Personal Data Protection Bulletin - 2024 Third Quarter

06.11.2024

Authors: Sevgi Ünsal Özden, Gülnur Çakmak Ergene, İpek Ertem


Current Developments from Türkiye

Former Regulations on the Cross-Border Transfer of Personal Data Have Been Repealed

As noted in our second bulletin, the amendments to the Personal Data Protection Law No. 6698 (KVKK) entered into force on 01.06.2024. On 10.07.2024, the Regulation on the Procedures and Principles Regarding the Transfer of Cross-Border Personal Data (Regulation) was published. With these amendments and the Regulation, the procedures and principles for applying Article 9 of the KVKK, which governs the transfer of personal data abroad, have been clarified. The amendments also provided a transition period: the former rules on cross-border transfer (in particular, transfer on the basis of explicit consent) continued to apply alongside the new rules until 01.09.2024.

As of 01.09.2024, the application of the old version of the first paragraph of Article 9 of the KVKK has ended, and the cross-border transfer of personal data must be conducted following the new procedures and principles.

You can find the Regulation in Turkish here and our previous bulletin here.

Key Actions

  • Companies resident in Türkiye that transfer personal data abroad should review their overseas transfer processes and implement one of the appropriate transfer mechanisms outlined in the Regulation.

Personal Data Protection Authority (Authority) Announces Signing a Cooperation Protocol with the Ministry of Trade

A Cooperation Protocol was signed between the General Directorate of Consumer Protection and Market Surveillance of the Ministry of Trade and the Authority on 28.08.2024, which aims to raise awareness across all segments of society about targeted advertising and deceptive commercial design practices, align with international regulations in digital advertising and personal data usage, and develop joint policies against violations. The protocol is designed to enhance consumer awareness regarding digital advertisements and applications and to strengthen their control over personal data.

You can access the details of the relevant protocol in Turkish here.

The Authority Published the Memorandum on Processing of Personal Data on the Legal Ground of Being Stipulated by Laws

On 05.08.2024, the Authority released a memorandum titled "Processing Personal Data on the Legal Ground of Being Stipulated by Laws". The memorandum, addressed to data controllers and processors, explains under both Turkish and European Union (EU) law when personal data may be processed on the basis that the processing is expressly stipulated by law, and gives concrete examples of such processing provisions in various laws and how they apply.

You can access the memorandum published by the Authority in Turkish here.

The Authority Published a Public Announcement on the Data Controllers Registry

The Authority announced that, as of 01.08.2024, it had imposed administrative fines totalling 503,935,000 TL on domestic and foreign data controllers that failed to register with the Data Controllers Registry (VERBİS), along with disciplinary penalties on public institutions and professional organizations.

The Personal Data Protection Board (Board) continues to impose fines under Article 18 of the KVKK on approximately 16,350 data controllers, out of about 130,600 identified as being under an obligation to register and notify.

The public announcement is available in Turkish here.

Key Actions

  • Domestic and foreign data controllers should verify their obligation to register with the registry and complete the registration and notification processes within the legal timeframe from when the registration obligation arises.

The "Communiqué on Commercial Electronic Message Management System Integrators" Was Published in the Official Gazette

The Commercial Electronic Message Management System (IYS) is a national database in which service providers record the consents they hold for sending commercial electronic messages. A company authorized by the Ministry of Trade to assist service providers in sending commercial electronic messages, recording consent and rejection information in the IYS, obtaining consent through the IYS, and handling the exercise of the right to reject is considered a Message Management System Integrator.

The regulation governs the procedures and principles for registering commercial electronic message approvals and rejections in the IYS, conducting these transactions via integrators or service providers, authorizing integrators, and revoking their authorization.

You can access the Communiqué in Turkish here.

Current Developments from the World

European Union Artificial Intelligence (AI) Act Enters into Force

The AI Act was published in the Official Journal of the EU on 12.07.2024 and entered into force on 01.08.2024. The AI Act prohibits certain AI applications and introduces regulations for "high-risk" AI systems and general-purpose AI models (GPAI).

The provisions of the AI Act apply in stages from February 2025 to the end of 2030. The prohibitions on unacceptable-risk AI practices apply from 02.02.2025. The rules for GPAI model providers apply from 02.08.2025, and the obligations for most high-risk systems (e.g., biometrics, critical infrastructure, education, access to essential public services, law enforcement) apply from 02.08.2026. From 02.08.2027, the obligations for high-risk AI systems that are safety components of products covered by EU product safety legislation apply. High-risk AI systems already in use by public authorities must be brought into compliance by 02.08.2030.

