&lt;p class="MsoNormal" style="margin: 0px 0px 11px; line-height: 2; font-family: Calibri, sans-serif; text-align: justify; font-size: 15px;">&lt;span lang="TR" style="line-height: 107%; font-family: Arial, Helvetica, sans-serif; color: rgb(29, 27, 27); font-size: 14px;">&lt;span style="font-size: 14px;">The Italian Data
        Protection Authority (the "&lt;/span>&lt;strong>Authority&lt;/strong>&lt;span style="font-size: 14px;">") banned the data processing
        activities of Replica, an AI-powered chatbot app that offers a "virtual
        friend" experience to users. If Replica fails to comply with the
        Authority's order within 20 days, it may face a fine of up to €20 million or 4%
        of its global turnover.&lt;/span>&lt;/span>&lt;/p>

&lt;p class="MsoNormal" style="margin: 0px 0px 11px; line-height: 2; font-family: Calibri, sans-serif; text-align: justify; font-size: 15px;">&lt;span lang="TR" style="line-height: 107%; font-family: Arial, Helvetica, sans-serif; font-size: 14px; color: rgb(29, 27, 27);">The Authority found that
        Replica does not adhere to the transparency principle outlined in the European
        Data Protection General Regulation (GDPR) regarding the processing of personal
        data. In particularly, the legal basis for Replika's data processing, which
        relies on the performance of a contract, is invalid as children are not
        qualified to enter into such contracts.&lt;/span>&lt;/p>

&lt;p class="MsoNormal" style="margin: 0px 0px 11px; line-height: 2; font-family: Calibri, sans-serif; text-align: justify; font-size: 15px;">&lt;span lang="TR" style="line-height: 107%; font-family: Arial, Helvetica, sans-serif; font-size: 14px; color: rgb(29, 27, 27);">The decision also notes
        that Replika poses tangible threat to children. Replica lacks any age
        verification system during the registration process, and the chatbot's
        responses may not be appropriate for the children using the app.&lt;/span>&lt;/p>

&lt;p class="MsoNormal" style="margin: 0px 0px 11px; line-height: 2; font-family: Calibri, sans-serif; text-align: justify; font-size: 15px;">&lt;span lang="TR" style="line-height: 107%; font-family: Arial, Helvetica, sans-serif; font-size: 14px; color: rgb(29, 27, 27);">Concerns have been raised
        about the risks such technology might pose to children. These range from
        worries over kids being exposed to inappropriate content to more general
        concerns such as that they might get addicted to the interactions, be
        encouraged into spending money on customizing their avatars or to gain access
        to other paid content. But the Authority appears to the first regulator to take
        formal action over child safety.&lt;/span>&lt;/p>&lt;hr>&lt;p>&lt;span style="font-family: Arial, Helvetica, sans-serif; font-size: 14px;">&lt;strong>Tagged with&lt;/strong>: &lt;a href="https://turkishlawblog.com/contributors/detail/kavlak-law-firm" target="_blank" style="color: rgb(2, 102, 132);">Kavlak Law Firm&lt;/a>, &lt;a href="https://turkishlawblog.com/writer/detail/ayse-aybuke-cilingir" target="_blank" style="color: rgb(2, 102, 132);">Ayşe Aybüke Çilingir&lt;/a>, &lt;a href="https://turkishlawblog.com/writer/detail/ozge-keskin" target="_blank" style="color: rgb(2, 102, 132);">Özge Keskin&lt;/a>, &lt;a href="https://turkishlawblog.com/insights/category/data-protection-privacy" target="_blank" style="color: rgb(2, 102, 132);">Data Protection&lt;/a>, &lt;/span>&lt;a href="https://turkishlawblog.com/insights/category/data-protection-privacy" target="_blank" style="color: rgb(2, 102, 132); font-family: Arial, Helvetica, sans-serif; font-size: 14px;">Data Privacy&lt;/a>&lt;br>&lt;/p>

The Italian Data         Protection Authority banned the data processing activities of Replica, an AI-powered chatbot app that offers a "virtual friend" experience to users.

Italian Data Protection Authority Bans Data Processing of AI-Powered Chatbot Replica

Aybüke graduated from Yeditepe
 University Faculty of Law in 2019. She has been working at the IT Department in
 <a href="https://turkishlawblog.com/contributors/detail/kavlak-law-firm" target="_blank" style="color: rgb(3, 102, 132);">Kavlak Law Firm</a> focusing on personal data protection law, e-commerce law, IT
 and technology law. She provides legal assistance to local and multinational
 clients on legal compliance, personal data protection compliance and IT
 agreements. Practice Areas &amp; Work Department

IT Law

Personal Data Protection Law 

E-Commerce Law

Compliance

&nbsp; 

Languages

Turkish

English

As an independent full-service law firm, KAVLAK provides
solutions and practical approaches for a wide range of legal issues to domestic
and international clients since 2006. Our team is experienced in providing
specialist expertise to clients based in the USA, UK and EMEA to reach their
significant potential for global expansion. KAVLAK has a high reputation in
providing legal services to innovative, technology-driven businesses.Our lawyers are recognized for practical legal and business
guidance and provide unique customized commercial advice to your business. We
have extensive experience and interdisciplinary approach to advising start-ups
on company formation, equity structures, Investments, IP rights and other
topics vital to their success. Over the
years, we have built a long track record of working in key industries and
markets, mainly legaltech, fintech, ecommerce, big data, supply chain
management &amp; logistics, AI, B2B software and leisure &amp;
entertainment.&nbsp;We provide legal
consultancy services to our clients by utilising our global network of start-up
ecosystem.

Kavlak Law Firm

Attorney at Law

&lt;p class="MsoNormal" style="margin: 0px 0px 11px; font-family: Calibri, sans-serif; text-align: justify; font-size: 15px;">&lt;span lang="TR" style="line-height: 107%; font-family: Arial, Helvetica, sans-serif; font-size: 14px;">Quote of the
        Topic: UK Information Commissioner John Edwards said that “If your organization
        shares large volumes of data, particularly special category data, we recommend
        that over the next five years you start considering using PETs”&lt;a style="color: rgb(5, 99, 193); text-decoration: underline;" href="#_ftn1" name="_ftnref1" title="">&lt;span class="MsoFootnoteReference" style="vertical-align: super;">&lt;span>&lt;span class="MsoFootnoteReference" style="vertical-align: super;">&lt;span lang="TR" style="line-height: 107%; font-family: " times="" new="" roman",="" serif;="" font-size:="" 16px;"="">[1]&lt;/span>&lt;/span>&lt;/span>&lt;/span>&lt;/a>&lt;/span>&lt;/p>

&lt;p class="MsoNormal" style="margin: 0px 0px 11px; font-family: Calibri, sans-serif; font-size: 15px; text-align: justify; line-height: 1;">&lt;br>&lt;/p>&lt;h2 class="MsoNormal" style="margin: 0px 0px 11px; font-family: Calibri, sans-serif; text-align: justify; font-size: 15px;">&lt;strong style="">&lt;span lang="TR" style="line-height: 107%; font-family: Arial, Helvetica, sans-serif; font-size: 14px;">So, what is the PET's?&lt;/span>&lt;/strong>&lt;/h2>

&lt;p class="MsoNormal" style="margin: 0px 0px 11px; font-family: Calibri, sans-serif; text-align: justify; font-size: 15px;">&lt;span lang="TR" style="line-height: 107%; font-family: Arial, Helvetica, sans-serif; font-size: 14px;">&lt;span style="font-size: 14px;">Privacy enhancing
        technologies (“&lt;/span>&lt;strong>PET&lt;/strong>&lt;span style="font-size: 14px;">”) is the general name given to a set of tools, techniques,
        and methodologies aimed at ensuring data security based on data minimization
        and empowering individuals to control their own data.&lt;/span>&lt;/span>&lt;/p>

&lt;p class="MsoNormal" style="margin: 0px 0px 11px; font-family: Calibri, sans-serif; text-align: justify; font-size: 15px;">&lt;span lang="TR" style="line-height: 107%; font-family: Arial, Helvetica, sans-serif; font-size: 14px;">Data protection
        law does not define PET’s. The European Union Agency for Cybersecurity (ENISA)
        refers to PETs as: ‘Software and hardware solutions, ie systems encompassing
        technical processes, methods or knowledge to achieve specific privacy or data
        protection functionality or to protect against risks of privacy of an
        individual or a group of natural persons.’&lt;/span>&lt;/p>

&lt;p class="MsoNormal" style="margin: 0px 0px 11px; font-family: Calibri, sans-serif; font-size: 15px; text-align: justify; line-height: 1;">&lt;br>&lt;/p>&lt;h2 class="MsoNormal" style="margin: 0px 0px 11px; font-family: Calibri, sans-serif; text-align: justify; font-size: 15px;">&lt;strong style="">&lt;span lang="TR" style="line-height: 107%; font-family: Arial, Helvetica, sans-serif; font-size: 14px;">What PET’s are there?&lt;/span>&lt;/strong>&lt;/h2>

&lt;p class="MsoNormal" style="margin: 0px 0px 11px; font-family: Calibri, sans-serif; text-align: justify; font-size: 15px;">&lt;span lang="TR" style="line-height: 107%; font-family: Arial, Helvetica, sans-serif; font-size: 14px;">There are many
        PET’s that you could consider as part of your data protection compliance. UK
        Information Commissioner Offices’s PET’s Guidance&lt;a style="color: rgb(5, 99, 193); text-decoration: underline;" href="#_ftn2" name="_ftnref2" title="">&lt;span class="MsoFootnoteReference" style="vertical-align: super;">&lt;span>&lt;span class="MsoFootnoteReference" style="vertical-align: super;">&lt;span lang="TR" style="line-height: 107%; font-family: " times="" new="" roman",="" serif;="" font-size:="" 16px;"="">[2]&lt;/span>&lt;/span>&lt;/span>&lt;/span>&lt;/a> list
        these below mentioned technologies.&lt;/span>&lt;/p>

