Self-Disclosure or Burying the Evidence Dilemma: A Legal Review of  the Data Breach Rules under the Turkish Personal Data Protection Law

Kaya Mehmet

doi:https://dx.doi.org/10.26650/annales.2021.70.0007

Research Article

DOI :10.26650/annales.2021.70.0007 IUP :10.26650/annales.2021.70.0007 Full Text (PDF)

Self-Disclosure or Burying the Evidence Dilemma: A Legal Review of the Data Breach Rules under the Turkish Personal Data Protection Law

Technology has penetrated every aspect of life and brought security and privacy issues to the forefront of the regulatory landscape. In such a hyper-connected world, security breaches are inevitable. Hence, general legislation in the field of protection of personal data is becoming ubiquitous. The rules are likewise being drafted to ensure the highest degree of privacy and security. The violation of security requirements can have an unprecedented and catastrophic consequence on data controllers. A security incident can compel the data controller to notify a competent data protection authority of a breach and communicate all facts to affected data subjects. Data breach notification is self-disclosure of the data controller about a personal data-related incident regardless of the intentional or negligent character of the event. The underlying aim of this obligation is to prevent or mitigate all adverse effects or damage deriving from a data breach incident. This article maps out the legal framework governing data breach notification under the European Union’s law, in particular General Data Protection Regulation and the Turkish Data Protection Law. This article maintains that strict and burdensome data breach notification rules do not serve the interest of data protection of individuals as data controllers could refrain from notification and bury the pieces of evidence. Such a notification-phobia is a major threat to the overall cybersecurity realm. The article emphasizes that there is a need for balanced rules and adequate accountability tools which would encourage data controllers to report any data breach incidents without hesitation.

Keywords: Breach, Notification, Data Protection, Privacy, Cybersecurity

DOI :10.26650/annales.2021.70.0007 IUP :10.26650/annales.2021.70.0007 Full Text (PDF)

Kendini İhbar Etme veya Delilleri Yok Etme İkilemi: Kişisel Verilerin Korunması Hukuku Bağlamında Veri İhlal Bildirimi Kurallarının Hukuki Analizi

Mehmet Bedii Kaya

Teknoloji hayatın her alanına girmiş ve güvenlik ile mahremiyeti en temel regülasyon konusu haline getirmiştir. Her şeyin birbiriyle bu denli bağlantılı olduğu bir dünyada güvenlik ihlalleri kaçınılmazdır. Bunun bir neticesi olarak da kişisel verilerin korunması alanındaki düzenlemeler yaygınlaşmaktadır. Nihayetinde amaç en üst düzeyde mahremiyet ve güvenliği sağlamaktır. Güvenlik yükümlülüklerinin ihlali veri sorumluları nezdinde benzeri görülmemiş ve yıkıcı sonuçlar doğurmaktadır. Bir güvenlik ihlali veri sorumlusunu, yetkili veri koruma otoritesine ihlali bildirmek ve aynı zamanda ihlalden etkilenen ilgili kişilere olayın detaylarıyla ilgili haber vermek zorunda bırakmaktadır. Veri ihlal bildirimi, veri sorumlusunun kasten veya ihmali olarak gerçekleşmiş kişisel verileri ilgilendiren bir olaya ilişkin kendisini ihbar etmesidir. Bu yükümlülüğün altında yatan temel amaç, bir veri ihlal olayından kaynaklanan tüm olumsuz etkileri veya zararı önlemek veya azaltmaktır. Bu makalenin amacı Avrupa Birliği’nin veri ihlal bildirimlerine ilişkin temel düzenlemelerini, bilhassa da Genel Veri Koruma Tüzüğünü ve aynı zamanda Türk Kişisel Verilerin Korunması Kanununu incelemektir. Bu makalede katı ve külfetli veri ihlal bildirimi kurallarının veri sorumlularını bildirim yapmaktan imtina edip delilleri yok etmeye ittiği; bu sebeple de bu tür katı düzenlemelerin kişisel verilerinin korunmasına aslında hizmet etmediği tartışılmaktadır. Veri ihlal bildirimi yapma çekincesi genel anlamda siber güvenliğe yönelik önemli bir tehdittir. Bu makale kapsamında veri sorumlularının herhangi bir veri ihlal olayını tereddüt etmeden bildirmesini teşvik edecek dengeli düzenlemelere ve uygun hesap verebilirlik araçlarına ihtiyaç olduğu vurgulanmaktadır.

