I. Türkiye

The Turkish Personal Data Protection Board's ("Board") Decision

  • On 11/05/2023, the Board published its Decision numbered 2023/787 ("First Decision") on its official website. The First Decision relates to a complaint alleging that it is unlawful for a hospital to obtain explicit consent from patients for the processing of personal data, including health data, for advertising and promotional activities. In the First Decision, the Board made the following findings.
  • The Board took into account Article 60 of the Regulation on Private Hospitals, which prohibits private hospitals from making promotions in the form of advertisements in order to create demand.
  • Given that private hospitals are prohibited from advertising under the regulations specific to the health sector, the hospital's processing of health data and other personal data for advertising purposes was found unlawful, and the Board determined that this activity "did not have a legitimate purpose".
  • On 02/05/2023, the Board published its Decision numbered 2023/692 ("Second Decision") on its official website. The Second Decision relates to the condition of explicit consent for health services provided by a private health institution. In the Second Decision, the Board made the following findings.
  • The Board stated that mandatory promotional consent cannot be obtained for the appointment service, which is a preliminary step for data subjects to receive services. In this context, mandatory promotional consent was considered a violation of the principle of compliance with the law and good faith.
  • In addition, relying on explicit consent as the basis for the appointment process was found to be "deceptive and an abuse of right" and was also considered a violation of the general principles.

Data Breach Notifications

  • As of September 12, 2023, five data breach notifications were published on the website of the Personal Data Protection Authority ("Authority"). The stated cause of the breaches was unlawful, unauthorized access to the data controllers' information systems by a third party or persons.

Undertaking Applications

  • Google Reklamcılık ve Pazarlama Limited Şirketi's cross-border data transfer undertaking application was authorized by the Board on 17.08.2023.

II. Europe and the World

General Developments

European Data Protection Supervisor ("EDPS")

  • EDPS issued two opinions related to financial and payment services regulations. In its first opinion, the EDPS welcomed the proposal for a Regulation on a Financial Data Access Framework and recommended tightening the definition of "customer data." In the second opinion, the EDPS generally approved the Regulation and Directive on payment services within the EU, and recommended clearly defining limits on what personal data is necessary for fraud prevention.

The Court of Justice of the European Union ("CJEU")

  • The CJEU rendered a decision against certain uses of personal data by law enforcement. In a case from Lithuania, the court ruled the EU Law Enforcement Directive cannot be applied "in connection with investigations into corruption in the public service." Authorities can only use personal data from electronic communications for criminal prosecutions under the directive.

U.K. Information Commissioner's Office ("ICO")

  • ICO published guidance to help employers understand data protection obligations under the U.K. General Data Protection Regulation and Data Protection Act when handling employees' health information. The ICO stated the guidance will "provide greater regulatory certainty," "protect workers' data protection rights" and "help employers to build trust with workers."
  • ICO warned organizations against using the blind carbon copy function when sending emails containing sensitive personal information. The ICO also published guidance for organizations on protecting personal information when sending bulk emails.

European Center for Digital Rights ("NOYB")

  • NOYB accused Google-owned Fitbit of violating the EU General Data Protection Regulation in complaints filed in Austria, Italy and the Netherlands. In the complaints, NOYB alleged that users are forced to consent to data transfers outside the EU and are not given the ability to withdraw consent.

France Data Protection Authority ("CNIL")

  • CNIL published guidelines for remote exam monitoring practices in public and private higher education. The guidelines aim to foster data protection compliant monitoring schemes that "enable the maintenance of mutual trust." The guidance also covers "automatic analysis systems" with monitoring, which the CNIL stated exclude user behavior analysis.

United States of America ("USA")

  • Senior District Judge William Orrick of the U.S. District Court for the Northern District of California ruled that a class-action lawsuit claiming Meta Platforms violated U.S. wiretap law and California privacy law could move forward. The lawsuit claims the privacy of patients treated by hospitals and medical providers using Meta's pixel tracking tool was violated.
  • Google announced that the Application Programming Interfaces ("APIs") for its Privacy Sandbox are now "generally available" to users as a default feature. The feature, which is the company's privacy-preserving solution for phasing out third-party cookies, allows Chrome developers to replace cookies with the APIs.
  • X, formerly known as Twitter, updated its privacy notice to state that it may collect and use biometric data "for safety, security, and identification purposes." X stated that premium users will be able to upload their government ID and a picture.
  • Meta announced millions of Facebook Messenger accounts will be able to trial end-to-end encryption standards for individual and group chats. Meta is working to finalize default encryption standards by year's end and maintains it is on track to do so.
  • Meta announced its cryptography-based private data lookup ("PDL") tool is being extended to passwords and other services across platforms. The PDL "allows users to privately query a server-side data set" while "disabling Meta from learning the result of the intersection."

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.