Smartwatch Privacy: A Beginner’s Guide

31.01.2023 İdil Yıldırım Günaydın

Introduction

Smartwatches have undeniably changed our lives in the past decade. Beyond their core function as a timepiece, these wearable computers packaged in the form of a watch let us answer incoming calls, reply to messages and skim through social media notifications in seconds. Powered by a rechargeable lithium-ion battery, their built-in sensors measure our heart rate, blood pressure, sleep patterns, exercise routine and even our calorie consumption, and show daily reports on the touchscreen. However, as these devices carry on with their routine body-monitoring activities, questions have arisen regarding their compliance with data protection laws and cyber-security requirements. Have these devices turned from fashionable wearable computers into devices that collect personal data for commercial purposes?

This newsletter article aims to provide a brief evaluation of smartwatches’ data processing activities within the scope of Turkish data protection legislation.


General Data Processing Principles under Turkish Legislation

On 7 April 2016, after continuous efforts to align its national legislation with the European Union acquis, Turkiye adopted its first comprehensive data protection legislation, the Law on Personal Data Protection No. 6698 (“TDPL”). The TDPL shares many features with EU Directive 95/46/EC, the predecessor of the General Data Protection Regulation (GDPR), and sets out the main data processing principles and the obligations of data controllers.

The key concepts of the TDPL are defined in Article 3. Accordingly, personal data is defined as “any type of information that relates to an identified or identifiable individual”, whereas a data subject is “the individual whose personal data is processed”. Under the same article, processing of personal data is defined as “any type of action made using personal data, such as collection, recording, storage, preservation, alteration, adaptation, disclosure, transfer, retrieval, making available for collection, categorization or blocking its use by wholly or partly automatic means or otherwise than by automatic means which form part of a filing system”.

The TDPL distinguishes between the concepts of “data controller” and “data processor”. The data controller is defined as “the individual or legal entity that determines the purposes and tools of processing of the personal data, and is responsible for the establishment and management of a data recording system”, whereas a data processor is “the individual or legal entity that processes personal data, with the authority bestowed by the data controller, and on behalf of the data controller”.

The fundamental personal data processing principles are set out under Article 4 of the TDPL, and personal data may only be processed in compliance with the procedures and principles laid down in the TDPL and other relevant laws. The principles stipulated under this article are as follows:

  1. lawfulness and conformity with rules of bona fides,
  2. accuracy and being up to date, where necessary,
  3. being processed for specific, explicit and legitimate purposes,
  4. being relevant with, limited to and proportionate to the purposes for which they are processed,
  5. being retained for the period of time stipulated by relevant legislation or the purpose for which they are processed.

Following these principles, Article 5 (1) sets the rule on the legal grounds for processing personal data: personal data cannot be processed without the data subject’s explicit consent, and such explicit consent must be freely given, specific and informed. The TDPL then lists, under Article 5 (2), the exceptions under which the data subject’s consent is not required:

  1. the processing is expressly provided for by law,
  2. the processing is necessary to protect the life or physical integrity of a person who cannot express consent due to physical incapacity, or whose consent is legally invalid,
  3. the processing of personal data of the parties to a contract is necessary, provided that it is directly related to the conclusion or performance of that contract,
  4. the processing is mandatory for the controller to fulfil its legal obligations,
  5. the data concerned has been made public by the data subject themselves,
  6. the processing is mandatory for the establishment, exercise or protection of a right, and
  7. the processing is mandatory for the legitimate interests of the controller, provided that it does not violate the fundamental rights and freedoms of the data subject.

For some categories of personal data, the exceptions to the explicit consent requirement are narrower. Article 6 (1) of the TDPL defines special categories of personal data as data relating to “race, ethnic origin, political opinion, philosophical belief, religion, sect or other belief, clothing, membership to associations, foundations or trade-unions, health, sexual life, convictions and security measures, and the biometric and genetic data”. Under Article 6 (3), data relating to health and sexual life may be processed without the data subject’s explicit consent only by persons under a confidentiality obligation, and only for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services.

The TDPL’s data processing principles are a fundamental component of data controllers’ obligations. As set out under Article 10 of the TDPL and the Communiqué on Principles and Procedures to be Followed in Fulfillment of the Obligation to Inform (“Communiqué”), data controllers are required to inform data subjects when they begin to process their personal data. At a minimum, the privacy notice given to data subjects must include: i) the identity of the data controller and of its representative, if any, ii) the purpose of processing the personal data, iii) the legal ground for processing, iv) the method by which the personal data is collected, and v) the data subjects’ rights set out under Article 11 of the TDPL.

Smartwatches and TDPL

As briefly introduced above, smartwatches offer their users various health and productivity applications, and their use generates a large amount of data, often integrated with the Internet of Things (“IoT”) to create a more personalized experience. IoT refers to “an infrastructure that interacts with other devices or systems, as billions of sensors embedded in everyday devices are designed to record, process, store and transfer data and are associated with unique identifiers”.[1] Smartwatches therefore carry an inherent privacy risk: the data they collect is continuous, tied to unique identifiers and transferred to other devices and systems.

In terms of the TDPL, the use of smartwatch applications may trigger the processing of personal data, and in particular of health data, which falls within the special categories under Article 6. As required under the TDPL, data controllers must inform data subjects in a manner that is adequate under the TDPL and the Communiqué, and must obtain the data subjects’ explicit consent where no other legal ground for processing applies. Some technology companies publish detailed privacy policies outlining their data processing activities on their websites and obtain consent where required. Nevertheless, data controllers also need to comply with the principle of proportionality (data minimization) outlined under Article 4 of the TDPL when processing users’ personal data: only the data necessary for the stated purpose should be collected and retained. Otherwise, apart from the consequences under the TDPL, the excess data held by the controller enlarges its attack surface, so that a breach of the controller’s systems exposes more of the users’ personal data than the service ever needed.[2]

Conclusion

The use of smartwatches may make their users’ lives easier, but it carries data privacy implications that need to be addressed under the TDPL. Data controllers need to comply with these rules, provide users with detailed privacy notices and obtain their explicit consent where necessary.

References
  • [1] Kama Işık, Sezen: Avrupa Veri Koruma Hukukuna Anayasal Bir Bakış, İstanbul, On İki Levha Yayıncılık, 2020, p. 185.
  • [2] Akçınar, Melik Ahmet: “Akıllı Saatler ve Kişisel Veriler”, Bilişim Hukuku Dergisi, 2022, Vol. 4, No. 2, p. 248.

All rights of this article are reserved. This article may not be used, reproduced, copied, published, distributed, or otherwise disseminated without quotation or Erdem & Erdem Law Firm's written consent. Any content created without citing the resource or Erdem & Erdem Law Firm’s written consent is regularly tracked, and legal action will be taken in case of violation.
