&lt;p class="MsoNormal" style="margin: 0px 0px 11px; line-height: 2; font-family: Calibri, sans-serif; text-align: justify; font-size: 15px;">&lt;span lang="TR" style="line-height: 107%; font-family: Arial, Helvetica, sans-serif; color: rgb(29, 27, 27); font-size: 14px;">&lt;span style="font-size: 14px;">The Italian Data
        Protection Authority (the "&lt;/span>&lt;strong>Authority&lt;/strong>&lt;span style="font-size: 14px;">") banned the data processing
        activities of Replica, an AI-powered chatbot app that offers a "virtual
        friend" experience to users. If Replica fails to comply with the
        Authority's order within 20 days, it may face a fine of up to €20 million or 4%
        of its global turnover.&lt;/span>&lt;/span>&lt;/p>

&lt;p class="MsoNormal" style="margin: 0px 0px 11px; line-height: 2; font-family: Calibri, sans-serif; text-align: justify; font-size: 15px;">&lt;span lang="TR" style="line-height: 107%; font-family: Arial, Helvetica, sans-serif; font-size: 14px; color: rgb(29, 27, 27);">The Authority found that
        Replica does not adhere to the transparency principle outlined in the European
        Data Protection General Regulation (GDPR) regarding the processing of personal
        data. In particularly, the legal basis for Replika's data processing, which
        relies on the performance of a contract, is invalid as children are not
        qualified to enter into such contracts.&lt;/span>&lt;/p>

&lt;p class="MsoNormal" style="margin: 0px 0px 11px; line-height: 2; font-family: Calibri, sans-serif; text-align: justify; font-size: 15px;">&lt;span lang="TR" style="line-height: 107%; font-family: Arial, Helvetica, sans-serif; font-size: 14px; color: rgb(29, 27, 27);">The decision also notes
        that Replika poses tangible threat to children. Replica lacks any age
        verification system during the registration process, and the chatbot's
        responses may not be appropriate for the children using the app.&lt;/span>&lt;/p>

&lt;p class="MsoNormal" style="margin: 0px 0px 11px; line-height: 2; font-family: Calibri, sans-serif; text-align: justify; font-size: 15px;">&lt;span lang="TR" style="line-height: 107%; font-family: Arial, Helvetica, sans-serif; font-size: 14px; color: rgb(29, 27, 27);">Concerns have been raised
        about the risks such technology might pose to children. These range from
        worries over kids being exposed to inappropriate content to more general
        concerns such as that they might get addicted to the interactions, be
        encouraged into spending money on customizing their avatars or to gain access
        to other paid content. But the Authority appears to the first regulator to take
        formal action over child safety.&lt;/span>&lt;/p>

The Italian Data         Protection Authority banned the data processing activities of Replica, an AI-powered chatbot app that offers a "virtual friend" experience to users.

Italian Data Protection Authority Bans Data Processing of AI-Powered Chatbot Replica

Aybüke graduated from Yeditepe
 University Faculty of Law in 2019. She has been working at the IT Department in
 Kavlak Law Firm focusing on personal data protection law, e-commerce law, IT
 and technology law. She provides legal assistance to local and multinational
 clients on legal compliance, personal data protection compliance and IT
 agreements. Practice Areas &amp; Work Department

IT Law

Personal Data Protection Law 

E-Commerce Law

Compliance

&nbsp; 

Languages

Turkish

English

As an independent full-service law firm, KAVLAK provides
solutions and practical approaches for a wide range of legal issues to domestic
and international clients since 2006. Our team is experienced in providing
specialist expertise to clients based in the USA, UK and EMEA to reach their
significant potential for global expansion. KAVLAK has a high reputation in
providing legal services to innovative, technology-driven businesses.Our lawyers are recognized for practical legal and business
guidance and provide unique customized commercial advice to your business. We
have extensive experience and interdisciplinary approach to advising start-ups
on company formation, equity structures, Investments, IP rights and other
topics vital to their success. Over the
years, we have built a long track record of working in key industries and
markets, mainly legaltech, fintech, ecommerce, big data, supply chain
management &amp; logistics, AI, B2B software and leisure &amp;
entertainment.&nbsp;We provide legal
consultancy services to our clients by utilising our global network of start-up
ecosystem.

Kavlak Law Firm

Attorney at Law

Özge Keskin works as a legal intern at Kavlak Law Firm. She
graduated from Istanbul University Faculty of Law in 2022. During her
bachelor's, she graduated from Kavlak Academy in second place and she also has
improved herself with internships and trainings in the fields of Compliance and
Ethics, Arbitration, Insurance and Art Law. Practice Areas &amp; Work Department

Data Protection



Compliance

IT Law

&nbsp; 

Languages

Turkish 

English

&nbsp; 

