January 10, 2025
by Ufuk Yeşil
The European Court of Human Rights (hereinafter ‘the Court’) declared the case of Çamurşen v. Türkiye inadmissible on the grounds of non-exhaustion of domestic remedies. In this case, the applicant alleged a violation of the right to respect for private life, arguing that internet traffic data had been retained beyond the prescribed statutory time limit and subsequently used as evidence in criminal proceedings for alleged membership in a terrorist organisation.
In the aftermath of the coup attempt on 15 July 2016, mass arrests and prosecutions ensued. Internet traffic data and Historical Traffic Search (HTS) records were frequently used as conclusive evidence to substantiate allegations of ByLock application usage and communication with other suspects linked to membership in the Gülen Movement. Notably, much of the internet data referenced in criminal proceedings had been retained far beyond the statutory retention period. Consequently, the use of such data in Gülen Movement related post-coup cases raised concerns about violations of the right to a fair trial and the right to respect for private life. Some individuals affected by this practice pursued justice through criminal complaints against the unlawful retention of this data and/or administrative lawsuits.
The Court first addressed this issue in the Yalçınkaya case. However, it concluded that the core issues raised under Article 8 of the Convention had already been considered under Article 6 § 1 and, in the specific circumstances of the case, found no need to deliver a separate ruling from the standpoint of Article 8 (§§ 368-373).
The Çamurşen case held particular significance as it was set to be the first decision by the Court addressing the retention of internet traffic data beyond statutory time limits. The Court grouped the Çamurşen application with six other similar applications and communicated them to the Turkish Government on 26 March 2021. The government subsequently submitted its observations for this group of cases on 6 October 2021. By early 2022, the applicants were expected to have responded to the government’s observations, suggesting that the Court’s judgment for all cases in this group should have been ready for announcement. However, the Court later issued a decision solely for the Çamurşen case, having apparently separated it from the other six cases.
In this blog post, after providing background information on the case, I will first summarise the Court’s decision regarding the effective remedies that need to be exhausted. Then, I will delve into the criminal complaint remedy and critique the Court’s failure to thoroughly examine the effectiveness of the domestic remedies.
The applicant, Mr Çamurşen, was detained on remand for alleged membership in the Gülen Movement two weeks after the coup attempt in July 2016. In September 2017, the Assize Court requested from the Information and Communication Technology Authority (BTK) to examine the applicant’s internet traffic data from 2014 to 2016. The court sought information on whether the applicant’s mobile phone number was connected to IP addresses linked to the ByLock app, an application allegedly used exclusively by Gülen Movement members, as well as the CGNAT data indicating internet traffic between different sources. The BTK subsequently provided the requested data to the trial court.
The applicant filed a criminal complaint against the BTK and the internet service provider, invoking Article 138 of the Turkish Penal Code (TPC). This provision states: ‘Any person who fails to destroy data in accordance with the prescribed procedures, before the expiry of the legally prescribed period for destruction, shall be sentenced to a penalty of imprisonment for a term of one to two years.’
Despite the clear wording of Article 138, the prosecutor declined to pursue the complaint, reasoning that the applicant’s allegations should have been raised as defence arguments during the criminal proceedings against him and did not warrant a separate criminal complaint. The Constitutional Court also declared the applicant’s complaint inadmissible, citing failure to exhaust effective domestic remedies (§§ 5-7).
The Court reiterated that Member States have discretion in determining how they comply with their obligation to provide a domestic remedy that enables the competent national authority to address the substance of a Convention complaint and grant appropriate relief. Referring to the Turkish Constitutional Court’s judgment in Ertan Erçıktı (3), the Court observed that administrative and civil courts in Türkiye had thoroughly examined similar claims, with their decisions being subject to review by higher courts. The Court emphasised that there was no evidence suggesting that the domestic judicial process was inadequate or ineffective (§ 24).
The Court concluded that compensatory remedies available before administrative and civil courts were capable of addressing the alleged violation and providing appropriate redress, including compensation. It found that the applicant had failed to pursue these remedies. Nevertheless, the Court reserved the right to assess the effectiveness of these remedies in future cases (§§ 25-27).
The Court demonstrates a tendency to require the exhaustion of compensatory remedies in cases concerning defamation or the protection of reputation (see, § 131 of the Admissibility Guide). However, the issue in this case is not the protection of an individual’s reputation, but the safeguarding of personal data.
