Media

Is Commercial Data Safe?

Is Commercial Data Safe?

The “Modernization of Customs Administration Project” changed the codes of the entire customs community in the early 2000s. The “BİLGE” (Computerized Customs Activities) software, which allows customs declarations to be made, was the first interactive software in the public sector, and more importantly, it enabled data exchange and approval between customs administrations and customs obliged parties. Customs brokerage companies and agencies that succeeded in adopting the regulations and automation envisaged by this project survived. Those that failed to do so had to cease their operations.

In 1998, when the software was developed, there was no widespread internet infrastructure worldwide. In those years, EDI (Electronic Data Interchange) software allowed data transfer between systems but was not widely used. Therefore, the Customs Administration provided access to BİLGE to IT companies that developed some interface software for customs obliged persons to access the system from their own offices by using this software. In the following years, with the internet, which established a widespread access network, it became possible to access every system globally to the extent permitted. Currently, the BILGE system can be accessed from the computer terminals in the data entry halls of customs directorates by using the package software of the companies that develop the interface software or over the internet.

An effective firewall protects the BILGE system. However, hackers, also known as “hackers,” are not idle. Even the best-protected systems can be breached. Hackers who break into bank systems can even transfer millions of dollars to their accounts.

The widespread use of information systems and the ease of data accessibility have created a digital landscape where our once-private data can be easily exploited. However, to counter this, we have witnessed a robust global surge in legal regulations aimed at safeguarding personal data over the past two decades. This concerted global response underscores the universal concern for data security and provides a reassuring beacon of hope in the face of these challenges.

In Türkiye, legal infrastructure arrangements were initiated in 2010 by adding the third paragraph to the Constitution's Article 20 on "Privacy of private life." The section reads, "Everyone has the right to request the protection of personal data concerning them. This right includes the right to be informed about personal data concerning oneself, to access such data, to request their correction or deletion, and to learn whether they are used for their intended purposes. Personal data may only be processed in cases stipulated by law or with the person's explicit consent. The principles and procedures regarding protecting personal data shall be regulated by law." 

Subsequently, the Law No. 6698 on the Protection of Personal Data entered into force on March 24, 2016. The "Personal Data Protection Board" was established to make and monitor the regulations in this field. With dozens of rules, communiqués, and board decisions published by the Board above, the legal infrastructure in this field is being updated.

The security of commercial and industrial data is as essential as personal data. The complaints that their commercial data is shared in the market and even marketed, that they have lost customers from abroad due to this, and that they may have leaked from the BİLGE system since they did not share the data above themselves cannot be prevented. 

The Ministry of Trade tried to reinforce the legal infrastructure on this issue by amending the regulation published in the Official Gazette on April 20. 

In the 5th paragraph added to Article 112 of the Customs Regulation, it is stated that “If the declaration is to be made using software provided by persons who mediate the declaration through computer data processing techniques by providing software services, the procedures and principles to be followed by the service providers providing the software service in question and the technical qualifications that the systems of these persons should have are determined by the Ministry.”

The following paragraphs, 7, 8, and 9, were added to Article 563 titled “Obligations of the customs broker” of the same Regulation: 

“(7) Real and legal persons providing customs consultancy services and their partners and employees cannot disclose the information and trade secrets they have learned about the persons or organizations on whose account they declare, even if they terminate their professional activities. However, this provision shall not apply in case of any judicial or administrative examination or investigation.

(8) Real and legal persons providing customs consultancy services are obliged to take all kinds of measures for the security of data in the computer systems they use for making declarations through computer data processing techniques. Suppose services are obtained from third parties for declarations through computer data processing techniques. In that case, a written contract must be made with the person from whom the service is obtained. In this contract, it must be clearly stated that the service provider will take all kinds of measures for the security of the data and that it cannot disclose the information and secrets within the scope of the service provided.

(9) Natural and legal person consultants who do not fulfill the contractual condition in the eighth paragraph shall not be allowed to provide indirect representation services until this condition is fulfilled.”

Indeed, customs brokers who make customs declarations as indirect representatives must be compassionate about the security of the data they obtain from their clients. In this respect, they should sign contracts with those who provide them with interface software that contains binding provisions on data security and should not “betray the trust.”

At the same time, the Ministry of Trade should keep its antennae open to see if its employees are protecting this easily convertible commercial data with the same sensitivity. If such a determination is made, it should quickly take appropriate action.