&lt;ul style="list-style-type: square;">&lt;li style="margin-left: 20px; text-align: justify; line-height: 2;">&lt;span style="font-family: Arial, Helvetica, sans-serif; font-size: 14px;">&lt;span lang="TR" style="line-height: 107%; font-size: 14px;">Differential
        privacy&lt;/span>&lt;/span>&lt;/li>&lt;li style="margin-left: 20px; text-align: justify; line-height: 2;">&lt;span style="font-family: Arial, Helvetica, sans-serif; font-size: 14px;">&lt;span lang="TR" style="line-height: 107%; font-size: 14px;">Synthetic
        data&lt;/span>&lt;/span>&lt;/li>&lt;li style="margin-left: 20px; text-align: justify; line-height: 2;">&lt;span style="font-family: Arial, Helvetica, sans-serif; font-size: 14px;">&lt;span lang="TR" style="line-height: 107%; font-size: 14px;">Homomorphic
        encryption&nbsp;&lt;/span>&lt;/span>&lt;/li>&lt;li style="margin-left: 20px; text-align: justify; line-height: 2;">&lt;span style="font-family: Arial, Helvetica, sans-serif; font-size: 14px;">&lt;span lang="TR" style="line-height: 107%; font-size: 14px;">Zero-knowledge
        proofs&lt;/span>&lt;/span>&lt;/li>&lt;li style="margin-left: 20px; text-align: justify; line-height: 2;">&lt;span style="font-family: Arial, Helvetica, sans-serif; font-size: 14px;">&lt;span lang="TR" style="line-height: 107%; font-size: 14px;">Trusted
        execution environment&lt;/span>&lt;/span>&lt;/li>&lt;li style="margin-left: 20px; text-align: justify; line-height: 2;">&lt;span style="font-family: Arial, Helvetica, sans-serif; font-size: 14px;">&lt;span lang="TR" style="line-height: 107%; font-size: 14px;">Se&lt;span style="font-size: 14px;">cure
        multiparty computati&lt;/span>on&nbsp;&lt;/span>&lt;/span>&lt;/li>&lt;li style="margin-left: 20px; text-align: justify; line-height: 2;">&lt;span style="font-family: Arial, Helvetica, sans-serif; font-size: 14px;">&lt;span lang="TR" style="line-height: 107%; font-size: 14px;">Private
        set intersection&nbsp;&lt;/span>&lt;/span>&lt;/li>&lt;li style="margin-left: 20px; text-align: justify; line-height: 2;">&lt;span style="font-family: Arial, Helvetica, sans-serif; font-size: 14px;">&lt;span lang="TR" style="line-height: 107%; font-size: 14px;">Federated
        learning&lt;/span>&lt;/span>&lt;/li>&lt;/ul>















&lt;p class="MsoNormal" style="margin: 0px 0px 11px; font-family: Calibri, sans-serif; font-size: 15px; text-align: justify; line-height: 1;">&lt;br>&lt;/p>&lt;h2 class="MsoNormal" style="margin: 0px 0px 11px; font-family: Calibri, sans-serif; text-align: justify; font-size: 15px;">&lt;strong style="">&lt;span lang="TR" style="line-height: 107%; font-family: Arial, Helvetica, sans-serif; font-size: 14px;">What are the benefits of PET’s?&lt;/span>&lt;/strong>&lt;/h2>

&lt;p class="MsoNormal" style="margin: 0px 0px 11px; font-family: Calibri, sans-serif; text-align: justify; font-size: 15px;">&lt;span lang="TR" style="line-height: 107%; font-family: Arial, Helvetica, sans-serif; font-size: 14px;">Several categories
        of PETs can help achieve data protection compliance, including ‘data protection
        by design and default’. These include PETs that:&lt;/span>&lt;/p>

&lt;ul style="list-style-type: square;">&lt;li style="margin-left: 20px; text-align: justify;">&lt;span style="font-family: Arial, Helvetica, sans-serif; font-size: 14px;">&lt;span lang="TR" style="line-height: 107%; font-size: 14px;">Reduce
        the identifiability of the people that the information you are processing is
        about. These can help you to fulfil the principle of data minimisation;&lt;/span>&lt;/span>&lt;/li>&lt;li style="margin-left: 20px; text-align: justify;">&lt;span style="font-family: Arial, Helvetica, sans-serif; font-size: 14px;">&lt;span lang="TR" style="line-height: 107%; font-size: 14px;">Focus
        on hiding and shielding information. These can help you achieve the
        requirements of the security principle; and&lt;/span>&lt;/span>&lt;/li>&lt;li style="margin-left: 20px; text-align: justify;">&lt;span style="font-family: Arial, Helvetica, sans-serif; font-size: 14px;">&lt;span lang="TR" style="line-height: 107%; font-size: 14px;">Split
        datasets. These can help you to fulfil both the data minimisation and security
        principles, depending on the nature of the processing.&lt;/span>&lt;/span>&lt;/li>&lt;/ul>





&lt;p class="MsoNormal" style="margin: 0px 0px 11px; font-family: Calibri, sans-serif; text-align: justify; font-size: 15px;">&lt;span lang="TR" style="line-height: 107%; font-family: Arial, Helvetica, sans-serif; font-size: 14px;">These types of
        technologies open unprecedented opportunities for organisations to harness the
        power of personal data through innovative and trustworthy applications, by
        allowing them to share, link and analyse people’s personal information without
        having access to it.&lt;/span>&lt;/p>

&lt;p class="MsoNormal" style="margin: 0px 0px 11px; font-family: Calibri, sans-serif; text-align: justify; font-size: 15px;">&lt;span lang="TR" style="line-height: 107%; font-family: Arial, Helvetica, sans-serif; font-size: 14px;">In addition PET’s
        can be used to share anonymised personal information to detect and prevent
        financial crimes and related harms such as fraud, money laundering, and
        cybercrimes.&lt;/span>&lt;/p>

&lt;p class="MsoNormal" style="margin: 0px 0px 11px; font-family: Calibri, sans-serif; text-align: justify; font-size: 15px; line-height: 2;">&lt;span lang="TR" style="line-height: 107%; font-family: Arial, Helvetica, sans-serif; font-size: 14px;">If your
        organization processes extensive volumes of data, particularly sensitive category
        data, PET’s can be a focal point of your agenda next 5 years. &lt;/span>&lt;/p>

&lt;div style="text-align: justify;">&lt;hr align="left" size="1" width="33%">



    &lt;div id="ftn1">

        &lt;p class="MsoFootnoteText" style="margin: 0px; font-family: Calibri, sans-serif; font-size: 13px;">&lt;span style="font-family: Arial, Helvetica, sans-serif; font-size: 14px;">&lt;a style="color: rgb(5, 99, 193); text-decoration: underline;" href="#_ftnref1" name="_ftn1" title="">&lt;span class="MsoFootnoteReference" style="vertical-align: super;">&lt;span class="MsoFootnoteReference" style="vertical-align: super;">&lt;span lang="TR" style="line-height: 107%; font-size: 13px;">[1]&lt;/span>&lt;/span>&lt;/span>&lt;/a> https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2023/06/ico-urges-organisations-to-harness-the-power-of-data-safely-by-using-privacy-enhancing-technologies/
            &lt;/span>&lt;/p>

    &lt;/div>

    &lt;div id="ftn2">

        &lt;p class="MsoFootnoteText" style="margin: 0px; font-family: Calibri, sans-serif; font-size: 13px;">&lt;a style="color: rgb(5, 99, 193); text-decoration: underline;" href="#_ftnref2" name="_ftn2" title="">&lt;span class="MsoFootnoteReference" style="vertical-align: super;">&lt;span lang="TR">&lt;span>&lt;span class="MsoFootnoteReference" style="vertical-align: super;">&lt;span lang="TR" style="line-height: 107%; font-family: Arial, Helvetica, sans-serif; font-size: 14px;">[2]&lt;/span>&lt;/span>&lt;/span>&lt;/span>&lt;/span>&lt;/a>&lt;span lang="TR" style=""> https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/data-sharing/privacy-enhancing-technologies/&lt;/span>&lt;/p>&lt;hr>&lt;p>&lt;span style="font-family: Arial, Helvetica, sans-serif; font-size: 14px;">&lt;strong>Tagged with&lt;/strong>:&nbsp;&lt;span style="box-sizing: border-box; color: rgb(0, 0, 0); font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; background-color: rgb(255, 255, 255); text-decoration-thickness: initial; text-decoration-style: initial; text-decoration-color: initial; font-size: 14px;">&lt;a href="https://turkishlawblog.com/contributors/detail/kavlak-law-firm" target="_blank" style="color: rgb(2, 102, 132);">Kavlak Law Firm&lt;/a>&lt;/span>&lt;span style="box-sizing: border-box; color: rgb(0, 0, 0); font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; background-color: rgb(255, 255, 255); text-decoration-thickness: initial; text-decoration-style: initial; text-decoration-color: initial; font-size: 14px;">,&nbsp;&lt;/span>&lt;a href="https://turkishlawblog.com/writer/detail/ayse-aybuke-cilingir" target="_blank" style="color: rgb(2, 102, 132);">Özge Keskin&lt;/a>,&nbsp;&lt;span style="font-size: 14px;">&lt;a href="https://turkishlawblog.com/writer/detail/doganer-doganay" target="_blank" style="color: rgb(2, 102, 132);">Doğaner Doğanay&lt;/a>&lt;/span>&lt;/span>&lt;span style="font-family: Arial, Helvetica, sans-serif; font-size: 14px;">&lt;span style="font-family: Arial, Helvetica, sans-serif; font-size: 14px;">,&nbsp;&lt;/span>&lt;a href="https://turkishlawblog.com/insights/category/data-protection-privacy" target="_blank" style="color: rgb(2, 102, 132); font-family: Arial, Helvetica, sans-serif; font-size: 14px;">Data Protection &amp; Privacy&lt;/a>&lt;/span>&lt;br>&lt;/p>

    &lt;/div>
&lt;/div>

PETs encompass tools, techniques, and methodologies that prioritize data security, data minimization, and individual data control. The European Union Agency for Cybersecurity defines PETs as software and hardware solutions for privacy and data protection. PETs include technologies such as differential privacy, homomorphic encryption, zero-knowledge proofs, trusted execution environments, and more. 

