What Happened in the Data Protection Ecosystem in 2023



28 Jan, 2024 Universal



In 2023, data protection, cybersecurity, and artificial intelligence applications were discussed extensively both in Türkiye and internationally. Below is a closer look at some of the notable developments in data protection and AI that emerged in 2023.

  1. What Happened at the Personal Data Protection Authority Nationally in 2023?
  • As of December 2023, 50 data breach notifications have been published on https://www.kvkk.gov.tr/.
  • In 2022, the Personal Data Protection Board (“the Board”) published 73 new decisions.
  • Two commitment letter applications have been accepted.
  • The commitment letter application regarding the transfer of personal data abroad by the data controller Otokoç Otomotiv Ticaret ve Sanayi Anonim Şirketi was evaluated by the Board within the scope of Article 9, paragraph 2(b) of the Law No. 6698 on the Protection of Personal Data (“Law”), and permission for the said data transfer was granted by the Board on 30.03.2023. [1]
  • The commitment letter application regarding the transfer of personal data abroad by Google Reklamcılık ve Pazarlama Limited Şirketi was evaluated by the Board within the scope of Article 9, paragraph 2(b) of the Law, and permission for the said data transfer was granted by the Board on 17.08.2023. [2]

A Public Announcement Regarding the Amendment to the Exemption Criteria for the Obligation to Register with the Data Controllers’ Registry has been Published. [3]

In the announcement, it was stated that businesses in our country have grown economically, their business volume has expanded, and the threshold of 25 million TRY, which was set in 2018, has become insufficient compared to the current annual financial statement totals. Therefore, the need to update the annual financial statement threshold specified in Board Decision No. 2018/87 has arisen. As a result of the assessment, the said exemption limit has been increased from 25 million Turkish Liras to 100 million Turkish Liras.

In this context, with its decision dated 06.07.2023 and numbered 2023/1154, the Board announced that real or legal person data controllers whose annual number of employees is less than 50 and whose annual financial statement total is less than 100 million Turkish Liras, and whose main activity does not involve the processing of sensitive personal data, are exempt from the obligation to register with the Registry. [4]

The “Recommendations on Privacy in Mobile Applications” Guide has been published. [5]

The key topics highlighted in the guide are summarized as follows:

  • Privacy protection measures for individuals using the mobile application
  • Principles for processing location data
  • Criteria for a strong password
  • Evaluation of data processing activities within the scope of personal data protection principles, with examples
  • Processing of children’s data in mobile applications
  • Methods to ensure data security throughout these processes.

The “Guide on Considerations for Processing Genetic Data” has been published. [6]

The Guide includes the following:

  • It is stated that genetic data, specified as sensitive personal data, is not comprehensively defined in the legislation, with a reference made to the European Union General Data Protection Regulation (GDPR) for a definition.
  • Examples are provided regarding who can act as data controllers and data processors in the processing of genetic data.
  • The principles to be considered when processing genetic data are outlined.
  • The exceptions specified in Article 28 of the Personal Data Protection Law No. 6698 regarding the processing of genetic data are evaluated.
  • Points to consider in fulfilling the data controller’s obligation to inform are explained.
  • The technical and administrative measures necessary to ensure the security of genetic data are listed.
  • It is emphasized that processing genetic data is of critical importance for the protection of individuals, national security and the economic interests of countries, highlighting the necessity of taking certain national measures, along with recommendations and suggestions.

Public Announcement on the Processing of Personal Data by Sending Verification Codes via SMS to Data Subjects During In-Store Shopping!

The Personal Data Protection Board (“Board”) has made the following evaluations in summary:

  • During checkout following in-store shopping, the purpose of sending an SMS to the individual’s phone and the consequences of providing the code received via SMS should be communicated clearly and understandably to data subjects by authorized store personnel, as part of layered information disclosure. Additionally, the SMS content must include the information channels needed to fulfill the obligation to inform.
  • The practice of combining different data processing activities, such as approving a membership agreement, obtaining consent to process personal data, or collecting consent for commercial electronic communications through a single action by sending a verification code via SMS during in-store payment, should be discontinued. Processing activities requiring explicit consent should be presented as separate options, and explicit consent should be obtained individually.
  • Furthermore, data controllers must carry out the processes of obtaining explicit consent and fulfilling the obligation to inform separately.
  • If sending a verification code via SMS is used to obtain explicit consent for sending commercial electronic messages, the explicit consent obtained must include all elements specified by law.
  • Providing explicit consent for processing personal data for the purpose of sending commercial electronic messages should not be presented as a mandatory element for completing a purchase. Otherwise, such a practice could undermine the elements of explicit consent, specifically the requirements of “being based on information and being freely given.” Therefore, such practices must comply with the law.
  • Accordingly, explicit consent for processing personal data for commercial electronic communications should be requested after the purchase is completed to prevent the perception that explicit consent for commercial electronic communication is a necessary element of the purchase. [7]

The Personal Data Protection Authority (“KVKK”) has decided to impose an administrative fine of 1,750,000 TRY on TikTok.

