Research Article


DOI :10.26650/annales.2021.70.0007   IUP :10.26650/annales.2021.70.0007    Full Text (PDF)

Self-Disclosure or Burying the Evidence Dilemma: A Legal Review of the Data Breach Rules under the Turkish Personal Data Protection Law

Mehmet Bedii Kaya

Technology has penetrated every aspect of life and brought security and privacy issues to the forefront of the regulatory landscape. In such a hyper-connected world, security breaches are inevitable. Hence, general legislation in the field of protection of personal data is becoming ubiquitous. The rules are likewise being drafted to ensure the highest degree of privacy and security. The violation of security requirements can have an unprecedented and catastrophic consequence on data controllers. A security incident can compel the data controller to notify a competent data protection authority of a breach and communicate all facts to affected data subjects. Data breach notification is self-disclosure of the data controller about a personal data-related incident regardless of the intentional or negligent character of the event. The underlying aim of this obligation is to prevent or mitigate all adverse effects or damage deriving from a data breach incident. This article maps out the legal framework governing data breach notification under the European Union’s law, in particular General Data Protection Regulation and the Turkish Data Protection Law. This article maintains that strict and burdensome data breach notification rules do not serve the interest of data protection of individuals as data controllers could refrain from notification and bury the pieces of evidence. Such a notification-phobia is a major threat to the overall cybersecurity realm. The article emphasizes that there is a need for balanced rules and adequate accountability tools which would encourage data controllers to report any data breach incidents without hesitation.

DOI :10.26650/annales.2021.70.0007   IUP :10.26650/annales.2021.70.0007    Full Text (PDF)

Kendini İhbar Etme veya Delilleri Yok Etme İkilemi: Kişisel Verilerin Korunması Hukuku Bağlamında Veri İhlal Bildirimi Kurallarının Hukuki Analizi

Mehmet Bedii Kaya

Teknoloji hayatın her alanına girmiş ve güvenlik ile mahremiyeti en temel regülasyon konusu haline getirmiştir. Her şeyin birbiriyle bu denli bağlantılı olduğu bir dünyada güvenlik ihlalleri kaçınılmazdır. Bunun bir neticesi olarak da kişisel verilerin korunması alanındaki düzenlemeler yaygınlaşmaktadır. Nihayetinde amaç en üst düzeyde mahremiyet ve güvenliği sağlamaktır. Güvenlik yükümlülüklerinin ihlali veri sorumluları nezdinde benzeri görülmemiş ve yıkıcı sonuçlar doğurmaktadır. Bir güvenlik ihlali veri sorumlusunu, yetkili veri koruma otoritesine ihlali bildirmek ve aynı zamanda ihlalden etkilenen ilgili kişilere olayın detaylarıyla ilgili haber vermek zorunda bırakmaktadır. Veri ihlal bildirimi, veri sorumlusunun kasten veya ihmali olarak gerçekleşmiş kişisel verileri ilgilendiren bir olaya ilişkin kendisini ihbar etmesidir. Bu yükümlülüğün altında yatan temel amaç, bir veri ihlal olayından kaynaklanan tüm olumsuz etkileri veya zararı önlemek veya azaltmaktır. Bu makalenin amacı Avrupa Birliği’nin veri ihlal bildirimlerine ilişkin temel düzenlemelerini, bilhassa da Genel Veri Koruma Tüzüğünü ve aynı zamanda Türk Kişisel Verilerin Korunması Kanununu incelemektir. Bu makalede katı ve külfetli veri ihlal bildirimi kurallarının veri sorumlularını bildirim yapmaktan imtina edip delilleri yok etmeye ittiği; bu sebeple de bu tür katı düzenlemelerin kişisel verilerinin korunmasına aslında hizmet etmediği tartışılmaktadır. Veri ihlal bildirimi yapma çekincesi genel anlamda siber güvenliğe yönelik önemli bir tehdittir. Bu makale kapsamında veri sorumlularının herhangi bir veri ihlal olayını tereddüt etmeden bildirmesini teşvik edecek dengeli düzenlemelere ve uygun hesap verebilirlik araçlarına ihtiyaç olduğu vurgulanmaktadır.