Exploring the Power of Privacy Enhancing Technologies

&lt;p style="text-align: justify;">&lt;span style="font-family: Arial, Helvetica, sans-serif; font-size: 14px;">&lt;span style="font-size: 14px;">&lt;span style="font-size: 14px;">According to The Guardian[1],
there is a concern that encrypted messaging app companies, including WhatsApp,
might cease their services in the UK if the Online Safety Bill is not amended.&lt;/span>&lt;/span>&lt;/span>&lt;/p>&lt;p style="text-align: justify;">&lt;span style="font-family: Arial, Helvetica, sans-serif; font-size: 14px;">&lt;span style="font-size: 14px;">&lt;span style="font-size: 14px;">The Online Safety Bill (“&lt;/span>&lt;strong style="font-size: 14px;">Bill&lt;/strong>&lt;span style="font-size: 14px;">&lt;span style="font-size: 14px;">”) is a proposed
legislation in the UK aimed at enhancing internet safety and addressing online
harms. It seeks to hold companies accountable for the content shared on their
platforms and introduces measures to protect users, especially vulnerable
individuals like children.&lt;/span>&lt;/span>&lt;/span>&lt;/span>&lt;/p>&lt;p style="text-align: justify;">&lt;span style="font-family: Arial, Helvetica, sans-serif; font-size: 14px;">&lt;span style="font-size: 14px;">&lt;span style="font-size: 14px;">&lt;span style="font-size: 14px;">Under consideration, the Bill grants the Office of
Communications (“&lt;/span>&lt;strong>Ofcom&lt;/strong>&lt;span style="font-size: 14px;">”) the power to enforce regulations that require social
networks to utilize technology in combating terrorism and child sexual abuse
content. Services that do not comply may face fines of up to 10% of their
global revenue. The Bill also emphasizes the importance of companies making
diligent efforts to develop or obtain technology that aligns with the
regulatory obligations specified by Ofcom. This provision encourages social
networks to take proactive steps in addressing harmful content and prioritizing
user safety.&lt;/span>&lt;/span>&lt;/span>&lt;/span>&lt;/p>&lt;p style="text-align: justify;">&lt;span style="font-family: Arial, Helvetica, sans-serif; font-size: 14px;">&lt;span style="font-size: 14px;">&lt;span style="font-size: 14px;">&lt;span style="font-size: 14px;">However, messaging apps relying on end-to-end
encryption (“&lt;/span>&lt;/span>&lt;/span>&lt;strong style="font-size: 14px;">E2EE&lt;/strong>&lt;span style="font-size: 14px;">”) face a unique challenge in adhering to these regulations.
E2EE is a security measure that ensures secure communication and data privacy
between parties. It allows only the sender and intended recipient(s) to access
and understand the encrypted content while preventing unauthorized access. With
E2EE, data is encrypted on the sender's device and can only be decrypted by the
intended recipient(s).&lt;/span>&lt;/span>&lt;/p>&lt;p style="text-align: justify;">&lt;span style="font-family: Arial, Helvetica, sans-serif; font-size: 14px;">&lt;span style="font-size: 14px;">WhatsApp and Signal both employ E2EE to ensure secure
communication. When a message is sent, it is encrypted on the sender's device
using a unique lock and key. Only the intended recipient(s) can decrypt the
message using their private key. This ensures private and protected
conversations, with only the sender and recipient(s) having access to the
decrypted content.&lt;/span>&lt;/span>&lt;/p>&lt;p style="text-align: justify;">&lt;span style="font-family: Arial, Helvetica, sans-serif; font-size: 14px;">&lt;span style="font-size: 14px;">These apps argue that accessing user messages without
compromising E2EE would be technically infeasible and go against their
commitment to user privacy and security. Breaking the encryption would
undermine the trust placed in their platforms. It's important to note that
these platforms serve billions of users worldwide, with only a small percentage
residing in the UK. Given the choice between compromising security or
protecting their global user base, WhatsApp and similar providers seem inclined
to prioritize the security and privacy of their non-UK users.&lt;/span>&lt;/span>&lt;/p>&lt;p style="text-align: justify;">&lt;span style="font-family: Arial, Helvetica, sans-serif; font-size: 14px;">&lt;span style="font-size: 14px;">The government insists emphasizes the need to balance
privacy with public safety, particularly in combating crimes like child sexual
abuse. Although the Bill does not explicitly ban E2EE, the provisions create
uncertainty.&lt;/span>&lt;/span>&lt;/p>&lt;p style="text-align: justify;">&lt;span style="font-family: Arial, Helvetica, sans-serif; font-size: 14px;">&lt;span style="font-size: 14px;">As a result, messaging apps firmly assert that they
would not compromise the integrity of their encryption and the privacy of their
users' communications. A constructive resolution is necessary to address these
concerns and find a middle ground that respects privacy while ensuring online safety.&lt;/span>&lt;/span>&lt;/p>&lt;hr style="">&lt;p style="text-align: justify;">&lt;span style="font-family: Arial, Helvetica, sans-serif; font-size: 14px;">&lt;span style="font-size: 14px;">


&lt;strong>[1]&lt;/strong>&lt;span style="font-size: 14px;"> https://www.theguardian.com/technology/2023/may/08/whatsapp-could-disappear-uk-over-privacy-concerns-ministers-told&lt;/span>&lt;/span>&lt;/span>&lt;/p>&lt;hr>&lt;p>&lt;span style="font-family: Arial, Helvetica, sans-serif; font-size: 14px;">&lt;strong>Tagged with&lt;/strong>:&nbsp;&lt;span style="box-sizing: border-box; color: rgb(0, 0, 0); font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: justify; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; background-color: rgb(255, 255, 255); text-decoration-thickness: initial; text-decoration-style: initial; text-decoration-color: initial; font-size: 14px;">&lt;a href="https://turkishlawblog.com/contributors/detail/kavlak-law-firm" target="_blank" style="color: rgb(2, 102, 132);">Kavlak Law Firm&lt;/a>&lt;/span>&lt;span style="box-sizing: border-box; color: rgb(0, 0, 0); font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: justify; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; background-color: rgb(255, 255, 255); text-decoration-thickness: initial; text-decoration-style: initial; text-decoration-color: initial; font-size: 14px;">,&nbsp;&lt;/span>&lt;span style="font-size: 14px;">&lt;a href="https://turkishlawblog.com/writer/detail/doganer-doganay" target="_blank" style="color: rgb(2, 102, 132);">Doğaner Doğanay&lt;/a>&lt;/span>&lt;span style="font-size: 14px;">,&nbsp;&lt;/span>&lt;a href="https://turkishlawblog.com/writer/detail/ayse-aybuke-cilingir" target="_blank" style="color: rgb(2, 102, 132);">Özge Keskin&lt;/a>,&lt;span style="font-size: 14px;">&nbsp;&lt;/span>&lt;/span>&lt;span style="font-size: 14px;">&lt;a href="https://turkishlawblog.com/insights/category/data-protection-privacy" target="_blank" style="color: rgb(2, 102, 132); font-family: Arial, Helvetica, sans-serif; font-size: 14px;">Data Protection &amp; Privacy&lt;/a>&lt;span style="font-family: Arial, Helvetica, sans-serif; font-size: 14px;">,&nbsp;&lt;/span>&lt;/span>&lt;br>&lt;/p>

The proposed Online Safety Bill in the UK raises concerns that encrypted messaging app companies like WhatsApp may cease their services if the bill is not amended. The bill aims to enhance internet safety and hold companies accountable for content shared on their platforms. It grants regulatory power to the Office of Communications (Ofcom) to enforce measures against terrorism and child sexual abuse content. However, messaging apps relying on end-to-end encryption (E2EE) face challenges in complying with these regulations. E2EE ensures secure communication and data privacy, and breaking it would compromise user trust. Finding a middle ground is crucial to balance privacy and online safety.