Following its examination of the TikTok application on internet and social media platforms, the KVKK concluded the following:

  • TikTok poses a risk regarding access to data of users belonging to sensitive age groups, and adequate measures have not been taken to identify and mitigate these risks.
  • Personal information of children under the age of 13 has been displayed, and data regarding children has been collected without proper parental consent, posing a risk of negative consequences for children who have used the application.
  • The section on Terms of Service had not been translated into Turkish at the time of obtaining consent, resulting in the content not being presented to users in an easily understandable manner and failing to fulfill the requirement of obtaining explicit consent separately from the obligation to inform.
  • Explicit consent had not been obtained from data subjects regarding the processing of personal data through the use of cookies.
  • For these reasons, the Board decided to impose the administrative fine. [8]
  2. International
  • The NIS2 Directive, which lays down new cybersecurity rules for the EU, has been published in the Official Journal of the EU. [9]

The Network and Information Security (“NIS”) Directive is recognized as the first legislation on cybersecurity across the European Union (“EU”), with its primary objective being to ensure a high level of common cybersecurity among Member States.

In a statement published at the beginning of 2023 by the Parliament, it was noted that although the NIS Directive has strengthened the cybersecurity capacities of Member States, the increasing threats due to digitalization and the rise in cyberattacks necessitate revising the NIS Directive. Accordingly, the NIS2 Directive was introduced to strengthen security requirements, implement stricter monitoring measures, and establish more stringent enforcement requirements, ultimately aiming to enhance the level of cybersecurity in Europe in the long term.

The NIS2 Directive highlights several notable points:

  • Medium and large-scale organizations in the sectors covered by the Directive are brought within its scope and are required to comply with the specified security rules.
  • Covered entities must implement cybersecurity risk-management measures that address, among other things, supply chain security, the use of encryption, and vulnerability handling and disclosure. For significant incidents, they must submit an early warning within 24 hours of becoming aware of the incident, an incident notification within 72 hours, and a final report within one month.
  • Essential entities that fail to take the measures listed in the Directive may face administrative fines of up to 10 million euros or 2% of their global annual turnover, whichever is higher.

As of January 16, 2023, the NIS2 Directive has entered into force, and Member States are required to transpose the measures into their national laws within a 21-month period, by October 17, 2024.

  • Twitter has updated its security policy.

The social media platform Twitter announced the launch of a “zero tolerance against verbal violence” policy, completely banning violent content, threats, glorification of violence, or incitement to violence.

Twitter stated that it would review actions before temporarily or permanently suspending an account, clarifying that it would not intervene with accounts containing satire or artistic expression. However, it also emphasized that accounts violating the rules would be suspended, and in the event of repeated violations, the account would be permanently closed.

  • Request for Investigation into ChatGPT! [10]

According to a news article published by Reuters, the Spanish data protection authority Agencia Española de Protección de Datos (“AEPD”) has officially called on the European Data Protection Board to examine the compliance of ChatGPT, owned by OpenAI, with the EU General Data Protection Regulation (“GDPR”). A spokesperson for AEPD stated that the matter was brought forward “to enable the implementation of harmonized actions within the framework of GDPR enforcement.”

Additionally, the report mentions that OpenAI runs a bug bounty program offering payments of up to 20,000 USD for reports of security vulnerabilities affecting ChatGPT.

  • ChatGPT was blocked in Italy due to violations of Personal Data Protection Rules.

According to a BBC report, the Italian data protection authority (the Garante) issued a blocking decision against ChatGPT on the grounds that it violated rules related to the collection of Italian users’ data. The authority also ordered the suspension of the processing of Italian users’ data and warned that, due to the absence of a system to verify users’ ages, children might be exposed to responses inappropriate for their level of development and awareness.

This decision reportedly followed a data breach that occurred on March 20. The data protection authority gave OpenAI 20 days to implement the requested measures, warning that failure to comply could result in fines of up to 20 million Euros or 4% of the company’s annual global turnover. [11]

  • Video scandal in Tesla vehicles! [12]

According to an investigation by Reuters, former Tesla employees allegedly circulated “highly intrusive videos and images recorded by customers’ vehicle cameras” within the company’s internal messaging system. The report includes interviews with nine former employees claiming that the recordings captured Tesla customers in embarrassing situations and were shared among employees between 2019 and 2022. Although Tesla’s privacy notice states that “camera recordings remain anonymous and are not linked to any individual or vehicle,” multiple employees assert that Tesla has a program capable of determining where the videos were recorded.