Memberships

Istanbul Bar Association Personal Data Protection Commission

Legal Intern

&lt;p style="text-align: justify;">&lt;span style="font-family: Arial, Helvetica, sans-serif; font-size: 14px;">&lt;span style="font-size: 14px;">The Information Commissioner's Office ("&lt;/span>&lt;strong style="font-size: 14px;">ICO&lt;/strong>&lt;span style="font-size: 14px;">&lt;span style="font-size: 14px;">") released the
Tech Horizons Report (“&lt;/span>&lt;strong>Report&lt;/strong>&lt;span style="font-size: 14px;">”), which addresses the most significant
technological developments for privacy in the next two to five years, as well
as the current range of risks that may harm people's privacy and trust in these
technologies. The Report focuses on applied technologies that have more certain
implications for privacy in the near future. In the Report the following four
technologies: consumer healthtech, next-generation Internet of Things (IoT),
immersive technology, and decentralized finance are discussed in detail.&lt;/span>&lt;/span>&lt;/span>&lt;/p>&lt;p style="text-align: justify;">&lt;strong style="font-size: 14px; font-family: Arial, Helvetica, sans-serif;">Consumer Healthtech&lt;/strong>&lt;br>&lt;/p>&lt;p style="text-align: justify;">&lt;span style="font-family: Arial, Helvetica, sans-serif; font-size: 14px;">&lt;span style="font-size: 14px;">&lt;span style="font-size: 14px;">Consumer healthtech can improve wellbeing by tracking health metrics
and promoting healthy habits, but increased data processing must be considered
in this regard. Automated therapy and wearable technologies are given as examples
in the Report. According to the Report, main data protection and privacy issues
in developing consumer healthtech technology are as follows;&lt;/span>&lt;/span>&lt;/span>&lt;/p>&lt;ul style="list-style-type: square;">&lt;li style="margin-left: 20px; text-align: justify;">&lt;span style="font-family: Arial, Helvetica, sans-serif; font-size: 14px;">&lt;span style="font-size: 14px;">&lt;span style="font-size: 14px;">Some consumer healthtech devices will generate special category
     data, requiring additional safeguards and create risk of unproper processing,
&lt;/span>&lt;/span>&lt;/span>&lt;/li>&lt;li style="margin-left: 20px; text-align: justify;">&lt;span style="font-family: Arial, Helvetica, sans-serif; font-size: 14px;">&lt;span style="font-size: 14px;">&lt;span style="font-size: 14px;"> Action is needed to ensure that users have meaningful
     transparency and control of processing of their personal information,&lt;/span>&lt;/span>&lt;/span>&lt;/li>&lt;li style="margin-left: 20px; text-align: justify;">&lt;span style="font-family: Arial, Helvetica, sans-serif; font-size: 14px;">&lt;span style="font-size: 14px;">&lt;span style="font-size: 14px;">Some consumer healthtech devices present issues in terms of
     accuracy and bias,&lt;/span>&lt;/span>&lt;/span>&lt;/li>&lt;li style="margin-left: 20px; text-align: justify;">&lt;span style="font-family: Arial, Helvetica, sans-serif; font-size: 14px;">&lt;span style="font-size: 14px;">&lt;span style="font-size: 14px;">Poor data management&lt;/span>&lt;/span>&lt;/span>&lt;/li>&lt;/ul>&lt;p style="text-align: justify;">&lt;span style="font-family: Arial, Helvetica, sans-serif; font-size: 14px;">&lt;span style="font-size: 14px;">&lt;span style="font-size: 14px;">To eliminate these issues, organizations must develop healthtech in
a privacy-positive way. They should provide clear privacy notices, be transparent
about processing special category data, and ensure that algorithmic processing
and AI use are accurate, fair, and checked for systemic bias.&lt;/span>&lt;/span>&lt;/span>&lt;/p>&lt;p style="text-align: justify;">&lt;span style="font-family: Arial, Helvetica, sans-serif; font-size: 14px;">&lt;span style="font-size: 14px;">&lt;span style="font-size: 14px;">&lt;strong>Next Generation IOT Devices&lt;/strong>&lt;/span>&lt;/span>&lt;/span>&lt;/p>&lt;p style="text-align: justify;">&lt;span style="font-family: Arial, Helvetica, sans-serif; font-size: 14px;">&lt;span style="font-size: 14px;">&lt;span style="font-size: 14px;">Internet of Things (“IoT”) is an evolving technology. IoT devices
have potential to reduce carbon footprints, assist vulnerable people, and
improve productivity. However, developers and regulators must address data
protection compliance issues following that:&lt;/span>&lt;/span>&lt;/span>&lt;/p>&lt;ul style="list-style-type: square;">&lt;li style="margin-left: 20px; text-align: justify;">&lt;span style="font-family: Arial, Helvetica, sans-serif; font-size: 14px;">&lt;span style="font-size: 14px;">&lt;span style="font-size: 14px;">Widespread use of next
generation IoT devices may increase cybersecurity risks&lt;/span>&lt;/span>&lt;/span>&lt;/li>&lt;li style="margin-left: 20px; text-align: justify;">&lt;span style="font-family: Arial, Helvetica, sans-serif; font-size: 14px;">&lt;span style="font-size: 14px;">&lt;span style="font-size: 14px;">Action is needed to provide
people with meaningful transparency and control of their personal information&lt;/span>&lt;/span>&lt;/span>&lt;/li>&lt;li style="margin-left: 20px; text-align: justify;">&lt;span style="font-family: Arial, Helvetica, sans-serif; font-size: 14px;">&lt;span style="font-size: 14px;">&lt;span style="font-size: 14px;">Concerns exist about excessive
collection or repurposing of personal information&lt;/span>&lt;/span>&lt;/span>&lt;/li>&lt;/ul>&lt;p style="text-align: justify;">&lt;span style="font-family: Arial, Helvetica, sans-serif; font-size: 14px;">&lt;span style="font-size: 14px;">&lt;span style="font-size: 14px;">Organisations should consider to take additional steps in order to implement
privacy-positive innovation by enhancing IoT device security. Some security
principles are outlined in the upcoming Product Security and Telecommunications
Infrastructure Bill. Also, taking into account the European Telecommunications
Standards Institute’s IoT security standard, ensuring high standards of privacy
by default, exploring approaches to transparency and data minimization in smart
spaces, being aware of the unique privacy and security challenges of edge
