Research Article


DOI: 10.26650/mecmua.2020.78.4.0005   IUP: 10.26650/mecmua.2020.78.4.0005

The New Paradigm of Data Protection Law: The Principle of Accountability

Mehmet Bedii Kaya

The inadequacy of classical data protection approaches has been exposed by the evolving nature of cyber risks, the tremendous increase in personal data processing through analytics and artificial intelligence technologies, the diversification of data processing and storage environments and the proliferation of sectoral regulations. The principle of accountability is proposed as the most efficacious solution to tackle new emerging risks and challenges in the changing landscape of data protection and privacy contexts. The principle of accountability is a paradigm shift in data protection which has a conceptual breadth and magnitude that goes far beyond mere compliance. It requires data controllers to implement appropriate and effective measures to comply with the principles and obligations set out under data protection regulations and to further demonstrate this compliance on request. This is a process of proving that the protection of personal data is an essential value that is constantly observed, effectively applied, and regularly audited by data controllers. This article aims to provide a thorough analysis of the principle of accountability in the context of data protection law by adopting a comparative approach. The article aims to scrutinise the scope and underpinnings of the principle, identify its relationship with other data protection principles, and discuss the normative effects such a principle has on data controllers and data processors.


The New Paradigm in the Protection of Personal Data: The Principle of Accountability

Mehmet Bedii Kaya

The changing nature of cyber risks, the spread of personal data processing through analytics and artificial intelligence applications, the diversification of data processing and storage environments, and the increase in sectoral regulations have rendered classical data protection approaches inadequate. In this context, the principle of accountability has emerged as an effective solution to the new risks and problems arising in the changing landscape of data protection and privacy. The principle of accountability is a paradigm shift that goes beyond mere regulatory compliance and has conceptual depth. This principle requires data controllers to take appropriate and effective measures to comply with data protection regulations and to prove this on request. In other words, the principle of accountability is the process of proving that the protection of personal data is a value that is constantly observed, effectively applied, and regularly audited within a data controller. The aim of this article is to examine the principle of accountability comparatively in the context of data protection law. The study aims to examine the basis and scope of the principle of accountability, to identify its relationship with other data protection principles, and to set out the normative effect of the principle on data controllers and data processors.


EXTENDED ABSTRACT


The possibilities for the use of personal data have increased tremendously as a result of a wide range of data analytics tools, the Internet of Things (IoT), artificial intelligence technologies and other similar methods. As highlighted by the Article 29 Working Party, the amount of personal data that exists, is processed and is further transferred continues to grow; the ever-increasing amount of personal information is accompanied by an increase in its value in social, political and economic terms; and breaches of personal information may have significant negative effects for data controllers in public and private sectors. The proliferation of national, regional, and international regulations for better protection of personal data and privacy has impacted business operations, government administrations and the personal activities of individuals. The inadequacy of classical data protection approaches has been exposed by the evolving nature of cyber risks, the tremendous increase of personal data processing through analytics and artificial intelligence technologies, the diversification of data processing and storage environments and the proliferation of sectoral regulations. The principle of accountability is proposed as the most efficacious solution to tackle new emerging risks and challenges in the changing landscape of data protection and privacy contexts.

Accountability is a principle that exists in different national and international regulations, and its importance is increasing over time. For instance, the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, the pioneer instrument that addresses new and elevated privacy risks, prescribes the principle of accountability alongside other major data protection principles, such as the collection limitation, data quality, purpose specification, use limitation, security safeguards, openness and individual participation principles. The OECD identified accountability as a key concept and underlined that a data controller should be held accountable for complying with measures which give effect to these principles. While Convention 108 (Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data) did not explicitly include the principle of accountability, it is argued that the modernised Convention 108, also called Convention 108+, is based on the accountability principle. The modernised Convention imposes broader obligations on those who process data or have data processed on their behalf. Accordingly, accountability becomes an integral part of the protective scheme, with an obligation on controllers to be able to demonstrate compliance with the data protection rules.

The Article 29 Working Party has underlined that there is an increasing need and interest in ensuring that data controllers take effective measures to deliver real data protection. The Article 29 Working Party’s discussions on the legal architecture of accountability-based systems have paid off. The principle of accountability is currently articulated under Article 5(2) of the General Data Protection Regulation (“GDPR”). The GDPR lays down six distinct data protection principles and requires controllers to be responsible for and be able to demonstrate compliance with these principles. This compliance requirement is briefly referred to as ‘accountability’. Turkish Data Protection Law does not mention accountability among its principles, which is not surprising as Turkish Data Protection Law is modelled after Directive 95/46/EC. However, in the long term, accountability is expected to be included among other core data protection principles since the Turkish government, under the latest development plan, announced its intention to reform Data Protection Law in accordance with the GDPR.

The principle of accountability is a paradigm shift in data protection which has a conceptual breadth and magnitude that goes far beyond mere compliance. It requires data controllers to implement appropriate and effective measures to comply with the principles and obligations set out under data protection regulations and to further demonstrate this compliance on request. It is the process of proving that the protection of personal data is an essential value that is constantly observed, effectively applied, and regularly audited by data controllers. The principle of accountability imposes an increased duty of care on the data controller and calls on the data controller to act prudently according to changing risks. This principle is directly interlinked with other core data protection principles and creates a special liability regime. It could even be said that the principle encapsulates parts from all the data protection principles. According to the Article 29 Working Party, common accountability measures may include the following non-exhaustive list: establishment of internal procedures; creation of written and binding data protection policies; maintenance of an inventory of data processing operations; appointment of a data protection officer; offering adequate data protection, training and education; implementing procedures to manage access, correction and deletion requests; establishment of an internal complaints handling mechanism; setting up internal procedures for the effective management and reporting of security breaches; performance of privacy impact assessments; and implementation and supervision of verification procedures. It is important to note that a data controller can determine the level of accountability that is desired to be achieved, which depends on the legal and institutional framework to which the controller is subject.

This article aims to provide a thorough analysis of the principle of accountability in the context of data protection law by adopting a comparative approach. The article aims to scrutinise the scope and underpinnings of the principle, identify its relationship with other data protection principles, and further discuss the normative effects such a principle has on data controllers and data processors. In the context of this analysis, the article will attempt to shed light on how to demonstrate compliance with requirements set out under data protection laws/regulations in a practical way.



Citations




APA

Kaya, M.B. (2020). The New Paradigm of Data Protection Law: The Principle of Accountability. Istanbul Law Review, 78(4), 1859-1897. https://doi.org/10.26650/mecmua.2020.78.4.0005





TIMELINE


Submitted: 06.09.2020
Accepted: 09.01.2021
Published Online: 16.02.2021

LICENCE


Attribution-NonCommercial (CC BY-NC)

This license lets others remix, tweak, and build upon your work non-commercially, and although their new works must also acknowledge you and be non-commercial, they don’t have to license their derivative works on the same terms.

