privacy?
Melih Calikoglu 09:59
Well, yeah, lots of changes and differences; actually thinking about the bigger organizations is the capacity; actually, first, these organizations do not have the resources and the capacity, not financial, they're not on the employment level. So the problem is much bigger for them at a much bigger ratio of a cost for that, so and this causes risk aversion actually. So think about that most of them cannot have constant legal support and make a contract with lawyers actually, to receive constant legal support for the smaller ones. So talking about them about compliance is a very big first section. First, they don't understand what it is about. And they don't understand how it is related to their day businesses. So it's a completely new thing. The guy is producing, for example, handheld devices, or simple plastic objects, actually, since he has employees. So he has to comply with the Data Privacy law, talking in a different language actually, for them, they don't get them. And it's causal. And it's hard to implement because the administrator and technical measures are not for the faint of heart, actually. Although the laws the regulations talk about this, they say enough, what you call technical measures, not enough the word is not enough.
Debbie Reynolds 11:23
I think it's like an administrative and technical measure.
Melih Calikoglu 11:27
It takes care of the size of the company. Still is quite a first for the small and medium organization. What this causes is risk aversion. So what they do, they just copy similar text from a similar company. That's what they do, actually. But it's, you know, compliance is a much more complicated thing, actually, it has to be tailor-made to protect the organization from Data Privacy risks, let's say, although the law talks about protection of the person, the rights of the person, but there is the interests of the company, the data controller, at the same time, it also has to protect itself from this Data Privacy risks. In order to do that, the toolset you produce for them has to be tailor-made to take into consideration what they are doing, how they are processing the data, which tools they are using, who they are sharing the data with, and comprehensive data mapping first, you have to make to understand this. So this is a quite a lot of work actually ran generally, I finished with 200 pages of documents, when they see that they are generally shocked. And just they say that, how are we going to apply this? Because there are contracts, data transfer contracts and the agreements, the policies, the most of the companies never solve policies in their lives. They do business naturally.
Debbie Reynolds 12:52
Right.
Melih Calikoglu 12:55
So, when I talk about information security policy, bringing your own device policy gets more complicated. So I think European Union is aware of the subject one of the latest regulations about data. They talk about this imbalance between big organizations and small organizations, but still an insanely great problem. For example, now we are carrying out the European Union project, and Erasmus project in Germany and in Turkey. And it's about creating a training tool for the accommodation sector employees to get to be more easy to comply with the law to end up producing some video content for that can access freely on the project website. But most of the organizations, the hotels just don't want to talk about the subject question. And we go to them. And we have preferred surveys and other things, diverting the risks action, and we had real problem to collect data from them in that manner. They are somehow secretive about this, if they are complying with it or not, they don't want to discuss about it. And what they do is just most of them not I'm not talking about the accommodation sector, but the small and medium size, they just copy similar texts and paraphrase similar documents, just changing the names. What this creates is actually a question, are we really protecting privacy in this manner? Because as you said, Germany is also and Turkey. Most of the organizations who are processing personal data are small and medium-sized organizations. And there are other problems, for example, you know, data transfer agreements. For example, I am a small company, I am selling cars, actually, let's say in a small city, and I am using Google Drive and other Google products, and I'm sending Google a data transfer agreement. For example. Do you think Google will ever reply to me and say okay, now we have data transfer agreement coming from this little company that we have 5 million No 10 million similar companies. 
So it's also practically sometimes blocked by the real life situations actually. So ideally, yes, we have to create data transfer agreements, we have to sign with all the parties that we are sharing our data, but in reality is different actually. And both of these organizations cannot access bigger companies even ask them. So there are hierarchy between businesses actually. So for example, I was working with an insurance company insurance agent, I was working for the compliance project of them, and they worked with bigger insurance companies. And these bigger insurance companies have already prepared their data transfer agreements and sent to these agents, brokers. So the thing is, hierarchically, the insurance companies are top level, and these agents are on the bottom level. So the agreements were full section. And this is a problem for Turkey or countries who are adopting the privacy laws in recent times, we have roles in the privacy regulations, data controller data, subject data processors or processes during control. And it has different meanings, and it has different obligations for them to follow. So it has different roles, outcomes, different results. And if you define this wrongfully, for example, if you say trade data control that you are a processor and centered Data Transfer Agreement in accordingly, it's a problem. It is a contract that is inapplicable actually, in real life. Because you cannot judge over the regulation, what the regulations define. And here, again, you see the small and medium-sized organizations problems, do they have the power to discuss how the agreement will be arranged? Or the details or other things? So this hierarchy is also a real problem. So yeah, I think yeah, even if GDPR is a great example of crusading for Data Privacy rights for individuals, we have to take care also for real life business. And their problem. 