  • Large fine imposed by the French Data Protection Authority on a scooter rental company for the collection of geographic location data! [13]

The French Data Protection Authority (“CNIL”) fined the scooter rental company Cityscoot €125,000 for collecting and recording vehicles’ geographic location data. 

CNIL stated that Cityscoot failed to comply with data minimization and contractual framework obligations under the EU General Data Protection Regulation (“GDPR”) and also violated the French Data Protection Law by not informing users and failing to obtain consent for access to the data.

  • The Danish Data Protection Authority published a guideline on the use of CCTV cameras! [14]

On June 27, 2023, the Danish Data Protection Authority (“Datatilsynet”) released a guideline regarding the use of CCTV cameras, covering important points companies must consider about CCTV usage. It details when a behavior constitutes CCTV surveillance, how companies can fulfill their obligation to inform individuals being monitored through CCTV, and the rules to be observed in the storage and disclosure of CCTV recordings.

  • The UK Data Protection Authority (“ICO”) has issued notices to the 100 most visited websites in the United Kingdom, citing concerns that their cookie banners may not comply with the UK General Data Protection Regulation and the Privacy and Electronic Communications Regulations! [15]

The letter sent by the Information Commissioner’s Office detailed how companies can rectify their errors and stated that the relevant notice was shared publicly to encourage compliance among other websites.

  • The Dutch Data Protection Authority, Autoriteit Persoonsgegevens (“AP”), has called for increased oversight and a comprehensive plan to manage the risks of generative artificial intelligence! [16]

The AP proposed presenting a full AI plan by 2030 to ensure more human control and to increase everyday awareness of how AI might impact lives.

  • Sweden’s data protection authority, Integritetsskyddsmyndigheten (“IMY”), imposed a fine of 58 million Swedish Krona (approximately 5.4 million Euros) on Spotify for alleged violations of transparency requirements under the EU General Data Protection Regulation (“GDPR”)! [17]

IMY found that while Spotify responded to data access requests, it “did not provide sufficiently clear information on how the company uses this data,” adding that Spotify needs to be “more specific” in explaining its data practices and “make it easier for the individual requesting access to understand how the company uses their data.”

  • The United Kingdom’s Information Commissioner’s Office (“ICO”) has published a guide to assist employers in monitoring employees in a lawful, transparent, and fair manner compliant with data protection rules. [18]

According to research commissioned by the ICO, which found that 70% of the public consider being monitored by an employer intrusive, the Authority emphasizes that all forms of monitoring must fully comply with data protection law. The guide also includes best practice recommendations to help employers build trust with their employees and respect their privacy rights.

  • The Data Act was adopted by the European Council on November 27, 2023. [19]

The announcement states that following the official adoption by the Council, the new law will be published in the Official Journal of the EU in the coming weeks and will enter into force on the twentieth day after its publication.
The Data Act introduces new rules regarding who can access and use data produced in the EU across all economic sectors.

The purpose of the law has been outlined as follows, in summary:

  • Ensuring fairness in the allocation of value derived from data among digital actors
  • Promoting a competitive data market
  • Creating opportunities for data-driven innovation, and
  • Making data more accessible for everyone

With the relevant legislative regulation, it is anticipated that users of connected devices—ranging from smart home appliances to intelligent industrial machines—will be granted access to the data generated through the use of these devices, which is typically collected solely by manufacturers and service providers.

  • The Data Act was published in the Official Journal of the EU on 22 December 2023. [20]

The Data Act, following its publication in the Official Journal on 22 December 2023, will enter into force on 11 January 2024. While certain provisions are known to take effect at a later stage, the majority of the rules will start to apply as of 12 September 2025.

