Personal Data Protection Bulletin - 2022 Fourth Quarter

Recent Updates from Turkey

The Regulation on the Collection, Storage and Sharing of Insurance Data Entered into Force

The Regulation on the Collection, Storage and Sharing of Insurance Data (“Regulation”) entered into force through publication in the Official Gazette dated 18.10.2022. The Regulation defines insurance data as data related to insurance agreements, insurers, insurance companies, and the insured, beneficiaries, or third parties who benefit from the insurance contract as well as all data taken as basis in risk assessment. The procedures and principles regarding all kinds of data processing activities such as collection, storage, and use of such data and sharing of such data with designated persons and organizations are governed by the Regulation. You can access the text of the Regulation here; for a more detailed summary of the content of the Regulation, you can access our related client alert here.

The 44^th Global Privacy Assembly was Held in Turkey

The 44^th Global Privacy Assembly (“Assembly”) hosted by the Personal Data Protection Authority (“Authority”) took place in Istanbul on the 25^th-28^th of October. The theme of the Assembly was privacy in an era of rapid technological development. In this context, latest issues such as artificial intelligence, big data, metaverse, blockchain, protection of personal data of children, interaction between competition law and personal data protection were evaluated by different experts. You can access the announcement of the Authority regarding Assembly here, the news on the Assembly here, and the website of the Assembly here.

The Authority’s Study Titled “Personal Data Protection Authority in its 5^th Year” was Published

The Authority published a study titled “Personal Data Protection Authority in its 5th Year” on 23.11.2022. Among the significant contents of the study are the key information about the Authority, relevant legislation, fundamental decisions of the Personal Data Protection Board (“Board”), public announcements and various statistics regarding the activities of the Authority. You can access the study here.

Conference on The Personal Data Protection Law and its Implementation was Held

The Conference on the Personal Data Protection Law and its Implementation (“Conference”) was held in Ankara on 14.12.2022. At the conference, subjects such as the general principles of personal data protection, data processing conditions, data processor and data controller within the scope of the Personal Data Protection Law No. 6698 (“Law”) and the status, obligations and responsibilities of the lawyers under the Law were discussed. You can access the announcement of the Authority regarding the Conference here.

Important Decisions of the Constitutional Court

Constitutional Court’s decision Regarding the Employer’s Supervision of Communication of Employees Dated 21.09.2022

The Constitutional Court assessed whether the inspection of communication tools allocated for the use of employees violates the right to respect for private life and the right to request protection of personal data within the scope of freedom of communication. The Court emphasized that the employer’s policy on communication tools should include the competence to inspect and examine the communication tools, the limits of use, the sanctions to be imposed in case of exceeding the limits, and the policy should be communicated to the employees in the context of the obligation to inform them. The Constitutional Court also found that the interception of the applicant’s messages on someone else’s mobile phone was contrary to the applicant’s reasonable expectation of respect for private life and freedom of communication. For these reasons, the Constitutional Court decided that the applicant’s right to respect for private life and freedom of communication were violated.

You may find the relevant decision here (Turkish) and our Newsletter with detailed information on the subject here.

Constitutional Court’s Decision Regarding the Audio Recordings Without Consent Dated 29.09.2022

The Constitutional Court evaluated the recording of a conversation in a non-public environment and its presentation as evidence within the scope of the right to respect for private life and the right to request the protection of personal data. The Court considered the recording of conversations with other persons in a non-public environment without consent and the use of the content as evidence again without consent as an attack on personal data. It also emphasized that an approach that gives absolute primacy to the purpose of obtaining evidence categorically leads to the legal protection of such attacks and leaves personal data and private life, which are constitutionally guaranteed, unprotected. In this context, the Constitutional Court decided that the applicant’s right to request the protection of personal data within the scope of the right to respect for private life was violated. You may find the relevant decision here (Turkish).  

Constitutional Court’s decision Regarding the Right to Request the Protection of Personal Data Dated 28.06.2022 

The Constitutional Court assessed the failure of a company operating in the electronic communications sector to provide the applicant with information about his telephone line as a violation of the right to an effective remedy in connection with the right to request protection of personal data. The Court emphasized that the rejection of the request for access to personal data was not justified in accordance with the requirements of the right to request the protection of personal data regulated under Article 20 of the Constitution, a relevant and sufficient justification was not put forward, and that the obligations of the company to provide the data were not examined by considering the legislation on protection of personal data. As a result, the Constitutional Court decided that the right to an effective remedy in connection with the right to request the protection of personal data within the scope of the right to respect for private life under Article 20 of the Constitution was violated. You may find the relevant decision here (Turkish).