computing, and exploring the potential of privacy enhancing techniques in the
context of connected devices are of importance in checking the privacy risks of
IoT devices.&lt;/span>&lt;/span>&lt;/span>&lt;/p>&lt;p style="text-align: justify;">&lt;span style="font-family: Arial, Helvetica, sans-serif; font-size: 14px;">&lt;span style="font-size: 14px;">&lt;span style="font-size: 14px;">As declared in the Report ICO intends to develop a guidance on the
aspects, continue the support on the default security standards, continue the
engagement with stakeholders in the property sector on their privacy readiness
for future IoT deployments.&lt;/span>&lt;/span>&lt;/span>&lt;/p>&lt;p style="text-align: justify;">&lt;span style="font-family: Arial, Helvetica, sans-serif; font-size: 14px;">&lt;span style="font-size: 14px;">&lt;span style="font-size: 14px;">&lt;strong>Immersive Technology&lt;/strong>&lt;/span>&lt;/span>&lt;/span>&lt;/p>&lt;p style="text-align: justify;">&lt;span style="font-family: Arial, Helvetica, sans-serif; font-size: 14px;">&lt;span style="font-size: 14px;">&lt;span style="font-size: 14px;">&lt;span style="font-size: 14px;">The Report focuses on the immersive technology nearer term and more
common applications of augmented reality (“&lt;/span>&lt;strong style="font-size: 14px;">AR&lt;/strong>&lt;span style="font-size: 14px;">&lt;span style="font-size: 14px;">”) and virtual reality (“&lt;/span>&lt;strong style="font-size: 14px;">VR&lt;/strong>&lt;span style="font-size: 14px;">&lt;span style="font-size: 14px;">”).
As VR and AR gain popularity, including listed below issues privacy concerns
will arise due to the collection and processing of potentially sensitive data.&lt;/span>&lt;/span>&lt;/span>&lt;/span>&lt;/span>&lt;/span>&lt;/p>&lt;ul style="list-style-type: square;">&lt;li style="margin-left: 20px; text-align: justify;">&lt;span style="font-family: Arial, Helvetica, sans-serif; font-size: 14px;">&lt;span style="font-size: 14px;">&lt;span style="font-size: 14px;">&lt;span style="font-size: 14px;">&lt;span style="font-size: 14px;">&lt;span style="font-size: 14px;">Many immersive technologies will collect information about
     sensitive human characteristics, requiring additional safeguards,&lt;/span>&lt;/span>&lt;/span>&lt;/span>&lt;/span>&lt;/span>&lt;/li>&lt;li style="margin-left: 20px; text-align: justify;">&lt;span style="font-family: Arial, Helvetica, sans-serif; font-size: 14px;">&lt;span style="font-size: 14px;">&lt;span style="font-size: 14px;">&lt;span style="font-size: 14px;">&lt;span style="font-size: 14px;">&lt;span style="font-size: 14px;">Immersive technologies collect large volumes of personal
     information, prompting questions about data minimization,&lt;/span>&lt;/span>&lt;/span>&lt;/span>&lt;/span>&lt;/span>&lt;/li>&lt;li style="margin-left: 20px; text-align: justify;">&lt;span style="font-family: Arial, Helvetica, sans-serif; font-size: 14px;">&lt;span style="font-size: 14px;">&lt;span style="font-size: 14px;">&lt;span style="font-size: 14px;">&lt;span style="font-size: 14px;">&lt;span style="font-size: 14px;">Consideration needs to be given to how to provide transparency for
     the designated user,&lt;/span>&lt;/span>&lt;/span>&lt;/span>&lt;/span>&lt;/span>&lt;/li>&lt;li style="margin-left: 20px; text-align: justify;">&lt;span style="font-family: Arial, Helvetica, sans-serif; font-size: 14px;">&lt;span style="font-size: 14px;">&lt;span style="font-size: 14px;">&lt;span style="font-size: 14px;">&lt;span style="font-size: 14px;">&lt;span style="font-size: 14px;">Concerns exist about lack of transparency for third parties whose
     personal information may be collected.&lt;/span>&lt;/span>&lt;/span>&lt;/span>&lt;/span>&lt;/span>&lt;/li>&lt;/ul>&lt;p style="text-align: justify;">&lt;span style="font-family: Arial, Helvetica, sans-serif; font-size: 14px;">&lt;span style="font-size: 14px;">&lt;span style="font-size: 14px;">&lt;span style="font-size: 14px;">&lt;span style="font-size: 14px;">&lt;span style="font-size: 14px;">Especially in immersive technologies embedding privacy by design is
critical to safeguarding people's privacy rights. Businesses developing these
technologies should explore technical and policy solutions to manage privacy
risks and maximize opportunities. AR and VR devices will process personal
information of users and non-users alike, exacerbating privacy risks if not
designed and implemented in a privacy-positive manner.&lt;/span>&lt;/span>&lt;/span>&lt;/span>&lt;/span>&lt;/span>&lt;/p>&lt;p style="text-align: justify;">&lt;span style="font-family: Arial, Helvetica, sans-serif; font-size: 14px;">&lt;span style="font-size: 14px;">&lt;span style="font-size: 14px;">&lt;span style="font-size: 14px;">&lt;span style="font-size: 14px;">&lt;span style="font-size: 14px;">It is of great importance to embed privacy by design in
infrastructure, also, policies and standards early on will be critical to
ensure people’s rights to privacy are safeguarded in the next generation of immersive
internet.&lt;/span>&lt;/span>&lt;/span>&lt;/span>&lt;/span>&lt;/span>&lt;/p>&lt;p style="text-align: justify;">&lt;span style="font-family: Arial, Helvetica, sans-serif; font-size: 14px;">&lt;span style="font-size: 14px;">&lt;span style="font-size: 14px;">&lt;span style="font-size: 14px;">&lt;span style="font-size: 14px;">&lt;span style="font-size: 14px;">&lt;strong>Decentralised Finance&lt;/strong>&lt;/span>&lt;/span>&lt;/span>&lt;/span>&lt;/span>&lt;/span>&lt;/p>&lt;p style="text-align: justify;">&lt;span style="font-family: Arial, Helvetica, sans-serif; font-size: 14px;">&lt;span style="font-size: 14px;">&lt;span style="font-size: 14px;">&lt;span style="font-size: 14px;">&lt;span style="font-size: 14px;">&lt;span style="font-size: 14px;">The growing popularity of decentralized finance (“&lt;/span>&lt;strong style="font-size: 14px;">DeFi&lt;/strong>&lt;span style="font-size: 14px;">&lt;span style="font-size: 14px;">”) and the
qualities of distributed ledger technology (“&lt;/span>&lt;strong>DLT&lt;/strong>&lt;span style="font-size: 14px;">”) that enable
transparent, permissionless and permanent processing beyond centralised control