In Brief:

  • The Personal Data Protection Authority published a total of 50 data breach notifications in 2023.
  • A Cooperation and Information Sharing Protocol was signed between the Personal Data Protection Authority and the Competition Authority.
  • The “financial version” of the AI chatbot ChatGPT, named BloombergGPT, was announced. [21]
  • Microsoft officials described 2023 as a “critical turning point” for artificial intelligence. [22]
  • The Dutch national railway company NS disclosed that a data breach may have affected over 780,000 passengers. [23]
  • Norway’s data protection authority, Datatilsynet, imposed a fine of 2.5 million NOK on the U.S.-based Argon Medical Devices for failing to report a data breach that occurred in July 2021 within the 72-hour timeframe required under the GDPR. [24]
  • The European Commission has launched formal proceedings to assess whether the social media platform X has breached the Digital Services Act (DSA) in relation to risk management, content moderation, dark patterns, ad transparency, and data access for researchers. [25]

[1] For detailed information, see https://www.kvkk.gov.tr/Icerik/7546/-Taahhutname-Basvurusu-Hakkinda-Duyuru

[2] For detailed information, see https://www.kvkk.gov.tr/Icerik/7700/Taahhutname-Basvurusu-Hakkinda-Duyuru

[3] For detailed information, see https://www.kvkk.gov.tr/Icerik/7646/Kamuoyu-Duyurusu-Veri-Sorumlulari-Siciline-Kayit-Yukumlulugune-Iliskin-Istisna-Kriterinde-Degisiklik-Yapilmasi-Hakkinda-

[4] For detailed information, see https://www.kvkk.gov.tr/Icerik/7646/Kamuoyu-Duyurusu-Veri-Sorumlulari-Siciline-Kayit-Yukumlulugune-Iliskin-Istisna-Kriterinde-Degisiklik-Yapilmasi-Hakkinda-.

[5] For detailed information, see https://kvkk.gov.tr/SharedFolderServer/CMSFiles/8ba209bb-fa93-4479-84f0-dd55aac97a0f.pdf

[6] For detailed information, see https://kvkk.gov.tr/SharedFolderServer/CMSFiles/703442e0-690c-4618-91c3-83e7583170ca.pdf.

[7] For detailed information, see https://www.kvkk.gov.tr/Icerik/7740/Magazalarda-Alisveris-Sirasinda-Ilgili-Kisilere-SMS-ile-Dogrulama-Kodu-Gonderilmesi-Suretiyle-Kisisel-Verilerin-Islenmesine-Iliskin-Kamuoyu-Duyurusu

[8] For the relevant decision text of the Personal Data Protection Authority (KVKK), see https://www.kvkk.gov.tr/Icerik/7538/2023-134.

[9] For access to the relevant Directive, see (ENG) https://www.europarl.europa.eu/RegData/etudes/BRIE/2021/689333/EPRS_BRI(2021)689333_EN.pdf.

[10] For detailed information, see https://iapp.org/news/a/aepd-urges-edpb-probe-into-chatgpt/.

[11] For the news content, see https://www.bbc.com/turkce/articles/cw0971dy8rzo.

[12] For the news content, see https://iapp.org/news/a/former-tesla-employees-allege-they-circulated-videos-of-customers-captured-by-their-vehicle/.

[13] For the relevant announcement see https://iapp.org/news/a/cnil-fines-rental-scooter-company-over-geolocation-data-collection/.

[14] For detailed information, see https://www.dataguidance.com/news/denmark-datatilsynet-issues-guidance-use-cctv

[15] For detailed information, see https://ico.org.uk/media/about-the-ico/documents/4027811/cookie-banner-concerns.pdf.

[16] For detailed information, see https://www.autoriteitpersoonsgegevens.nl/actueel/ai-algoritmerisicos-nemen-toe-nationaal-deltaplan-nodig.

[17] For detailed information, see https://iapp.org/news/a/swedens-dpa-issues-sek58m-gdpr-fine-to-spotify/.

[18] For detailed information, see https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2023/10/ico-publishes-guidance-to-ensure-lawful-monitoring-in-the-workplace

[19] For detailed information, see https://www.consilium.europa.eu/en/press/press-releases/2023/11/27/data-act-council-adopts-new-law-on-fair-access-to-and-use-of-data/?utm_source=dsms-auto&utm_medium=email&utm_campaign=Data+Act%3a+Council+adopts+new+law+on+fair+access+to+and+use+of+data.

[20] For detailed information, see https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L_202302854

[21] For detailed information, see https://fintechistanbul.org/2023/04/10/yapay-zeka-sohbet-robotu-chatgptnin-finans-hali-bloomberggpt-duyuruldu/.

[22] For detailed information, see https://iapp.org/news/a/2023-a-critical-inflection-point-for-ai/.

[23] For detailed information, see https://iapp.org/news/a/marketing-firm-contracted-by-dutch-national-railway-breached-through-a-software-supplier/.

[24] For detailed information, see https://iapp.org/news/a/norwegian-dpa-fines-medical-device-company-for-breach-notification-violation/.

[25] For detailed information, see https://ec.europa.eu/commission/presscorner/detail/en/IP_23_6709.

