INmagazine Sayı 11 - Page 50

ARTICLE 48 Unlike the GDPR, TDPL does not provide any groundwork as to how the rights of the individual will be protected against the rights of the media and vice versa. Paragraph 3 of Article 7 (TDPL), has declared that the methods and scope of how the right to be forgotten is going to be implemented will be utilised with upcoming regulations. As soon as these regulations are published, the incorporation and applicability of the right will be much clearer. Right now, there are several loopholes and unanswered questions about the extent of Article 7, regarding freedom of expression and other fundamental rights. In the preamble of the law, Article 7 suggests numerous ways in which the personal data no longer needed for the precise purpose in which it was obtained for can be physically destroyed. This right is also available for data subjects whose personal data have been unlawfully acquired. Furthermore, the preamble specifies that the personal data which qualifies for erasure under Article 7, should be destroyed to render it impossible for retrieval. The data should be completely destroyed regardless of what source it has been stored on. Whether it’s a CD, hard drive, document or hard copy doesn’t make a difference. Making the personal data anonymous requires that the data should in no way be associated with the data subject. Therefore, although the personal data information may still be present as a statistic, it should not be connected to an identity and consequently should not be traceable. The TDPL has not established a set of new penalties for violations arising from personal data processing but instead has referred to the Turkish Criminal Law Act as reference. According to Article 17 (1) of the TDPL, those who violate rights regarding the privacy of data subjects by publishing sensitive data about them will be punished according to Articles 135-140 of the Criminal Code. This means that those who record personal data illegally will be sentenced to 1-3 years of imprisonment. If the personal data is sensitive data, i.e. Regarding the sexual health, religious beliefs, political views or health matters, however, the sentence will be raised by half. Article 138 of the Criminal Code, on the other hand, defines what will happen if the right to erase, destroy or make the personal data anonymous is violated. This will lead to 1-2 years of imprisonment. The Criminal Act threatens to impose extra measures on corporations. Financial sanctions are also on the agenda. CONCLUSION Overall, with regards to the right to be forgotten, the GDPR and TDPL have significant differences. The European regulation entails a detailed manifestation of the right to be forgotten including how it’ll be implemented and under what circumstances it could be invoked. Whereas, the TDPL has a substantial vagueness. The lack of clarity and detail in the TDPL leaves excessive initiative to the authorities, when it comes to how the decision will be made and whether the right to be forgotten will be granted. Furthermore, it is very likely that the TDPL will be needing revisions and alterations with additional by-laws in the near future to compensate for the absence of an adequate legislation. Without some clarity, the implementation process is bound to experience difficulties. Nevertheless, although the GDPR is a clearly written legislation, it is not flawless and has attracted criticisms from many specialists and journalists. The main reason why the right to be forgotten has been appraised by several sources is because it undermines the freedom of expression and the right to access information. This, however, is not the only ground for criticism. Similar to the TDPL, the GDPR is also very susceptible to difficulties regarding the implementation process. The scope of the GDPR is extra-territorial and this raises questions about sovereignty. The European commission requires all countries to abide by the decisions that come out of the European regulation. Peter Fleischer, Google’s privacy leader, in a recent interview said “we’ve been defending the idea that each country should be able to balance freedom of expression and privacy in the way that it chooses, not in the way that another country chooses. We’re doing this because we want to ensure that people have access to content that is legal in their country” (6). To sum up, Google is currently only deleting news links from specific country (European) domains (i.e. google.de). Most deleted news links are still accessible from the United States. The GDPR and TDPL have legislated different methods as penance for when and if the personal data subject’s rights are violated. The fact that the penalties differ is bound to cause problems in the long run for companies. This situation may cause confusion regarding which of the regulations will be referred to when it comes to deciding how to punish the infringements. Given this situation, we may argue; is the right to be forgotten ‘really’ available? Different jurisdictions such as Europe and the United States aren’t found upon the same values. For multinational companies, the differences of Data Privacy Laws and the applicability of them triggers high risk, especially in data transfer and process applications. For Europe and Turkey, we will need further clarification on the applicability of right to be forgotten through by-laws and court rulings. In the meantime, Data Privacy Officers/Compliance Officers of multinational companies will need to consider these differences to create a robust Data Privacy compliance programme to mitigate the risks. 