AB ve Türk Hukuklarında Çerezler: Kişisel Verilerin Korunması Açısından Karşılaştırmalı Bir Değerlendirme

Year 2021, Volume: 3 Issue: 1, 61 - 88, 23.06.2021

Hüseyin Can Aksoy , Mesut Halıcıoğlu

Abstract

Çerezler, Avrupa Birliği’nde 2002/58/EC sayılı Direktif (E-Gizlilik Directifi) ile özel olarak düzenlenmektedir. Ancak, teknojik gelişme ve modern ihtiyaçlara cevap veremeyen bu düzenlemenin yakın bir gelecekte yerini E-Gizlilik Tüzüğüne bırakması beklenmektedir. E-Gizlilik Tüzüğü, Genel Veri Koruma Tüzüğü’nün elektronik haberleşme sektöründeki yansıması ve parçası olarak hazırlanmış olup, Tüzük kapsamında öne çıkan konulardan başlıca bir tanesi ise çerez uygulamalarıdır. AB hukukundan farklı olarak, Türk hukukunda tüm çerez uygulamaları bakımından doğrudan doğruya uygulanabilir bir düzenleme bulunmadığından, çerezlerin tabi olduğu kurallara ilişkin bir belirsizlik söz konusudur. Bu bağlamda, Türk hukuku çerez düzenlemeleri bakımından AB mevzuatının gerisinde kalmakta, güncel ihtiyaçlara yanıt verememekte ve sektörün beklentilerini karşılayamamaktadır. 6698 sayılı Kişisel Verilerin Korunması Kanunu da münhasıran çerezlerin tabi olacağı hukuki rejimi düzenlemek amacıyla kaleme alınmadığından, güncel soru ve ihtiyaçlara yanıt verememektedir. Dijital çağın gereklerini yakalayabilmek ve AB ile sürdürülebilir bir ekonomik ve politik ilişki kurabilmek için, Türk hukukunun AB mevzuatı ve teknolojik gelişmelerle uyumlu hale getirilmesi gerekmektedir.

Keywords

Kişisel Verilerin Korunması, Elektronik Haberleşme, GDPR, Gizlilik, Çerez

Cookies in EU and Turkish Law: A Comparative Review with respect to Data Protection

Abstract

In the European Union, cookies have been specifically regulated under 2002/58/EC (E-Privacy Directive). However, such Directive fails to reflect technological advancements and to answer modern needs. Therefore, it is expected to be replaced by the E-Privacy Regulation soon. E-Privacy Regulation is an extension of the General Data Protection Regulation in the field of electonic communications sector and one of the main subjects that stands out within the Regulation is cookies. Unlike EU law, in Turkish law, there is no direct regulation applicable to all cookies and this causes uncertainty with respect to the applicable rules. In this regard, Turkish law falls behind EU standards in terms of cookie regulations and currently Turkish law is unable to respond to current needs and to meet the expectations of the market. Personal Data Protection Law No. 6698 is also unable to answer current problems as it has not prepared to exclusively legislate cookies. To catch up with the needs of the digital era and establish sustainable relations with European Union, Turkish law must be revised in accordance with the EU law and the latest technological advancement.