As noted above, Article 138 of the TPC stipulates imprisonment of one to two years for any person who fails to destroy retained data despite a legal obligation to do so. Furthermore, Article 139 of the TPC clarifies that the prosecution of this offense does not require a formal complaint. This means that once the non-destruction of personal data is acknowledged, the prosecution is obligated to act ex officio. Similarly, Article 63 § 3 of the Electronic Communications Law No. 5809 references Articles 132-140 of the TPC, emphasising the criminal responsibility of personnel from authorised electronic communication service providers for offences against private life.
In the context of Turkish legal provisions concerning the protection of privacy and personal data, criminal remedies cannot be considered merely as an alternative to civil or administrative remedies; they are the primary recourse. This distinctive emphasis on criminal remedies in Turkish law should have been thoroughly examined by the Court. However, the Çamurşen decision fails to provide any evaluation on this crucial aspect.
The Court, relying on the Constitutional Court’s Ertan Erçıktı (3) decision, concluded that compensatory remedies before administrative and civil courts constituted effective remedies. The Court emphasised that these decisions were subject to review by higher courts. However, the Ertan Erçıktı decision referenced rulings from two administrative courts, one appellate court, and one civil court, none of which accepted the compensation claims.
Moreover, my detailed analysis published by the Justice Square Foundation on the domestic court decisions referred to by the Government in the annexes to its observations in Çamurşen and others (including nine administrative court decisions, seven appellate court decisions, and one civil court decision) reveals that none resulted in compensation being awarded to applicants.
The case of Enver Evren is particularly illustrative. After exhausting an administrative full-remedy action as suggested in the Court’s decision (§ 16), he applied to the Constitutional Court. However, his complaint was found inadmissible on the grounds that there was no interference with constitutional rights and that the issue fell outside the Constitutional Court’s jurisdiction regarding the right to a fair trial (App. No: 2020/29100, 22/12/2020). This decision demonstrates that the Constitutional Court does not view the retention of internet traffic data beyond legally prescribed periods as a violation. Evren subsequently submitted his claim to the European Court, where his application has been registered as App. no. 34996/21.
The domestic court decisions submitted by the Government fail to demonstrate that compensation claims before administrative and civil courts are capable of providing adequate redress. Administrative courts consistently dismissed such claims without addressing their merits, arguing that ‘HTS records and internet traffic data do not constitute an administrative act that can be challenged in such proceedings.’ Similarly, domestic courts held that the retention of telecommunications data for judicial investigations was a legal obligation, that no pecuniary damage existed to warrant compensation, and that the BTK had not engaged in any unlawful actions. These dismissals were often issued without substantive examination, citing jurisdictional grounds or offering abstract reasoning that ignored relevant legal provisions. Appellate courts upheld these dismissals without meaningful review.
This pattern demonstrates that applicants’ claims were not effectively examined, and no genuinely functioning legal remedy exists in such cases. Furthermore, the applicants were not solely seeking pecuniary compensation but also the acknowledgment of a violation of their right to personal data protection and the prevention of unlawfully retained data being used as evidence in criminal proceedings. Contrary to the Court’s assertion, these claims did not receive comprehensive judicial review.
According to the Court’s case law, the obligation to exhaust domestic remedies requires that an applicant have normal recourse to remedies that are effective, adequate, and accessible. Such remedies must be sufficiently certain not only in theory but also in practice; otherwise, they lack the requisite accessibility and effectiveness. In the Çamurşen case, there is no evidence of a domestic decision demonstrating the effectiveness of the remedies the Court proposed for exhaustion.
Finally, in the six other cases communicated alongside Çamurşen, the Government’s submissions indicate that the Constitutional Court did not reject the applications on grounds of non-exhaustion of domestic remedies but addressed them on their merits.
The Court has reserved the possibility of examining the effectiveness of the remedy in future cases (§ 27). At a minimum, the Court should examine on the merits the other six cases communicated alongside Çamurşen, which were dismissed by the Turkish Constitutional Court on grounds other than non-exhaustion. In these cases, the Court would be called upon to examine the alleged violations of the right to respect for private life, particularly in terms of the ‘legality’ requirement of the intervention.
The assessment of legality requires that any interference with the right to private life has a clear legal basis that is accessible, foreseeable, and provides safeguards against abuse. This examination is essential in defining the legal framework for the collection and retention of internet traffic data.
