The top-level and hair-raising speed reached in technology innovation thanks to Industry 4.0 manifest technologies ancient with each passing day even when they are considered cutting-edge. Fierce global competition in technologic field in almost every sector from medical to telecommunication, engineering to software, agriculture to automotive encourages competitors to take the lead, provokes them to intensely focus on R&D activities, and conduces to constantly developing cutting-edge technology output.
Apple, among the pioneers in global competition as per its own sector, made once again an indelible impression thanks to new concrete attempts made in IoT technology through its new product AirTag, offered for pre-sales on 23rd of April 2021, and launched extensively on 30th of April 2021. Despite the fact that the product enjoys the benefits of being "new tech", the opportunity for third parties to be able to reach location data causes privacy concerns while also it raises new questions in terms of law. In this article, an attempt will first be made in brief to explain the functioning principle of AirTag, whereupon legal issues to which it leads will be scrutinized.
II. HOW DOES AIRTAG FUNCTION? WHAT CONCERNS DOES IT RAISE?
The functioning of the product relies on the synchronization of the product with the app "Find" as can be downloaded to iPhone, iPad and iPod touch, which later on helps spotting the location of lost items. As such, it becomes possible to locate the lost item to which AirTag is tied or connected, without regard to distance. Radiating bluetooth and NFC signals, the product is capable of sending location data to the user. Besides, as suggested by Apple, mobile devices using Android-based operating systems will also be able to track down location of such items. Apple further claims that end-to-end encryption technology helps protecting user's personal data1.
Notwithstanding that Apple constantly underlines the security and privacy factors, the new product launched under the name "AirTag" causes quite grave concerns as to the data owners' location data. The more serious concern in terms of privacy and personal data breach emerges as regards the possibility to track down the location of third parties, to whom or whose items AirTag was installed on without their knowledge and consent.
In the official website, Apple states that in case AirTag remains far from the person who has synchronized it to his own device, it sounds to alert enabling those nearby to return the lost item to its owner2. According to the functioning of technical system devised for AirTag, in the event that AirTag gets connected to another mobile device which it has not been paired with, the warning notification is delivered to such mobile device. Here, location data may be obtained by third parties until such notification mechanism becomes effective. Additionally, Android based mobile devices may be exploited till a lost AirTag has been spotted, while also location data belonging to owners of Android devices may be reached. In such circumstances, Android user may not be aware that their location data is reached
II. LEGAL DIMENSION OF AIRTAG USE
Although Apple suggests that the privacy of everybody's data is ensured through end-to-end encryption and frequent changes in bluetooth identifiers, due to AirTag being installed on the relevant person or his belongings without him being aware of such instalment will enable tracking of such persons by technical means. In such case, unlawful obtainment of personal data and violation of privacy crimes may be at stake according to Turkish Penal Code no. 5237 ("TPC"). Any acts by the perpetrator towards the victim which constitute crimes also amount to torts, hence the claims for indemnity of monetary and non-monetary damages may also be applicable between the relevant persons pursuant to Turkish Code of Obligations no. 6098 ("TCO").
Likewise, from the aspect of the same crimes, questions may arise in terms of spotting location data of third parties. It also bears great importance to assess such circumstances in light of personal data protection legislation. In ordinary course of life, it must be considered on the part of every relevant body, be it AirTag owner or not, whether Code no. 6698 on Personal Data Protection ("CPDP") would apply with respect to obtainment and other processing activities of personal data on a case-by-case basis.
In the light of CPDP; instant location data obtained through AirTag becomes personal data to the extent that it allows instant tracking of a real person. Pursuant to CPDP, Apple is obliged to take all necessary administrative and technical security measures for the protection of personal data obtained from real persons. In this context, Apple is directly and jointly responsible for data violations committed by individuals who obtain personal data maliciously through AirTag.
On the other hand; Due to the working principle of AirTag, the possibility of violating the privacy of location data becomes even more important. However, based on the tracking of the instant data provided by the product, it is possible to indirectly access other personal data of real persons, especially the address information. In this context, it is considered likely that larger-scale violations through Airtag would be caused.
In a scenario where the opportunity enabling the tracking down of location data has become widespread and facilitated beyond expectations, the positive obligations of the member states, as contracting parties to European Convention on Human Rights ("ECHR") may be in question to ensure the privacy of life as laid down thereunder. In case of any infringement of such obligations may also bring forward fair compensation for violation of privacy of life set out under article 5 of ECHR.
As in any fields, the new developments in technology also inevitably give rise to new requirements in legal terms. The legal order, on the other hand, fails, most of the times, to achieve arrangements as required by technologic innovation, however, struggles to find fair resolutions by means of interpretations in light of present legislation.
By the same token, AirTag and the IoT tech it uses will likely bring new legal requirements, whereas they must be considered in accordance with the present legislation prior to enactment of relevant one. Indeed, regarding the privacy concerns raised by AirTag, it becomes indispensable to seek fair resolution through teleological interpretation when necessary, acting in accordance with effective regulations.
Therefore, the functioning principle and usage of AirTag must be evaluated pursuant to, in particular TPC, CPDP and ECHR. Apart from all these, it should be noted that in case the usage of AirTag results in torts between persons, TCO may also apply.
2. see no.1
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.