You can find the AI Act here, the timeline of the AI Act here, and our article on the impact of the AI Act on actors in Türkiye here.

First International AI Framework Agreement Opened for Signature

The Council of Europe Framework Convention on AI, Human Rights, Democracy, and the Rule of Law (CETS No. 225) was opened for signature in Vilnius. This is the first international agreement aimed at ensuring AI systems align with human rights, democracy, and the rule of law.

The framework agreement has been signed by several countries, including Andorra, Georgia, Iceland, Norway, Moldova, San Marino, the United Kingdom, Israel, the United States (US), and the EU. The agreement, which sets out general principles and rules for activities in the lifecycle of AI systems, promotes the ethical use and protection of personal data. The framework agreement will take effect once ratified by five countries, including three Council of Europe member states.

You can find the Convention here, our article on the Convention here and our announcement on the Convention here.

French Data Protection Authority (CNIL) Publishes New Recommendations for AI System Development and General Data Protection Regulation (GDPR) Compliance for Public Comment

Aiming to clarify the GDPR impacts on AI with its "AI Action Plan" published in May 2023, CNIL announced on 07.06.2024 its first set of recommendations for AI use that ensures personal data protection. Then, on 02.07.2024, it published the second draft set of recommendations built on these principles and made them available for public consultation until 01.10.2024.

The second set includes "how-to" guides and a questionnaire on key issues in AI development, such as web scraping, the open-source publication of AI models, and the management of individuals' rights over their data. It identifies "legitimate interest" as the main legal basis relied on for developing AI systems, while stressing the need for risk assessments and protective measures for personal data. Under the draft recommendations, CNIL considers web scraping permissible, but only subject to strict safeguards. It also emphasizes that individuals should be informed, a reasonable time in advance, about the use of their personal data in AI systems, including model-specific details.

The announcement on the second set of recommendations issued by CNIL is available here.

European Commission Declares Meta’s “Consent or Pay” Model Incompatible with the Digital Markets Act (DMA)

The European Commission has notified its preliminary findings that Meta's "Ad-Free Subscription/Consent or Pay" model is not compatible with the DMA. The model forces EU users to choose between paying a subscription fee for an ad-free version or using a free version with personalized advertising. The European Commission considered that this practice contradicts the obligations set out in Article 5 of the DMA and does not allow users to freely give their consent. To comply with the DMA, it was emphasized that non-consenting users should be granted access to an equivalent service that uses less personal data for ad personalization.

As mentioned in our previous bulletin, the European Data Protection Board has also commented on "consent or pay" models used by online platforms, stating that existing models often force users to either consent to data processing or pay a fee, which may result in consent being deemed invalid.

Taken together, the authorities consider the current "consent or pay" models used by online platforms to be contrary to the DMA and the GDPR, because they undermine the freely given consent both instruments require.

You can find the European Commission's press release here and our previous bulletin here.

Data Governance Framework Recommendation Report for Türkiye Has Been Published

On 01.04.2024, the United Nations Development Programme (UNDP) Türkiye Country Office and the Central Digital Office issued the Data Governance Framework Recommendation Report for Türkiye (Report) to guide Türkiye's data-driven digital transformation. The Report emphasizes the urgent need to strengthen data legislation, develop a comprehensive national data strategy, and improve sector-specific policies, among other areas. It also highlights the growing volume of data generated daily across diverse sectors and the resulting importance of data governance for Türkiye's development.

You may find the full Report here.

Italian Data Protection Authority Imposes €10,000 Fine for Employer's Refusal of Former Employee's Request for Access to Personal Data on Grounds of Trade Secrets

A data subject contacted his former employer requesting a copy of the personal data contained on the laptop that had been provided to him. The employer refused the request, arguing that providing such copies could lead to the disclosure of trade secrets. Following the refusal, the data subject filed a complaint with the data protection authority on 06.04.2022.

The Italian Data Protection Authority emphasized that the only limitation to Article 15 of the GDPR, which regulates the data subject's right to access, is that this right must not adversely affect the rights and freedoms of others, including the interest of the controller in protecting its trade secrets. However, it stated that this limitation does not give the controller the right to completely refuse the request for access based on Article 15(4) of the GDPR. It concluded that the data controller must balance both rights and that the copy of personal data could be provided free of trade secret information. Based on these grounds, it decided to impose an administrative fine against the data controller employer.

