Compliance Quarterly

Global

Artificial intelligence: Legal and ethical implications

A decision to adopt AI can raise fundamental ethical and moral issues for society. These complex issues are of vital importance to our future. As legal responsibility is a subset of moral responsibility, for AI to gain acceptance and be trusted in a given sector, a business will need to take into account the ethical considerations and the legal factors that flow from them. Read more about artificial intelligence on InsideTechLaw.com.

EU Data Act aims to provide a regulatory framework to data sharing

The EU Data Act aims to provide a regulatory framework to govern and make easier the sharing, use and re-use of internet of product-generated data. It also aims to make it easier to switch between cloud providers.

Read the full publication, "EU Data Act aims to provide a regulatory framework to data sharing."

EU Data Governance Act promotes re-use of public sector data

The EU Data Governance Act (DGA) aims to promote sharing and re-use of public sector data and to encourage data altruism. Those wishing to benefit from public sector data for their own analysis (referred to as data users in the DGA) need to understand the conditions that such sharing and re-use will operate under.

Read the full blog post, "EU Data Governance Act promotes re-use of public sector data."

Türkiye

The Personal Data Protection Authority issues new rules and amendments in data governance

Amendment of the criteria for exemption from the obligation to register with the Data Controllers Registry

As per Article 16 of the Law on the Protection of Personal Data and Regulation on Data Controller's Registry, Data Protection Board (Board) is authorized to determine exemption for the registration obligation by taking into account the objective criteria set by the Board such as the nature and quantity of the data processed, or the facts as data is being processed or transferred to third parties by virtue of law. With a recent decision of the Board dated 06.07.2023 and numbered 2023/1154, the total annual balance threshold exempting the data controllers from registration with VERBIS is increased from TRY 25 million to TRY 100 million considering the current economic conditions in Türkiye. Accordingly, as of 25.07.2023, data controllers employing less than 50 employees and with an annual balance less than TRY 100 million will be exempt from registering with VERBIS provided that their main business activity is not processing sensitive personal data.

Signing of cooperation and information sharing protocol with the Competition Authority

A Cooperation and Information Sharing Protocol was signed between the Personal Data Protection Authority and the Competition Authority in order to ensure an effective regulatory environment. Within the scope of the protocol, the authorities shall be conducting cooperation efforts such as:

1. carrying out joint work in emerging areas that fall within the mandate of both authorities and that could cause irreparable harm in the absence of rapid and effective intervention,
2. publishing reports in cooperation with both institutions in order to raise awareness on the protection of personal data and competition, especially in digital markets, and to convey a common message to undertakings in terms of practices concerning both areas of law,
3. organizing joint presentation and discussion programs within the scope of the traditional "Wednesday Seminars" of the Personal Data Protection Authority and/or "Thursday Conferences" of the Competition Authority,
4. organizing trainings in which the relevant authorities share their expertise and experience in their areas of responsibility with each other,
5. consulting on common issues at national and/or international events organized and/or attended by the relevant authorities, and supporting these events on issues that fall within the authorities' own areas.

New guideline on genetic data

On 13 October 2023, the Data Protection Authority (Authority) published the Guideline on Genetic Data which generally includes data controllers processing genetic data, data subjects, conditions for processing generic data, ensuring the security of genetic data and the recommendations of the Authority to guide data controllers to process personal data based on the correct legal grounds and to fulfill their obligations in accordance with the Data Protection Law. Pursuant to the Guideline, genetic data are mostly processed for (i) genetic analysis for diagnostic and therapeutic purposes in the field of health; (ii) analysis for the purpose of determining ancestry; and (iii) determination of genetic predisposition in nutrition, sports or talent, depending on the preference of individuals, except in mandatory cases. In the Guideline, the Authority emphasizes that it is not preferable to store genetic data in cloud systems. Additionally, genetic data is advised to be kept in such a way that it cannot be accessed by anyone other than the authorized personnel with whom confidentiality agreements have been concluded.

The Authority further recommends to: (i) support of local laboratories to conduct tests and research on genetic data domestically; (ii) conduct administrative arrangements for preserving the genetic data domestically and support domestic, national and accredited IT infrastructures; (iii) apply different procedures and rules for different purposes of processing genetic data.

New decision about the dependency of explicit consent with the service

In its recent decision concerning a healthcare organization providing appointments depending on an explicit consent, Personal Data Protection Board determined that the element of "given with free will" is violated by the data controller since the service is made conditional to the explicit consent. The Board further decided that relying on explicit consent as a legal basis for processing when it is not required is deceptive and should be considered as an abuse of right. Therefore, the Board has imposed an administrative fine on the data controller due to the violation of their obligations regarding data security. The Board also decided that the health organization should make certain revisions in the appointment form to separate the privacy notices and explicit consent.

New decision regarding promotion activities of private hospitals

In a new decision, the Personal Data Protection Authority stated that the photographs and the video recordings of individuals, taken for treatment purposes are considered sensitive data, processing of which should be made with explicit consent. The Data Protection Authority decided that usage of such materials in the organizations' communication cause a commercial appearance to the activities of the health institution and cause unfair competition vis a vis other health institutions, conflicting with the prohibition of advertisement by private hospitals according to the Regulation on Private Hospitals. It was decided by the Authority that health data and other personal data, which are considered as sensitive data, were processed for advertising purposes by the data controller and that the activity in question was not in accordance with the law. Therefore, the Board imposed an administrative fine on the data controller who failed to ensure the appropriate level of security in order to prevent unlawful processing and also requested the data controller to cease processing personal data, as well as to destruct retained personal data processed to date in accordance with Article 7 of the LPPD and the relevant health regulation.