structures also present clear challenges listed below for privacy and
compliance with data protection law.&lt;/span>&lt;/span>&lt;/span>&lt;/span>&lt;/span>&lt;/span>&lt;/span>&lt;/p>&lt;ul style="list-style-type: square;">&lt;li style="margin-left: 20px; text-align: justify;">&lt;span style="font-family: Arial, Helvetica, sans-serif; font-size: 14px;">&lt;span style="font-size: 14px;">&lt;span style="font-size: 14px;">&lt;span style="font-size: 14px;">&lt;span style="font-size: 14px;">&lt;span style="font-size: 14px;">&lt;span style="font-size: 14px;">
 Organisations may use DeFi systems for a diverse range of
     transactions. Since anyone with access can inspect the chain and
     transactions, it is relatively simple for a bot or script to harvest
     information about transactions etc.&lt;/span>&lt;/span>&lt;/span>&lt;/span>&lt;/span>&lt;/span>&lt;/span>&lt;/li>&lt;li style="margin-left: 20px; text-align: justify;">&lt;span style="font-family: Arial, Helvetica, sans-serif; font-size: 14px;">&lt;span style="font-size: 14px;">&lt;span style="font-size: 14px;">&lt;span style="font-size: 14px;">&lt;span style="font-size: 14px;">&lt;span style="font-size: 14px;">&lt;span style="font-size: 14px;">Blockchain transtactions may not involve disclosing certain
     categories of personal information that does not eliminate the possibility
     that people could be identified. This is because information recorded as
     part of blockchain transactions may be pseudonymised rather than strictly
     anonymous. The risk of re-identification increases with the volume of
     information stored on the blockchain.&lt;/span>&lt;/span>&lt;/span>&lt;/span>&lt;/span>&lt;/span>&lt;/span>&lt;/li>&lt;li style="margin-left: 20px; text-align: justify;">&lt;span style="font-family: Arial, Helvetica, sans-serif; font-size: 14px;">&lt;span style="font-size: 14px;">&lt;span style="font-size: 14px;">&lt;span style="font-size: 14px;">&lt;span style="font-size: 14px;">&lt;span style="font-size: 14px;">&lt;span style="font-size: 14px;">The decentralised nature of networks in the crypto-asset
     industry raises questions about who may be the data controller as well as storage
     limitation, rectification and erasure obligations may present particular
     challenges in current popular applications of the technology. People may struggle
     to exercise their rights because of the identify who the accountable party
     for data processing.&lt;/span>&lt;/span>&lt;/span>&lt;/span>&lt;/span>&lt;/span>&lt;/span>&lt;/li>&lt;/ul>&lt;p style="text-align: justify;">&lt;span style="font-family: Arial, Helvetica, sans-serif; font-size: 14px;">&lt;span style="font-size: 14px;">&lt;span style="font-size: 14px;">&lt;span style="font-size: 14px;">&lt;span style="font-size: 14px;">&lt;span style="font-size: 14px;">&lt;span style="font-size: 14px;">Fortunately, organizations are developing privacy-positive
capabilities, such as privacy mixers and zero-knowledge proofs, to address
these concerns. However, these solutions may also reduce the usefulness of the
service, so organizations must find a balance between privacy protection and
utility.&lt;/span>&lt;/span>&lt;/span>&lt;/span>&lt;/span>&lt;/span>&lt;/span>&lt;/p>&lt;p style="text-align: justify;">&lt;span style="font-family: Arial, Helvetica, sans-serif; font-size: 14px;">&lt;span style="font-size: 14px;">&lt;span style="font-size: 14px;">&lt;span style="font-size: 14px;">&lt;span style="font-size: 14px;">&lt;span style="font-size: 14px;">&lt;span style="font-size: 14px;">Currently, DeFi might hold a tiny share of total financial services
markets. However, the potential for growth and the novel architecture
underpinning DeFi services may create important effects in people’s privacy, as
well as ownership and control of personal information in the near future.&lt;/span>&lt;/span>&lt;/span>&lt;/span>&lt;/span>&lt;/span>&lt;/span>&lt;/p>&lt;p style="text-align: justify;">&lt;span style="font-family: Arial, Helvetica, sans-serif; font-size: 14px;">&lt;span style="font-size: 14px;">&lt;span style="font-size: 14px;">&lt;span style="font-size: 14px;">&lt;span style="font-size: 14px;">&lt;span style="font-size: 14px;">&lt;span style="font-size: 14px;">In decentralized technologies obligations relating to data
protection by design and default require organisations to implement privacy
standards and information rights in the systems and services they develop.&lt;/span>&lt;/span>&lt;/span>&lt;/span>&lt;/span>&lt;/span>&lt;/span>&lt;/p>&lt;p style="text-align: justify;">&lt;span style="font-family: Arial, Helvetica, sans-serif; font-size: 14px;">&lt;span style="font-size: 14px;">&lt;span style="font-size: 14px;">&lt;span style="font-size: 14px;">&lt;span style="font-size: 14px;">&lt;span style="font-size: 14px;">&lt;span style="font-size: 14px;">&lt;strong>Conclusion&lt;/strong>&lt;/span>&lt;/span>&lt;/span>&lt;/span>&lt;/span>&lt;/span>&lt;/span>&lt;/p>&lt;p style="text-align: justify;">&lt;span style="font-family: Arial, Helvetica, sans-serif; font-size: 14px;">&lt;span style="font-size: 14px;">&lt;span style="font-size: 14px;">&lt;span style="font-size: 14px;">&lt;span style="font-size: 14px;">&lt;span style="font-size: 14px;">&lt;span style="font-size: 14px;">The Report provided us with detailed information and aspects on which
new technologies will be inspected as well as insight on the privacy
expectations regarding applied technologies.&lt;/span>&lt;/span>&lt;/span>&lt;/span>&lt;/span>&lt;/span>&lt;/span>&lt;/p>&lt;p style="text-align: justify;">&lt;span style="font-family: Arial, Helvetica, sans-serif; font-size: 14px;">&lt;span style="font-size: 14px;">&lt;span style="font-size: 14px;">&lt;span style="font-size: 14px;">&lt;span style="font-size: 14px;">&lt;span style="font-size: 14px;">&lt;span style="font-size: 14px;">ICO declares in the Report that following the publication of the
report into biometric futures in October 2022, second emerging technology
deepdive on neurotechnology in the first half of 2023 will also be published.&lt;/span>&lt;/span>&lt;/span>&lt;/span>&lt;/span>&lt;span style="font-size: 14px;">&nbsp;&nbsp;&nbsp;&lt;/span>&lt;/span>&lt;/span>&lt;/p>

