I. TÜRKIYE

Data Breach Notifications

  • As of November 14, 2023, five data breach notifications were published on the website of the Personal Data Protection Authority ("Authority"). The stated cause of the breaches is unlawful, unauthorized access by a third party or persons to the information systems of the data controllers.

II. EUROPE AND THE WORLD

General Developments

European Commission

  • The European Commission has given Meta and Snap a December 1 deadline to provide information on how they protect children from harmful content. The deadline is similar to the one given to Alphabet's YouTube and TikTok. The actions come after the passage of the Digital Services Act which requires major technology companies to do more to combat illegal and harmful content.
  • The European Commission issued the legal framework for publishing audit reports and audit implementation reports for very large online platforms and very large online search engines under the Digital Services Act. The regulation establishes legal requirements, such as the processes for very large online platforms and very large online search engines to select an independent auditor and audit methodology.

European Parliament

  • European Parliament endorsed the data-sharing provisions of the European Union ("EU") Data Act. The law's objective is to encourage innovation through the curtailment of barriers for accessing data in the context of Internet of Things devices and for training artificial intelligence systems' algorithms. The Data Act awaits Council of the European Union approval before entering into law.
  • European Parliament announced a provisional agreement with the Council of the European Union on the creation of an EU Digital Identity Wallet that provides online identification verification. Through the wallet's "privacy dashboard," citizens can access and remove their data from the wallet.
  • European Parliament and the Council of the European Union have tentatively reached an agreement on how targeted political advertising can work. The provision would only allow for targeted ads if a consumer gave explicit consent and would ban profiling based on personal data. Both parties must adopt the agreement before it can take effect.
  • European Parliament agreed to a draft proposal to combat child sexual abuse material ("CSAM"). The proposal would require digital platforms to detect and report CSAM. The regulation proposed empowering the EU Centre to have "the most extensive legal capacity accorded to legal persons" under member states' laws and use a web crawler-like bot to scan for "publicly accessible" CSAM content.

The Court of Justice of the European Union ("CJEU")

  • On November 9, 2023, the CJEU released Press Release No 168/23, announcing a significant decision. According to the decision, car manufacturers have granted independent operators, including repairers and parts distributors, access to vital information for vehicle repair and maintenance. This involves establishing a searchable database with details on replaceable parts, such as vehicle identification numbers. CJEU clarified that while these numbers aren't inherently personal data, they become so if they identify the vehicle owner. Regardless, even if classified as personal data, the EU General Data Protection Regulation ("GDPR") doesn't hinder manufacturers from sharing them with independent operators. The mandated information format should be electronically usable for immediate extraction and retention. This ruling stems from a case involving a German trade association contesting Scania's information provision to its members.
  • CJEU opined that a patient has the right to a free first copy of their medical records under the GDPR. The question came before the court after a German resident asked his dentist for a copy of his medical records and was told he needed to pay for it. The case still has to be decided by the German Federal Court of Justice.

European Data Protection Supervisor ("EDPS")

  • UK Information Commissioner's Office ("ICO") and EDPS signed a memorandum of understanding regarding their work on individuals' data protection and privacy rights. The agencies promised to share best practices and information to support their regulatory efforts and cooperate on certain projects of mutual interest.
  • EDPS and European Data Protection Board ("EDPB") have issued a joint opinion on the proposal to create a digital euro. Both agencies call for introducing a privacy threshold for online transactions, clarifications on the data protection requirements of the European Central Bank and payment service providers, and clear guidelines on how identifiers will be used to gauge how many digital euros a user has.
  • EDPS issued opinions on two European Commission proposals for imposing liability rules on artificial intelligence products. The two proposals would establish liability for AI developers making "defective products" and civil liability rules for consumers negatively impacted by AI systems. The EDPS offered several recommendations, including ensuring individuals harmed by CJEU institutions using a defective AI system have the same level of protection as those adversely impacted by a private entity's use of a faulty system.

Interactive Advertising Bureau Europe ("IAB Europe")

  • IAB Europe released a paper outlining its recommendations for GDPR enforcement in cross-border cases. The guidance calls for early resolutions, including settlements to solve cases, and increased transparency in supervisory authorities' decisions. IAB's recommendations are aimed at "fostering a digital ecosystem that not only respects privacy and fundamental rights but also ensures efficient enforcement of GDPR regulations across borders."

United Kingdom ("UK")

  • UK Department for Science, Innovation and Technology announced updates to the app store and developer code of practice. Originally released December 2022, the updated code emphasizes previously established principles for "minimum security and privacy requirements," including transparency, data security measures and breach notification practices. The department also announced implementation of the code was extended to March 2024.

UK Information Commissioner's Office ("ICO")

  • ICO is soliciting 2024 applications for its Regulatory Sandbox program. ICO Executive Director of Regulatory Risk Stephen Almond has stated the sandbox aims to help "innovators big and small engineer privacy into the design of their products and give their customers confidence."
  • Clearview AI prevailed in its appeal of the 2021 GBP 7.5 million fine levied by ICO. Members of the First-tier Tribunal, who heard the appeal, ruled the company did engage in "data processing related to monitoring the behavior of people in the UK"; however, the ICO "did not have jurisdiction" to impose the penalty on Clearview AI because its users were primarily law enforcement agencies outside the UK.