The Encryption Paradox: Messaging Apps at a Crossroads in the UK

&lt;p style="text-align: justify;">&lt;span style="font-family: Arial, Helvetica, sans-serif; font-size: 14px;">&lt;span style="font-size: 14px;">According to the UK data protection legislation, each
controller and each processor must implement appropriate technical and
organizational measures to ensure a level of security appropriate to the risks
arising from the processing of personal data. In the rapidly advancing digital
landscape where cyber security has become increasingly complex, ensuring the
security of data is crucial for data controllers and processors. It is important for data
controllers and data processors to acknowledge and address new arising risks in
order to comply with the data protection regulations in light of cyber security.&lt;/span>&lt;/span>&lt;/p>&lt;p style="text-align: justify;">&lt;span style="font-family: Arial, Helvetica, sans-serif; font-size: 14px;">&lt;span style="font-size: 14px;">
The UK National Cyber Security Center (“&lt;/span>&lt;strong style="font-size: 14px;">NCSC&lt;/strong>&lt;span style="font-size: 14px;">&lt;span style="font-size: 14px;">”) highlights
the usefulness of a data-driven approach in addressing this challenge[1].
Data-driven cybersecurity (“&lt;/span>&lt;strong>DDC&lt;/strong>&lt;span style="font-size: 14px;">”) is an approach to cybersecurity that uses
scientific method and data analysis to make evidence-based decisions. It
involves leveraging high-quality data to generate actionable insights that can
help organizations to better understand their cybersecurity posture and make
informed decisions. By using big data to analyse cybersecurity practices,
data-driven cybersecurity seeks to improve outcomes, transparency, and trust.
DDC can be implemented in different ways based on an organization's priorities,
resources, and risks.&lt;/span>&lt;/span>&lt;/span>&lt;/p>&lt;p style="text-align: justify;">&lt;span style="font-family: Arial, Helvetica, sans-serif; font-size: 14px;">&lt;span style="font-size: 14px;">&lt;span style="font-size: 14px;">To facilitate the DDC journey, NCSC has developed a
maturity model that helps organizations assess their level of data-driven
cybersecurity maturity. It can be used to:&lt;/span>&lt;/span>&lt;/span>&lt;/p>&lt;ul style="list-style-type: square;">&lt;li style="margin-left: 20px; text-align: justify;">&lt;span style="font-family: Arial, Helvetica, sans-serif; font-size: 14px;">&lt;span style="font-size: 14px;">&lt;span style="font-size: 14px;">&lt;span style="font-size: 14px;">
assess
the current level of DDC maturity in an organisation ('&lt;/span>&lt;em>As is&lt;/em>&lt;span style="font-size: 14px;">')&lt;/span>&lt;/span>&lt;/span>&lt;/span>&lt;/li>&lt;li style="margin-left: 20px; text-align: justify;">&lt;span style="font-family: Arial, Helvetica, sans-serif; font-size: 14px;">&lt;span style="font-size: 14px;">&lt;span style="font-size: 14px;">&lt;span style="font-size: 14px;">
decide
what level of maturity will be required in future ('&lt;/span>&lt;em>To be&lt;/em>&lt;span style="font-size: 14px;">')&lt;/span>&lt;/span>&lt;/span>&lt;/span>&lt;/li>&lt;li style="margin-left: 20px; text-align: justify;">&lt;span style="font-family: Arial, Helvetica, sans-serif; font-size: 14px;">&lt;span style="font-size: 14px;">&lt;span style="font-size: 14px;">&lt;span style="font-size: 14px;">
determine
which steps could be taken to reach the desired maturity level (‘&lt;/span>&lt;em>Gap analysis&lt;/em>&lt;span style="font-size: 14px;">’)&lt;/span>&lt;/span>&lt;/span>&lt;/span>&lt;/li>&lt;/ul>&lt;p style="text-align: justify;">&lt;span style="font-family: Arial, Helvetica, sans-serif; font-size: 14px;">&lt;span style="font-size: 14px;">&lt;span style="font-size: 14px;">This model takes into account various factors such as
communication, people, security and compliance, platform and data processing
tools, integration, and data structure. By asking key questions related to
these pillars, organizations can identify gaps and take steps to improve their
cybersecurity posture.&lt;/span>&lt;/span>&lt;/span>&lt;/p>&lt;ul style="list-style-type: square;">&lt;li style="margin-left: 20px; text-align: justify;">&lt;span style="font-family: Arial, Helvetica, sans-serif; font-size: 14px;">&lt;span style="font-size: 14px;">&lt;span style="font-size: 14px;">Can
you list all your assets (like devices) and report on their status?&lt;/span>&lt;/span>&lt;/span>&lt;/li>&lt;li style="margin-left: 20px; text-align: justify;">&lt;span style="font-family: Arial, Helvetica, sans-serif; font-size: 14px;">&lt;span style="font-size: 14px;">&lt;span style="font-size: 14px;">
Can
you list all your RDP ports? Can you see which ones are open?&lt;/span>&lt;/span>&lt;/span>&lt;/li>&lt;li style="margin-left: 20px; text-align: justify;">&lt;span style="font-family: Arial, Helvetica, sans-serif; font-size: 14px;">&lt;span style="font-size: 14px;">&lt;span style="font-size: 14px;">
Can
you show a diagram of the segmentation of your network? If part of it was
affected by ransomware, would you be confident the other parts would be
unaffected? Could you check to be sure?&lt;/span>&lt;/span>&lt;/span>&lt;/li>&lt;li style="margin-left: 20px; text-align: justify;">&lt;span style="font-family: Arial, Helvetica, sans-serif; font-size: 14px;">&lt;span style="font-size: 14px;">&lt;span style="font-size: 14px;">
If
you were told there was a specific vulnerability on at least one device on your
network, would you be able to identify it from the versions of software
products on each device?&lt;/span>&lt;/span>&lt;/span>&lt;/li>&lt;li style="margin-left: 20px; text-align: justify;">&lt;span style="font-family: Arial, Helvetica, sans-serif; font-size: 14px;">&lt;span style="font-size: 14px;">&lt;span style="font-size: 14px;">
Do
you know which vulnerabilities your organisation has, how widespread they are,
and on which devices?&lt;/span>&lt;/span>&lt;/span>&lt;/li>&lt;li style="margin-left: 20px; text-align: justify;">&lt;span style="font-family: Arial, Helvetica, sans-serif; font-size: 14px;">&lt;span style="font-size: 14px;">&lt;span style="font-size: 14px;">
Do
you receive threat intelligence? How do you determine if it is relevant to your
organisation? Can you quickly determine how many (and which) of your devices
and networks are affected?&lt;/span>&lt;/span>&lt;/span>&lt;/li>&lt;li style="margin-left: 20px; text-align: justify;">&lt;span style="font-family: Arial, Helvetica, sans-serif; font-size: 14px;">&lt;span style="font-size: 14px;">&lt;span style="font-size: 14px;">Is
your cyber security data analysis posture sustainable? Do you have skilled
staff working on it? Can you maintain the team?&lt;/span>&lt;/span>&lt;/span>&lt;/li>&lt;/ul>&lt;hr>&lt;p style="text-align: justify;">&lt;span style="font-family: Arial, Helvetica, sans-serif; font-size: 14px;">&lt;span style="font-size: 14px;">&lt;span style="font-size: 14px;">&lt;strong>[1]&lt;/strong>&lt;span style="font-size: 14px;"> https://www.ncsc.gov.uk/blog-post/data-driven-cyber-transforming-cyber-security-through-an-evidence-based-approach&lt;/span>&lt;/span>&lt;span style="font-size: 14px;">&lt;br>&lt;/span>&lt;/span>&lt;/span>&lt;/p>&lt;hr>&lt;p>&lt;span style="font-family: Arial, Helvetica, sans-serif; font-size: 14px;">&lt;strong>Tagged with&lt;/strong>:&nbsp;&lt;span style="box-sizing: border-box; color: rgb(0, 0, 0); font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: justify; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; background-color: rgb(255, 255, 255); text-decoration-thickness: initial; text-decoration-style: initial; text-decoration-color: initial; font-size: 14px;">&lt;a href="https://turkishlawblog.com/contributors/detail/kavlak-law-firm" target="_blank" style="color: rgb(2, 102, 132);">Kavlak Law Firm&lt;/a>&lt;/span>&lt;span style="box-sizing: border-box; color: rgb(0, 0, 0); font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: justify; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; background-color: rgb(255, 255, 255); text-decoration-thickness: initial; text-decoration-style: initial; text-decoration-color: initial; font-size: 14px;">,&nbsp;&lt;/span>&lt;span style="font-size: 14px;">&lt;a href="https://turkishlawblog.com/writer/detail/ayse-aybuke-cilingir" target="_blank" style="color: rgb(2, 102, 132);">Ayşe Aybüke Çilingir&lt;/a>&lt;/span>&lt;span style="font-size: 14px;">, &lt;/span>&lt;/span>&lt;span style="font-family: Arial, Helvetica, sans-serif; font-size: 14px;">&lt;span style="font-family: Arial, Helvetica, sans-serif; font-size: 14px;">&lt;a href="https://turkishlawblog.com/writer/detail/ayse-aybuke-cilingir" target="_blank" style="color: rgb(2, 102, 132);">Özge Keskin&lt;/a>,&nbsp;&lt;a href="https://turkishlawblog.com/insights/category/data-protection-privacy" target="_blank" style="color: rgb(2, 102, 132); font-size: 14px;">Data Protection &amp; Privacy&lt;/a>&lt;span style="font-size: 14px;">,&lt;/span>&nbsp;&lt;/span>&lt;a href="https://turkishlawblog.com/insights/category/data-protection-privacy" target="_blank" style="color: rgb(2, 102, 132); font-family: Arial, Helvetica, sans-serif; font-size: 14px;">Cyber Security&lt;/a>&lt;/span>&lt;br>&lt;/p>

Data controllers and processors in the UK are required to implement appropriate technical and organizational measures to ensure data security in compliance with data protection regulations. The UK National Cyber Security Center recommends a data-driven cybersecurity approach to address the challenges of cybersecurity in a rapidly advancing digital landscape. By leveraging high-quality data to generate actionable insights, data-driven cybersecurity seeks to improve outcomes, transparency, and trust. The NCSC has developed a maturity model that helps organizations assess their level of data-driven cybersecurity maturity and identify gaps in their cybersecurity posture based on factors such as communication, people, security and compliance, platform and data processing tools, integration, and data structure.

