I. TÜRKIYE

Data Breach Notifications

  • As of October 12, 2023, five data breach notifications were published on the website of the Personal Data Protection Authority ("Authority"). It has been stated that the violations were caused by unlawful, unauthorized access to the information systems of data controllers by a third party or persons.

Other Important Developments

  • On October 13, the Authority published the Guide on Considerations in the Processing of Genetic Data ("Guide"). In addition to the practical explanations/directions regarding biometric data processing in the Guide, the Authority has assessed that a general explanation alone is not sufficient to inform data subjects whose genetic data is processed; the data subject should be clearly informed about the genetic data processing activity and its consequences, and that the processing of genetic data may provide access to the data of not only the data subject but also other family members.
  • The Authority has published its Bulletin covering July - September 2023. In addition to corporate statistics/activities, summaries of Board decisions and various articles are presented by the Authority. The right to be forgotten is especially reviewed.
  • On September 21, 2023, Microsoft announced the general availability of Microsoft Copilot. Microsoft 365 Copilot essentially connects large language models (LLMs) to its customers' organizational data. While Microsoft 365 Copilot accesses content and context through Microsoft Graph and generates content and responses by analyzing and combining its customer's organizational data, Microsoft underlines, with respect to concerns raised about matters like privacy and protection of trade secrets, that Microsoft Copilot is compliant with its existing privacy, security, and compliance commitments, including applicable privacy laws and privacy standards such as ISO/IEC 27018. As data protection measures, Microsoft 365 Copilot uses Azure OpenAI platform services for processing instead of OpenAI's publicly available services; prompts, responses, and data accessed through Microsoft Graph are not used to train foundation LLMs (the information contained in the prompts of a user (the person using Copilot within the customer's organization), the data they retrieve, and the generated responses remain subject to Microsoft 365's security principles and measures); and data do not unintentionally leak between users, groups, and tenants, owing to the logical isolation tools implemented. As to the use of data to generate content, the Microsoft Copilot Copyright Commitment protects customers from legal claims related to intellectual property infringement.
  • Ali Taha Koç, President of the Presidency's Digital Transformation Office, attended the Cyber World Conference on September 15, 2023. Making statements about artificial intelligence and security, President Koç has stated that while talking about the security of artificial intelligence, the use of artificial intelligence for cyber security shall not be disregarded.

II. EUROPE AND THE WORLD

General Developments

European Union ("EU")

  • It has been announced that the tech giant Meta is considering getting customers in Europe to pay monthly subscription fees to use Instagram and Facebook if they don't agree to let Meta use their data to serve them ads. Users who pay the subscription fee which will be around 14 USD for a month will be able to use Meta's products without ads.
  • The Data Governance Act has entered into application on 24 September 2023. The Act creates a new European way of data governance based on increasing trust in data sharing.

European Commission

  • The European Commission has announced the adoption of a recommendation for increased artificial intelligence risk assessments to support EU economic security. The recommendation has covered six categories of AI technologies, including data analytics, language learning and object recognition. The commission wants to work with EU member states to "initially conduct collective risk assessments ... by the end of this year."
  • The European Commission has designated six companies as gatekeepers under Article 3 of the Digital Markets Act ("DMA"). The new gatekeepers are Alphabet, Amazon, Apple, ByteDance, Meta, and Microsoft. Jointly, these companies provide 22 core platform services, including social networks, internet browsers, operating systems, and mobile app stores.
  • The European Commission has launched the Digital Services Act ("DSA") Transparency Database, a regulatory repository where online platform providers' content moderation decisions will be publicly accessible. The database will collect providers' statements of reasons for removing or restricting access to content, a requirement under the DSA. All online platform providers will be required to submit data to the database as of 17 February 2024.
  • President of the European Commission, Ursula von der Leyen, has delivered her State of the Union 2023 speech, highlights of which are as follows:
    • The European Union has become a global pioneer on online rights,
    • The legislative measures to combat the lack of trust, disinformation and spread of harmful content, like the Digital Services Act ("DSA") and Digital Markets Act ("DMA"), have been realized. Similar measures shall be taken about artificial intelligence to eliminate the risks that come with it,
    • President von der Leyen has also said: "I believe Europe, together with partners, should lead the way on a new global framework for AI, built on three pillars: guardrails, governance and guiding innovation". As for guardrails, President von der Leyen has mentioned that the AI Act put forward by the EU is already a blueprint for the whole world. The EU's priority on the issue is that AI shall be developed in a human-centric, transparent and responsible way. About governance, President von der Leyen has stated that a body for AI is needed. On guiding innovation, President von der Leyen has announced an initiative to let AI start-ups train their models on the EU's supercomputers. Subsequently, it was stated that an open dialogue with AI companies is needed,
    • As a final note, President von der Leyen has emphasized how they will make efforts to create "minimum global standards for safe and ethical use of AI".