The Information Commissioner's Office released the Tech Horizons Report, which addresses the most significant technological developments for privacy in the next two to five years, as well as the current range of risks that may harm people's privacy and trust in these technologies.

ICO Published Tech Horizons Report

&lt;p class="MsoNormal" style="font-family: Calibri, sans-serif; margin: 7px 0px; text-align: justify; text-indent: 0px; font-size: 15px;">&lt;span lang="TR" style="font-family: Arial, Helvetica, sans-serif; color: black; font-size: 14px;">&lt;span style="font-size: 14px;">US Federal Trade Commission (“&lt;/span>&lt;strong style="font-size: 14px;">FTC&lt;/strong>&lt;span style="font-size: 14px;">&lt;span style="font-size: 14px;">&lt;span style="font-size: 14px;">”), yakın
        zamanda vermiş olduğu Fortnite oyununun geliştiricisi Epic Games Inc., (“&lt;/span>&lt;strong>Epic
        Games&lt;/strong>&lt;span style="font-size: 14px;">”) hakkındaki kararda, Children’s Online Privacy Protection Act
        (‘‘&lt;/span>&lt;/span>&lt;strong style="font-size: 14px;">COPPA&lt;/strong>&lt;span style="font-size: 14px;">’’) kapsamındaki getirilen yükümlülüklerin ihlal edildiğini tespit
        etmiştir. COPPA, 13 yaşın altındaki çocukların çevrimiçi bilgilerini ve
        gizliliğini korumaya yönelik düzenlemeler barındıran federal bir yasa olup ebeveynlere
        çocuklarından çevrimiçi olarak toplanan bilgileri kontrol imkânı sağlamaktadır.
        FTC, COPPA’nın ihlali ve ‘‘dark pattern’’ olarak bilinen tasarım hileleri
        kullanarak milyonlarca kullanıcıyı istenmeyen satın alma işlemlerine yönelttiği
        gerekçeleriyle Epic Games aleyhine 275 milyon dolar para cezası ve 245 milyon
        dolar geri ödeme olmak üzere toplamda 520 milyon dolar ödenmesine karar
        vermiştir. &lt;/span>&lt;/span>&lt;/span>&lt;/p>

&lt;p class="MsoNormal" style="font-family: Calibri, sans-serif; margin: 7px 0px; text-align: justify; text-indent: 0px; font-size: 15px;">&lt;span lang="TR" style="font-family: Arial, Helvetica, sans-serif; color: black; font-size: 14px;">FTC, yapmış olduğu incelemeler neticesinde
        aşağıdaki noktalara dikkat çekmiştir.&lt;/span>&lt;/p>

&lt;p class="MsoNormal" style="font-family: Calibri, sans-serif; margin: 7px 0px; text-align: justify; text-indent: 0px; font-size: 15px;">&lt;strong>&lt;span lang="TR" style="font-family: Arial, Helvetica, sans-serif; color: black; font-size: 14px;">Yetersiz Ebeveyn İzni &lt;/span>&lt;/strong>&lt;/p>

&lt;p class="MsoNormal" style="font-family: Calibri, sans-serif; margin: 7px 0px; text-align: justify; text-indent: 0px; font-size: 15px;">&lt;span lang="TR" style="font-family: Arial, Helvetica, sans-serif; color: black; font-size: 14px;">Fortnite hakkında gerçekleştirilen
        incelemeler, Fortnite oyuncaklarının lisans/pazarlama süreçleri ve şirketin
        iletişim kanalları birlikte değerlendirildiğinde Epic Games’in, Fortnite'ı 13
        yaş altındaki çocukların oynadığı bilgisine sahip olduğu sonucuna varılmıştır. Bununla
        birlikte, 13 yaşının altındaki çocukların kişisel verilerinin, uygun ebeveyn
        izni olmadan işlendiği ve çocuklarının kişisel verilerinin silinmesini isteyen
        ebeveynlere oyun içerisinde uygun araçların sağlanmadığı tespit edilmiştir.&lt;/span>&lt;/p>

&lt;p class="MsoNormal" style="font-family: Calibri, sans-serif; margin: 7px 0px; text-align: justify; text-indent: 0px; font-size: 15px;">&lt;strong>&lt;span lang="TR" style="font-family: Arial, Helvetica, sans-serif; color: black; font-size: 14px;">Çocuklara ve Gençlere Zararlı Olabilecek
            Varsayılan Gizlilik Ayarları&lt;/span>&lt;/strong>&lt;/p>

&lt;p class="MsoNormal" style="font-family: Calibri, sans-serif; margin: 7px 0px; text-align: justify; text-indent: 0px; font-size: 15px;">&lt;span lang="TR" style="font-family: Arial, Helvetica, sans-serif; color: black; font-size: 14px;">Fortnite içerisindeki varsayılan ayarlar,
        kullanıcıların yazılı ve sesli iletişimine izin vermektedir. Kararda, çocuklar
        gibi hassas yaş gruplarındaki Fortnite kullanıcılarının, yabancılar ile
        eşleştirilmesi sonucunda söz konusu ayarlar nedeniyle zarar görebileceği ifade
        edilmiştir. Ayrıca, çocukların ve gençlerin zorbalığa uğradığı, tehdit edildiği
        veintihar gibi tehlikeli ve
        psikolojik olarak travmatik durumlara maruz kaldığı FTC tarafından tespit
        edilmiştir. Geliştirici, 2017 yılının başlarında oyunda sesli iletişimi
        kapatmaya yarayan bir buton yerleştirmiş olsa da bu buton, kullanıcılar
        tarafından rahatça erişilemediği gerekçesiyle çocukların gizlilik haklarını
        koruma konusunda yeterli bulunmamıştır.&lt;/span>&lt;/p>

&lt;p class="MsoNormal" style="font-family: Calibri, sans-serif; margin: 7px 0px; text-align: justify; text-indent: 0px; font-size: 15px;">&lt;span lang="TR" style="font-family: Arial, Helvetica, sans-serif; color: black; font-size: 14px;">Tüm bu değerlendirmeler sonucunda Epic
        Games, COPPA’nın ihlali nedeniyle 275 milyon dolar ceza ödemenin yanı sıra
        aşağıdaki hususları yerine getirmekle de yükümlü kılınmıştır.&lt;/span>&lt;/p>

