December 2024 – In this edition of Quick Read, we summarise the latest updates on data protection law and sector news in Turkey. In this issue:
- fines imposed on two social media giants;
- Turkish Data Protection Authority (“DPA”) releases an informative note regarding ChatGPT;
- president of the DPA attends the 46th Conference of the Global Privacy Assembly;
- one data breach is announced.
Twitch faces fine of TRY 2 million over massive data breach
On 16 November 2024, the DPA imposed an administrative fine of TRY 2 million (approximately EUR 55,000) on the social media platform Twitch due to a significant data breach. This fine consists of:
- TRY 1.75 million for failing to ensure adequate data security, and
- TRY 250,000 for not reporting the breach.
The penalty followed the DPA’s investigation into reports of a 125 GB data leak, which exposed sensitive user information, including account details and financial data. The investigation revealed that Twitch failed to implement adequate security measures to prevent system vulnerabilities and only responded to the breach after it occurred.
The DPA determined that this negligence violated the principles of ensuring data security and taking necessary precautions to protect user information, as outlined in Turkish DP Law.
Although the DPA did not publish the decision, the fine was reported through a news outlet, Anadolu Agency.
X (formerly Twitter) hit with TRY 1.47 million fine!
On 14 November 2024, the DPA fined X (formerly Twitter) TRY 1.47 million (approximately EUR 40,021) for violating data security provisions.
The DPA determined that X mistakenly used email addresses and phone numbers collected for security purposes for advertising activities. This misuse violated the principles of "lawfulness and fairness" and "being relevant, limited, and proportionate to the purpose for which they are processed" as outlined in Turkish DP Law.
Although the DPA did not publish the decision, the fine was reported through a news outlet, Anadolu Agency.
AI chatbots are under DPA’s radar
On 8 November 2024, the DPA released an informational note on its website addressing the use of AI chatbots such as ChatGPT. The note stressed that such chatbots are deeply involved in collecting and processing personal data. The DPA emphasised several key considerations relating to chatbots and privacy issues:
- the purpose of AI chatbots and the types of personal data processed;
- risks of oversharing by users, potentially compromising privacy;
- cybersecurity vulnerabilities in chatbot applications that could lead to data breaches;
- the need for special attention when children engage with these platforms.
In conclusion, the DPA urges caution in the development and deployment of AI chatbots, emphasising the need for data protection by design, user awareness, and additional protections for children to minimise privacy risks.
46th Conference of the Global Privacy Assembly (“GPA”)
From 28 October to 1 November, the Global Privacy Assembly took place in Jersey, featuring presentations from data protection authorities, international organisations, and privacy experts from around the world. The event covered several crucial topics, including:
- AI and ethics in data processing;
- the importance of privacy during humanitarian crises;
- cross-border data transfers and international privacy cooperation;
- the protection of children’s personal data;
- cybersecurity and data breach prevention.
Prof. Dr. Faruk BILIR, the President of the DPA, and the accompanying delegation represented the Turkish DPA at the GPA.
Data breach notifications
A data breach caused by a ransomware attack occurred at Zillon Inc., Atılım University affecting the personal data of users, subscribers, customers and potential customers, particularly their communication data.