Self-Disclosure or Burying the Evidence Dilemma: A Legal Review of the Data Breach Rules under the Turkish Personal Data Protection Law
Yıl: 2021 Cilt: 0 Sayı: 70 Sayfa Aralığı: 195 - 241 Metin Dili: Fransızca DOI: 10.26650/annales.2021.70.0007 İndeks Tarihi: 27-05-2022
Self-Disclosure or Burying the Evidence Dilemma: A Legal Review of the Data Breach Rules under the Turkish Personal Data Protection Law
Öz: Technology has penetrated every aspect of life and brought security and privacy issues to the forefront of the regulatory
landscape. In such a hyper-connected world, security breaches are inevitable. Hence, general legislation in the field of
protection of personal data is becoming ubiquitous. The rules are likewise being drafted to ensure the highest degree of
privacy and security.
The violation of security requirements can have an unprecedented and catastrophic consequence on data controllers.
A security incident can compel the data controller to notify a competent data protection authority of a breach and
communicate all facts to affected data subjects. Data breach notification is self-disclosure of the data controller about a
personal data-related incident regardless of the intentional or negligent character of the event. The underlying aim of this
obligation is to prevent or mitigate all adverse effects or damage deriving from a data breach incident.
This article maps out the legal framework governing data breach notification under the European Union’s law, in
particular General Data Protection Regulation and the Turkish Data Protection Law. This article maintains that strict and
burdensome data breach notification rules do not serve the interest of data protection of individuals as data controllers
could refrain from notification and bury the pieces of evidence. Such a notification-phobia is a major threat to the overall
cybersecurity realm. The article emphasizes that there is a need for balanced rules and adequate accountability tools
which would encourage data controllers to report any data breach incidents without hesitation.
Anahtar Kelime: -
Öz: Teknoloji hayatın her alanına girmiş ve güvenlik ile mahremiyeti en temel regülasyon konusu haline getirmiştir. Her
şeyin birbiriyle bu denli bağlantılı olduğu bir dünyada güvenlik ihlalleri kaçınılmazdır. Bunun bir neticesi olarak da kişisel
verilerin korunması alanındaki düzenlemeler yaygınlaşmaktadır. Nihayetinde amaç en üst düzeyde mahremiyet ve
güvenliği sağlamaktır.
Güvenlik yükümlülüklerinin ihlali veri sorumluları nezdinde benzeri görülmemiş ve yıkıcı sonuçlar doğurmaktadır. Bir
güvenlik ihlali veri sorumlusunu, yetkili veri koruma otoritesine ihlali bildirmek ve aynı zamanda ihlalden etkilenen ilgili
kişilere olayın detaylarıyla ilgili haber vermek zorunda bırakmaktadır. Veri ihlal bildirimi, veri sorumlusunun kasten veya
ihmali olarak gerçekleşmiş kişisel verileri ilgilendiren bir olaya ilişkin kendisini ihbar etmesidir. Bu yükümlülüğün altında
yatan temel amaç, bir veri ihlal olayından kaynaklanan tüm olumsuz etkileri veya zararı önlemek veya azaltmaktır.
Bu makalenin amacı Avrupa Birliği’nin veri ihlal bildirimlerine ilişkin temel düzenlemelerini, bilhassa da Genel Veri Koruma Tüzüğünü ve aynı zamanda Türk Kişisel Verilerin Korunması Kanununu incelemektir. Bu makalede katı ve külfetli
veri ihlal bildirimi kurallarının veri sorumlularını bildirim yapmaktan imtina edip delilleri yok etmeye ittiği; bu
sebeple de bu tür katı düzenlemelerin kişisel verilerinin korunmasına aslında hizmet etmediği tartışılmaktadır.
Veri ihlal bildirimi yapma çekincesi genel anlamda siber güvenliğe yönelik önemli bir tehdittir. Bu makale
kapsamında veri sorumlularının herhangi bir veri ihlal olayını tereddüt etmeden bildirmesini teşvik edecek
dengeli düzenlemelere ve uygun hesap verebilirlik araçlarına ihtiyaç olduğu vurgulanmaktadır.