 

In 2023, there was extensive discussion both nationally and internationally about data protection, cybersecurity, and artificial intelligence applications. Let’s take a closer look together at some of the notable developments in data protection and AI applications during that emerged in 2023.

  1. What Happened at the Personal Data Protection Authority Nationally in 2023?
  • As of December 2023, 50 data breach notifications have been published on https://www.kvkk.gov.tr/.
  • In 2022, the Personal Data Protection Board (“the Board”) published 73 new decisions.
  • Two commitment letter applications have been accepted.
  • The commitment letter application regarding the transfer of personal data abroad by the data controller Otokoç Otomotiv Ticaret ve Sanayi Anonim Şirketi was evaluated by the Board within the scope of Article 9, paragraph 2(b) of the Law No. 6698 on the Protection of Personal Data (“Law”), and permission for the said data transfer was granted by the Board on 30.03.2023. [1]
  • The commitment letter application regarding the transfer of personal data abroad by Google Reklamcılık ve Pazarlama Limited Şirketi was evaluated by the Board within the scope of Article 9, paragraph 2(b) of the Law, and permission for the said data transfer was granted by the Board on 17.08.2023. [2]

A Public Announcement Regarding the Amendment to the Exemption Criteria for the Obligation to Register with the Data Controllers’ Registry has been Published. [3]

In the announcement, it was stated that businesses in our country have grown economically, their business volume has expanded, and the threshold of 25 million TRY, which was set in 2018, has become insufficient compared to the current annual financial statement totals. Therefore, the need to update the annual financial statement threshold specified in Board Decision No. 2018/87 has arisen. As a result of the assessment, the said exemption limit has been increased from 25 million Turkish Liras to 100 million Turkish Liras.

In this context, with its decision dated 06.07.2023 and numbered 2023/1154, the Board announced that real or legal person data controllers whose annual number of employees is less than 50 and whose annual financial statement total is less than 100 million Turkish Liras, and whose main activity does not involve the processing of sensitive personal data, are exempt from the obligation to register with the Registry. [4]

The “Recommendations on Privacy in Mobile Applications” Guide has been published. [5]

The key topics highlighted in the guide are summarized as follows:

Privacy protection measures for individuals using the mobile application

  • Principles for processing location data
  • Criteria for a strong password
  • Evaluation of data processing activities within the scope of personal data protection principles, with examples
  • Processing of children’s data in mobile applications
  • Methods to ensure data security throughout these processes.
  • The “Guide on Considerations for Processing Genetic Data” has been published. [6]

The Guide includes the following:

  • It is stated that genetic data, specified as sensitive personal data, is not comprehensively defined in the legislation, with a reference made to the European Union General Data Protection Regulation (GDPR) for a definition.
  • Examples are provided regarding who can act as data controllers and data processors in the processing of genetic data.
  • The principles to be considered when processing genetic data are outlined.
  • The exceptions specified in Article 28 of the Personal Data Protection Law No. 6698 regarding the processing of genetic data are evaluated.
  • Points to consider in fulfilling the data controller’s obligation to inform are explained.
  • The technical and administrative measures necessary to ensure the security of genetic data are listed.
  • It is emphasized that processing genetic data is of critical importance for the protection of individuals, national security and the economic interests of countries, highlighting the necessity of taking certain national measures, along with recommendations and suggestions.

Public Announcement on the Processing of Personal Data by Sending Verification Codes via SMS to SMS to Data Subjects During In-Store Shopping!

The Personal Data Protection Board (“Board”) has made the following evaluations in summary:

  • During checkout operations following in-store shopping, the purpose of sending an SMS to individuals’ phones and consequences of providing the code received via SMS should be clearly and understandably communicated to data subjects by authorized store personnel as part of layered information disclosure. Additionally, SMS content must include necessary information channels to fulfill the obligation to inform.
  • The practice of combining different data processing activities, such as approving a membership agreement, obtaining consent to process personal data, or collecting consent for commercial electronic communications through a single action by sending a verification code via SMS during in-store payment, should be discontinued. Processing activities requiring explicit consent should be presented as separate options, and explicit consent should be obtained individually.
  • Furthermore, data controllers must carry out the processes of obtaining explicit consent and fulfilling the obligation to inform separately.
  • If sending a verification code via SMS is used to obtain explicit consent for sending commercial electronic messages, the explicit consent obtained must include all elements specified by law.
  • Providing explicit consent for processing personal data for the purpose of sending commercial electronic messages should not be presented as a mandatory element for completing a purchase. Otherwise, such a practice could undermine the elements of explicit consent, specifically the requirements of “being based on information and being freely given.” Therefore, such practices must comply with the law.
  • Accordingly, explicit consent for processing personal data for commercial electronic communications should be requested after the purchase is completed to prevent the perception that explicit consent for commercial electronic communication is a necessary element of the purchase. [7]

The Personal Data Protection Authority (“KVKK”) has decided to impose an administrative fine of 1,750,000 TRY on TikTok.