Data Driven Cyber Security

&lt;p style="text-align: justify;">&lt;span style="font-family: Arial, Helvetica, sans-serif; font-size: 14px;">&lt;span style="font-size: 14px;">The Online Safety Bill (“the &lt;/span>&lt;strong>Bill&lt;/strong>&lt;span style="font-size: 14px;">”) was introduced to
the UK parliament in May 2019 and with the latest update, published on March
27, 2023, aims to provide a safer internet for all users, particularly
children. In the latest version of the Bill, there are regulations intended to
ensure internet security for children, as well as obligations for internet
service providers and search engine providers to enhance internet security. One
of the main aims of the Bill is to create a safer environment on social media
platforms for both children and adults.&lt;/span>&lt;/span>&lt;/p>&lt;h2 style="text-align: justify;">&lt;span style="font-family: Arial, Helvetica, sans-serif; font-size: 14px;">&lt;span style="font-size: 14px;">&lt;strong style="">
One Step Back&lt;/strong>&lt;/span>&lt;/span>&lt;/h2>&lt;p style="text-align: justify;">&lt;span style="font-family: Arial, Helvetica, sans-serif; font-size: 14px;">&lt;span style="font-size: 14px;">The Bill envisages a safer space for all users. One of
the striking points of these regulatory actions was the suicide of a teenager
in the UK. In the investigation on the suicide of a fourteen-year-old girl, who
ended her life in 2017, it was revealed that the "self-harm" and
"suicide" content suggested to her on Instagram had a significant
impact on her ending her life.[1]&lt;/span>&lt;/span>&lt;/p>&lt;p style="text-align: justify;">&lt;span style="font-family: Arial, Helvetica, sans-serif; font-size: 14px;">&lt;span style="font-size: 14px;">In 2018, a year after this incident, the scandal
emerged that the political consultancy firm Cambridge Analytica collected
personal data from Facebook without the consent of users for the purpose of
creating and targeting voter profiles.[2] It
was believed that the data of up to 87 million people was improperly shared.&lt;/span>&lt;/span>&lt;/p>&lt;h2 style="text-align: justify;">&lt;span style="font-family: Arial, Helvetica, sans-serif; font-size: 14px;">&lt;span style="font-size: 14px;">&lt;strong style="">
Scope of the Online Safety Bill&lt;/strong>&lt;/span>&lt;/span>&lt;/h2>&lt;p style="text-align: justify;">&lt;span style="font-family: Arial, Helvetica, sans-serif; font-size: 14px;">&lt;span style="font-size: 14px;">The Bill imposes legal requirements to search engine
providers and internet service providers that allow users to encounter content
created, uploaded or shared by other users. Companies in scope can either be
categorised as category 1 services or category 2 services where category 1
services will include the largest platforms with the most users and will be
subject to higher obligations. Therefore, the Bill can affect not only Big Tech
companies but also many medium and small companies. In this regard messaging
services, websites, platforms and online forums where users interact can be
encompassed too.&lt;/span>&lt;/span>&lt;/p>&lt;p style="text-align: justify;">&lt;span style="font-family: Arial, Helvetica, sans-serif; font-size: 14px;">&lt;span style="font-size: 14px;">In addition to UK service providers, the Bill applies
to providers of regulated services based outside the UK where they fall within
scope of the Bill, for example, because such services target the UK or they
have a significant number of UK users.&lt;/span>&lt;/span>&lt;/p>&lt;h2 style="text-align: justify;">&lt;span style="font-family: Arial, Helvetica, sans-serif; font-size: 14px;">&lt;span style="font-size: 14px;">&lt;strong style="">The Requirements for the Companies to Comply&lt;/strong>&lt;/span>&lt;/span>&lt;/h2>&lt;p style="text-align: justify;">&lt;span style="font-family: Arial, Helvetica, sans-serif; font-size: 14px;">&lt;span style="font-size: 14px;">Companies within the scope of the Bill have many obligations,
some of the more dire ones are listed below.&lt;/span>&lt;/span>&lt;/p>&lt;p style="text-align: justify;">&lt;span style="font-family: Arial, Helvetica, sans-serif; font-size: 14px;">&lt;span style="font-size: 14px;">• Quickly removing and
preventing the appearance of illegal content within the scope of the crimes
specified as priority crimes in the Bill,&lt;/span>&lt;/span>&lt;/p>&lt;p style="text-align: justify;">&lt;span style="font-family: Arial, Helvetica, sans-serif; font-size: 14px;">&lt;span style="font-size: 14px;">• Prevent children from
accessing content that is not illegal but not age appropriate and harmful (such
as pornographic content, online harassment, cyberbullying or online harassment,
or content that promotes or glorifies suicide, self-harm or eating disorders),&lt;/span>&lt;/span>&lt;/p>&lt;p style="text-align: justify;">&lt;span style="font-family: Arial, Helvetica, sans-serif; font-size: 14px;">&lt;span style="font-size: 14px;">• Implement age limits and age
control measures,&lt;/span>&lt;/span>&lt;/p>&lt;p style="text-align: justify;">&lt;span style="font-family: Arial, Helvetica, sans-serif; font-size: 14px;">&lt;span style="font-size: 14px;">• Ensure greater transparency
of risks and hazards to children, including publishing risk assessments,&lt;/span>&lt;/span>&lt;/p>&lt;p style="text-align: justify;">&lt;span style="font-family: Arial, Helvetica, sans-serif; font-size: 14px;">&lt;span style="font-size: 14px;">• Provide clear and accessible
ways for parents and children to report problems online as they arise.&lt;/span>&lt;/span>&lt;/p>&lt;p style="text-align: justify;">&lt;span style="font-family: Arial, Helvetica, sans-serif; font-size: 14px;">&lt;span style="font-size: 14px;">The obligation to remove legal but harmful content,
which was previous version of the bill, was introduced. In the revised version
of Bill, if the companies promise to prevent certain types of content in the
terms of service of the platforms, the relevant regulation has been revised by
making it obligatory to remove these contents.&lt;/span>&lt;/span>&lt;/p>&lt;p style="text-align: justify;">&lt;span style="font-family: Arial, Helvetica, sans-serif; font-size: 14px;">&lt;span style="font-size: 14px;">
When we look at the adult protections, category 1
services will be required to facilitate a “triple shield” method. Platforms have
the obligation to remove all illegal content, remove content that is banned by
their own terms and conditions and give the power to adult internet users with
tools so that they can tailor the type of content they see and the type that
they can avoid. This way the potentially harmful content can be avoided if they
do not want to see it on their feeds. Children will be automatically prevented
from seeing this content without a mechanism to change any settings.&lt;/span>&lt;/span>&lt;/p>&lt;h2 style="text-align: justify;">&lt;span style="font-family: Arial, Helvetica, sans-serif; font-size: 14px;">&lt;span style="font-size: 14px;">&lt;strong style="">New Offenses Under the Bill&lt;/strong>&lt;/span>&lt;/span>&lt;/h2>&lt;p style="text-align: justify;">&lt;span style="font-family: Arial, Helvetica, sans-serif; font-size: 14px;">&lt;span style="font-size: 14px;">New criminal offences have been introduced under the
Bill. If the Bill becomes law, the sharing of pornographic deep fake images and
cyberflashing - which means sending obscene photos to people via airdrop - will
be considered a crime. In addition false communications offence, aimed at
protecting individuals from any communications where the sender intended to
cause harm by sending something knowingly false similar to libel/slander and assisting
or encouraging self-harm online are on the Bill.&lt;/span>&lt;/span>&lt;/p>&lt;h2 style="text-align: justify;">&lt;span style="font-family: Arial, Helvetica, sans-serif; font-size: 14px;">&lt;span style="font-size: 14px;">&lt;strong style="">
The Consequence of Non-Compliance for Companies&lt;/strong>&lt;/span>&lt;/span>&lt;/h2>&lt;p style="text-align: justify;">&lt;span style="font-family: Arial, Helvetica, sans-serif; font-size: 14px;">&lt;span style="font-size: 14px;">&lt;span style="font-size: 14px;">Companies that fail to meet obligations could face
fines of up to £18m or 10% of global annual turnover, whichever is higher. At
the same time, business interruption measures may be taken against them,
including the prevention of inappropriate services.&lt;/span>&lt;/span>&lt;/span>&lt;/p>&lt;p style="text-align: justify;">&lt;span style="font-family: Arial, Helvetica, sans-serif; font-size: 14px;">&lt;span style="font-size: 14px;">&lt;span style="font-size: 14px;">The Bill, which does not impose sanctions only on
companies, imposes criminal sanctions against senior executives who do not
comply with the Office of Communications (“&lt;/span>&lt;strong>Ofcom&lt;/strong>&lt;span style="font-size: 14px;">”) information requests or
deliberately destroy or hide information. In addition, the government has
promised to introduce an amendment to the Bill which will provide for jail
terms of up to two years for executives whose companies do not comply with
child protection rules.&lt;/span>&lt;/span>&lt;/span>&lt;/p>&lt;h2 style="text-align: justify;">&lt;span style="font-family: Arial, Helvetica, sans-serif; font-size: 14px;">&lt;span style="font-size: 14px;">&lt;span style="font-size: 14px;">&lt;strong style="">Conclusion&lt;/strong>&lt;/span>&lt;/span>&lt;/span>&lt;/h2>&lt;p style="text-align: justify;">&lt;span style="font-family: Arial, Helvetica, sans-serif; font-size: 14px;">&lt;span style="font-size: 14px;">&lt;span style="font-size: 14px;">The Online Safety Bill was published by the UK in 2019
as the world's first Online Safety Bill. Since the Bill, which is still not
enacted, is expected to become law this year, companies covered by the Bill may
have to comply with the obligations. For this reason, companies that have titles
such as internet service provider and search engine provider must move on with
risk assessments, assess which category that they fall under, set up systems to
monitor contents evaluate their existing services at this point and displaying
a risk-based approach will prevent the companies from facing sanctions.&lt;/span>&lt;/span>&lt;/span>&lt;/p>&lt;hr>&lt;p style="text-align: justify;">&lt;span style="font-family: Arial, Helvetica, sans-serif; font-size: 14px;">&lt;span style="font-size: 14px;">&lt;strong>[1]&lt;/strong>&lt;span style="font-size: 14px;"> https://www.bbc.com/news/uk-england-london-63073489&lt;/span>&lt;/span>&lt;/span>&lt;/p>&lt;p style="text-align: justify;">&lt;span style="font-family: Arial, Helvetica, sans-serif; font-size: 14px;">&lt;span style="font-size: 14px;">&lt;strong>[2]&lt;/strong>&lt;span style="font-size: 14px;"> https://www.bbc.com/news/technology-64075067&lt;/span>&lt;/span>&lt;span style="font-size: 14px;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&lt;/span>&lt;/span>&lt;/p>

The Online Safety Bill was introduced to the UK parliament in May 2019 and with the latest update, published on March 27, 2023, aims to provide a safer internet for all users, particularly children.