Anahtar Kelime: Belge Türü: Makale Makale Türü: Araştırma Makalesi Erişim Türü: Erişime Açık
- Article 29 Data Protection Working Party, ‘Guidelines on Personal data breach notification under Regulation 2016/679 (Adopted on 3 October 2017 As last Revised and Adopted on 6 February2018)’ https://ec.europa.eu/newsroom/article29/document.cfm?action=display&doc_ id=49827
- Article 29 Data Protection Working Party, ‘Guidelines on the application and setting of administrative fines for the purposes of the Regulation 2016/679 Adopted on 3 October 2017’ http://ec.europa.eu/newsroom/just/document.cfm?doc_id=47889
- Burdon M, Lane B and Von Nessen P, ‘Data breach notification law in the EU and Australia e Where to now?’ (2012) 28 Computer Law & Security Review.
- Council of Europe, ‘Explanatory Report to the Protocol amending the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data’ https://rm.coe.int/cets- 223-explanatory-report-to-the-protocol-amending-the-convention-fo/16808ac91a
- Çekin, M S, Avrupa Birliği Hukukuyla Mukayeseli Olarak 6698 sayılı Kişisel Verilerin Korunması Kanunu (On İki Levha 2018).
- Determann L, Determann’s Field Guide to Data Privacy Law (Fourth Edition) (Edward Elgar 2020).
- DiGrazia K, ‘Cyber Insurance, Data Security, and Blockchain in the Wake of the Equifax Breach’ (2018) 13 Journal of Business & Technology Law 225.
- Dülger, M V, Kişisel Verilerin Korunması Hukuku 2. Baskı (Hukuk Akademisi 2019).
- EBA, ‘Guidelines on major incident reporting under Directive (EU) 2015/2366 (PSD2) EBA/ GL/2017/10, 27.07.2017’. https://www.eba.europa.eu/regulation-and-policy/payment-servicesand- electronic-money/guidelines-on-major-incidents-reporting-under-psd2
- EDPB ‘Guidelines on Examples regarding Data Breach Notification Adopted on 14 January 2021 Version 1.0’ https://edpb.europa.eu/sites/edpb/files/consultation/edpb_guidelines_202101_ databreachnotificationexamples_v1_en.pdf
- ENISA, ‘Guidelines for Securing the Internet of Things’ (November 2020) https://www.enisa. europa.eu/publications/guidelines-for-securing-the-internet-of-things
- ENISA, ‘Incentives and barriers of the cyber insurance market in Europe’ https://www.enisa. europa.eu/publications/incentives-and-barriers-of-the-cyber-insurance-market-in-europe/at_ download/fullReport
- Gogolin G, Digital Forensics Explained (Second Edition) (CRC Press 2021).
- Gorecki A, Cyber Breach Response That Actually Works (Wiley 2020).
- Henkoğlu T, Adli Bilişim - Dijital Delillerin Elde Edilmesi ve Analizi (Pusula 2014).
- Herrmann D and Pridöhl H, ‘Basic Concepts and Models of Cybersecurity’ in Christen M, Gordijn B and Loi M (eds), The Ethics of Cybersecurity (Springer 2020).
- Hert P and Papakonstantinou V, ‘The Council of Europe Data Protection Convention reform: Analysis of the new text and critical comment on its global ambition’ (2014) 30 Computer Law & Security Review 633.
- Karayazgan A, Hukuki Yönüyle Siber Riskin Sigorta ve Reasüransı (Legal 2020).
- Lambert P B, Understanding the New European Data Protection Rules (CRC Press - Taylor & Francis 2018).
- Mantelero A, Vaciago G, Esposito M S, Monte N, ‘The common EU approach to personal data and cybersecurity regulation’ (2021) 1 International Journal of Law and Information Technology 1.
- Middleton K and Kazamia M, ‘Cyber Insurance: Underwriting, Scope of Cover, Benefits and Concerns’ in Marano P, Rokas I and Kochenburger P (eds), The “Dematerialized” Insurance - Distance Selling and Cyber Risks from an International Perspective (Springer 2016).
- Nicoletti B, Insurance 4.0: Benefits and Challenges of Digital Transformation (Palgrave Macmillan 2021).
- Porcedda M G, ‘Patching the patchwork: appraising the EU regulatory framework on cyber security breaches’ (2018) 34 Computer Law & Security Review 1077.
