INTERNET
Access Blocking Decisions on Broadcasting, Gaming and Creative Story Platforms
The rapidly expanding borders of the digital age not only facilitate access to information and entertainment but also open the doors to a world waiting to be explored by children. However, the digital world also brings certain risks in terms of the security of personal data, the privacy and safety of children, and cyberbullying. Indeed, the successive access blocking decisions issued against various broadcasting, gaming and creative story platforms based on Articles 8 and 8/A of the Law No. 5651 on the Regulation of Internet Publications and the Prevention of Crimes Committed through these Publications ("Internet Law") show that these risks are also under the scrutiny of Turkish public authorities.
Article 8 of the Internet Law allows removal of content and/or blocking of access where there is reasonable indication that the content falls within the scope of the catalogue crimes listed under Article 8, such as sexual abuse of children and obscenity; Article 8/A regulates the procedure for the removal of content and/or blocking of access in sensitive and urgent cases such as the protection of national security and public order and the prevention of crime.
Based on publicly available resources, access blocking decisions were issued against two live broadcasting platforms, one gaming platform and one creative story platform.
These access blocking decisions indicate that the scrutiny over children's safety on digital platforms and the implementation of security measures to protect minors will increase. Accordingly, it is critical for digital platforms and social network providers to take the necessary measures to ensure the safety of children and act in cooperation with public authorities.
Bill on the Use of Artificial Intelligence Systems
On June 25, 2024, The Artificial Intelligence Bill ("Bill") on the use of artificial intelligence ("AI") technologies was submitted to the Grand National Assembly of Türkiye. The Bill is noteworthy, as it is the first legislative work on AI systems submitted to the Grand National Assembly of Türkiye. In addition to the Bill, recent developments such as the publication of (i) the Medium-Term Program for 2025-2027, which comprises certain goals related to digital transformation and AI strategies, and (ii) the National Artificial Intelligence Strategy Action Plan for 2024-2025, which contains action plans to encourage the use of AI systems, signal that legislative activities on AI will gain momentum in the upcoming period.
The Bill contains provisions similar to the European Union Artificial Intelligence Act ("AI Act"), which entered into force on August 1, 2024, whose obligations apply in stages, and which is being closely followed worldwide. Accordingly, the Bill, which aims to ensure the safe, ethical and fair use of AI technology and the protection of personal data, imposes certain obligations on the providers, sellers, users, importers and distributors of AI systems.
The AI Act sets out detailed rules for AI systems and classifies them by risk into (i) unacceptable risk (prohibited practices), (ii) high risk, (iii) limited risk (subject to transparency obligations) and (iv) minimal risk. The Bill does not stipulate such a classification. Instead, it regulates risk assessment during the development and use of AI systems and provides that special measures shall be taken exclusively for high-risk AI systems. Accordingly, high-risk AI systems shall be registered with the administrative supervisory authorities to be authorized in the relevant field and subjected to conformity assessment. The aim of these risk and conformity assessment mechanisms is to ensure that AI systems benefit society and that potential harms are minimized. On the other hand, unlike the AI Act, the Bill does not set out criteria for how the risk assessment is to be made; it therefore does not specify which systems will be considered high-risk AI systems and subject to the registration obligation.
The Bill also imposes an obligation on AI operators to ensure that AI systems comply with the Bill and secondary regulations. The concept of "AI operators" encompasses all stakeholders in the AI ecosystem, including providers, dealers, users, importers and distributors. While fulfilling the compliance obligation envisaged in the Bill, AI operators shall observe fundamental principles such as ensuring the security of AI systems, ensuring ethical use, respecting personal data protection and ensuring non-discrimination.
Similar to the AI Act, the Bill provides for administrative fines on AI operators for (i) using prohibited AI systems, (ii) breaching obligations set out in the Bill and (iii) providing inaccurate information to supervisory authorities. However, unlike the AI Act, the Bill does not specify the conditions under which administrative fines are imposed or their amounts; it merely introduces a framework provision.
The Bill, which provides a general framework and lacks the detailed provisions of the AI Act, is still under evaluation in the commission. Nevertheless, the Bill opens the door in Türkiye for drafting regulations in line with international norms for the development and use of AI systems, as well as the supply of AI technology to the market, marking the first step toward legislative activities on AI systems.
You can access the Bill here (in Turkish).