UK Online Safety Bill Introduces a New Online Regimen

&lt;p style="text-align: justify;">&lt;span style="font-family: Arial, Helvetica, sans-serif; font-size: 14px;">&lt;span style="font-size: 14px;">Avrupa
Veri Koruma Denetçisi Ofisi (“&lt;/span>&lt;strong style="font-size: 14px;">EDPS&lt;/strong>&lt;span style="font-size: 14px;">&lt;span style="font-size: 14px;">&lt;span style="font-size: 14px;">”), Avrupa Veri Koruma Komisyonu'nun (“&lt;/span>&lt;strong style="font-size: 14px;">EDPB&lt;/strong>&lt;span style="font-size: 14px;">&lt;span style="font-size: 14px;">”)
Veri Koruma Görevlilerinin (“&lt;/span>&lt;strong>DPO&lt;/strong>&lt;span style="font-size: 14px;">”) atanması ve pozisyonuna ilişkin, Avrupa
Ekonomik Alanı (“&lt;/span>&lt;/span>&lt;/span>&lt;strong style="font-size: 14px;">EU/EEA&lt;/strong>&lt;span style="font-size: 14px;">&lt;span style="font-size: 14px;">”) içerisinden 26 Veri Koruma Otoritesi’nin yer alacağı Koordine
Yaptırım Eylemi’ne katılacağını duyurdu.&lt;/span>&lt;/span>&lt;/span>&lt;/span>&lt;/p>&lt;p style="text-align: justify;">&lt;span style="font-family: Arial, Helvetica, sans-serif; font-size: 14px;">&lt;span style="font-size: 14px;">&lt;span style="font-size: 14px;">&lt;span style="font-size: 14px;">
Koordine
Yaptırım Eylemi, EDPS'nin aktif olarak yer aldığı, EDPB'nin Koordine Yaptırım
Çerçevesinin (“&lt;/span>&lt;strong style="font-size: 14px;">CEF&lt;/strong>&lt;span style="font-size: 14px;">&lt;span style="font-size: 14px;">”) bir parçasıdır. Koordine Yaptırım Eylemi ile CEF, EU/EEA'nın
Veri Koruma Otoriteleri arasındaki yaptırım eylemlerini ve işbirliğini
kolaylaştırmayı amaçlamaktadır.&lt;/span>&lt;/span>&lt;/span>&lt;/span>&lt;/span>&lt;/p>&lt;p style="text-align: justify;">&lt;span style="font-family: Arial, Helvetica, sans-serif; font-size: 14px;">&lt;span style="font-size: 14px;">&lt;span style="font-size: 14px;">&lt;span style="font-size: 14px;">&lt;span style="font-size: 14px;">&lt;span style="font-size: 14px;">Veri
Koruma Görevlileri, kişisel verilerin korunması mevzuatına uyuma katkıda
bulunmak ve veri sahibi haklarının etkili bir şekilde korunmasını teşvik etmek amacıyla,
veri koruma otoriteleri, bireyler ve kuruluşların iş birimleri arasında aracı
görevi görür. EDPS bünyesinde çalışan Wojciech Wiewiórowski, DPO’ların rolü
hakkında şunları söylemiştir; “&lt;/span>&lt;em>Bir veri koruma görevlisinin rolü, kişisel
verilerin korunması mevzuatının EU’daki kuruluşlar ve EU kurumları, organları,
ofisleri ve ajansları (“&lt;/em>&lt;/span>&lt;strong style="">&lt;em>EUI&lt;/em>&lt;/strong>&lt;span style="font-size: 14px;">&lt;em>”) içinde uygulanmasını sağlamada çok önemlidir.
Veri koruma görevlileri, EU Veri Koruma Regülasyonu ile uygulaması arasındaki
boşluğu doldurarak, bireylerin mahremiyetinin ve kişisel verilerinin etkili bir
şekilde korunmasını teşvik etmeye yardımcı olur. Bu nedenle, kişisel verilerin
korunması mevzuatının, ilkelerinin ve iyi uygulamaların EU/EEA genelinde istikrarlı
ve tutarlı bir şekilde uygulanmasını kolaylaştırmak amacıyla EDBP ile iş
birliği yapıyoruz.&lt;/em>&lt;span style="font-size: 14px;">”&lt;/span>&lt;/span>&lt;/span>&lt;/span>&lt;/span>&lt;/span>&lt;/p>&lt;p style="text-align: justify;">&lt;span style="font-family: Arial, Helvetica, sans-serif; font-size: 14px;">&lt;span style="font-size: 14px;">&lt;span style="font-size: 14px;">&lt;span style="font-size: 14px;">&lt;span style="font-size: 14px;">
EDPS,
EDBP’nin Koordine Yaptırım Eylemi’ne katılımı ile, DPO'nun temel işlevi
nedeniyle EU’daki DPO'ların rolüne, sorumluluklarına ve görevlerine
odaklanacaktır. DPO'ların yürürlükteki kişisel verilerin korunması mevzuatına
uyup uymadığını, GDPR'ın 37-39. maddelerine göre görevlerini yerine getirmek
için gerekli duruma ve gerekli kaynaklara sahip olup olmadığını değerlendirmek
için, katılan DPA'lar pek çok yöntem izlemesi söz konusudur. Bunlardan birkaçı
ise şu şekildedir;&lt;/span>&lt;/span>&lt;/span>&lt;/span>&lt;/span>&lt;/p>&lt;ul style="list-style-type: square;">&lt;li style="margin-left: 20px; text-align: justify;">&lt;span style="font-family: Arial, Helvetica, sans-serif; font-size: 14px;">&lt;span style="font-size: 14px;">&lt;span style="font-size: 14px;">&lt;span style="font-size: 14px;">&lt;span style="font-size: 14px;">Resmi bir soruşturmanın gerekip gerekmediğini belirlemeye yardımcı olmak için
DPO'lara bilgi toplayıcı ve belirleyici soru listesi göndermek,&lt;/span>&lt;/span>&lt;/span>&lt;/span>&lt;/span>&lt;/li>&lt;li style="margin-left: 20px; text-align: justify;">&lt;span style="font-family: Arial, Helvetica, sans-serif; font-size: 14px;">&lt;span style="font-size: 14px;">&lt;span style="font-size: 14px;">&lt;span style="font-size: 14px;">&lt;span style="font-size: 14px;">
Resmi soruşturmaların başlatılması,&lt;/span>&lt;/span>&lt;/span>&lt;/span>&lt;/span>&lt;/li>&lt;li style="margin-left: 20px; text-align: justify;">&lt;span style="font-family: Arial, Helvetica, sans-serif; font-size: 14px;">&lt;span style="font-size: 14px;">&lt;span style="font-size: 14px;">&lt;span style="font-size: 14px;">&lt;span style="font-size: 14px;">
Devam eden soruşturmaların takibi.&lt;/span>&lt;/span>&lt;/span>&lt;/span>&lt;/span>&lt;/li>&lt;/ul>&lt;p style="text-align: justify;">&lt;span style="font-family: Arial, Helvetica, sans-serif; font-size: 14px;">&lt;span style="font-size: 14px;">&lt;span style="font-size: 14px;">&lt;span style="font-size: 14px;">&lt;span style="font-size: 14px;">Bu
yöntemler DPO'ların bağımsızlığının, tavsiye süreçlerinin ve EUI’lerin
bireylerin kişisel verilerinin işlenmesi kapsamındaki faaliyetleri ışığında görevlerini
yerine getirme süreçlerinin kontrol edilmesini içerebilir.&lt;/span>&lt;/span>&lt;/span>&lt;/span>&lt;/span>&lt;/p>&lt;p style="text-align: justify;">&lt;span style="font-family: Arial, Helvetica, sans-serif; font-size: 14px;">&lt;span style="font-size: 14px;">&lt;span style="font-size: 14px;">&lt;span style="font-size: 14px;">&lt;span style="font-size: 14px;">Bu
ortak girişimin sonuçları koordineli bir şekilde analiz edilecek ve DPA'lar
daha fazla ulusal denetim ve yaptırım eyleminin gerekli olup olmadığına karar
verecektir. Ek olarak, toplanan sonuçlar konu hakkında daha derin içgörüler
sağlayacak ve EU düzeyinde hedeflenen takibe olanak sağlayacaktır.&lt;/span>&lt;/span>&lt;/span>&lt;/span>&lt;/span>&lt;/p>&lt;p style="text-align: justify;">&lt;span style="font-family: Arial, Helvetica, sans-serif; font-size: 14px;">&lt;span style="font-size: 14px;">&lt;span style="font-size: 14px;">&lt;span style="font-size: 14px;">&lt;span style="font-size: 14px;">
2022'de
yayınlanan ilk Koordine Yaptırım Eylemi, kamu sektörü tarafından bulut
hizmetlerinin kullanımına odaklandı ve ilk CEF girişiminin bulguları 18 Ocak
2023'te yayınlandı. Benzer şekilde, bu ikinci Koordine Yaptırım Eylemi’nin
veriler üzerindeki sonuçları koruma görevlileri işbirliği içinde analiz
edilecek ve bulgulara ilişkin bir rapor yayınlanacaktır.&lt;/span>&lt;/span>&lt;/span>&lt;/span>&lt;/span>&lt;/p>

Avrupa Veri Koruma Denetçisi Ofisi, Avrupa Veri Koruma Komisyonu'nun Veri Koruma Görevlilerinin atanması ve pozisyonuna ilişkin, Avrupa Ekonomik Alanı içerisinden 26 Veri Koruma Otoritesi’nin yer alacağı Koordine Yaptırım Eylemi’ne katılacağını duyurdu.