Following its examination of the TikTok application on internet and social media platforms, the KVKK concluded the following:

  • TikTok poses a risk regarding access to data of users belonging to sensitive age groups, and adequate measures have not been taken to identify and mitigate these risks.
  • Personal information of children under the age of 13 has been displayed, and data regarding children has been collected without proper parental consent, posing a risk of negative consequences for children who have used the application.
  • The section on Terms of Service had not been translated into Turkish at the time of obtaining consent, resulting in the content not being presented to users in an easily understandable manner and failing to fulfill the requirement of obtaining explicit consent separately from the obligation to inform.
  • çerezler kullanılarak gerçekleştirilen kişisel veri işleme faaliyetine ilişkin olarak ilgili kişilerden açık rıza alınmadığı sebepleriyle
    • idari para cezası uygulanmasına karar vermiştir[8].
    • Explicit consent had not been obtained from data subjects regarding the processing of personal data through the use of cookies.
    • For these reasons, the Board decided to impose the administrative fine [8].
    •  
  1. International
  • The European Commission has published the NIS2 Directive containing new cybersecurity rules. [9]

The Network and Information Security (“NIS”) Directive is recognized as the first legislation on cybersecurity across the European Union (“EU”), with its primary objective being to ensure a high level of common cybersecurity among Member States.

In a statement published at the beginning of 2023 by the Parliament, it was noted that although the NIS Directive has strengthened the cybersecurity capacities of Member States, the increasing threats due to digitalization and the rise in cyberattacks necessitate revising the NIS Directive. Accordingly, the NIS2 Directive was introduced to strengthen security requirements, implement stricter monitoring measures, and establish more stringent enforcement requirements, ultimately aiming to enhance the level of cybersecurity in Europe in the long term.

The NIS2 Directive highlights several notable points:

  • Medium and large-scale organizations are included within the scope of the Directive and are required to comply with the specified security rules.
  • Companies affected by incidents related to supply chain security, encryption, and vulnerability disclosure are obligated to submit an initial report within the first 24 hours and a final report within one month.
  • Companies that fail to take the measures listed in the Directive may face administrative fines of up to 10 million euros or 2% of their global turnover, whichever is higher.

As of January 16, 2023, the NIS2 Directive has entered into force, and Member States are required to transpose the measures into their national laws within a 21-month period, by October 17, 2024.

  • Twitter has updated its security policy.

The social media platform Twitter announced the launch of a “zero tolerance against verbal violence” policy, completely banning violent content, threats, glorification of violence, or incitement to violence.

Twitter stated that it would review actions before temporarily or permanently suspending an account, clarifying that it would not intervene with accounts containing satire or artistic expression. However, it also emphasized that accounts violating the rules would be suspended, and in the event of repeated violations, the account would be permanently closed.

  • Request for Investigation into ChatGPT! [10]

According to a news article published by Reuters, the Spanish data protection authority Agencia Española de Protección de Datos (“AEPD”) has officially called on the European Data Protection Board to examine the compliance of ChatGPT, owned by OpenAI, with the EU General Data Protection Regulation (“GDPR”). A spokesperson for AEPD stated that the matter was brought forward “to enable the implementation of harmonized actions within the framework of GDPR enforcement.”

The report also notes that OpenAI has launched a bug bounty program paying up to 20,000 USD for reports of security vulnerabilities in ChatGPT and its related systems.

  • ChatGPT was blocked in Italy due to violations of Personal Data Protection Rules.

According to a BBC report, the Italian data protection authority, the Garante per la protezione dei dati personali ("Garante"), temporarily blocked ChatGPT on the grounds that it breached the rules governing the collection of Italian users' data. The Garante also ordered OpenAI to suspend the processing of Italian users' data and warned that, in the absence of any mechanism to verify users' ages, children could be exposed to responses unsuitable for their stage of development and awareness.

The decision reportedly followed a data incident on 20 March 2023, in which a software bug exposed some users' conversation titles and payment details to other users. The Garante gave OpenAI 20 days to implement the requested measures, warning that failure to comply could result in fines of up to 20 million euros or 4% of the company's annual global turnover. [11]

  • Video scandal in Tesla vehicles! [12]

According to a Reuters investigation, former Tesla employees allege that "highly intrusive videos and images recorded by customers' vehicle cameras" were circulated on the company's internal messaging system. The report draws on interviews with nine former employees, who say that recordings capturing Tesla customers in embarrassing situations were shared among staff between 2019 and 2022. Although Tesla's customer privacy notice states that "camera recordings remain anonymous and are not linked to any individual or vehicle," several employees assert that Tesla's internal tooling could show where a given video had been recorded.