The decision of the Italian Data Protection Authority is available in Italian here.

Swiss-US Data Privacy Framework (Swiss-DPF) Enters into Force

At its meeting on 14.08.2024, the Swiss Federal Council confirmed that the Swiss-DPF provides an adequate level of data protection for the transfer of personal data by private companies or public authorities to participating organizations in the US, and the Swiss-DPF entered into force on 15.09.2024. Accordingly, Switzerland updated Annex 1 of the Swiss Data Protection Ordinance, following the approach of the EU's Data Privacy Framework (DPF), and determined that transfers under the Swiss-DPF benefit from adequate data protection safeguards. As a result, personal data may be transferred from Switzerland to US companies that have self-certified compliance with the Swiss-DPF principles without additional safeguards, such as signing standard contractual clauses.

You can find the Swiss-DPF here, the announcement of the Swiss Federal Council here, and our article with detailed information on the DPF here.

Amsterdam District Court Finds X's (Formerly Twitter) Temporary Restriction of a User's Account to be Automated Decision Making Under the GDPR

In this case, a user was "shadowbanned" after posting a message containing child pornography, but was not notified of the restriction. The user learned of it when others said they could not find his account; he requested information and later discovered that the restriction had been lifted. When X responded only by referring to its privacy policy, the data subject brought the matter before the District Court of Amsterdam. X argued that the data subject, a journalist, was abusing his right of access, and that the shadowban did not amount to automated decision-making because the detection parameters had been set by humans.

However, the court emphasized that X's response did not comply with the GDPR and that the data subject was not informed about the processing of his personal data. Furthermore, the court stated that the automated decision-making process has a serious impact on the data subject and that, according to Articles 13, 14, and 15 of the GDPR, the controller must provide clear and transparent information about this process. The court ruled that X could not evade its obligations by invoking the protection of trade secrets and that it must provide information about the processing of personal data, responding within three months, or face a fine of EUR 4,000 per day.

The decision is available in Dutch here.

Key Actions

  • Data controllers should provide data subjects with clear and comprehensible information about how personal data is processed, including detailed information about automated decision-making systems.
  • Data subjects' requests for access must be responded to promptly and in accordance with applicable data protection legislation; a mere reference to the privacy policy is insufficient.

European Commission Acts Against European Data Protection Supervisor's (EDPS) Decision to Suspend Use of Microsoft 365

As mentioned in our previous bulletin, on 08.03.2024, the EDPS ruled that the European Commission had breached fundamental data protection rules in its use of Microsoft 365 and failed to provide adequate safeguards for data transfers outside the EU/European Economic Area (EEA). Following this decision, the European Commission filed a lawsuit against the EDPS for misinterpreting EU data protection law.

According to the allegations published in the Official Journal of the European Union, the EDPS incorrectly applied the legislation, particularly in the case of cross-border transfers, by assuming that the data flow between the European Commission and Microsoft Corporation in the US constituted a direct transfer. This case stands out as an important development in terms of the interpretation of the GDPR and other legislation, as well as the data security obligation of EU institutions.

The European Commission's allegations can be found here.

The Belgian Data Protection Authority Publishes Guidelines on GDPR Compliance of AI Systems

On 19.09.2024, the Belgian Data Protection Authority published guidelines (Guidelines) on AI and the GDPR, emphasizing the importance of developing AI systems that comply with data protection principles. Aimed at various professions, the Guidelines provide a comprehensive guide to the joint application of the GDPR and the AI Act. They highlight the GDPR principles of lawfulness, fairness, transparency, purpose limitation, and data minimization in data processing. They also stress the importance of human oversight, safeguards, and accountability when personal data is processed in AI systems, and highlight the need for detailed information, documentation, risk assessments, and notification obligations for high-risk AI systems.

The Guidelines are available here.

To download the bulletin in pdf format, click here.

All rights of this article are reserved. This article may not be used, reproduced, copied, published, distributed, or otherwise disseminated without quotation or Erdem & Erdem Law Firm's written consent. Any content created without citing the resource or Erdem & Erdem Law Firm’s written consent is regularly tracked, and legal action will be taken in case of violation.