Keywords: İhlal, Bildirim, Veri Koruma, Mahremiyet, Siber Güvenlik

References

Article 29 Data Protection Working Party, ‘Guidelines on Personal data breach notification under Regulation 2016/679 (Adopted on 3 October 2017 As last Revised and Adopted on 6 February2018)’ https://ec.europa.eu/newsroom/article29/document.cfm?action=display&doc_ id=49827 google scholar
Article 29 Data Protection Working Party, ‘Guidelines on the application and setting of administrative fines for the purposes of the Regulation 2016/679 Adopted on 3 October 2017’ http://ec.europa.eu/newsroom/just/document.cfm?doc_id=47889 google scholar
Burdon M, Lane B and Von Nessen P, ‘Data breach notification law in the EU and Australia e Where to now?’ (2012) 28 Computer Law & Security Review. google scholar
Council of Europe, ‘Explanatory Report to the Protocol amending the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data’ https://rm.coe.int/cets-223-explanatory-report-to-the-protocol-amending-the-convention-fo/16808ac91a google scholar
Çekin, M S, Avrupa Birliği Hukukuyla Mukayeseli Olarak 6698 sayılı Kişisel Verilerin Korunması Kanunu (On İki Levha 2018). google scholar
Determann L, Determann’s Field Guide to Data Privacy Law (Fourth Edition) (Edward Elgar 2020). google scholar
DiGrazia K, ‘Cyber Insurance, Data Security, and Blockchain in the Wake of the Equifax Breach’ (2018) 13 Journal of Business & Technology Law 225. google scholar
Dülger, M V, Kişisel Verilerin Korunması Hukuku 2. Baskı (Hukuk Akademisi 2019). google scholar
EBA, ‘Guidelines on major incident reporting under Directive (EU) 2015/2366 (PSD2) EBA/ GL/2017/10, 27.07.2017’. https://www.eba.europa.eu/regulation-and-policy/payment-services-and-electronic-money/guidelines-on-major-incidents-reporting-under-psd2 google scholar
EDPB ‘Guidelines on Examples regarding Data Breach Notification Adopted on 14 January 2021 Version 1.0’ https://edpb.europa.eu/sites/edpb/files/consultation/edpb_guidelines_202101_ databreachnotificationexamples_v1_en.pdf google scholar
ENISA, ‘Guidelines for Securing the Internet of Things’ (November 2020) https://www.enisa. europa.eu/publications/guidelines-for-securing-the-internet-of-things google scholar
ENISA, ‘Incentives and barriers of the cyber insurance market in Europe’ https://www.enisa. europa.eu/publications/incentives-and-barriers-of-the-cyber-insurance-market-in-europe/at_ download/fullReport google scholar
Gogolin G, Digital Forensics Explained (Second Edition) (CRC Press 2021). google scholar
Gorecki A, Cyber Breach Response That Actually Works (Wiley 2020). google scholar
Henkoğlu T, Adli Bilişim - Dijital Delillerin Elde Edilmesi ve Analizi (Pusula 2014). google scholar
Herrmann D and Pridöhl H, ‘Basic Concepts and Models of Cybersecurity’ in Christen M, Gordijn B and Loi M (eds), The Ethics of Cybersecurity (Springer 2020). google scholar
Hert P and Papakonstantinou V, ‘The Council of Europe Data Protection Convention reform: Analysis of the new text and critical comment on its global ambition’ (2014) 30 Computer Law & Security Review 633. google scholar
Karayazgan A, Hukuki Yönüyle Siber Riskin Sigorta ve Reasüransı (Legal 2020). google scholar
Lambert P B, Understanding the New European Data Protection Rules (CRC Press - Taylor & Francis 2018). google scholar
Mantelero A, Vaciago G, Esposito M S, Monte N, ‘The common EU approach to personal data and cybersecurity regulation’ (2021) 1 International Journal of Law and Information Technology 1. google scholar
Middleton K and Kazamia M, ‘Cyber Insurance: Underwriting, Scope of Cover, Benefits and Concerns’ in Marano P, Rokas I and Kochenburger P (eds), The “Dematerialized” Insurance -Distance Selling and Cyber Risks from an International Perspective (Springer 2016). google scholar
Nicoletti B, Insurance 4.0: Benefits and Challenges of Digital Transformation (Palgrave Macmillan 2021). google scholar
Porcedda M G, ‘Patching the patchwork: appraising the EU regulatory framework on cyber security breaches’ (2018) 34 Computer Law & Security Review 1077. google scholar
Sharma S, Data Privacy and GDPR Handbook (Wiley 2020). google scholar
Wang FF, Internet Jurisdiction and Choice of Law: Legal Practices in the EU, US and China (Cambridge University Press 2010). google scholar