Communiqué on Commercial Electronic Message Management System Integrators Published
The Communiqué on Commercial Electronic Message Management System Integrators ("Communiqué") drafted by the Ministry of Trade was published in the Official Gazette dated September 18, 2024 and numbered 32666. The Communiqué primarily establishes an authorization regime for third-party companies that provide services to individuals or entities which send commercial electronic messages or have them sent on their behalf, and which are obliged to register, with the Commercial Electronic Message Management System (Tr. İYS), the opt-in and opt-out information received from recipients. The Communiqué defines the companies that may provide such services as "integrators" and regulates the procedures and principles regarding (i) the registration, through integrators, of opt-in and opt-out information relating to the receipt of commercial electronic messages on the İYS, (ii) the authorization of integrators and (iii) the annulment of such authorization.
The Communiqué states that integrators must obtain authorization from the Ministry of Trade in order to provide services to service providers as an integrator, and sets out the conditions to be met by applicants for integrator authorization. Companies that meet these conditions may apply to the institution designated by the Ministry of Trade within the scope of Article 10/A of the Regulation on Commercial Communication and Commercial Electronic Messages, submitting the documents that the Communiqué specifies for the authorization application.
The Communiqué introduces various obligations on companies that provide services as integrators and regulates the sanctions to be imposed in case of failure to comply with them. Accordingly, integrators are obliged to (i) provide services in compliance with the legislation, (ii) take the necessary technical measures, (iii) ensure the protection of personal data obtained in the course of their operations and (iv) ensure the confidentiality of trade secrets obtained. In addition, within the scope of the record-keeping obligation, if integrators retain the opt-in and opt-out information received from recipients for the sending of commercial electronic messages, they are jointly and severally liable with the service provider for its submission. The Communiqué stipulates that an integrator that violates these obligations or ceases to fulfill one of the conditions required to become an integrator shall be given thirty days to remedy the violation. If the breach is not remedied within that period, or the conditions are still not met, the Ministry of Trade may annul the integrator authorization.
You can access the Communiqué here (in Turkish).
WORLD NEWS
Dutch Data Protection Authority Sanctioned Data Controller for Unlawful Cross-border Transfers under the GDPR
On August 26, 2024, the Dutch Data Protection Authority ("Dutch DPA") imposed an administrative fine of EUR 290 million on a data controller company for failing to provide appropriate safeguards for cross-border data transfers. The Dutch DPA found that the company had, for 27 months, transferred the personal data of its European users, including their sensitive personal data, obtained as part of its services to servers in the United States without relying on any of the transfer mechanisms provided under the General Data Protection Regulation ("GDPR").
In its defense, the company argued that its European and American subsidiaries are joint controllers, that both are subject to the GDPR, that no transfer takes place between them because the personal data of data subjects in Europe are collected directly by the American subsidiary, and that relying on one of the transfer mechanisms, such as standard contractual clauses ("SCCs"), for transfers outside the European Economic Area is therefore not required. In explaining why its United States subsidiary did not rely on SCCs, the company also referred to the 2022 questions-and-answers publication of the European Commission ("Commission"). There, the Commission stated that the SCCs published in 2021 under the GDPR are not suited to data importers that are located outside the European Union but are nonetheless subject to the GDPR pursuant to Article 3, because (i) such data importers already have obligations arising directly from the GDPR and (ii) the obligations in the SCCs and in the GDPR would be duplicated, or would even diverge, if they were required to sign SCCs.
The Dutch DPA held that the argument that the personal data of data subjects in Europe are collected directly by the American subsidiary did not hold, since the European subsidiary had significant influence on and direction over the flow of data to the United States; it therefore concluded that transfers do take place between the European and American subsidiaries. On that basis, the Dutch DPA emphasized that the Commission's statements cannot be read to mean that a controller may transfer personal data without relying on any of the transfer mechanisms provided under the GDPR, and found that the transfer between the two subsidiaries was not carried out in accordance with the GDPR. According to the Dutch DPA, even if the company, following the Commission's opinion, did not base the cross-border transfer on SCCs, it could have resorted to the other mechanisms provided for in the GDPR, such as binding corporate rules.
Following the Dutch DPA's decision, on September 12, 2024, the Commission announced that it plans to submit a new set of SCCs which covers the transfer activities of data importers established outside the European Union and directly subject to the GDPR to public consultation in the fourth quarter of 2024; and to publish this module in the second quarter of 2025.
You can access the decision here, and the Commission's announcement on the publication of a new set of SCCs here.
European Commission Answers Frequently Asked Questions on the Data Act
On September 6, 2024, the Commission published its answers to Frequently Asked Questions ("FAQs") on the Data Act, which entered into force on January 11, 2024 and aims to increase access to data by ensuring a fair environment for its use. The answers provide guidance on a number of issues, including the relationship of the Data Act with the GDPR and other European Union legislation, the data falling within the scope of the Data Act, connected products, the users subject to the Data Act, who qualifies as a data holder, the relationship of third parties with users, and the adequate protection of trade secrets. The issues highlighted in the FAQs include the following:
- The Commission stated that the data sharing obligation is limited to organizations and persons, including consumers, within the European Union, and therefore a third party established in a country that is not a member of the European Union cannot be involved in data sharing. In other words, the Data Act does not legitimize providing data access to operators located outside the European Union.