European Data Protection Board ("EDPB")

  • Norway's data protection authority ("DPA"), Datatilsynet, has appealed to the EDPB for a binding decision to uphold its penalty against Meta for its alleged illegal use of behavioral advertising. Datatilsynet's interim decision, originally issued in July, expires on 3 Nov., and the DPA is asking the EDPB to issue a decision making the ban on Meta's practices permanent.

European Data Protection Supervisor ("EDPS")

  • EDPB and EDPS have adopted a Joint Opinion on the European Commission's Proposal for a Regulation on additional procedural rules for the enforcement of the General Data Protection Regulation ("GDPR"). This proposal aims to ensure the timely completion of investigations and the delivery of swift remedies for individuals in cross-border cases, by harmonizing several procedural differences across the EU and streamlining the cross-border cooperation procedure.
  • EDPS has published the results of its audit of the European Union Agency for Law Enforcement Cooperation. The audit focused on Europol's protocols for processing personal data provided by third countries, international organizations, and alleged suspects who were under the age of 15.

European Telecommunications Standards Institute ("ETSI")

  • ETSI has reported a database containing their online users' identities was stolen. The ETSI has worked with France's national Cybersecurity Agency to identify and repair the vulnerability that caused the breach. Users were asked to update their passwords.

United Kingdom ("UK")

  • UK Secretary of State for Science, Innovation and Technology Michelle Donelan has laid regulations in the UK Parliament, giving effect to a UK-US Data Bridge. The regulations are due to take effect on October 12, 2023.
  • UK's Department for Science, Innovation, and Technology has published the draft Data Protection Regulations 2023, which seeks to amend the UK General Data Protection Regulation ("UK GDPR") and Data Protection Act 2018. The draft regulations will update the UK's data protection legislation by amending the reference to "fundamental rights and freedoms" in the UK GDPR so that they refer to rights recognized under UK law, rather than retained EU rights.
  • The UK's competition authority, the Competition and Markets Authority (CMA), has set out principles designed to prevent artificial intelligence (AI) models from being used to the detriment of consumers and businesses. Accordingly, accountability, access, diversity, choice, flexibility, fair dealing, and transparency are the principles determined. With these principles, the CMA aims to foster innovation and economic growth while mitigating potential risks associated with foundation models (FMs), engaging with stakeholders to refine these principles and support the positive evolution of AI markets.

Information Commissioner's Office ("ICO")

  • ICO has issued a preliminary enforcement notice against Snap that could require the technology company to stop processing data connected with its artificial intelligence chatbot, "My AI." A provisional ICO investigation has found a risk assessment conducted before My AI's launch did not "adequately assess" its data protection risks, particularly to children.
  • ICO has published new Guidance on lawful monitoring in the workplace, designed to help employees comply with their obligations under the UK GDPR and the Data Protection Act 2018. The Guidance aims to provide greater regulatory certainty, protect workers' data protection rights, and help employers build trust with workers, customers, and service users.
  • ICO has published new guidance on email security, with emphasis on safety when sending to multiple recipients, which is relevant for pension schemes when emailing their membership.

France Data Protection Authority ("CNIL")

  • CNIL has issued a report on data minimization as a means of environmental protection. The "Data, Footprints and Freedoms" report explores whether data protection may contribute to environmental preservation. The report aims to provide "answers and recommendations for bringing the two objectives closer together."
  • CNIL has published a code of conduct with eight of the agency's "best practices" for organizations considering developing a guide. Among its recommendations, the CNIL suggests organizations evaluate the data protection knowledge of future members, make a plan and use concrete language understandable to readers.

Ireland Data Protection Commission ("DPC")

  • DPC has announced a fine of 345 million Euros against TikTok Technology Limited ("TikTok") for non-compliance with GDPR rules regarding the processing of personal data of child users. The DPC's investigation focused on how TikTok processed the data of children between July 31, 2020, and December 31, 2020.

Spanish Data Protection Agency ("AEPD")

  • AEPD has published guidance on the use of privacy-enhancing technologies in data systems, noting they can be used to implement governance policies and increase trust and data sovereignty. "PETs can be, and should be, 'dual-use' technologies to be efficient and effective, integrated into the core of the Data Spaces, fulfilling different purposes in the data-access sharing economy," the AEPD has stated.