Citations

Copy and paste a formatted citation or use one of the options to export in your chosen format

EXPORT

APA

Kaya, M.B. (2021). Self-Disclosure or Burying the Evidence Dilemma: A Legal Review of the Data Breach Rules under the Turkish Personal Data Protection Law. Annales de la Faculté de Droit d’Istanbul, 0(70), 195-241. https://doi.org/10.26650/annales.2021.70.0007

AMA

Kaya M B. Self-Disclosure or Burying the Evidence Dilemma: A Legal Review of the Data Breach Rules under the Turkish Personal Data Protection Law. Annales de la Faculté de Droit d’Istanbul. 2021;0(70):195-241. https://doi.org/10.26650/annales.2021.70.0007

ABNT

Kaya, M.B. Self-Disclosure or Burying the Evidence Dilemma: A Legal Review of the Data Breach Rules under the Turkish Personal Data Protection Law. Annales de la Faculté de Droit d’Istanbul, [Publisher Location], v. 0, n. 70, p. 195-241, 2021.

Chicago: Author-Date Style

Kaya, Mehmet Bedii,. 2021. “Self-Disclosure or Burying the Evidence Dilemma: A Legal Review of the Data Breach Rules under the Turkish Personal Data Protection Law.” Annales de la Faculté de Droit d’Istanbul 0, no. 70: 195-241. https://doi.org/10.26650/annales.2021.70.0007

Chicago: Humanities Style

Kaya, Mehmet Bedii,. “Self-Disclosure or Burying the Evidence Dilemma: A Legal Review of the Data Breach Rules under the Turkish Personal Data Protection Law.” Annales de la Faculté de Droit d’Istanbul 0, no. 70 (Jun. 2023): 195-241. https://doi.org/10.26650/annales.2021.70.0007

Harvard: Australian Style

Kaya, MB 2021, 'Self-Disclosure or Burying the Evidence Dilemma: A Legal Review of the Data Breach Rules under the Turkish Personal Data Protection Law', Annales de la Faculté de Droit d’Istanbul, vol. 0, no. 70, pp. 195-241, viewed 5 Jun. 2023, https://doi.org/10.26650/annales.2021.70.0007

Harvard: Author-Date Style

Kaya, M.B. (2021) ‘Self-Disclosure or Burying the Evidence Dilemma: A Legal Review of the Data Breach Rules under the Turkish Personal Data Protection Law’, Annales de la Faculté de Droit d’Istanbul, 0(70), pp. 195-241. https://doi.org/10.26650/annales.2021.70.0007 (5 Jun. 2023).

MLA

Kaya, Mehmet Bedii,. “Self-Disclosure or Burying the Evidence Dilemma: A Legal Review of the Data Breach Rules under the Turkish Personal Data Protection Law.” Annales de la Faculté de Droit d’Istanbul, vol. 0, no. 70, 2021, pp. 195-241. [Database Container], https://doi.org/10.26650/annales.2021.70.0007

Vancouver

Kaya MB. Self-Disclosure or Burying the Evidence Dilemma: A Legal Review of the Data Breach Rules under the Turkish Personal Data Protection Law. Annales de la Faculté de Droit d’Istanbul [Internet]. 5 Jun. 2023 [cited 5 Jun. 2023];0(70):195-241. Available from: https://doi.org/10.26650/annales.2021.70.0007 doi: 10.26650/annales.2021.70.0007

ISNAD

Kaya, MehmetBedii. “Self-Disclosure or Burying the Evidence Dilemma: A Legal Review of the Data Breach Rules under the Turkish Personal Data Protection Law”. Annales de la Faculté de Droit d’Istanbul 0/70 (Jun. 2023): 195-241. https://doi.org/10.26650/annales.2021.70.0007

Issue 702021, P. 195-241

TIMELINE

Submitted	07.04.2021
Accepted	27.08.2021
Published Online	01.09.2021

LICENCE

Attribution-NonCommercial (CC BY-NC)

This license lets others remix, tweak, and build upon your work non-commercially, and although their new works must also acknowledge you and be non-commercial, they don’t have to license their derivative works on the same terms.

Annales de la Faculté de Droit d’Istanbul