&lt;ul style="list-style-type: square;">&lt;li style="margin-left: 20px; text-align: justify;">&lt;span style="font-family: Arial, Helvetica, sans-serif; font-size: 14px;">&lt;span lang="TR" style="color: black;">Çocuklara ait kişisel verileri saklamak
        için ebeveyn iznine başvurulmalı ve daha önceden ebeveyn izni alınmadan
        uygunsuz bir şekilde işlenen kişisel veriler ise imha edilmelidir.&lt;/span>&lt;/span>&lt;/li>&lt;li style="margin-left: 20px; text-align: justify;">&lt;span style="font-family: Arial, Helvetica, sans-serif; font-size: 14px;">&lt;span lang="TR" style="color: black;">Yazılı ve sesli iletişimin “açık” olarak
        düzenlendiği varsayılan ayarlar, “kapalı” olarak değiştirilmeli; 13 yaşından
        küçük kullanıcılar için ebeveynleri, 13 yaşından büyük kullanıcıları için ise
        kendileri gizlilik ayarı aracılığı ile onay vermediği sürece sesli ve yazılı
        iletişimleri etkinleştirmeleri yasaklanmalıdır.&lt;/span>&lt;/span>&lt;/li>&lt;li style="margin-left: 20px; text-align: justify;">&lt;span style="font-family: Arial, Helvetica, sans-serif; font-size: 14px;">&lt;span lang="TR" style="color: black;">FTC tarafından belirtilen sorunları ele
        alan, kapsamlı bir gizlilik programı oluşturulmalı, ayrıca Epic Games
        içerisinde düzenli ve bağımsız denetimler yapılmalıdır.&lt;/span>&lt;/span>&lt;/li>&lt;/ul>





&lt;p class="MsoNormal" style="font-family: Calibri, sans-serif; margin: 7px 0px; text-align: justify; text-indent: 0px; font-size: 15px;">&lt;strong>&lt;span lang="TR" style="font-family: Arial, Helvetica, sans-serif; color: black; font-size: 14px;">İstenmeyen Satın Alma İşlemlerine Teşvik&lt;/span>&lt;/strong>&lt;/p>

&lt;p class="MsoNormal" style="font-family: Calibri, sans-serif; margin: 7px 0px; text-align: justify; text-indent: 0px; font-size: 15px;">&lt;span lang="TR" style="font-family: Arial, Helvetica, sans-serif; color: black; font-size: 14px;">Epic Games, “dark pattern” adı verilen
        tasarım tekniklerini kullanarak kullanıcıları istemedikleri satın alma
        işlemlerine yönlendirdiği, çocukların oyun içerisinde ebeveyn veya kart sahibi
        izni olmadan yetkisiz satın almalar gerçekleştirebildiği, yetkisiz ödemelere
        şikâyet eden kullanıcıların hesaplarının bloke edilerek taleplerin yerine
        getirilmediği gerekçeleriyle para cezasına çarptırılmıştır. Buna ek olarak Epic
        Games aşağıdaki belirtilenlerin yapılmaması konusunda talimatlandırılmıştır.&lt;/span>&lt;/p>

&lt;ul style="list-style-type: square;">&lt;li style="margin-left: 20px; text-align: justify;">&lt;span style="font-family: Arial, Helvetica, sans-serif; font-size: 14px;">&lt;span lang="TR" style="color: black;">‘‘Dark pattern’’ kullanılarak
        kullanıcılardan ücret talep etmek,&lt;/span>&lt;/span>&lt;/li>&lt;li style="margin-left: 20px; text-align: justify;">&lt;span style="font-family: Arial, Helvetica, sans-serif; font-size: 14px;">&lt;span lang="TR" style="color: black;">Kullanıcıların onayı alınmaksızın herhangi
        bir şekilde ücret talep etmek,&lt;/span>&lt;/span>&lt;/li>&lt;li style="margin-left: 20px; text-align: justify;">&lt;span style="font-family: Arial, Helvetica, sans-serif; font-size: 14px;">&lt;span lang="TR" style="color: black;">Yetkisiz ödemelere itiraz eden
        kullanıcıların hesaplarının bloke etmek.&lt;/span>&lt;/span>&lt;/li>&lt;/ul>





&lt;p class="MsoNormal" style="font-family: Calibri, sans-serif; margin: 7px 0px; text-align: justify; text-indent: 0px; font-size: 15px;">&lt;span lang="TR" style="font-family: Arial, Helvetica, sans-serif; color: black; font-size: 14px;">Sonuç olarak, FTC, daha önce Amazon ve
        Apple davalarında olduğu gibi ‘‘dark pattern’’ kullanılarak uygulama içi
        yetkisiz satın almalar gerçekleştirilmesi ve çocukların gizlilik haklarına
        ilişkin önemli noktaların altını çizmiştir. Çevrimiçi hizmet sağlayıcıların,
        çocukların gizlilik haklarının ihlalinin ve çevrimiçi platformlarda yetkisiz
        satın alma işlemlerinin önüne geçebilmeleri amacıyla daha ciddi tedbirler
        almaları gerektiği ifade edilebilir. Aksi takdirde, söz konusu ihlaller
        nedeniyle yüksek miktarlarda para cezalarıyla karşılaşmaya devam edeceğimizi
        söyleyebiliriz.&lt;/span>&lt;/p>

US Federal Trade Commission, yakın zamanda vermiş olduğu Fortnite oyununun geliştiricisi Epic Games Inc., hakkındaki kararda, Children’s Online Privacy Protection Act kapsamındaki getirilen yükümlülüklerin ihlal edildiğini tespit etmiştir.

