I. Türkiye

The Turkish Personal Data Protection Board's ("Board") Decision

  • On 6 July 2023, the Board published its Decision numbered 2023/1154 ("Decision") on its official website. The Decision amends the exception criteria for the obligation to register with the Data Controllers Registry ("VERBIS"). In the Decision, the Board made the following findings.
  • Some data controllers in Türkiye do not have the obligation to register and notify VERBIS and are considered to be within the exception. One category of data controllers included in the exemption was "real or legal person data controllers with less than 50 employees and an annual financial balance sheet total of less than TRY 25 million, whose main activity is not processing special categories of personal data".
  • As per the Decision, the Board updated the limit of TRY 25 million and increased it to TRY 100 million. Therefore, the exception will now be applied as "real or legal person data controllers with less than 50 employees and an annual financial balance sheet total of less than TRY 100 million, whose main activity is not the processing of sensitive personal data".
  • The Decision entered into force on the date of its publication in the Official Gazette, which is July 25, 2023.

Data Breach Notifications

  • As of August 14, 2023, sixteen data breach notifications were published on the website of the Personal Data Protection Authority ("Authority"). It has been stated that the violations were caused by unlawful, unauthorized access to the data controllers' information systems by a third party or third parties.

II. Europe and the World

General Developments

European Commission

  • The European Commission formally released proposed procedural rules for EU General Data Protection Regulation ("GDPR") enforcement in cross-border cases on 7 July. The initiative will "harmonize some aspects of the administrative procedure the national data protection authorities apply," per the commission. Stakeholders are encouraged to provide input to the commission on the formal adoption of the procedural rules through 4 September.

European Data Protection Board ("EDPB")

  • EDPB has adopted an Article 65 binding dispute resolution decision related to alleged TikTok children's privacy violations brought by Ireland's Data Protection Authority ("DPC"). The EDPB stated the dispute among members that spurred intervention pertained to "whether there had been an infringement of data protection by design and default with regard to age verification" and "infringement of the principle of fairness with regard to certain design practices."
  • EDPB issued its formal statement on the European Commission's first review of its adequacy agreement with Japan. The EDPB's main takeaway was "there were not substantial changes in the relevant Japanese legislation" to allow for authorities to access private sector information that could run counter to the GDPR.
  • EDPB adopted an information note on data transfers under the EU-U.S. Data Privacy Framework. The note explains individuals' rights and organizations' obligations.

European Data Protection Supervisor ("EDPS")

  • EDPS found the Court of Justice of the European Union's ("CJEU") use of Cisco Webex videoconferencing services meets EU data protection standards. The EDPS stated the CJEU requested authorization of contractual clauses under Article 48, related to its transfers of personal data in the use of Cisco Webex and related services, but the EDPS found "none of these data flows fall under the scope of an authorization decision under Article 48."

U.K. Information Commissioner's Office ("ICO")

  • ICO and U.K. Competition and Markets Authority jointly recommended businesses "stop using harmful website designs" to "trick consumers into giving up more of their personal data" than they would otherwise. The authorities issued a joint position paper highlighting how design practices could breach data protection laws. The regulators also offered guidance for empowering users to control their personal data.
  • ICO circulated a warning to members of the banking and financial services association U.K. Finance over unlawful financial data sharing. The warning stems from allegations that NatWest Bank shared account details belonging to a former politician with the media. Information Commissioner John Edwards stated banks "should not be using information in a way that is unduly unexpected" and "should not be holding any more information than is necessary."

France Data Protection Authority ("CNIL")

  • CNIL issued decisions regarding parental control standards for internet access. The first decision mandates minimum features that prohibit children under age 13 from downloading applications and block access to content on certain terminals. The second decision requires that the mandatory features added to devices not lead to additional collection of children's data.
  • CNIL offered takeaways from its sandbox initiatives in the digital health and education technology sectors. Each sandbox carried four projects with the CNIL providing "regular legal and technical support" with the aim of generating findings that "innovators in the sector can benefit from them for their own projects."
  • CNIL published recommendations and considerations for Google's Privacy Sandbox. The CNIL detailed the basic purpose and use cases for the sandbox, which the regulator stated will be available to all parties in the third quarter of 2023 as third-party cookies are deprecated.
  • CNIL published best practices for sharing personal data through application programming interfaces ("API"). The CNIL identified cases when API use is recommended, listed risk factors to help organizations conduct a risk analysis and offered recommended measures to help them achieve "the desired level of security" and "facilitate compliance with data protection principles."

Irish Data Protection Authority ("DPC")

  • WhatsApp has switched its legal basis for processing personal data under the GDPR, following a EUR 5.5 million fine by DPC in January. The DPC found WhatsApp's prior "contract" legal basis insufficient and ordered the app to find a new one. WhatsApp will now use the "legitimate interest" legal basis.

European Center for Digital Rights ("NOYB")

  • NOYB has submitted a complaint to Spain's data protection authority, alleging Irish airline Ryanair violated the GDPR with its facial recognition use. NOYB claimed the airline's biometric verification process in flight bookings does not have a legal basis for processing.

Australia

  • Australia's Federal Court ordered Meta's Facebook Israel and the now-discontinued Onavo to pay a combined AUD 20 million for failing to adequately disclose data collection practices. The Australian Competition and Consumer Commission ("ACCC"), which brought the case forward, stated Meta used anonymized and aggregated data, including users' internet and app activity, for market research activities.

United States of America ("USA")

  • The USA Department of Justice and the Federal Trade Commission announced that Amazon agreed to a permanent injunction and USD 25 million civil penalty to settle alleged children's privacy violations related to its Alexa voice assistant. A complaint filed in the USA District Court for the Western District of Washington alleges Amazon retained children's voice recordings indefinitely and "engaged in unfair privacy practices" regarding geolocation information and voice recordings. Among requirements of the order, Amazon must identify and delete inactive child profiles.
  • Google has launched its generative artificial intelligence platform Bard in the EU after a delay in June over compliance with the GDPR. Google's Product Director Jack Krawczyk stated discussions with data protection authorities resulted in a focus on transparency around data use and giving users a choice over Google's use of their information.
  • The USA Federal Communications Commission ("FCC") Privacy and Data Protection Task Force proposed rules to protect consumers from scammers targeting data and personal information through cellphone SIM card swapping and port-out fraud. "Every consumer has a right to expect that their mobile phone service providers keep their accounts secure and their data private," FCC Chair Jessica Rosenworcel stated.