  • Large fine imposed by the French Data Protection Authority for the collection of geographic location data on a scooter rental company! [13]

The French Data Protection Authority ("CNIL") fined the scooter rental company Cityscoot 125,000 euros for collecting and storing the geographic location of its vehicles at a frequency and granularity that went beyond what the service required.

CNIL found that Cityscoot had breached the data minimization principle of the EU General Data Protection Regulation ("GDPR") and the obligation to put an adequate contractual framework in place with its processors, and had additionally violated the French Data Protection Act by accessing data on users' devices without informing them or obtaining their consent.

  • The Danish Data Protection Authority published a guideline on the use of CCTV cameras! [14]

On 27 June 2023, the Danish Data Protection Authority ("Datatilsynet") released guidance on the use of CCTV cameras, covering the key points companies must consider. It explains when an activity constitutes CCTV surveillance, how companies can fulfil their duty to inform the individuals being monitored, and the rules that apply to the storage and disclosure of CCTV recordings.

  • The UK Data Protection Authority (“ICO”) has issued notices to the 100 most visited websites in the United Kingdom, citing concerns that their cookie banners may not comply with the UK General Data Protection Regulation and the Privacy and Electronic Communications Regulations! [15]

The letter sent by the Information Commissioner's Office set out how the companies concerned can remedy the shortcomings, and the ICO published the notice to encourage compliance among other websites as well.

  • The Dutch Data Protection Authority, Autoriteit Persoonsgegevens (“AP”), has called for increased oversight and a comprehensive plan to manage the risks of generative artificial intelligence! [16]

The AP proposed presenting a full AI plan by 2030 to ensure more human control and to increase everyday awareness of how AI might impact lives.

  • Sweden’s data protection authority, Integritetsskyddsmyndigheten (“IMY”), imposed a fine of 58 million Swedish Krona (approximately 5.4 million Euros) on Spotify for alleged violations of transparency requirements under the EU General Data Protection Regulation (“GDPR”)! [17]

IMY found that while Spotify responded to data access requests, it “did not provide sufficiently clear information on how the company uses this data,” adding that Spotify needs to be “more specific” in explaining its data practices and “make it easier for the individual requesting access to understand how the company uses their data.”

  • The United Kingdom’s Information Commissioner’s Office (“ICO”) has published a guide to assist employers in monitoring employees in a lawful, transparent, and fair manner compliant with data protection rules. [18]

Research commissioned by the ICO found that 70% of the public consider being monitored by an employer intrusive. Against that background, the Authority stresses that any form of workplace monitoring must fully comply with data protection law. The guide also includes best-practice recommendations to help employers build trust with their employees and respect their privacy rights.

  • The Data Act was adopted by the European Council on November 27, 2023. [19]

The announcement states that, following formal adoption by the Council, the new law would be published in the Official Journal of the EU in the following weeks and would enter into force on the twentieth day after publication. The Data Act introduces new rules on who may access and use data generated in the EU, across all economic sectors.

The purpose of the law has been outlined as follows, in summary:

  • Ensuring fairness in the allocation of value derived from data among digital actors
  • Promoting a competitive data market
  • Creating opportunities for data-driven innovation, and
  • Making data more accessible for everyone

Under the new rules, users of connected devices, from smart home appliances to industrial machinery, are expected to gain access to the data generated through their use of those devices, data that has typically been collected solely by manufacturers and service providers.

  • The Data Act was published in the Official Journal of the EU on 22 December 2023. [20]

Following its publication in the Official Journal on 22 December 2023, the Data Act entered into force on 11 January 2024. Although certain provisions will take effect at a later stage, the majority of its rules will apply from 12 September 2025.