Germany

  • Germany's Federal Cartel Office, the Bundeskartellamt, has ruled Alphabet must give Google users the ability to decide how their data is used across its various services. The ruling has aimed to limit how much data Google can collect by requiring the company to get explicit consent before using the information. The competition regulator has stated users are not given "sufficient choice" concerning processing.

Netherlands

  • Google has been facing class-action style litigation in the Netherlands which accuses the AdTech giant of breaching European privacy laws. The plaintiffs argue that the tech giant collects users' online behaviour and location data on an immense scale through its services and products.
  • The Netherlands' data protection authority ("AP") has taken action over concerns about personal data collection by organizations using generative artificial intelligence, paying special attention to apps for young children. The AP has asked a technology company to clarify its use of a chatbot in an app popular with children.

United States of America ("USA")

  • U.S. White House Office of Science and Technology Policy Director Arati Prabhakar has stated President Joe Biden will soon release an executive order on artificial intelligence. The order is expected to touch on how government and technology companies can mitigate the risks of AI while seizing positive and innovative opportunities.
  • All 50 state attorneys general and four attorneys general from U.S. territories have urged Congress to take action on the use of artificial intelligence ("AI") to exploit children. In their letter to Congress, the AGs address how AI can be used to exploit children, including tracking children's location, mimicking them, and generating child sexual abuse materials such as deepfakes.
  • A federal judge has temporarily blocked an online child protection law in California and stated that it probably violates the Constitution. Under the law, known as the California Age-Appropriate Design Code, digital platforms would have to vet their products before public release to see whether those offerings could harm kids and teens.
  • The California Privacy Protection Agency (CPPA) has released initial draft regulations for cybersecurity audits and risk assessments. Once finalized, these regulations will require businesses to conduct annual cybersecurity audits and submit regular risk assessments to the CPPA, focusing on their handling of personal information.
  • It has been reported that the National Student Clearinghouse indicated 890 U.S. higher education institutions had data stolen as part of the MOVEit ransomware hack. Schools from nearly every U.S. state were affected as the attack breached troves of personally identifiable information. Universities nationwide are required by the U.S. Department of Education to use MOVEit to share information with the NSC.
  • The Federal Trade Commission ("FTC") and the Department of Health and Human Services ("HHS") have published an updated version of the two agencies' joint publication, entitled "Collecting, Using, or Sharing Consumer Health Information? Look to HIPAA, the FTC Act, and the Health Breach Notification Rule." The publication aims to help businesses learn more about their legal obligations under some of the health privacy and security-related laws and rules enforced by the FTC and the HHS.
  • A closed-door meeting organized by US Senate Majority Leader Chuck Schumer has brought together well-known technology executives, including Tesla CEO and X owner Elon Musk, Microsoft co-founder Bill Gates, Microsoft CEO Satya Nadella, Google CEO Sundar Pichai, Meta Platforms CEO Mark Zuckerberg, Nvidia CEO Jensen Huang, IBM CEO Arvind Krishna, and OpenAI CEO Sam Altman, as part of a push to legislate artificial intelligence. It has been stated that the meeting discussed, among other ideas, whether there should be an independent agency to oversee certain aspects of the rapidly developing technology and how companies could be more transparent.
  • Eight technology companies, namely, Adobe, Cohere, IBM, Nvidia, Palantir, Salesforce, Scale AI, and Stability, have signed onto the White House's voluntary AI pledge to foster safe artificial intelligence development. As may be recalled, Amazon, Anthropic, Google, Inflection AI, Microsoft and OpenAI were the first companies the White House announced signing onto the safe AI development pledge in July.

Canada

  • Canada's Federal Court of Appeal has ruled Google's search engine is covered by the country's federal privacy law. The court has determined an exemption for journalistic or artistic work does not cover Google searches, meaning Canadians have the right to request their names be unsearchable, known as the "right to be forgotten."

Australia

  • The Australian Human Rights Commission and the National Australia Bank have developed a human rights impact assessment ("HRIA") tool for artificial intelligence-informed decision-making systems in banking. The HRIA tool is aimed at helping banks determine and address human rights risks stemming from AI systems.

South Korea

  • The Personal Information Protection Commission (PIPC) in South Korea has established an Artificial Intelligence Privacy Team to address issues related to data protection and privacy in the context of artificial intelligence (AI). This team will concentrate on formulating principles for AI environments, rather than relying solely on existing regulations. The PIPC aims to develop a principle-centered discipline system to address the challenges and uncertainties that companies might encounter as they navigate the AI landscape.