- The Commission also stated that the Data Act does not supersede legislation on the protection of trade secrets. However, when the data holder receives a request for data access, it shall identify the trade secrets that would be disclosed if access were granted and agree with the user and any third party on measures to preserve the security and confidentiality of such data. If those measures are not implemented, the data holder is entitled to withhold or suspend the data access. In addition, if the data holder can demonstrate on concrete grounds that it is highly likely to suffer serious economic damage from the disclosure of those trade secrets, it may refuse the request for data access, provided that the conditions in the Data Act are met.
Although the FAQs published by the Commission are not binding, they provide practical information for those affected by the Data Act. It is therefore important for the relevant stakeholders to review these explanations on the implementation of the Data Act, which aims to regulate data flows between individuals and the private sector as well as fundamental data rights.
You may access the FAQs here. For detailed information, you may access our legal alert regarding the Data Act here.
Information Commissioner's Office Published the Audit Framework for Compliance with the Data Protection Legislation
On October 7, 2024, the Information Commissioner's Office ("ICO") published the Data Protection Audit Framework ("Audit Framework") to help organizations determine whether their data processing activities comply with the legislation.
The Audit Framework includes the following 9 different toolkits that provide criteria for public and private sector organizations to assess their compliance with personal data protection legislation:
- Accountability: The accountability toolkit expects a proactive approach to ensure that personal data processing activities comply with the legislation and provides recommendations to the relevant companies.
- Records Management: The records management toolkit provides guidance on the retention policies regarding the personal data processed by companies within the scope of their operations.
- Information and Cyber Security: The information and cyber security toolkit provides a checklist for assessing the confidentiality, integrity and availability of information and the controls that protect it. The checklist is a self-assessment tool; completing it does not in itself confer any cyber security certification.
- Training and Awareness: The training and awareness toolkit sets out the issues to be considered for employee training in organizations. In this context, the Audit Framework expects companies to (i) include sector-specific requirements in the employee training program and (ii) document a training needs analysis.
- Data Sharing: The data sharing toolkit sets out the circumstances in which personal data may be shared. In this context, the Audit Framework states that companies are expected to carry out a Data Protection Impact Assessment (DPIA) to assess the risks in data sharing activities and to determine how to minimize those risks.
- Request for Access: The request for access toolkit sets out the measures to be taken to respond effectively to requests for access to personal data.
- Personal Data Breach Management: The personal data breach management toolkit sets out the measures to be taken to detect and prevent a data breach.
- Artificial Intelligence: The AI toolkit sets out the measures to be taken to ensure the security of personal data against AI systems involved in data processing activities.
- Age Appropriate Design: The age-appropriate design toolkit sets out criteria to help assess whether the obligations under the UK GDPR to protect children's personal data online have been complied with.
The ICO has also published downloadable audit tests for each toolkit, which will help organizations conduct their own compliance assessment and identify areas for improvement. In this respect, the Audit Framework provides an opportunity to examine and test the criteria that the data protection authority will rely on during an investigation to assess whether the company's activities comply with the legislation.
You can access the Audit Framework here.
European Data Protection Board Adopts a New Opinion on Data Processing Activities Involving Data Processor(s) and Sub-processor(s)
On October 7, 2024, the European Data Protection Board ("EDPB") adopted an opinion numbered 22/2024 on the liability of data controllers, processors and sub-processors in respect of data processing activities involving data processor(s) and sub-processor(s) ("Opinion"). The Opinion mainly addresses questions concerning the interpretation of certain obligations of data controllers towards data processors and sub-processors pursuant to Article 28 GDPR and the wordings of controller-processor contracts.
Pursuant to Article 28 of the GDPR, data controllers shall use only data processors that provide sufficient guarantees of implementing appropriate technical and organizational measures to protect the rights of data subjects. Accordingly, the EDPB notes that the data controller's obligation to ensure an adequate level of protection of the fundamental rights and freedoms of data subjects remains where the data exporter is a processor or a sub-processor.