EDPS, Veri Koruma Görevlilerini Denetlemek İçin EDPB'nin Koordine Yaptırım Eylemine Katılıyor

Turkish Personal Data Protection Board (“Board”) evaluated a complaint regarding a private health institution obtaining explicit consent from patients unlawfully, in its decision dated 02.05.2023 and numbered 2023/692.

Turkish Data Protection Board Fines a Private Healthcare Institution for a Mandatory Checkbox

&lt;p style="text-align: justify;">&lt;span style="font-family: Arial, Helvetica, sans-serif; font-size: 14px;">Turkish Personal Data Protection Board (“&lt;strong>Board&lt;/strong>”) evaluated a notice regarding a private hospital obtaining explicit consent from patients for processing personal data, including health data, within the scope of advertising and promotion activities in its decision dated 11.05.2023 and numbered 2023/787.&lt;/span>&lt;/p>&lt;p style="text-align: justify;">&lt;span style="font-family: Arial, Helvetica, sans-serif; font-size: 14px;">In the notice, the data subject demanded action to be taken by stating that the private hospital data controller, through the patient consent forms, request explicit consent from the patients in order to share their photographs and videos with the contracted media organs for advertising and promotion purposes.&lt;/span>&lt;/p>&lt;p style="text-align: justify;">&lt;span style="font-family: Arial, Helvetica, sans-serif; font-size: 14px;">The Board made the following evaluations regarding the notice;&lt;/span>&lt;/p>&lt;ul style="list-style-type: square;">&lt;li style="margin-left: 20px; text-align: justify; line-height: 2;">&lt;span style="font-family: Arial, Helvetica, sans-serif; font-size: 14px;">In the case, patients’ explicit consent is requested with the “Informed Consent Form for the Protection of Personal Data Specific to Photograph/Video” presented by the data controller and in the form, it is stated that for marketing, advertising and promotion purposes, the photos/videos will be recorded and can be transferred to third parties, national, local and international media organs and social media platforms with which services are received, cooperated or contracted.&lt;/span>&lt;/li>&lt;li style="margin-left: 20px; text-align: justify; line-height: 2;">&lt;span style="font-family: Arial, Helvetica, sans-serif; font-size: 14px;">Pursuant to the Law on the Protection of Personal Data with no. 6698 (“&lt;strong>DPL&lt;/strong>”), explicit consent must be given with free will based on an informed decision; on the other hand, the processing must comply with the principles of lawfulness and fairness and the processing for specific, clear and legitimate purposes regulated in the DPL. Pursuant to the opinion of Article 29 Data Protection Working Party dated 03/2013, in the broadest sense, the principle for the processing for specific, clear and legitimate purposes means that the purposes must comply with legislations. In other words, if the personal data processing violates a sector-specific regulation, processing activity cannot be accepted to be lawful.&lt;/span>&lt;/li>&lt;li style="margin-left: 20px; text-align: justify; line-height: 2;">&lt;span style="font-family: Arial, Helvetica, sans-serif; font-size: 14px;">The Private Hospitals Regulation allows promotion and information by private hospitals if the information is about protecting and improving health; but prohibits carrying out promotional activities in the nature of advertising, with the purpose to create demand. Statements about the successful outcome of a treatment that include the patient's health problem and the doctor's explanations about the patient are beyond the scope of the information and promotion activities of health institutions allowed in the same legislation. In this respect, although private hospitals are prohibited from advertising pursuant to the sector-specific regulation, it is clear that health data and other personal data are processed by the data controller for advertising purposes, and the said processing activity is not in compliance with the legislation and does not have a legitimate purpose.&lt;/span>&lt;/li>&lt;li style="margin-left: 20px; text-align: justify; line-height: 2;">&lt;span style="font-family: Arial, Helvetica, sans-serif; font-size: 14px;">Further, the principle of processing to be related, limited and proportionate means that personal data that is not suitable or related to or necessary for the purpose, should not be processed; and principle of proportionality means establishing a reasonable balance between the data processing activity and the intended purpose. Therefore, even if personal data is processed related to a specific purpose based on the data subject’s explicit consent, the explicit consent does not legitimize excessive collection of data.&lt;/span>&lt;/li>&lt;li style="margin-left: 20px; text-align: justify; line-height: 2;">&lt;span style="font-family: Arial, Helvetica, sans-serif; font-size: 14px;">Therefore, although it was stated by the data controller that video recordings were made with the patients’ explicit consent, in order to raise public awareness of diseases that are rarely known in the society, and to provide information about the characteristics and treatment process of these diseases in a way that protects and improves health, processing health data is not necessary to achieve said purposes. Considering that there are alternative ways to achieve these purposes that do not require personal data processing and that the personal data processing is not necessary, this personal data processing activity violates the principle of proportionality.&lt;/span>&lt;/li>&lt;/ul>&lt;p style="text-align: justify;">&lt;span style="font-family: Arial, Helvetica, sans-serif; font-size: 14px;">In this regard, the Board adopted the following decision;&lt;/span>&lt;/p>&lt;ul style="list-style-type: square;">&lt;li style="margin-left: 20px; text-align: justify; line-height: 2;">&lt;span style="font-family: Arial, Helvetica, sans-serif; font-size: 14px;">Special categories of personal data is processed by the data controller by shooting videos about the data subject’s diseases and treatment processes and sharing them on its social media accounts. Although this data processing activity is based on the explicit consent of the data subject, private hospitals are prohibited from advertising according to the Private Hospitals Regulation. Therefore, the data subjects’ explicit consent is not valid and the data subjects’ personal data has been processed unlawfully, without any legal base. For this reason, the Board decided to impose an administrative fine of TRY 250.000 (approx. 8.635 EUR) on the data controller on the grounds that the data controller did not take the necessary technical and administrative measures for processing personal data lawfully.&lt;/span>&lt;/li>&lt;li style="margin-left: 20px; text-align: justify; line-height: 2;">&lt;span style="font-family: Arial, Helvetica, sans-serif; font-size: 14px;">The Board decided to instruct the data controller to terminate the processing of personal data for mentioned purposes; to destroy such personal data in accordance with the Regulation on the Deletion, Destruction or Anonymization of Personal Data; and if such personal data was transferred to third parties, to inform these third parties about these transactions.&lt;/span>&lt;/li>&lt;/ul>

Turkish Personal Data Protection Board (“Board”) evaluated a notice regarding a private hospital obtaining explicit consent from patients for processing personal data, including health data, within the scope of advertising and promotion activities in its decision dated 11.05.2023 and numbered 2023/787. In the notice, the data subject demanded action to be taken by stating that the private hospital data controller, through the patient consent forms, request explicit consent from the patients in order to share their photographs and videos with the contracted media organs for advertising and promotion purposes.

Turkish Data Protection Board Fines a Private Hospital for Making Videos about Patients’ Treatments

The Personal Data Protection Board assessed a complaint against a fitness center for processing blood type information without explicit consent, a special category of personal data. The Board imposed a fine of TRY 100.000 on the fitness center for not meeting obligations under Article 12 of the Law No. 6698 on the Protection of Personal Data. The center was instructed to provide a privacy notice and explicit consent separately as per the law and related guidelines. Allegations of improper data storage and unauthorized access to security camera footage were unproven.