Recent Developments from the World 

The Court of Justice of the European Union Dismisses as Inadmissible the Action Brought by WhatsApp Ireland Ltd Against the European Data Protection Board Decision 01/2021 

After receiving complaints from users and non-users of the ‘WhatsApp’ messaging service concerning the processing of personal data by WhatsApp Ireland Ltd (“WhatsApp IE”), the Irish Data Protection Authority (“DPA”) started an investigation and submitted a draft decision to all the other supervisory authorities of the Member States concerned by the processing of personal data at issue for their opinion. Since no consensus was reached on that draft, DPA referred the matter to the European Data Protection Board (“EDPB”). EDPB adopted a decision that was binding on all the supervisory authorities concerned. Upon EDPB’s decision, DPA imposed a fine of €225 million on WhatsApp IE with regard to the infringements of transparency obligations to both users and non-users of the service. WhatsApp IE requested that the Court of Justice of the European Union (“CJEU”) annul the EDPB’s decision. CJEU dismissed the action brought by WhatsApp IE as inadmissible on the ground that EDPB’s decision is not directly enforceable against WhatsApp IE. CJEU found that, even though the contested EDPB decision was binding on the DPA, it left a measure of discretion to that authority as to the content of the final decision, which also covers the amount of the administrative fines. It is now up to the Irish court to review the legality of the final decision of the DPA, which is enforceable against WhatsApp IE. You may find the announcement on the EDPB’s official site here. 

EDPB Adopts Dispute Resolution Binding Decisions Regarding Facebook, Instagram And Whatsapp

The Irish Supervisory Authority (“Irish SA”) issued draft decisions following complaint-based inquiries into the processing activities of Meta IE platforms Facebook, Instagram and WhatsApp. Several SAs issued objections on the draft decisions prepared by the Irish SA concerning, the legal basis for processing, data protection principles, and the use of corrective measures including fines. As no consensus was reached on these objections, the EDPB was called upon to settle the dispute between the supervisory authorities. In its binding decisions, the EDPB settles, the question of whether or not the processing of personal data for the performance of a contract is a suitable legal basis for behavioral advertising, in the cases of Facebook and Instagram, and for service improvement, in the case of WhatsApp. You may find the announcement on the EDPB’s official site here.

EDPB Adopts Recommendations on The Application for Approval and on The Elements and Principles to Be Found in Controller Binding Corporate Rules

Binding corporate rules (“BCR”) are data protection policies adhered to by companies established in the EU for transfers of personal data outside the EU within a group of undertakings or enterprises. Pursuant to Article 47 of the GDPR, companies shall submit BCRs for approval to the competent data protection authority in the EU. On November 2022, EDPB adopted the Recommendations on the application for approval and on the elements and principles to be found in Controller Binding Corporate Rules (“Recommendations”) which aim to ensure a level playing field for all BCR applicants. The Recommendations bring the guidance in line with the requirements in the CJEU’s Schrems II ruling. The Recommendations clarify the necessary content of BCRs and provide an updated standard application form for the approval of BCRs. You may find the announcement on the EDPB’s official site here. 

EDPB Published Updated Guidelines on Identifying a Controller or Processor’s Lead Supervisory Authority and Guidelines on Personal Data Breach Notification Under the GDPR

On 21.10.2022 EDPB published updated Guidelines 8/2022 on Identifying a Controller or Processor’s Lead Supervisory Authority providing explanations regarding joint controllers. With the updated guidelines, it has been clarified that each joint controller must have its own main establishment and that they cannot designate a common main establishment.

On 18.10.2022, EDPB published updated Guidelines 9/2022 on Personal Data Breach Notification under GDPR. The update concerns that where a controller not established in the EU experiences a breach related to data subjects in EU, all the supervisory authorities where the data subjects reside shall be notified. You may find the updated guidelines published on the EDPB’s official site here and here.

The European Council Has Adopted Digital Operational Resilience Act

The Digital Operational Resilience Act which has been adopted by the European Council on 28.11.2022, sets uniform requirements for the security of network and information systems of companies operating in the financial sector (such as banks, insurance companies and investment firms) as well as critical third parties which provide ICT (Information Communication Technologies)-related services to them, such as cloud platforms or data analytics services. 

You may find the press release on European Council’s official site here.

The European Council Has Adopted Its Common Position on The Artificial Intelligence Act

The draft Artificial Intelligence Act (“Draft AI Act”) lays down a uniform legal framework for AI to foster the development of safe and lawful AI that respects fundamental rights. The Draft AI Act contains the extension of the prohibition of using AI for social scoring also to private actors. Furthermore, the objectives where the use of ‘real-time’ remote biometric identification systems is considered to be strictly necessary for law enforcement purposes and for which law enforcement authorities should therefore be exceptionally allowed to use such systems have been clarified with the Draft AI Act. Finally, AI systems have been classified on a risk-based approach and several requirements for high-risk AI systems have been introduced. You may find the press release on European Council’s official site here.

Irish Supervisory Authority Imposed A Fine of 265 Million Euro on Meta Platforms

In an inquiry commenced on 14.04.2021, Irish Supervisory Authority (“DPA”) examined Facebook Search, Facebook Messenger Contact Importer and Instagram Contact Importer tools’ compliance with the data protection by design and default, in other words the implementation of technical and organizational measures pursuant to GDPR Article 25. DPC found that there had been infringements of GDPR Article 25 and imposed administrative fines totaling €265 million on Meta Platforms. You may find the press release regarding the decision here.