According to the Opinion, where a supervisory authority so requests, data controllers shall be able to demonstrate that the data transfer was carried out (i) with the level of security necessary not to prejudice the fundamental rights and freedoms of data subjects and (ii) in compliance with the obligations set out in Article 28 of the GDPR. Under the accountability principle, data controllers are thus expected to be able to document that the transfer provides an appropriate level of protection for data subjects, especially for onward transfers involving processors and sub-processors. Such documentation may consist of the documents showing the reason for the transfer, the transfer map and, where appropriate, the transfer impact assessment. In this regard, data processors are required to proactively provide the data controller with information on the sub-processors with which they work and to keep this information up to date. Being able to provide a transfer map to the requesting supervisory authority for transfers involving processors and sub-processors is therefore of great significance for data controllers.
According to the Opinion, the liability of controllers and processors under Article 28 GDPR will arise, unless it can be demonstrated before a supervisory authority that the transfer involving sub-processors and processors ensures the adequate level of protection for data subjects.
You can access the Opinion here.
European Data Protection Board Publishes Draft Guidelines on the Processing of Personal Data Based on Legitimate Interest
On October 8, 2024, the EDPB published Draft Guidelines No. 1/2024 on the processing of personal data based on Article 6(1)(f) of the GDPR, which regulates legitimate interest as a legal ground for processing ("Draft Guidelines"). The Draft Guidelines provide guidance on the circumstances under which data controllers may carry out data processing activities based on legitimate interest.
The Draft Guidelines mainly emphasize that the legal ground of legitimate interest (i) shall be interpreted restrictively by data controllers and (ii) shall not be considered as a loophole to legitimize data processing activities where other lawful grounds cannot be relied upon.
Pursuant to the Draft Guidelines, in order to rely on legitimate interest, aspects such as the nature and source of the legitimate interest, the impact of the processing on the data subject and the reasonable expectations of the data subject shall be taken into consideration. The Draft Guidelines also state that the legitimate interest of the data controller shall be assessed on a case-by-case basis, and provide practical suggestions on how it should be assessed in certain scenarios such as fraud prevention, direct marketing and information security. For instance, where personal data are processed for direct marketing based on legitimate interest, data controllers shall honor any objection received from a data subject without assessing its merits. In other words, the data controller may not reject the data subject's objection by asserting that it has a compelling legitimate interest that justifies continuing the processing.
The Draft Guidelines, which include detailed guidance on how data controllers should assess legitimate interest, are open for public consultation until November 20, 2024.
You can access the Draft Guidelines here, and the public consultation page on the Draft Guidelines here.
Council of the European Union Adopts the Cyber Resilience Act
On October 10, 2024, the Council of the European Union adopted the Cyber Resilience Act, which aims to ensure that hardware and software products are placed on the market with fewer vulnerabilities and imposes various obligations on a wide range of stakeholders in the digital ecosystem to ensure the security of products with digital elements. The Cyber Resilience Act requires products with digital elements, such as connected home cameras, fridges, TVs and toys, to be designed, developed and placed on the market with an appropriate level of cybersecurity, and imposes various obligations on manufacturers, including security-by-design, vulnerability handling and incident reporting requirements.
With a risk-based approach, the Cyber Resilience Act classifies products according to the cybersecurity risk they pose, as follows:
- Default Products: These are products that are not listed in the higher-risk categories and are subject to the manufacturer's self-assessment of conformity. The European Commission estimates that around ninety per cent (90%) of products, including Internet of Things (IoT) devices, digital consumer products and other commonly used software and devices, fall into this default category.
- Important Products: These are products that carry a higher risk than the default category, divided into two subcategories, (i) Class I and (ii) Class II. Class I mainly covers products that perform a security function or whose compromise would affect many users, such as VPN software, anti-malware and antivirus software, password managers, browsers, operating systems and routers, and their impact if compromised is considered lower than that of Class II. Class II products pose a higher cybersecurity risk and include products that, if compromised, could have significant adverse effects on individuals, organizations or society, such as hypervisors, container runtimes and firewalls. A separate, smaller category of critical products (for example hardware devices with security boxes and smart meter gateways) is subject to the strictest regime.
Pursuant to the Cyber Resilience Act, the obligations of manufacturers, importers and distributors differ depending on the product's category. Accordingly, the Cyber Resilience Act stipulates stricter obligations as the cybersecurity risk increases, such as documenting in detail how the product meets the cybersecurity requirements, undergoing third-party conformity assessment rather than self-assessment, and handling vulnerabilities more rigorously.
The Cyber Resilience Act, which will affect many actors in the digital market, is expected to be signed by the Presidents of the Council of the European Union and the European Parliament following its adoption by the Council, and subsequently published in the Official Journal of the European Union. It will enter into force twenty days after its publication, and its obligations will apply in stages, with the reporting obligations applying 21 months and most other obligations 36 months after entry into force.
You can access the Cyber Resilience Act here.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.