What’s Happening in the World?

While the field of Data Protection is developing at an accelerating pace in our country, worldwide innovations continue to remain on the radar of the Personal Data Protection Authority (“Authority”).

As the examples we have repeatedly encountered show, the Authority keeps up with the world agenda, especially the European General Data Protection Regulation (“GDPR”), and tries to keep pace with the requirements of the fast-moving data privacy world.

As GRC Legal Law Firm, we closely follow the world agenda and present a selection of the current developments for your information with this content.

Amazon x CNIL

The State Council upheld the decision of the French Data Protection Authority (“CNIL”) regarding Amazon’s unlawfulness in cookie processing. In this context, Amazon will have to pay a fine of 35 Million Euros. Amazon had previously appealed the decision of the CNIL to the State Council, which agreed with the decision of the competent authority CNIL on 27 June 2022.

While this development is a major hurdle for Amazon, it is an indirect victory for internet users. The biggest justification for the infringement decision is that Amazon, which processes data with small files placed on the computers of internet users and creates a big-data-scale data set in the background, does not obtain consent from its users at points that require consent.

So much so that the infringing practice is noticed when internet users visit amazon.fr after clicking on an advertisement published on another website. Cookies were secretly processed without any verification from internet users until the intervention of data protection authorities, but consent for such cookies, which are not mandatory, is a must today.

When announcing its sanction against Amazon in December 2020, the CNIL emphasised that the information provided in the site’s information banner was not complete and clear. It was stated that general and approximate definitions and purposes of all cookies were included and that there were no details such as the role they serve and the right to refuse. At the end of 1.5 years, the highest court of the French administrative system rejected Amazon’s request by approving CNIL’s fine of 35 Million Euros.

In this sense, Amazon is a marketplace with a criminal record all over the world and was sanctioned by the Authority with an administrative fine totalling 1.2M in its Decision dated 27/02/2020 and numbered 2020/173.

United Kingdom x Cookie Panel

The UK is planning to scrap cookie checkboxes, but a privacy campaign group has warned that the proposals to remove them will make it easier to spy on internet users. According to the plan, the government aims to establish an opt-out mechanism, but requires clear information about opt-out to be provided to the user on the website.

The Open Rights Group, which campaigns for privacy and freedom of expression on online platforms, emphasises that the proposal would make spying on people’s activities the “default option”. In a statement outlining the intended use of cookies and highlighting the potential risks associated with the proposal, the group also said that while cookie panels can be annoying, there are important reasons for someone to seek consent before creating detailed data files about you.

The regulations in question are also functional in nature, proposing to change the governance structure of the UK’s independent data watchdog as an output of the digital reform bill announced in the Queen’s speech last month.

Today, while the Cookie Guide is the most up-to-date publication of the Personal Data Protection Authority in Turkey, the fact that the same issues are being discussed in the UK is a sign that the digital sphere is developing not only for us but also worldwide and that it has risen in importance. In line with the concerns raised in the UK, the Cookie Guide also addresses the issue that it is not correct to regulate the use of cookies as the default option.

TikTok x USA

According to the news dated 21 June 2022, TikTok announced that it would start sending the data of US citizen users to Oracle’s US servers. Hours after the announcement, it was claimed that TikTok’s employees in China repeatedly accessed the data of US users. This claim is based on more than 80 hours of leaked calls dubbed the “TikTok Tapes”.

According to the news, engineers in China were able to access US user data between September 2021 and January 2022. Another claim in the news covered in the international news channel BuzzFeed is that during a meeting in September 2021, it was stated that “everything was seen in China” and that US employees turned to their colleagues in China and sought answers about how US user data was leaked.

In August 2020, US President Trump threatened the Chinese company that owns TikTok, saying that if it did not sell the application to a US company, he would block its use nationwide. In his statement, Trump claimed that there was credible evidence that it undermined US national security. While there is no evidence that TikTok or its owner, ByteDance, uses data differently than any other US-based technology company, the difference with apps like Facebook or Snapchat is that the company is based in the People’s Republic of China.

Although the ban never came, TikTok accepted an offer from US tech giant Oracle for parts of its operation, and months later, current US President Biden reversed the decision on the ban but continued the commercial investigation.

TikTok eventually moved forward with the Oracle deal and has repeatedly tried to deflect data security concerns by guaranteeing that user data is stored in the US. While moving servers to the United States was a logical step to separate the US and Chinese branches, in the eyes of the US government, TikTok is perceived as a breakthrough to enter America’s big tech sector.

As stakeholders of the data security world, we are at a point where we are aware, thanks to the Cambridge Analytica Scandal, that the information obtained on social platforms has the power to influence election results if it is misused, although America’s concerns in the “national security” dimension could have been perceived as utopian a few years ago.

OpenSea x Customer.io

OpenSea, the world’s largest NFT marketplace by trade volume, suffered a data breach after an employee at Customer.io, the platform’s email distribution partner, leaked user data. In a statement warning its customers against possible phishing attacks, OpenSea stated that a staff member at Customer.io, a contracted email reseller, abused his authorisation to download and share incoming emails.

According to OpenSea, anyone who has shared their email address with OpenSea in any way in the past is at great risk, and according to the data collected, the number of people affected by the breach is known to be more than 1.8 million. OpenSea also added that it is assisting Customer.io in the ongoing investigation and has reported the situation to law enforcement officials.

With this e-mail breach, the privacy of millions of users has been violated. Users started to receive a large number of unexpected emails and their mailboxes started to be filled with spam. OpenSea emphasised that precautions should be taken, such as not clicking on emails that look like their own but are sent from different domains. Although OpenSea says that for now it does not appear that any passwords or other personal information has been stolen, it should be considered as a possibility that personal information, digital identities and other private data may have been compromised by the email breach.

In this respect, it can be said that in the later stages of the investigation, OpenSea and Customer.io may face data breach charges and some sanctions under the GDPR and the Electronic Communications Privacy Act.

Data protection law and its basic principles, which are being applied with increasing uniformity worldwide, follow a route in our country that keeps pace with the course of the era, both through the closely followed GDPR effect and through local regulations. At the destination of this route, there will be a reconciliation system expressed as “merchantability” in which the data subjects themselves determine the value of their personal data. When that day comes, both the regulators and the regulation creation process will be designed to work in a truly bilateral manner.