Keywords

Data Protection, Electronic Communication, GDPR, Privacy, Cookies

References

• AEPD. (2020). Guía sobre el uso de las cookies. https://www.aepd.es/sites/default/files/2020-07/guia-cookies.pdf adresinden erişildi.
• Article 29 Data Protection Working Party. (2010). Opinion 2/2010 on online behavioural advertising ( No: 00909/10/EN WP 171). Brussels: Article 29 Data Protection Working Party. https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp171_en.pdf, adresinden erişildi.
• Article 29 Data Protection Working Party. (2012). Opinion 04/2012 on Cookie Consent Exemption ( No: 00879/12/EN WP 194). Brussels.
• Article 29 Data Protection Working Party. (2013). Working Document 02/2013 providing guidance on obtaining consent for cookies ( No: 1676/13/EN WP 208).
• Article 29 Data Protection Working Party. (2014). Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC ( No: 844/14/EN WP 217). https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2014/wp217_en.pdf adresinden erişildi.
• Avrupa Komisyonu. (2015). A Digital Single Market Strategy for Europe ( No: COM(2015) 192). https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A52015DC0192 adresinden erişildi.
• Avrupa Komisyonu. (2019). Turkey 2019 Report (Progression Report No: SWD(2019) 220). https://ec.europa.eu/neighbourhood-enlargement/sites/near/files/20190529-turkey-report.pdf adresinden erişildi.
• Avrupa Parlamentosu. (2017). Reform of the e-Privacy Directive ( No: PE 608.661). Briefing: EU Legislation in Progress. Brussels.
• Avrupa Veri Koruma Kurulu. (2019). Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects (Guideline). https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines-art_6-1-b-adopted_after_public_consultation_en.pdf adresinden erişildi.
• Avrupa Veri Koruma Kurulu. (2020). Guidelines 05/2020 on consent under Regulation 2016/679.
• Avrupa Veri Koruma Kurulu. (2021). Statement 03/2021 on the ePrivacy Regulation. https://edpb.europa.eu/system/files/2021-03/edpb_statement_032021_eprivacy_regulation_en_0.pdf adresinden erişildi.
• Avrupa Veri Koruma Kurulu. (t.y.). Statement of the EDPB on the revision of the ePrivacy Regulation and its impact on the protection of individuals with regard to the privacy and confidentiality of their communications. https://edpb.europa.eu/sites/default/files/files/file1/edpb_statement_on_eprivacy_en.pdf adresinden erişildi.
• Bilgi Teknolojileri ve İletişim Kurumu. (2018). 2019-2023 Stratejik Planı. https://www.btk.gov.tr/uploads/pages/yayinlar-stratejik-planlar/btk-2019-2023-stratejik-plani.pdf adresinden erişildi.
• Boban, M. (2019). E-PRIVACY REGULATION – NEW EUROPEAN FRAMEWORK FOR REGULATION ON PRIVACY AND ELECTRONIC COMMUNICATIONS DESIGNED TO PROTECT USER PRIVACY IN THE DIGITAL AGE (ss. 176-187). 47th International Scientific Conference on Economic and Social Development, sunulmuş bildiri, Prague.
• Borgesius, Z. ve McDonald, A. M. (2015). Do Not Track for Europe. Information and Internet Policy paper içinde . TPRC43: The 43rd Research Conference on Communications, sunulmuş bildiri, Amsterdam: TPRC.
• Bump, P. (2021). The Death of the Third-Party Cookie: What Marketers Need to Know About Google’s Looming Privacy Pivots. HubSpot. https://blog.hubspot.com/marketing/third-party-cookie-phase-out adresinden erişildi.
• Cairoli, F. ve Olivi, G. (2020). Cookies and online advertising: An ongoing changing scenario. JD Supra. https://www.jdsupra.com/legalnews/cookies-and-online-advertising-an-43737/ adresinden erişildi.