A Fitness Center Processing Data Subject’s Blood Type

&lt;p style="text-align: justify;">&lt;span style="font-family: Arial, Helvetica, sans-serif; font-size: 14px;">Bugün Resmi Gazete’de yayımlanan Kişisel Verileri Koruma Kurulu’nun (“&lt;strong>Kurul&lt;/strong>”) 06 Temmuz 2023 tarihli ve 2023/1154 sayılı kararıyla Veri Sorumluları Sicili’ne (“&lt;strong>VERBİS&lt;/strong>”) kayıt yükümlülüğüne istisna getirilmesine kriter olarak kabul edilmiş olan “yıllık mali bilanço toplamı” tutarında, ülkemizdeki ekonomik koşullar doğrultusunda yeniden değerlendirme yapılmıştır.&lt;/span>&lt;/p>&lt;p style="text-align: justify;">&lt;span style="font-family: Arial, Helvetica, sans-serif; font-size: 14px;">İlgili kararla birlikte, daha önce Kurul’un 19 Temmuz 2018 tarihli ve 2018/87 sayılı kararıyla yıllık mali bilanço toplamı bakımından 25 milyon Türk Lirası olarak belirlenen istisna sınırı, 100 milyon Türk Lirası olarak değiştirilmiştir.&lt;/span>&lt;/p>&lt;p style="text-align: justify;">&lt;span style="font-family: Arial, Helvetica, sans-serif; font-size: 14px;">Bu doğrultuda, bugünden itibaren, “yıllık çalışan sayısı 50’den az ve yıllık mali bilanço toplamı 100 milyon Türk Lirası’ndan az olan gerçek veya tüzel kişi veri sorumlularından ana faaliyet konusu özel nitelikli kişisel veri işleme olmayanlar” VERBIS’e kayıt yükümlülüğünden istisnadır.  Veri sorumluları, istisnaya tabii olup olmadıklarını değerlendirirken, yürürlük tarihinden (25 Temmuz 2023) itibaren verecekleri beyannameleri dikkate almalıdır.&lt;/span>&lt;/p>&lt;p style="text-align: justify;">&lt;span style="font-family: Arial, Helvetica, sans-serif; font-size: 14px;">Bu istisna, yalnızca Türkiye’de faaliyet gösteren veri sorumluları için belirlenmiştir ve yabancı veri sorumlularını kapsamamaktadır.&lt;/span>&lt;/p>&lt;hr>&lt;p>&lt;span style="font-family: Arial, Helvetica, sans-serif; font-size: 14px;">&lt;strong>Tagged with&lt;/strong>:&nbsp;&lt;a href="https://turkishlawblog.com/contributors/detail/ozdagistanli-ekici-attorney-partnership" target="_blank" style="color: rgb(2, 102, 132); font-size: 14px;">Özdağıstanli Ekici Attorney Partnership&lt;/a>&lt;span style="font-size: 14px;">,&lt;/span>&nbsp;&lt;span style="font-size: 14px;">&lt;a href="https://turkishlawblog.com/writer/detail/burak-ozdagistanli" target="_blank" style="color: rgb(2, 102, 132);">Burak Özdağıstanli&lt;/a>,&lt;/span>&lt;span style="font-size: 14px;">&nbsp;&lt;/span>&lt;/span>&lt;span style="font-size: 14px;">&lt;a href="https://turkishlawblog.com/writer/detail/ebru-gumus" target="_blank" style="color: rgb(2, 102, 132); font-family: Arial, Helvetica, sans-serif; font-size: 14px;">Ebru Gümüş&lt;/a>&lt;span style="font-size: 14px;">&lt;span style="font-family: Arial, Helvetica, sans-serif; font-size: 14px;">,&nbsp;&lt;span style="font-size: 14px;">&lt;a href="https://turkishlawblog.com/insights/category/data-protection-privacy" target="_blank" style="color: rgb(2, 102, 132);">Personal Data&lt;/a>&lt;/span>&lt;span style="font-size: 14px;">,&nbsp;&lt;/span>&lt;/span>&lt;a href="https://turkishlawblog.com/insights/category/data-protection-privacy" target="_blank" style="color: rgb(2, 102, 132); font-family: Arial, Helvetica, sans-serif; font-size: 14px;">Data Protection &amp; Privacy&lt;/a>&lt;/span>&lt;/span>&lt;br>&lt;/p>

Bugün Resmi Gazete’de yayımlanan Kişisel Verileri Koruma Kurulu’nun (“Kurul”) 06 Temmuz 2023 tarihli ve 2023/1154 sayılı kararıyla Veri Sorumluları Sicili’ne (“VERBİS”) kayıt yükümlülüğüne istisna getirilmesine kriter olarak kabul edilmiş olan “yıllık mali bilanço toplamı” tutarında, ülkemizdeki ekonomik koşullar doğrultusunda yeniden değerlendirme yapılmıştır.

VERBIS'e Kayıt Şartlarında Değişiklik

&lt;p style="text-align: justify; line-height: 2;">&lt;span style="font-family: Arial, Helvetica, sans-serif; font-size: 14px;">&lt;span style="font-size: 14px;">Turkish Personal Data Protection Board’s (“&lt;/span>&lt;strong style="font-size: 14px;">Board&lt;/strong>&lt;span style="font-size: 14px;">&lt;span style="font-size: 14px;">&lt;span style="font-size: 14px;">”) decision dated 06 July 2023 and numbered 2023/1154, that was published on the Official Gazette today, reevaluated “&lt;/span>&lt;em>annual financial balance sheet total&lt;/em>&lt;span style="font-size: 14px;">” amount, which was accepted as a criterion to be exempt from the obligation to register with the Data Controllers Registry (“&lt;/span>&lt;/span>&lt;strong style="font-size: 14px;">VERBIS&lt;/strong>&lt;span style="font-size: 14px;">”), due to economic conditions in the country. &lt;/span>&lt;/span>&lt;/span>&lt;/p>&lt;p style="text-align: justify; line-height: 2;">&lt;span style="font-family: Arial, Helvetica, sans-serif; font-size: 14px;">&lt;span style="font-size: 14px;">&lt;span style="font-size: 14px;">   With this decision, the exemption limit is amended to 100.000.000 Turkish Liras for the annual financial balance sheet, which was previously determined as 25.000.000 Turkish Liras with the Board's decision dated 19 July 2018 and numbered 2018/87. &lt;/span>&lt;/span>&lt;/span>&lt;/p>&lt;p style="text-align: justify; line-height: 2;">&lt;span style="font-family: Arial, Helvetica, sans-serif; font-size: 14px;">&lt;span style="font-size: 14px;">&lt;span style="font-size: 14px;">&lt;span style="font-size: 14px;">   In this context, as of today, “&lt;/span>&lt;em>natural person or legal entity data controllers -whose main field of activity is not processing special personal data- with less than 50 employees annually and annual financial balance sheet total less than TRY 100.000.000&lt;/em>&lt;span style="font-size: 14px;">” are exempted from the obligation to register to VERBIS. &lt;/span>&lt;/span>&lt;/span>&lt;/span>&lt;/p>&lt;p style="text-align: justify; line-height: 2;">&lt;span style="font-family: Arial, Helvetica, sans-serif; font-size: 14px;">&lt;span style="font-size: 14px;">&lt;span style="font-size: 14px;">&lt;span style="font-size: 14px;">Data controllers should consider the declarations to be submitted as of the effective date (25 July 2023) when evaluating whether they are subject to this exception.&lt;/span>&lt;/span>&lt;/span>&lt;/span>&lt;/p>&lt;p style="text-align: justify; line-height: 2;">&lt;span style="font-family: Arial, Helvetica, sans-serif; font-size: 14px;">&lt;span style="font-size: 14px;">&lt;span style="font-size: 14px;">&lt;span style="font-size: 14px;">   This exception has been determined only for local data controllers and does not apply to foreign data controllers.&lt;/span>&lt;/span>&lt;/span>&lt;/span>&lt;/p>&lt;hr>&lt;p>&lt;span style="font-family: Arial, Helvetica, sans-serif; font-size: 14px;">&lt;strong>Tagged with&lt;/strong>:&nbsp;&lt;a href="https://turkishlawblog.com/contributors/detail/ozdagistanli-ekici-attorney-partnership" target="_blank" style="color: rgb(2, 102, 132); font-size: 14px;">Özdağıstanli Ekici Attorney Partnership&lt;/a>&lt;span style="font-size: 14px;">,&lt;/span>&nbsp;&lt;span style="font-size: 14px;">&lt;a href="https://turkishlawblog.com/writer/detail/burak-ozdagistanli" target="_blank" style="color: rgb(2, 102, 132);">Burak Özdağıstanli&lt;/a>,&lt;/span>&lt;span style="font-size: 14px;">&nbsp;&lt;/span>&lt;/span>&lt;span style="font-size: 14px;">&lt;a href="https://turkishlawblog.com/writer/detail/ebru-gumus" target="_blank" style="color: rgb(2, 102, 132); font-family: Arial, Helvetica, sans-serif; font-size: 14px;">Ebru Gümüş&lt;/a>&lt;span style="font-size: 14px;">&lt;span style="font-family: Arial, Helvetica, sans-serif; font-size: 14px;">,&nbsp;&lt;span style="font-size: 14px;">&lt;a href="https://turkishlawblog.com/insights/category/data-protection-privacy" target="_blank" style="color: rgb(2, 102, 132);">Personal Data&lt;/a>&lt;/span>&lt;span style="font-size: 14px;">,&nbsp;&lt;/span>&lt;/span>&lt;a href="https://turkishlawblog.com/insights/category/data-protection-privacy" target="_blank" style="color: rgb(2, 102, 132); font-family: Arial, Helvetica, sans-serif; font-size: 14px;">Data Protection &amp; Privacy&lt;/a>&lt;/span>&lt;/span>&lt;br>&lt;/p>

The Turkish Personal Data Protection Board amended the exemption limit for Data Controllers Registry (VERBIS) registration due to economic conditions. The new limit is 100.000.000 Turkish Liras for the annual financial balance sheet, up from the previous 25.000.000 Turkish Liras. Data controllers with less than 50 employees and an annual financial balance sheet total below TRY 100.000.000 are exempt from VERBIS registration. The effective date is 25 July 2023, and the exception applies only to local data controllers, not foreign ones.

Italian Data Protection Authority Bans Data Processing of AI-Powered Chatbot Replica

Popular Articles on Data Protection & Privacy

Latest Insights from Kavlak Law Firm

Italian Data Protection Authority Bans Data Processing of AI-Powered Chatbot Replica

Popular Articles on Data Protection & Privacy

Latest Insights from Kavlak Law Firm

Subscribe to our newsletter