The critical issue that remains unresolved is whether internet traffic data was retained for the period prescribed by law. In Turkish domestic law, this matter is governed by the Electronic Communications Law No. 5809, the Law No. 5651 on Regulation of Publications on the Internet, and the regulations issued pursuant to these laws.
Article 51/10-c of Law No. 5809 stipulates that traffic data may be retained for a period not less than one year and not exceeding two years from the date of communication, with the retention period to be specified by regulation. Under Article 19/1-f of the Regulation on Authorisation in the Electronic Communications Sector, this retention period was initially set at one year until June 11, 2016, and up to a maximum of two years thereafter. Similarly, Law No. 5651 mandates access providers to retain traffic data for a period ranging from six months to two years (Art. 6/1-b).
These legal provisions grant the authority to retain internet traffic data exclusively to service providers and hosting providers. While certain provisions of Law No. 5651 (e.g., Articles 3/4, 4/3, 5/5, and 6/1-d) temporarily conferred similar authority to the BTK, these provisions were annulled by the Constitutional Court in 2014 and 2015. The Constitutional Court ruled that these provisions lacked specificity and foreseeability and failed to impose sufficient limitations on the subject matter, purpose, and scope of personal data collection, thereby leaving individuals unprotected against administrative abuse.
Moreover, the 13th Chamber of the Council of State annulled Article 8/1-b of the Regulation on the Procedures and Principles for the Regulation of Publications on the Internet, which granted the BTK similar authority. These rulings are of critical importance in ensuring the protection of personal data and maintaining legal predictability. Without a clear and predictable legal framework, the retention and use of internet traffic data for criminal investigations and other purposes remain a significant concern for the protection of privacy rights.
In its observations (§ 71) submitted to the Court in Çamurşen, the Government advanced an intriguing defence. According to the Government, the regulations on the retention of internet traffic data apply only to private entities, and as a public institution, the BTK is not bound by these obligations. Paradoxically, the Government interpreted the lack of legal regulation regarding the BTK’s retention of data as granting the institution the authority to retain data indefinitely. This interpretation effectively acknowledges that the BTK exercised an authority it lacked a legal basis for, thereby violating the right to respect for private life.
Moreover, administrative and civil courts, as well as public prosecutors, adopted this interpretation, dismissing compensation claims and criminal complaints on the grounds that the BTK could collect and retain such data without judicial authorisation. Fundamentally, the core of this interference with the right to respect for private life lies in the judiciary’s acceptance of the BTK’s actions as unproblematic, thereby enabling and legitimising these violations.
The Çamurşen group communication presented a critical opportunity to address the seriousness and systematic nature of the interference with the right to respect for private life, which has been postponed.
In this context, the Çamurşen case exemplifies the Court’s reluctance to address large-scale and systematic human rights violations in Türkiye following the events of 15 July 2016. In dealing with mass violations, the Court tends to group hundreds of applications and examine them through the lens of a single essential violation, often overlooking other significant claims. Despite being aware that the internet traffic data of hundreds of thousands of individuals had been retained beyond the statutory time-limit and unlawfully used to impose severe penalties, the Court has failed to adjudicate these cases for over eight years.
The compensatory remedy, which the Court has reserved the right to review in future applications, does not constitute an effective or adequate legal avenue in the present case or similar cases. Although the laws and regulations mandate that data must be retained only for the prescribed period and that failure to delete data within this timeframe incurs administrative and criminal penalties, there has not been a single court decision to date awarding compensation for the excessive retention of data or conducting a substantive examination of applicants’ claims.
The retention of internet traffic data constitutes a violation of Article 8 if it is in clear contradiction to the requirements of ‘lawfulness’ or the principle of ‘proportionality’. Moreover, the collection, processing, and retention of such data without proper safeguards are direct breaches of Article 8 (as held in Skoberne v. Slovenia, § 144). In similar cases, such as Rotaru v. Romania, Big Brother Watch and Others v. the United Kingdom, Benedik v. Slovenia, Ekimdzhiev and Others v. Bulgaria, Škoberne v. Slovenia and Borislav Tonchev v. Bulgaria, the Court has previously concluded that Article 8 of the Convention was violated.
The Court should have recognised that the Turkish judiciary is not inclined to redress the grave human rights violations that occurred in the post-coup period. Compensatory remedies are as ineffective as criminal complaints under the current Turkish judicial practice. The Court must urgently address the use of long-retained internet traffic data, obtained in violation of Article 8 (Skoberne v. Slovenia, §§ 146-147).