PDF View

References

  • Article 29 Data Protection Working Party, ‘Guidelines on Personal data breach notification under Regulation 2016/679 (Adopted on 3 October 2017 As last Revised and Adopted on 6 February2018)’ https://ec.europa.eu/newsroom/article29/document.cfm?action=display&doc_ id=49827 google scholar
  • Article 29 Data Protection Working Party, ‘Guidelines on the application and setting of administrative fines for the purposes of the Regulation 2016/679 Adopted on 3 October 2017’ http://ec.europa.eu/newsroom/just/document.cfm?doc_id=47889 google scholar
  • Burdon M, Lane B and Von Nessen P, ‘Data breach notification law in the EU and Australia e Where to now?’ (2012) 28 Computer Law & Security Review. google scholar
  • Council of Europe, ‘Explanatory Report to the Protocol amending the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data’ https://rm.coe.int/cets-223-explanatory-report-to-the-protocol-amending-the-convention-fo/16808ac91a google scholar
  • Çekin, M S, Avrupa Birliği Hukukuyla Mukayeseli Olarak 6698 sayılı Kişisel Verilerin Korunması Kanunu (On İki Levha 2018). google scholar
  • Determann L, Determann’s Field Guide to Data Privacy Law (Fourth Edition) (Edward Elgar 2020). google scholar
  • DiGrazia K, ‘Cyber Insurance, Data Security, and Blockchain in the Wake of the Equifax Breach’ (2018) 13 Journal of Business & Technology Law 225. google scholar
  • Dülger, M V, Kişisel Verilerin Korunması Hukuku 2. Baskı (Hukuk Akademisi 2019). google scholar
  • EBA, ‘Guidelines on major incident reporting under Directive (EU) 2015/2366 (PSD2) EBA/ GL/2017/10, 27.07.2017’. https://www.eba.europa.eu/regulation-and-policy/payment-services-and-electronic-money/guidelines-on-major-incidents-reporting-under-psd2 google scholar
  • EDPB ‘Guidelines on Examples regarding Data Breach Notification Adopted on 14 January 2021 Version 1.0’ https://edpb.europa.eu/sites/edpb/files/consultation/edpb_guidelines_202101_ databreachnotificationexamples_v1_en.pdf google scholar
  • ENISA, ‘Guidelines for Securing the Internet of Things’ (November 2020) https://www.enisa. europa.eu/publications/guidelines-for-securing-the-internet-of-things google scholar
  • ENISA, ‘Incentives and barriers of the cyber insurance market in Europe’ https://www.enisa. europa.eu/publications/incentives-and-barriers-of-the-cyber-insurance-market-in-europe/at_ download/fullReport google scholar
  • Gogolin G, Digital Forensics Explained (Second Edition) (CRC Press 2021). google scholar
  • Gorecki A, Cyber Breach Response That Actually Works (Wiley 2020). google scholar
  • Henkoğlu T, Adli Bilişim - Dijital Delillerin Elde Edilmesi ve Analizi (Pusula 2014). google scholar
  • Herrmann D and Pridöhl H, ‘Basic Concepts and Models of Cybersecurity’ in Christen M, Gordijn B and Loi M (eds), The Ethics of Cybersecurity (Springer 2020). google scholar
  • Hert P and Papakonstantinou V, ‘The Council of Europe Data Protection Convention reform: Analysis of the new text and critical comment on its global ambition’ (2014) 30 Computer Law & Security Review 633. google scholar
  • Karayazgan A, Hukuki Yönüyle Siber Riskin Sigorta ve Reasüransı (Legal 2020). google scholar
  • Lambert P B, Understanding the New European Data Protection Rules (CRC Press - Taylor & Francis 2018). google scholar
  • Mantelero A, Vaciago G, Esposito M S, Monte N, ‘The common EU approach to personal data and cybersecurity regulation’ (2021) 1 International Journal of Law and Information Technology 1. google scholar
  • Middleton K and Kazamia M, ‘Cyber Insurance: Underwriting, Scope of Cover, Benefits and Concerns’ in Marano P, Rokas I and Kochenburger P (eds), The “Dematerialized” Insurance -Distance Selling and Cyber Risks from an International Perspective (Springer 2016). google scholar
  • Nicoletti B, Insurance 4.0: Benefits and Challenges of Digital Transformation (Palgrave Macmillan 2021). google scholar
  • Porcedda M G, ‘Patching the patchwork: appraising the EU regulatory framework on cyber security breaches’ (2018) 34 Computer Law & Security Review 1077. google scholar
  • Sharma S, Data Privacy and GDPR Handbook (Wiley 2020). google scholar
  • Wang FF, Internet Jurisdiction and Choice of Law: Legal Practices in the EU, US and China (Cambridge University Press 2010). google scholar