• Castelluccia, C. ve Narayanan, A. (2012). Privacy considerations of online behavioural tracking. The European Network and Information Security Agency (ENISA).
• CNIL. (2019). Cookies and Other Tracking Tools ( No: 2019-093). France.
• CNIL. (2020). Délibération n° 2020-091 du 17 septembre 2020 portant adoption de lignes directrices relatives à l’application de l’article 82 de la loi du 6 janvier 1978 modifiée aux opérations de lecture et écriture dans le terminal d’un utilisateur (notamment aux « cookies et autres traceurs ») et abrogeant la délibération n° 2019-093 du 4 juillet 2019. https://ico.org.uk/media/for-organisations/guide-to-pecr/guidance-on-the-use-of-cookies-and-similar-technologies-1-0.pdf adresinden erişildi.
• Cofone, I. N. (2017). The way the cookie crumbles: Online tracking meets behavioural economics. International Journal of Law and Information Technology, 25, 38-62.
• Cookies, the GDPR, and the ePrivacy Directive. (2020). https://gdpr.eu/cookies/ adresinden erişildi.
• Custers, B. (2018). Profiling as Inferred Data: Amplifier Effects and Positive Feedback Loops. Being Profiled: Cogitas Ergo Sum içinde . Amsterdam: Amsterdam University Press BV.
• Çekin, M. S. (2018). Avrupa Birliği Hukukuyla Mukayeseli Olarak 6698 Sayılı Kanun Çerçevesinde Kişisel Verilerin Korunması Hukuku (1. bs.). İstanbul: On İki Levha.
• Data Protection Commision(DPC). (2020). Cookies and Other Tracking Technologies (Guidance Note). https://www.dataprotection.ie/sites/default/files/uploads/2020-04/Guidance%20note%20on%20cookies%20and%20other%20tracking%20technologies.pdf adresinden erişildi.
• Develioğlu, M. (2017). 6698 sayılı Kişisel Verilerin Korunması Kanunu ile Karşılaştırmalı Olarak Avrupa Birliği Genel Veri Koruma Tüzüğü uyarınca Kişisel Verilerin Korunması Hukuku (1. bs.). İstanbul: On İki Levha.
• Doğan, B. ve Bozkurt, T. (2020). Kişisel Verilerin Korunması Çerçevesinde Çerezler; Türleri, Kullanımları ve Uygulama Örnekleriyle. Lexpera Blog.
• DUMORTIER, J. ve DE PRETER, C. (2006). The European regulatory framework for security and privacy protection in electronic communications. ANN. TELECOMMUN, 61(3-4), 443-457.
• Dülger, M. V. (2021, ubat). Yurt Dışına Veri Aktarımında Milyonluk Ceza: Kişisel Verileri Koruma Kurulunun Amazon Kararı. SSRN. https://ssrn.com/abstract=3792388 adresinden erişildi.
• Edenberg, E. ve Jones, M. L. (2019). Analyzing the legal roots and moral core of digital consent. New Media & Society, 21(8), 1804-1823.
• Garzaniti, L. ve O’ Regan, M. (2010). Telecommunications, Broadcasting and the Internet: EU Competition Law & Regulation (3rd bs.). Londra: Sweet & Maxwell.
• Georgiev, N. (2020). Whitelisting stalkers: The answer to fix EU’s abhorrent cookie policy? KU Leuven CITIP. https://www.law.kuleuven.be/citip/blog/whitelisting-stalkers-the-answer-to-fix-eus-abhorrent-cookie-policy/ adresinden erişildi.
• Globocnik, J. (2019). On Joint Controllership for Social Plugins and Other Third-Party Content – a Case Note on the CJEU Decision in Fashion ID. IIC, 50, 1034-1044.
• Healey, R. (2021). EPrivacy Regulation – What is It? Formiti. https://formiti.com/eprivacy-regulation-what-is-it/#:~:text=What%20Does%20the%20EPrivacy%20Regulation,cables%20and%20satellites%20are%20covered adresinden erişildi.
• Hildebrandt, M. (2008). Profiling and the Identity of the European Citizen. Profiling the European Citizen: Cross-Disciplinary Perspectives içinde (ss. 303-343). Springer Science + Business Media B.V.
• Information Commissioner’s Office (ICO). (2018). Privacy and Electronic Communications Regulations (Guide).
