Compliance Quarterly Türkiye

Global

Generative AI: A global guide to key IP considerations

Artificial intelligence (AI) presents a number of challenges related to intellectual property (IP). Our new guide focuses on the key IP considerations associated with generative AI systems, such as ChatGPT, Gemini, and DALL-E, which employ algorithms to create new content. Using examples from a number of jurisdictions, we consider key IP issues in relation to generative AI systems.

Read the full Generative AI guide.

2024 Annual Litigation Trends Survey

Our 2024 Annual Litigation Trends Survey reveals that technology and cybersecurity risks, along with evolving regulations, are the top concerns for corporate counsel. The rise in cyberattacks and the growing complexity of data privacy laws increase litigation exposure for organizations.

Read the full 2024 Annual Litigation Trends Survey.

State of play in website and privacy litigation

Over the past two years, there has been a surge in litigation alleging that common tracking technologies and web analytics on websites may lead to liability under various state and federal laws.

Read the full legal update, "State of play in website and privacy litigation."

Türkiye

The Law on the Protection of Personal Data is amended

The amendments to the Law on Protection of Personal Data Law (LPPD) with the new Law Proposal on the Amendment of the Criminal Procedure Law and Certain Laws (Law Proposal) is published in the Official Gazette of Türkiye in March 2024. The referred amendments aim to harmonize the LPPD with the European Union General Data Protection Regulation (GDPR).

In brief, with the Law Proposal:

1. The legal grounds for processing of special categories of personal data (sensitive data) have been redefined: The conditions for processing special categories of personal data have been expanded to enable the data controller to refrain from obtaining explicit consent while processing sensitive data.
2. A new legal regime has been introduced for cross-border data transfer: In particular, “explicit consent” has been transformed from a general requirement into an “exception”, and a new special transition period has been provided for transfers with explicit consent. Additionally, standard clause contract concept is introduced, which is not subject to approval of the Turkish Personal Data Protection Board (Board).
3. Data processor is enabled to transfer the personal data abroad: Data processors, like data controllers, have become entitled to transfer data abroad if there is a legal processing reason. In parallel, liabilities are imposed on data processors of their violations of LPPD with respect to cross-border data transfer.
4. An administrative judicial remedy has been introduced against all actions of the Board: With the Law Proposal, administrative fines imposed by the Board may be challenged before the administrative courts.

Accordingly, the amendments relating to cross-border data transfer based on explicit consent will be implemented until September 1, 2024 and other amendments have come into force on June 1, 2024.

Authority amended the criteria for exemption from the obligation to register with the Data Controllers Registry

According to the Law on the Protection of Personal Data and Regulation on Data Controller’s Registry, Data Protection Board (Board) is authorized to determine exemption for the registration obligation by taking into account the objective criteria set by the Board such as the nature and quantity of the data processed, or the facts as data is being processed or transferred to third parties by virtue of law.

With a recent decision of the Board the total annual balance threshold exempting the data controllers from registration with VERBIS is increased from ₺25 million to ₺100 million considering the current economic conditions in Türkiye. Accordingly, as of July 2023, data controllers employing less than 50 employees and with an annual balance less than ₺100 million will be exempt from registering with VERBIS, provided that their main business activity is not processing sensitive personal data.

Data Protection Authority signed a cooperation and information sharing protocol with the Competition Authority

A Cooperation and Information Sharing Protocol was signed between the Personal Data Protection Authority and the Competition Authority in order to ensure an active and effective regulatory environment. Within the scope of the protocol, the authorities will be conducting active cooperation efforts such as:

1. Carrying out joint work in emerging areas that fall within the mandate of both authorities and that could cause irreparable harm in the absence of rapid and effective intervention
2. Publishing reports in cooperation with both institutions in order to raise awareness among users on the protection of personal data and competition, especially in digital markets, and to convey a common message to undertakings in terms of practices concerning both areas of law
3. Organizing joint presentation and discussion programs within the scope of the traditional "Wednesday Seminars" of the Personal Data Protection Authority and/or "Thursday Conferences" of the Competition Authority
4. Organizing trainings in which the relevant authorities share their expertise and experience in their areas of responsibility with each other
5. Consulting on common issues at national and/or international events organized and/or attended by the relevant authorities and supporting these events on issues that fall within the authorities' own areas

The Constitutional Court has made a decision regarding violation of personal data in an investigation

An application is made to the Constitutional Court by an employee alleging that the right to request the protection of personal data was violated due to the lack of an effective criminal investigation due to the fact that the personal data of the employee was unlawfully obtained. The applicant stated that the employer, who terminated the employment contract, unlawfully examined the applicant's bank account transactions and the employee have reported this situation to the Samsun Chief Public Prosecutor's Office.

The Prosecutor's Office decided that there was no need for prosecution on the grounds that the crime of unlawfully obtaining personal data was not committed, and the Criminal Court of First Instance has also rejected the objection. The applicant then applied to the Constitutional Court, arguing that the evidence was not collected and that an effective investigation was not conducted in compliance with the data protection legislation. The Constitutional Court has ruled that the right to request the protection of personal data in a criminal investigation had been violated and decided that a new investigation should be conducted to eliminate the consequences of such violation.