Epic Games, Çocuk Mahremiyeti İhlalleri ve İstenmeyen Ücretlerle İlgili FTC İddiaları Üzerine 520 Milyar Dolar Ödeme Yapacak

&lt;p style="text-align: justify;">&lt;span style="font-family: Arial, Helvetica, sans-serif; font-size: 14px;">&lt;span style="font-size: 14px;">The US Federal
Trade Commission ("&lt;/span>&lt;strong style="font-size: 14px;">FTC&lt;/strong>&lt;span style="font-size: 14px;">&lt;span style="font-size: 14px;">&lt;span style="font-size: 14px;">"), in a recent decision regarding the
developer of the Fortnite game, Epic Games Inc., (“&lt;/span>&lt;strong>Epic Games&lt;/strong>&lt;span style="font-size: 14px;">”), has determined
that obligations arising from Children's Online Privacy Protection Act
("&lt;/span>&lt;/span>&lt;strong style="font-size: 14px;">COPPA&lt;/strong>&lt;span style="font-size: 14px;">") have been violated. COPPA is a federal law that
regulates the online information and privacy of children under the age of 13,
also giving parents control over the information collected from their children
online. The FTC has ordered Epic Games to pay a total of $520 million, $275
million in fines for violating COPPA and using design tricks known as
"dark patterns" to steer millions of users towards unwanted
purchases, as well as $245 million in refunds.&lt;/span>&lt;/span>&lt;/span>&lt;/p>&lt;p style="text-align: justify;">&lt;span style="font-family: Arial, Helvetica, sans-serif; font-size: 14px;">&lt;span style="font-size: 14px;">&lt;span style="font-size: 14px;">As a result of its
investigations, the FTC has drawn attention to the following points.&lt;/span>&lt;/span>&lt;/span>&lt;/p>&lt;p style="text-align: justify;">&lt;span style="font-family: Arial, Helvetica, sans-serif; font-size: 14px;">&lt;span style="font-size: 14px;">&lt;span style="font-size: 14px;">&lt;strong>Insufficient
Parental Permission&lt;/strong>&lt;/span>&lt;/span>&lt;/span>&lt;/p>&lt;p style="text-align: justify;">&lt;span style="font-family: Arial, Helvetica, sans-serif; font-size: 14px;">&lt;span style="font-size: 14px;">&lt;span style="font-size: 14px;">During the
investigations conducted regarding Fortnite, including the licensing/marketing
processes of Fortnite toys and the company's communication channels, FTC came
to the conclusion that Epic Games is aware that children under the age of 13
play Fortnite. In addition to this, it has been determined that personal data
of children under the age of 13 is processed without appropriate parental
consent, and that appropriate tools are not provided within the game for
parents to request the deletion of their children's personal data.&lt;/span>&lt;/span>&lt;/span>&lt;/p>&lt;p style="text-align: justify;">&lt;span style="font-family: Arial, Helvetica, sans-serif; font-size: 14px;">&lt;span style="font-size: 14px;">&lt;span style="font-size: 14px;">&lt;strong>Default Privacy
Settings That May be Harmful to Children and Youth&lt;/strong>&lt;/span>&lt;/span>&lt;/span>&lt;/p>&lt;p style="text-align: justify;">&lt;span style="font-family: Arial, Helvetica, sans-serif; font-size: 14px;">&lt;span style="font-size: 14px;">&lt;span style="font-size: 14px;">The default
settings within Fortnite allow users to engage in written and verbal
communication. The decision states that sensitive age groups of Fortnite users,
such as children, may be harmed as a result of these settings due to being
matched with strangers. Additionally, the FTC has found that children and teenagers
have been subjected to bullying, threats, dangerous and psychologically
traumatic situations such as suicide. Although the developer had placed a
button in the game in early 2017 to disable voice communication, it was deemed
insufficient to protect children's privacy rights as it was not easily
accessible to users.&lt;/span>&lt;/span>&lt;/span>&lt;/p>&lt;p style="text-align: justify;">&lt;span style="font-family: Arial, Helvetica, sans-serif; font-size: 14px;">&lt;span style="font-size: 14px;">&lt;span style="font-size: 14px;">As a result of all
these evaluations, Epic Games was obligated to fulfill the following in
addition to paying a fine of 275 million dollars for violating COPPA:&lt;/span>&lt;/span>&lt;/span>&lt;/p>&lt;ul style="list-style-type: square;">&lt;li style="text-align: justify; margin-left: 20px;">&lt;span style="font-family: Arial, Helvetica, sans-serif; font-size: 14px;">&lt;span style="font-size: 14px;">&lt;span style="font-size: 14px;">Parental consent
must be obtained to store children's personal data, and personal data processed
inappropriately without prior parental consent must be destroyed.&lt;/span>&lt;/span>&lt;/span>&lt;/li>&lt;li style="text-align: justify; margin-left: 20px;">&lt;span style="font-family: Arial, Helvetica, sans-serif; font-size: 14px;">&lt;span style="font-size: 14px;">&lt;span style="font-size: 14px;">The default
settings that allow written and voice communication should be changed to
"closed"; parents of users under 13 should be prohibited from
enabling written and voice communication unless they give their consent through
the privacy setting, and users over 13 should be prohibited from enabling
written and voice communication unless they give their own consent through the
privacy setting.&lt;/span>&lt;/span>&lt;/span>&lt;/li>&lt;li style="text-align: justify; margin-left: 20px;">&lt;span style="font-family: Arial, Helvetica, sans-serif; font-size: 14px;">&lt;span style="font-size: 14px;">&lt;span style="font-size: 14px;">A comprehensive
privacy program that addresses the issues identified by the FTC should be
established, and regular and independent audits should be conducted within Epic
Games.&lt;/span>&lt;/span>&lt;/span>&lt;/li>&lt;/ul>&lt;p style="text-align: justify;">&lt;span style="font-family: Arial, Helvetica, sans-serif; font-size: 14px;">&lt;span style="font-size: 14px;">&lt;span style="font-size: 14px;">&lt;strong>Encouraging
Unwanted Purchases&lt;/strong>&lt;/span>&lt;/span>&lt;/span>&lt;/p>&lt;p style="text-align: justify;">&lt;span style="font-family: Arial, Helvetica, sans-serif; font-size: 14px;">&lt;span style="font-size: 14px;">&lt;span style="font-size: 14px;">Epic Games was
fined for using design techniques called "dark patterns" to direct
users to unwanted purchases, allowing children to make unauthorized purchases
without parental or cardholder permission within the game, and blocking
accounts of users who complain about unauthorized payments without fulfilling
their requests. In addition, Epic Games has been instructed not to do the
following:&lt;/span>&lt;/span>&lt;/span>&lt;/p>&lt;ul style="list-style-type: square;">&lt;li style="margin-left: 20px; text-align: justify;">&lt;span style="font-family: Arial, Helvetica, sans-serif; font-size: 14px;">&lt;span style="font-size: 14px;">&lt;span style="font-size: 14px;">Charging users using "dark patterns",&lt;/span>&lt;/span>&lt;/span>&lt;/li>&lt;li style="margin-left: 20px; text-align: justify;">&lt;span style="font-family: Arial, Helvetica, sans-serif; font-size: 14px;">&lt;span style="font-size: 14px;">&lt;span style="font-size: 14px;">Requesting payment from users without obtaining their
consent,&lt;/span>&lt;/span>&lt;/span>&lt;/li>&lt;li style="margin-left: 20px; text-align: justify;">&lt;span style="font-family: Arial, Helvetica, sans-serif; font-size: 14px;">&lt;span style="font-size: 14px;">&lt;span style="font-size: 14px;">Blocking the accounts of users who dispute
unauthorized payments.&lt;/span>&lt;/span>&lt;/span>&lt;/li>&lt;/ul>&lt;p style="text-align: justify;">&lt;span style="font-family: Arial, Helvetica, sans-serif; font-size: 14px;">&lt;span style="font-size: 14px;">&lt;span style="font-size: 14px;">As a result, the
FTC, as in previous cases involving Amazon and Apple, has emphasized the use of
"dark patterns" to facilitate unauthorized in-app purchases and
important points regarding children's privacy rights. It can be argued that
online service providers need to take more serious measures to prevent
violations of children's privacy rights and unauthorized purchases on online
platforms. Otherwise, we can say that we will continue to face high fines due
to such violations.&lt;/span>&lt;/span>&lt;/span>&lt;/p>