French Supervisory Authority Ordered a Facial Recognition Service Provider to Stop Collecting and Using Data

Clearview AI is a facial recognition service provider which collects photographs from different websites and serves as a search engine in which a person can be searched using photographs. French Supervisory Authority (“CNIL”) found that the collection and use of biometric data had been carried out without a legal basis and give Clearview AI formal notice to cease the collection and use of data of persons on French territory in the absence of a legal basis and to facilitate the exercise of individuals’ rights and to comply with requests for erasure. Clearview AI, not providing any response to this formal notice, was fined a penalty of 20 million Euros. You may find the press release regarding the decision here.,

French Supervisory Authority imposed a fine of 800,000 Euros on Discord

CNIL found that Discord failed (i) to define and respect a data retention period appropriate to purpose with 2,474,000 user accounts not used for more than three years, (ii) to inform users that their words are still being transmitted and heard by others when they put the application in the background and thus to ensure data security by default and (iii) to carry out a data protection impact assessment. Consequently, CNIL imposed a fine of 800,000 Euros on Discord. You may find the press release regarding the decision here.

Information Commissioner’s Office Publishes Draft Employee Monitoring Guidance for Consultation

UK Information Commissioner’s Office (“ICO”) published the Draft Employee Monitoring Guidance for consultation aiming to provide practical guidance about monitoring workers. Alongside with the draft guidance, ICO also produced an impact scoping document and other additional practical tools such as checklists. You may find the press release regarding the draft guidance here.

US President Biden Issued Executive Order on Enhancing Safeguards for United States Intelligence Activities

On 16.07.2020, the CJEU had invalidated the EU-US Privacy Shield on the basis that US surveillance laws were not compatible with EU law. With the aim to ease cross-border personal data transfers between the EU and the US, the Executive Order 14086 on Enhancing Safeguards for United States Intelligence Activities (“EO”) sets out new safeguards to be applied to signals intelligence activities. Pursuant to the EO, signals intelligence activities shall be conducted only following a determination that the activities are necessary and proportionate to the validated intelligence priority for which they have been authorized. You may find the text of the EO here.

The European Commission Launched Draft Adequacy Decision for the EU-US Data Privacy Framework

Following the signature of the EO regarding US intelligence activities, European Commission released its draft adequacy decision on the EU-US Data Privacy Framework (“DPF”) setting out principles to achieve essential equivalence. Accordingly, US data controllers and data processors who certify their adherence to these principles will be listed DPF list by the US Department of Commerce. Organizations which are placed on the DPF list will be able to receive personal data on the basis of the EU-US DPF. You may find the draft decision here.

CNIL Imposed an Administrative Fine of 8,000,000 Euros on Apple for Not Collecting Consent from Data Subjects

In its decision, CNIL found that under the old version 14.6 of the operating system of the iPhone, when a user visited the App Store, identifiers used for several purposes, including personalization of ads on the App Store, were by default automatically read on the terminal without obtaining consent. CNIL decided that Apple is in breach of French Data Protection Act since these identifiers must not be read/or deposited without the user’s prior consent. You may find the press release regarding the CNIL decision here.

Israel Privacy Protection Authority Announced Public Consultation on Guidelines for Obligations of Database Owners

With the European Commission Decision dated 31.01.2011, Israel had been determined to be providing an adequate level of protection for personal data with regard to international transfers of personal data from the European Union to Israel. Israel Privacy Protection Authority (“PPA”), in order to ensure that this decision is not reversed, has published draft guideline on the protection of personal data. The draft guideline includes obligations for database owners that receive data originating from European Union such as obligation to delete data upon request, obligation to limit data retention periods, and data accuracy obligations. You may find the press release regarding the draft guidance here.

ICO Updated Its Guidance on International Transfers

ICO issued updated guidance on international personal data transfers from the UK to receivers located outside the UK. To the guidance, ICO added also a template transfer risk assessment, which is required when organizations rely on a transfer tool under Article 46 of the UK GDPR. The guidance offers an alternative to The EDPB Transfer Impact Assessment. You may find the blog post regarding the guidance here.

ICO Published Direct Marketing Guidance

ICO published new guidance on direct marketing aiming to provide detailed overview of the rules on direct marketing and practice recommendations. The guidance supplements the existing guidance on this topic, such as the ICO’s Guide to the Privacy and Electronic Communications Regulations 2003 (PECR) and the draft Direct Marketing Code of Practice. You may find the regarding guidance here.

Deadline for Old Standard Contractual Clauses (SCCs) Expired on 27.12.2022

SCC’s which are model contract clauses for data transfers from the EU to third countries, that are “pre-approved” by the European Commission have been updated. Since 27.12.2022 the old SCCs no longer legalize data transfers to countries outside the European Economic Area (EEA). The old SCCs must be replaced with the new version and a Transfer Impact Assessment has to be conducted by data controllers and processors, who transfer data outside the EEA. You may find the relevant news here.

The Digital Services Act (DSA) Entered into Force

The DSA, which introduces a comprehensive new set of rules for online intermediary services on how they have to design their services and procedures, entered on 16.11.2022 into force. It aims to reduce harms and counter risks online, introduces strong protections for users’ rights online, and places digital platforms under a unique new transparency and accountability framework. You may find the press release here.

To download the bulletin in pdf format, click here.