In Brief:

  • The Personal Data Protection Authority published a total of 50 data breach notifications in 2023.
  • A Cooperation and Information Sharing Protocol was signed between the Personal Data Protection Authority and the Competition Authority.
  • Bloomberg announced BloombergGPT, a large language model trained for the financial domain and described in the press as a "financial version" of the AI chatbot ChatGPT. [21]
  • Microsoft officials described 2023 as a “critical turning point” for artificial intelligence. [22]
  • The Dutch national railway company NS disclosed that a data breach, originating at a software supplier of a marketing firm NS had contracted, may have affected over 780,000 passengers. [23]
  • Norway’s data protection authority, Datatilsynet, imposed a fine of 2.5 million NOK on the U.S.-based Argon Medical Devices for failing to report a data breach that occurred in July 2021 within the 72-hour timeframe required under the GDPR. [24]
  • The European Commission has launched formal proceedings to assess whether the social media platform X has breached the Digital Services Act (DSA) in relation to risk management, content moderation, dark patterns, ad transparency, and data access for researchers. [25]

[1] For detailed information, see https://www.kvkk.gov.tr/Icerik/7546/-Taahhutname-Basvurusu-Hakkinda-Duyuru

[2] For detailed information, see https://www.kvkk.gov.tr/Icerik/7700/Taahhutname-Basvurusu-Hakkinda-Duyuru

[3] For detailed information, see https://www.kvkk.gov.tr/Icerik/7646/Kamuoyu-Duyurusu-Veri-Sorumlulari-Siciline-Kayit-Yukumlulugune-Iliskin-Istisna-Kriterinde-Degisiklik-Yapilmasi-Hakkinda-

[4] For detailed information, see https://www.kvkk.gov.tr/Icerik/7646/Kamuoyu-Duyurusu-Veri-Sorumlulari-Siciline-Kayit-Yukumlulugune-Iliskin-Istisna-Kriterinde-Degisiklik-Yapilmasi-Hakkinda-

[5] For detailed information, see https://kvkk.gov.tr/SharedFolderServer/CMSFiles/8ba209bb-fa93-4479-84f0-dd55aac97a0f.pdf

[6] For detailed information, see https://kvkk.gov.tr/SharedFolderServer/CMSFiles/703442e0-690c-4618-91c3-83e7583170ca.pdf

[7] For detailed information, see https://www.kvkk.gov.tr/Icerik/7740/Magazalarda-Alisveris-Sirasinda-Ilgili-Kisilere-SMS-ile-Dogrulama-Kodu-Gonderilmesi-Suretiyle-Kisisel-Verilerin-Islenmesine-Iliskin-Kamuoyu-Duyurusu

[8] For the relevant decision text of the Personal Data Protection Authority (KVKK), see https://www.kvkk.gov.tr/Icerik/7538/2023-134

[9] For access to the relevant Directive, see (ENG) https://www.europarl.europa.eu/RegData/etudes/BRIE/2021/689333/EPRS_BRI(2021)689333_EN.pdf

[10] For detailed information, see https://iapp.org/news/a/aepd-urges-edpb-probe-into-chatgpt/

[11] For the news content, see https://www.bbc.com/turkce/articles/cw0971dy8rzo

[12] For the news content, see https://iapp.org/news/a/former-tesla-employees-allege-they-circulated-videos-of-customers-captured-by-their-vehicle/

[13] For the relevant announcement, see https://iapp.org/news/a/cnil-fines-rental-scooter-company-over-geolocation-data-collection/

[14] For detailed information, see https://www.dataguidance.com/news/denmark-datatilsynet-issues-guidance-use-cctv

[15] For detailed information, see https://ico.org.uk/media/about-the-ico/documents/4027811/cookie-banner-concerns.pdf

[16] For detailed information, see https://www.autoriteitpersoonsgegevens.nl/actueel/ai-algoritmerisicos-nemen-toe-nationaal-deltaplan-nodig

[17] For detailed information, see https://iapp.org/news/a/swedens-dpa-issues-sek58m-gdpr-fine-to-spotify/

[18] For detailed information, see https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2023/10/ico-publishes-guidance-to-ensure-lawful-monitoring-in-the-workplace

[19] For detailed information, see https://www.consilium.europa.eu/en/press/press-releases/2023/11/27/data-act-council-adopts-new-law-on-fair-access-to-and-use-of-data/?utm_source=dsms-auto&utm_medium=email&utm_campaign=Data+Act%3a+Council+adopts+new+law+on+fair+access+to+and+use+of+data

[20] For detailed information, see https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L_202302854

[21] For detailed information, see https://fintechistanbul.org/2023/04/10/yapay-zeka-sohbet-robotu-chatgptnin-finans-hali-bloomberggpt-duyuruldu/

[22] For detailed information, see https://iapp.org/news/a/2023-a-critical-inflection-point-for-ai/

[23] For detailed information, see https://iapp.org/news/a/marketing-firm-contracted-by-dutch-national-railway-breached-through-a-software-supplier/

[24] For detailed information, see https://iapp.org/news/a/norwegian-dpa-fines-medical-device-company-for-breach-notification-violation/

[25] For detailed information, see https://ec.europa.eu/commission/presscorner/detail/en/IP_23_6709