The US Federal Trade Commission, in a recent decision regarding the developer of the Fortnite game, Epic Games Inc., has determined that obligations arising from Children's Online Privacy Protection Act have been violated.

Epic Games to Pay 520 Million Dollars over FTC Allegations of Child Privacy Violations and Unwanted Charges

&lt;p class="MsoNormal" align="center" style="margin: 0px 0px 11px; line-height: 2; font-family: Calibri, sans-serif; text-align: justify; font-size: 15px;">&lt;span style="font-family: Arial, Helvetica, sans-serif; font-size: 14px;">İtalyan Veri Koruma Otoritesi
        &lt;/span>&lt;strong style="font-family: Arial, Helvetica, sans-serif; font-size: 14px;">(“Otorite”)&lt;/strong>&lt;span style="font-family: Arial, Helvetica, sans-serif; font-size: 14px;">, kullanıcılarına “sanal bir arkadaş” sunma amacı olan yapay zekâ
        destekli chatbot Replika’nın veri işleme faaliyetlerini yasakladı. Eğer Replika
        tarafından 20 gün içerisinde karara uyulmazsa, 20 milyon Euro veya global
        cirosunun %4’ü kadar para cezasıyla karşı karşıya kalacak.&lt;/span>&lt;br>&lt;/p>

&lt;p class="MsoNormal" style="margin: 0px 0px 11px; line-height: 2; font-family: Calibri, sans-serif; text-align: justify; font-size: 15px;">&lt;span lang="TR" style="line-height: 107%; font-family: Arial, Helvetica, sans-serif; font-size: 14px;">Otorite, verdiği kararda
        Replika’nın Avrupa Veri Koruma Genel Tüzüğü’nün (GDPR) şeffaflık ilkesine uygun
        veri işlemediğine, özellikle çocukların sözleşmelere taraf olmaya ehil bile değilken
        Replika’nın sözleşmenin yerine getirilmesi için gerekli olması hukuki nedenine
        dayanarak çocukların verilerinin işlenmesinin hukuka aykırı olduğuna karar
        vermiştir. &lt;/span>&lt;/p>

&lt;p class="MsoNormal" style="margin: 0px 0px 11px; line-height: 2; font-family: Calibri, sans-serif; text-align: justify; font-size: 15px;">&lt;span lang="TR" style="line-height: 107%; font-family: Arial, Helvetica, sans-serif; font-size: 14px;">Kararda, Replika’nın
        uygulama içerisinde kaydolurken herhangi bir yaş doğrulaması yapmaması ve uygulamayı
        kullanan çocuklar için yaşlarına uygun olmayan cevaplar vermesi nedeniyle
        çocuklar için somut tehditler içerdiği belirtilmiştir. &lt;/span>&lt;/p>

&lt;p class="MsoNormal" style="margin: 0px 0px 11px; line-height: 2; font-family: Calibri, sans-serif; text-align: justify; font-size: 15px;">&lt;span lang="TR" style="line-height: 107%; font-family: Arial, Helvetica, sans-serif; font-size: 14px;">Bu teknolojinin çocuklar
        için oluşturabileceği riskler konusunda endişeler dile getirilmekte. Bunlar,
        çocukların uygunsuz içeriğe maruz kalmasıyla ilgili endişelerden, etkileşimlere
        bağımlı hale gelmeleri, avatarlarını özelleştirmek için para harcamaya teşvik
        edilmeleri veya diğer ücretli içeriğe erişim elde edebilecekleri gibi daha
        genel endişelere kadar uzanıyor. Ancak Otorite, çocuk güvenliği konusunda resmi
        önlem alan ilk düzenleyici olarak görünmektedir.&lt;/span>&lt;/p>

İtalyan Veri Koruma Otoritesi, kullanıcılarına “sanal bir arkadaş” sunma amacı olan yapay zekâ destekli chatbot Replika’nın veri işleme faaliyetlerini yasakladı.

Italian Data Protection Authority Bans Data Processing of AI-Powered Chatbot Replica

Popular Articles on Data Protection & Privacy

Latest Insights from Kavlak Law Firm

Italian Data Protection Authority Bans Data Processing of AI-Powered Chatbot Replica

Popular Articles on Data Protection & Privacy

Latest Insights from Kavlak Law Firm

Subscribe to our newsletter