4 Footnotes: (1) https://www.imperva.com/ blog/2017/03/gdpr-series-part-4-penaltiesnon-compliance/ (2) http://ec.europa.eu/justice/dataprotection/files/factsheets/factsheet_data_ protection_en.pdf (3) http://ec.europa.eu/justice/dataprotection/files/factsheets/factsheet_data_ protection_en.pdf (4) http://eur-lex.europa.eu/legal-content/ EN/TXT/?uri=CELEX%3A62012CJ0131 (5) http://ec.europa.eu/justice/dataprotection/files/factsheets/factsheet_data_ protection_en.pdf (6) https://techcrunch.com/2017/07/19/ googles-right-to-be-forgotten-appealheading-to-europes-top-court/ A R T I CL E 48 Unlike the GDPR, TDPL does not provi- de any groundwork as to how the rights of the individual will be protected aga- inst the rights of the media and vice ver- sa. Paragraph 3 of Article 7 (TDPL), has declared that the methods and scope of how the right to be forgotten is going to be implemented will be utilised with upcoming regulations. As soon as these regulations are published, the incor- poration and applicability of the right will be much clearer. Right now, there are several loopholes and unanswered questions about the extent of Article 7, regarding freedom of expression and other fundamental rights. In the preamble of the law, Article 7 suggests numerous ways in which the personal data no longer needed for the precise purpose in which it was obtai- ned for can be physically destroyed. This right is also available for data sub- jects whose personal data have been unlawfully acquired. Furthermore, the preamble specifies that the personal data which qualifies for erasure under Article 7, should be destroyed to render it impossible for retrieval. The data sho- uld be completely destroyed regardless of what source it has been stored on. Whether it’s a CD, hard drive, document or hard copy doesn’t make a difference. Making the personal data anonymous requires that the data should in no way be associated with the data subject. Therefore, although the personal data information may still be present as a statistic, it should not be connected to an identity and consequently should not be traceable. The TDPL has not established a set of new penalties for violations arising from personal data processing but ins- tead has referred to the Turkish Crimi- nal Law Act as reference. According to Article 17 (1) of the TDPL, those who violate rights regarding the privacy of data subjects by publishing sensitive data about them will be punished accor- ding to Articles 135-140 of the Criminal Code. This means that those who record personal data illegally will be senten- ced to 1-3 years of imprisonment. If the personal data is sensitive data, i.e. Regarding the sexual health, religious beliefs, political views or health mat- ters, however, the sentence will be rai- sed by half. Article 138 of the Criminal Code, on the other hand, defines what will happen if the right to erase, destroy or make the personal data anonymous is violated. This will lead to 1-2 years of imprisonment. The Criminal Act threa- tens to impose extra measures on cor- porations. Financial sanctions are also on the agenda. CONCLUSION Overall, with regards to the right to be forgotten, the GDPR and TDPL have sig- nificant differences. The European re- gulation entails a detailed manifestati- on of the right to be forgotten including how it’ll be implemented and under what circumstances it could be [Y \X\H\HX[X[KBY[\ˈHXو\]H[]Z[[HX]\^\]H[]X]]HH]]ܚ]Y\[]Y\HX\[ۈ[HXYH[]\HYHܙ[[Hܘ[BY \\[ܙK]\\HZ[H]H[HYY[]\[ۜ[[\][ۜ]Y][ۘ[K[][HX\]\H\[]H܈BX[Hو[Y\]X]HY\][ۋ] B]YH\]KH[\[Y[][ۂ\\[^\Y[HYX[ BY\ˈ]\[\[YH\HX\Hܚ][Y\][ۋ]\]\[\]XYܚ]X\\™HX[HXX[\[\[\˂HXZ[X\ۈHHYBܙ[\Y[\Z\YH]\[\\\X]\H][\Z[\BYYHو^\[ۈ[HY˜X\[ܛX][ۋ\]\\HۛHܛ[܈ܚ]X\K[Z[\H H\[\H\\XHYX[Y\Y\[H[\[Y[][ۈ\ˈHBوH\^K]\]ܚX[[\œZ\\]Y\[ۜX]ݙ\ZY۝KB]\X[[Z\[ۈ\]Z\\[B[Y\XYHHHX\[ۜ]YH]وH]\X[Y[][ۋ]\Z\\x&\]XHXY\[HX[[\Y]ZY8'x&]HY[Y[[HYXH]XX[HB[HXH[[HYYHو^\B[ۈ[]XH[H^H]]B\[H^H][\[B\ˈx&\H[\X]\HB[[\H][H]HX\˜۝[]\Y[[Z\[x'H K[H\ H\\[HۛHKB][][HXYX[B]\X[HXZ[ KKKJK[[]Y][\H[X\BXHHH[]Y]\˂H[]HY\]YY\[Y]\[[H܈[[YH\ۘ[]HXX8&\Y˜\H[]Y HX]H[[Y\™Y\\[]\H؛[\[Bۙ[܈\[Y\ˈ\]X][ۂX^H]\Hۙ\[ۈY\[XقHY[][ۜ[HY\Y[]Y\XY[[\B[[[Y[˂][\]X][ۋHX^H\YN\HYHܙ[8&X[x&H]ZKBXOY\[\\X[ۜX\‘]\H[H[]Y]\\[&][\ۈH[YH[Y\ˈ܈][ B[][ۘ[\[Y\HY\[\ق]H]XH][H\XX[]Bو[HY\Y\\XX[H[]H[ٙ\[\\X][ۜ˂܈]\H[\^KH[YY\\\YX][ۈۈH\XX[]BوYHܙ[YK[]˜[\[[ˈ[HYX[[YK]B]XHٙX\\X[HٙX\ق][[][ۘ[\[Y\[YY˜ۜY\\HY\[\ܙX]HB؝\]H]XH\X[HB[[YHZ]Y]HH\ˈ \΂ JH΋˚[\\KK˜̌ M \\Y\\\ M \[[Y\BۋX\X[KŠ HX˙]\K]Kڝ\XK]KBX[ۋٚ[\٘XY]٘XY]]WœX[ۗ[ HX˙]\K]Kڝ\XK]KBX[ۋٚ[\٘XY]٘XY]]WœX[ۗ[ H]\[^ ]\K]KY[ X۝[ ‘S \OPSV LM LҌ LB JHX˙]\K]Kڝ\XK]KBX[ۋٚ[\٘XY]٘XY]]WœX[ۗ[ H΋Xܝ[ Ǩ M NK™\\Y ]XKYܙ[X\X[ BXY[]Y]\\] X\