Yeah, I am facing this daily, the difference of our jobs from a dedicated data protection officer is that they are generally in bigger companies, because they have the resources to hire a data protection officer. And from our perspective, we work with every size of organizations, every type of organization. So we see many different problems and many different situations. And we have to solve, for example, I'm working on a company who is trying to sell a software to a European country, and is trying to get in compliance with the local law. They're the European Union law, and they use the Artificial Intelligence, oh, God, now, we have to completely rethink how the data will be processed using artificial intelligence, the data flow charts we have to create, we have to define responsibilities, etc. So it's not an easy thing to actually another difference from us. And the Data Protection Officer data protection officers are generally not generally they always are the ones who apply the solutions that they have produced. If there's a policy, he is the one who is going to, or she's the one who is going to follow if it is applied within the company or not. But we are consultants, actually. So we prepare all the documents we tailor-made just for the company. So it solves many of them their problems. But if it is not applied, if it stays in a dossier, it is meaningless. It doesn't protect anything. Actually, these are real problems. And thinking about the percentage of small and medium-sized companies in our economies is a huge problem. Actually.
Debbie Reynolds 18:47
I love what you said there, and that is so true. So I tell people compliance is not getting a document and putting it as you say in a dossier. It is about the action and activity and who's responsible and who's accountable. Then, as you say, within larger organizations, you have people who wear different hats that you can assign things to, but medium-sized businesses may have one or a few people who are splitting up that responsibility within the company. So they're basically playing a role when they need to, and it's more challenging because those people have other jobs, they have other responsibilities within the company. So adding that on to the work that they're already doing, I think can be a challenge, especially if they weren't accustomed to working in or complying with Data Privacy or data protection regulations.
Melih Calikoglu 19:49
Yeah, and it's a real problem. In my perspective, what we are telling them is to create communities actually, because there is no one person who understands the law; IT and a data protection officer have three heads, he has to know about how organizations administer administrative knowledge, she has to know about IT information technologies work and processes, they then she has to know about the legal structure and law actually, so small and medium-sized or do not have people like that. So what we say is, is you are the ones who are processing the data that the different departments just create a committee from this mid level managers or something, so try to deal with in a more collective way. Because what other solutions do they have, they don't have the resources to hire separate data protection officers, that's the reality, you know,
Debbie Reynolds 20:43
What is happening in the world right now related to privacy or data protection that concerns you?
Melih Calikoglu 20:52
AI, Artificial Intelligence, changed everything. Actually, even think about if GDPR is relevant or not, in this manner, you know, we have privacy laws, and it's also a time for the intellectual property rights. So it destroyed every foundation that our legal systems that are built upon having right to something ownership. So I own my data, I own my production or intellectual properties. So the concept of property is even now under discussion, there are solutions, by the way, for example, you know, the discussion about the painters, the draw artists whose works are fed to the AI, and the AI produces new pictures, I use it happily and everyone was used. But in the end, it's actually a collection of intellectual property rights, the new product? So who owns it? Who is the owner of the new product? And how are you going to compensate? The work of the previous human, it's an incredibly complex problem action. So although we have the European Union just introduced a new AI act, and you're seeing daily on LinkedIn, everyone is writing reports, writing guidelines, preparing new regulations, new bills, or other things. Yeah, the whole world is now on its feet, trying to solve the problem. But the problem is much deeper than what we think actually, of how we approach. The main problem is how we are going to approach this new entity. The artificial intelligence, in my view, we are thinking about is like our traditional algorithmic computing systems, it is not in our algorithmic mathematical approach, we upload the data to a database, which is similar to Excel for people SQL, you know, so you can query the change, delete or do everything. And the data is there. Unquestionably, you can reach it, and you can find it anywhere. But here's the things, merge everything. And you cannot discern which data was produced by whom. And it becomes a giant mess, actually. So it resembles actually ourselves, you know, we don't have Excel sheets in our brains do we have. 