Citations

Copy and paste a formatted citation or use one of the options to export in your chosen format


EXPORT



APA

Kaya, M.B. (2021). Self-Disclosure or Burying the Evidence Dilemma: A Legal Review of the Data Breach Rules under the Turkish Personal Data Protection Law. Annales de la Faculté de Droit d’Istanbul, 0(70), 195-241. https://doi.org/10.26650/annales.2021.70.0007


AMA

Kaya M B. Self-Disclosure or Burying the Evidence Dilemma: A Legal Review of the Data Breach Rules under the Turkish Personal Data Protection Law. Annales de la Faculté de Droit d’Istanbul. 2021;0(70):195-241. https://doi.org/10.26650/annales.2021.70.0007


ABNT

Kaya, M.B. Self-Disclosure or Burying the Evidence Dilemma: A Legal Review of the Data Breach Rules under the Turkish Personal Data Protection Law. Annales de la Faculté de Droit d’Istanbul, [Publisher Location], v. 0, n. 70, p. 195-241, 2021.


Chicago: Author-Date Style

Kaya, Mehmet Bedii,. 2021. “Self-Disclosure or Burying the Evidence Dilemma: A Legal Review of the Data Breach Rules under the Turkish Personal Data Protection Law.” Annales de la Faculté de Droit d’Istanbul 0, no. 70: 195-241. https://doi.org/10.26650/annales.2021.70.0007


Chicago: Humanities Style

Kaya, Mehmet Bedii,. Self-Disclosure or Burying the Evidence Dilemma: A Legal Review of the Data Breach Rules under the Turkish Personal Data Protection Law.” Annales de la Faculté de Droit d’Istanbul 0, no. 70 (Dec. 2023): 195-241. https://doi.org/10.26650/annales.2021.70.0007


Harvard: Australian Style

Kaya, MB 2021, 'Self-Disclosure or Burying the Evidence Dilemma: A Legal Review of the Data Breach Rules under the Turkish Personal Data Protection Law', Annales de la Faculté de Droit d’Istanbul, vol. 0, no. 70, pp. 195-241, viewed 5 Dec. 2023, https://doi.org/10.26650/annales.2021.70.0007


Harvard: Author-Date Style

Kaya, M.B. (2021) ‘Self-Disclosure or Burying the Evidence Dilemma: A Legal Review of the Data Breach Rules under the Turkish Personal Data Protection Law’, Annales de la Faculté de Droit d’Istanbul, 0(70), pp. 195-241. https://doi.org/10.26650/annales.2021.70.0007 (5 Dec. 2023).


MLA

Kaya, Mehmet Bedii,. Self-Disclosure or Burying the Evidence Dilemma: A Legal Review of the Data Breach Rules under the Turkish Personal Data Protection Law.” Annales de la Faculté de Droit d’Istanbul, vol. 0, no. 70, 2021, pp. 195-241. [Database Container], https://doi.org/10.26650/annales.2021.70.0007


Vancouver

Kaya MB. Self-Disclosure or Burying the Evidence Dilemma: A Legal Review of the Data Breach Rules under the Turkish Personal Data Protection Law. Annales de la Faculté de Droit d’Istanbul [Internet]. 5 Dec. 2023 [cited 5 Dec. 2023];0(70):195-241. Available from: https://doi.org/10.26650/annales.2021.70.0007 doi: 10.26650/annales.2021.70.0007


ISNAD

Kaya, MehmetBedii. Self-Disclosure or Burying the Evidence Dilemma: A Legal Review of the Data Breach Rules under the Turkish Personal Data Protection Law”. Annales de la Faculté de Droit d’Istanbul 0/70 (Dec. 2023): 195-241. https://doi.org/10.26650/annales.2021.70.0007



TIMELINE


Submitted07.04.2021
Accepted27.08.2021
Published Online01.09.2021

LICENCE


Attribution-NonCommercial (CC BY-NC)

This license lets others remix, tweak, and build upon your work non-commercially, and although their new works must also acknowledge you and be non-commercial, they don’t have to license their derivative works on the same terms.


SHARE




Istanbul University Press aims to contribute to the dissemination of ever growing scientific knowledge through publication of high quality scientific journals and books in accordance with the international publishing standards and ethics. Istanbul University Press follows an open access, non-commercial, scholarly publishing.