• Information Commissioner’s Office (ICO). (2019). How do we comply with the cookie rules? https://ico.org.uk/for-organisations/guide-to-pecr/guidance-on-the-use-of-cookies-and-similar-technologies/how-do-we-comply-with-the-cookie-rules/#comply14 adresinden erişildi.
• Information Commissioner’s Office (ICO). (2019). Use of cookies and similar technologies (Guidance Note). UK. https://ico.org.uk/media/for-organisations/guide-to-pecr/guidance-on-the-use-of-cookies-and-similar-technologies-1-0.pdf adresinden erişildi.
• Jones, M. L. (2020). Cookies: A legacy of controversy. Internet Histories, 4(1), 87-104.
• Kamara, I. ve Kosta, E. (2016). Do Not Track initiatives: Regaining the lost user control. International Data Privacy Law, 6(4), 276-290.
• Kosta, E. (2013). Peeking into the cookie jar: The European approach towards the regulation of cookies. International Journal of Law and Information Technology, 21(4), 308-406.
• Lee, P. (2011). The impact of cookie ‘consent’ on targeted adverts. Journal of Database Marketing & Customer Strategy Management, 18, 205-209.
• Losnedahl, T. (2018). When should service be regarded as ‘electronic communicatiion’ services? https://www.ibanet.org/Article/NewDetail.aspx?ArticleUid=9FC49697-3D3D-4D8C-B102-35FF8772CA7C adresinden erişildi.
• Naranjo, D. (2017). e-Privacy Regulation: Good Intentions but a Lot of Work to Do. European Data Protection Law Review, 3(2), 152-154.
• OneTrust. (2020). THE ULTIMATE COOKIE HANDBOOK FOR PRIVACY PROFESSIONALS.
• Oy, B. (2021, ubat). Use (and Abuse) of Website Cookies under EU Privacy Law: Practical Tips for Better Compliance. Lexology. https://www.lexology.com/library/detail.aspx?g=64772d95-c4c7-4ad0-8a5c-ab66ff564e1e adresinden erişildi.
• Planet 49. No. C‑673/17 (Avrupa Birliği Adalet Divanı Oca. 11, 2019). http://curia.europa.eu/juris/document/document.jsf?text=&docid=218462&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=2427389 adresinden erişildi.
• Schechner, S. (2021, Ocak). Google Pursues Plan to Remove Third-Party Cookies; Alphabet unit is seeking privacy-friendly alternatives despite complaints from rivals that use cookies. Wall Street Journal. New York.
• Skouma, G. ve Léonard, L. (2015). On-line Behavioral Tracking: What May Change After the Legal Reform on Personal Data Protection. Reforming European Data Protection Law içinde , Law, Governance and Technology (C. 1-20, C. Privacy and Data Protection, ss. 35-63). Brüksel: Springer.
• Stolton, S. (2020, Kasım). German Presidency charts new COVID19 ‘metadata’ rules in leaked ePrivacy text. Euractiv. https://www.euractiv.com/section/digital/news/german-presidency-charts-new-covid19-metadata-rules-in-leaked-eprivacy-text/ adresinden erişildi.
• Tracking Under the E-Privacy Regulation. (2021). CMS. https://cms.law/en/deu/insight/e-privacy/tracking-under-the-e-privacy-regulation adresinden erişildi.
• Vaughan, J. (2020). Why Data Is Collected and How It Is Used (Library Technology Report) (ss. 17-27). USA: alatechsource.
• Voisin, G., Boardman, R., Assion, S., Nevola, C. C. ve Sampedro, L. (2020). ICO, CNIL, German and Spanish DPA Revised Cookies Guidelines: Convergence and Divergence. IAPP. https://iapp.org/resources/article/ico-and-cnil-revised-cookie-guidelines-convergence-and-divergence/ adresinden erişildi.
• Voss, W. G. (2017). First the GDPR, Now the Proposed E-Privacy Regulation. Journal of Internet Law, 1-11.
• Zorer, U. (2019). Çerezler Hakkında Hukuki Değerlendirme. Medium.com. https://medium.com/@umutzorer/%C3%A7erezler-hakk%C4%B1nda-hukuki-de%C4%9Ferlendirme-44c58d3eba32 adresinden erişildi.