- Sharma S, Data Privacy and GDPR Handbook (Wiley 2020).
- Wang FF, Internet Jurisdiction and Choice of Law: Legal Practices in the EU, US and China (Cambridge University Press 2010).
| APA | Kaya M (2021). Self-Disclosure or Burying the Evidence Dilemma: A Legal Review of the Data Breach Rules under the Turkish Personal Data Protection Law. , 195 - 241. 10.26650/annales.2021.70.0007 |
| Chicago | Kaya Mehmet Bedii Self-Disclosure or Burying the Evidence Dilemma: A Legal Review of the Data Breach Rules under the Turkish Personal Data Protection Law. (2021): 195 - 241. 10.26650/annales.2021.70.0007 |
| MLA | Kaya Mehmet Bedii Self-Disclosure or Burying the Evidence Dilemma: A Legal Review of the Data Breach Rules under the Turkish Personal Data Protection Law. , 2021, ss.195 - 241. 10.26650/annales.2021.70.0007 |
| AMA | Kaya M Self-Disclosure or Burying the Evidence Dilemma: A Legal Review of the Data Breach Rules under the Turkish Personal Data Protection Law. . 2021; 195 - 241. 10.26650/annales.2021.70.0007 |
| Vancouver | Kaya M Self-Disclosure or Burying the Evidence Dilemma: A Legal Review of the Data Breach Rules under the Turkish Personal Data Protection Law. . 2021; 195 - 241. 10.26650/annales.2021.70.0007 |
| IEEE | Kaya M "Self-Disclosure or Burying the Evidence Dilemma: A Legal Review of the Data Breach Rules under the Turkish Personal Data Protection Law." , ss.195 - 241, 2021. 10.26650/annales.2021.70.0007 |
| ISNAD | Kaya, Mehmet Bedii. "Self-Disclosure or Burying the Evidence Dilemma: A Legal Review of the Data Breach Rules under the Turkish Personal Data Protection Law". (2021), 195-241. https://doi.org/10.26650/annales.2021.70.0007 |
| APA | Kaya M (2021). Self-Disclosure or Burying the Evidence Dilemma: A Legal Review of the Data Breach Rules under the Turkish Personal Data Protection Law. Annales de la Faculté de Droit d Istanbul, 0(70), 195 - 241. 10.26650/annales.2021.70.0007 |
| Chicago | Kaya Mehmet Bedii Self-Disclosure or Burying the Evidence Dilemma: A Legal Review of the Data Breach Rules under the Turkish Personal Data Protection Law. Annales de la Faculté de Droit d Istanbul 0, no.70 (2021): 195 - 241. 10.26650/annales.2021.70.0007 |
| MLA | Kaya Mehmet Bedii Self-Disclosure or Burying the Evidence Dilemma: A Legal Review of the Data Breach Rules under the Turkish Personal Data Protection Law. Annales de la Faculté de Droit d Istanbul, vol.0, no.70, 2021, ss.195 - 241. 10.26650/annales.2021.70.0007 |
| AMA | Kaya M Self-Disclosure or Burying the Evidence Dilemma: A Legal Review of the Data Breach Rules under the Turkish Personal Data Protection Law. Annales de la Faculté de Droit d Istanbul. 2021; 0(70): 195 - 241. 10.26650/annales.2021.70.0007 |
| Vancouver | Kaya M Self-Disclosure or Burying the Evidence Dilemma: A Legal Review of the Data Breach Rules under the Turkish Personal Data Protection Law. Annales de la Faculté de Droit d Istanbul. 2021; 0(70): 195 - 241. 10.26650/annales.2021.70.0007 |
| IEEE | Kaya M "Self-Disclosure or Burying the Evidence Dilemma: A Legal Review of the Data Breach Rules under the Turkish Personal Data Protection Law." Annales de la Faculté de Droit d Istanbul, 0, ss.195 - 241, 2021. 10.26650/annales.2021.70.0007 |
| ISNAD | Kaya, Mehmet Bedii. "Self-Disclosure or Burying the Evidence Dilemma: A Legal Review of the Data Breach Rules under the Turkish Personal Data Protection Law". Annales de la Faculté de Droit d Istanbul 70 (2021), 195-241. https://doi.org/10.26650/annales.2021.70.0007 |