So the information comes in different ways. We listen to things, for example, podcasts, we read things, we discuss things. So it's a mess, actually how we learn and how we process data and how we produce I think it's a wrong approach to think this. If it is a traditional algorithmic mathematical, and it's not. And the main discussion is about the ethics, the bias of, for example, the artificial intelligence, you have general AI, yeah, we feed it with our knowledge, and we expect it to be unbiased. You see, in a traditional computing way, it's easy, actually, you create another layer to filter the data and it's over. But not in this case. It's a completely huge problem, and don't know how we're going to solve it. Later the scientists managed to read our thoughts. Have you heard about it?
Debbie Reynolds 24:14
I have heard that one. Oh, my goodness.
Melih Calikoglu 24:18
We are digitizing ourselves down to our toes actually. And which means we can read by the computers. And we can be assessed by the computing systems, including now generative AI, to our very private thoughts. So this is new, and I think we are taking it lightly. I think this is as big as the Jesus. You know, it's a new age, actually. And it's a start of a new history, but it's under discussion. Yeah, we have to discuss this and nobody has a solution. I don't think so. And the new laws. Yes, I think they are very good. And do we have to do this because you as a human societies, we don't have anything but to regulate. This is our, the most comprehensive tool that we created in 5000 years or something. First, it was introducing Hammurabi. Yes. The Babylonian king. Now we love to regulate, we have to regulate, because we don't have any other drug. But how we are going to regulate this new thing is a completely new phenomenon. And it's exciting here. So a wonderful subject. But it's a problem at the same time.
Debbie Reynolds 25:29
It is. I agree. I hadn't heard anyone say it that way. You're right. It is a new age, isn't it? So it's before AI and after AI, before the democratization of AI. That's what happened.
Melih Calikoglu 25:46
Before the democratization of AI when we had AI, but we didn't know it actually. Right. They call machine learning. And they were doing lab tests for the last eight or 10 years after they sold, how they cracked the code, how humans think, actually and learn. That's the main thing actually, it mimics us. It learns like us and it thinks like us and after marketization, I was shocked. And who doesn't use ChatGPT? I am using it daily. And it comes with problems and the questions if I am consultant and trying to solve problems for my consultants, and I am loading their data onto a completely different companies. Not database, but some kind of data mined, what would you call it? So yes, we have ethical problems. And sometimes I was thinking about, okay, everybody's writing emails using AI. Absolutely. Email companies integrated AI generative AI into their products. So let me ask you a question. Who is talking to who now think about this? I'm writing an email. I'm not writing an email, ChatGPT writes it okay. Then I'm sending it to you. And for example, you are replying, but how are you replying? You are making the church up the right answer. So are we the ones who are talking about church if it is talking to itself? These are incredible. Questions section.
Debbie Reynolds 27:20
Oh, my goodness, I haven't thought about that. That's all true. And I think three is really interesting. Because when Generative AI or Chat GPT, and all these new AI tools became more commonplace. You're right that a lot of companies still are implementing derivative AI and AI into their products; almost any tool that you use today, you open it up, they say, hey, we have this new feature, or you can do X,Y, and Z, this new thing. I think, for people who were afraid of AI, they want to shut the door on it. And I use it. It's impossible because it's in everything now.