French Data Protection Authority ("CNIL")

  • CNIL has issued 10 sanctions over recent months to private and public entities totaling EUR 97,000. The nature of the complaints included processing the geolocation data of employees driving company vehicles while on their breaks and the use of video surveillance of employees at their workstations. The CNIL highlighted the fines came under a new simplified sanction procedure.
  • CNIL published an FAQ document on the European Commission's adequacy decision regarding the EU-U.S. Data Privacy Framework. The FAQ features key provisions of the Data Privacy Framework and details the process by which French entities can transfer data to United States of America organizations if the given organization has not adopted the Data Privacy Framework agreement.
  • CNIL has opened a consultation on processes for creating datasets toward artificial intelligence development. The CNIL is drafting "how-to sheets" with "concrete and practical answers" that support "actors of the AI ecosystem in their efforts to comply with the legislation on the protection of personal data."

Germany

  • The Berlin Regional Court, Landgericht Berlin, has banned LinkedIn's alleged practice of ignoring user tracking opt-outs, the Federation of German Consumer Organizations announced. The court also stated the platform could no longer make a member's profile visible on other websites as a default setting.

Belgian Data Protection Authority ("APD")

  • APD released a checklist for proper application and usage of third-party cookies and user tracking mechanisms. The checklist offers reminders along with "dos and don'ts" for applying cookies while the APD reminds companies that "free, specific, (and) informed" consent is required for any tracking that is not strictly necessary.

Liechtenstein

  • Liechtenstein's data protection authority, Datenschutzstelle, has published guidance on data protection practices around artificial intelligence-powered chatbots. The guidelines outline chatbots and their usage while discussing the legal basis for data processing, transparency obligations, and existing legal uncertainties for chatbots under the GDPR.

Norway's Data Protection Authority ("Datatilsynet")

  • Datatilsynet stated it is taking part in a review at the "European level" of Meta's ad-free subscription model for EU users to address alleged targeted advertising infringements under GDPR. Datatilsynet stated EU data protection authorities "have expressed skepticism" over Meta's compliance "partly because you have to pay if you do not 'consent.'"

United States of America (U.S.A.)

  • On October 30, the White House published U.S.A. President Joe Biden's executive order calling for the "safe, secure, and trustworthy development and use of artificial intelligence". The order lays out eight guiding principles and priorities for how AI systems should be developed and deployed. Meanwhile, the U.S.A. National Institute of Standards and Technology, along with several other agencies, will take a leading role in adopting the requirements of Biden's executive order.
  • U.S.A. Federal Trade Commission ("FTC") announced nonbanking financial institutions will be subject to required data breach and security notification rules. Under an FTC-approved amendment to the Safeguards Rule, finance-based businesses, including mortgage brokers, motor vehicle dealers and payday lenders, will be obligated to maintain a "comprehensive security program" and report incidents involving more than 500 individuals within 30 days of discovery.
  • Amazon Web Services announced an independent cloud service for European customers to comply with the EU's data privacy and sovereignty standards. The service will behave similarly to Amazon's cloud services in other regions but will keep all metadata within the EU and have additional data residency options.
  • Google intends to kickstart a privacy initiative to curb the proliferation of device fingerprinting. Google Software Engineer Brianna Goldstein wrote the updated IP Protection tool will route third-party tracking attempts through "proxies for the purpose of protecting the user by masking their IP address from those domains."
  • Google released a legislative framework offering policymakers principles to craft better laws to protect children online. Many of the principles are grounded in embedding age-appropriate design features that are "designed with safety in mind" to deliver a better online experience for minors.
  • A 13-year legal battle over Google allegedly leaking users' personal information to publishers is nearly over after a U.S.A. judge approved a USD 23 million settlement. The lawsuit claimed search engine queries were being transmitted to third parties.
  • U.S.A. President Joe Biden has released a new policy detailing how other countries should respond to ransomware attacks and its plans to share data about attackers. The policy framework aims to make it easier to track the culprits and discourage paying ransoms, which the White House continues to advise against.

Canada

  • The Office of the Privacy Commissioner of Canada has published two guidance notes to support its recent joint resolution with provincial privacy authorities to improve children's privacy standards. One guide focuses on consideration for the "best interests of young people" in data processing activities while the second guide offers recommendations to organizations on best practices for protecting children.

China

  • The Cyberspace Administration of China released its Global AI Governance Initiative, a framework for artificial intelligence. The framework calls for "equal rights" when developing AI, regardless of a country's "size, strength or social system."

Australia

  • Microsoft pledged AUD 5 billion to the Australian government to bolster cybersecurity, artificial intelligence and cloud-computing capabilities. Notably, the investment includes training programs for 300,000 Australian AI and cloud professionals as well as collaboration with cyber defense agencies to improve threat identification and response.

The Group of Seven ("G7")

  • The G7 members signed a code of conduct for companies looking to develop artificial intelligence technologies. The code contains 11 guiding principles that "provide guidance for organizations developing, deploying and using advanced AI systems."