Melih Calikoglu 28:03
Impossible. What was the first social media application before Facebook? What was was a Myspace? Myspace? Yeah. Okay. In 2003, for example, we ever thought about there will be a word like is today? No. You see, the old meet LinkedIn actually, isn't it every hour socializing now is carried out to social media. And in 2003, it was a science fiction, actually, what is the reality? So I think we are currently not understanding how will this change our world, this is MySpace time for us learning to AI. And it will be a very different world center; there comes the question of authenticity. Actually, I cannot make calculations because I have calculated once upon a time we memorize telephone numbers, right? We now know I don't know, it is changing us at the same time. As big so and privacy think about in this new world, the New Age, the subject of privacy, for example. So I was reading about LinkedIn is a great place as a social media, you can find any sort of research reports, guidelines, and yeah, I think for them for this service. And there was a research about synthetic data. For example, since you do not want to feed the artificial intelligence with real people's data. What they do is they synthesize it, they create a synthetic version, which do not resembles real people and identify when they say something like anonymization. So these researchers quickly solved they talk with AI. So this is also a complete and if we are talking to the computer, currently, they taught it and they get the real people's data, who were supposed to be synthesized and unreadable. So where's our solutions? How are we going to protect privacy? And so it's a brave new world. I read an article talk again about data poisoning. Poisoning wonderful. Yeah, for people, I love to learn. And this is incredibly exciting for me. But on the social level and the legal level, there's a lot to be solved and first analyzed. So it's a brave new world. 
And I don't think AI act of European Union is just a start, not direct solution.
Debbie Reynolds 30:29
I agree. I agree. I think you're right; we're moving into a new frontier where we don't really comprehend exactly how AI is going to change so much of what we do. So it's going to be really interesting to see how people react to that. And regulation. I know that when the European Union said they were doing an AI Act, people were really happy and excited. And I think some people breathed a sigh of relief. They're like, oh, wow, now we're going to have AI regulation. And that's great. But the thing that's going to happen with technology, well, first of all, no matter what, technology always outpaces the law, right? So, the law tends to be very reactive. But what's going to happen with AI now is that it's going to go way ahead, right? It's going to exponentially grow. So, I'm going to go lightyears ahead of where things are now. There's a place, obviously, for regulation, but regulation won't be sufficient to manage what's happening with AI.
Melih Calikoglu 31:31
You'll remember when European Union's AI Act was introduced, it was before Generative AI. They had no idea they will be a Generative AI entity coming and it's a nuclear bomb actually, is changing every day. And we are learning about new things. And yes, regulations, instead of depending on the regulations, I think we need to discuss a lot. Discussions are our first line of defense, let's say, to regulate this thing, and because otherwise, we will be overwhelmed, and we won't be able to handle it.
Debbie Reynolds 32:06
So, if it were the world, according to you, Melih, what would be your wish for privacy or data protection anywhere in the world, whether that be regulation, human behavior, or technology?
Melih Calikoglu 32:29
It will be AI solutions that makes privacy compliance seamless. For small and medium-sized organizations, and for the person whose data is protected, like me, and you, you know, cookie, consent popups, and privacy notices. Do you think anybody reads them? One in 1000, one in 10,000? So?
Debbie Reynolds 32:55
Right.
Melih Calikoglu 32:57
Are these traditional approaches is not working? Yeah. Okay. It looks glamorous and wonderful. Okay, we have notifications. We have data transfer agreements; we are collecting consent. But now consent is actually torture for the user. They are regularly consenting, and it says turned into an automatic thing actually, is because the user wants to get to the content quickly, and you are avoiding to access the content. What is done? Does he read the cookie privacy policy? No. He just says, Yes, I consent. So yeah, it's good. I'm not saying that they're useless, but here's a greater thing that as you say, technology is running in the speed of light. And we are regulating it is a bit of a horse. Maybe if anybody, AI programmers, can solve this privacy thing, make it a seamless process that AI helps us handle it interesting. And this is what I expect from the New Age, actually. And this new entity that we call artificial intelligence.
Debbie Reynolds 34:07
Thank you so much for being on the show. I love your insights. And I'm really excited about the work that you're doing. I know the audience will love the episode as much as I have. So this is great. Thank you so much.
Melih Calikoglu 34:21
You're welcome. And thanks for hosting. I hope to discuss it further in the future, endless discussions.
Debbie Reynolds 34:28
Yeah, endless, endless discussions. Well, thank you so much, and I look forward to being in touch with you soon.
Melih Calikoglu 34:37
Thank you very much.
Debbie Reynolds 34:38
Okay. Bye bye.