Governing Personal Data Beyond The GDPR: A Comparative Analysis Of Independent Data Protection Authorities In Türkiye And Brazil

Yıl 2025, Sayı: 24, 56 - 66, 13.01.2026

Fethiye Nur Baştürk Akkaya

https://doi.org/10.26650/ihid.24.006

https://izlik.org/JA66DR59GW

Öz

This article examines how the General Data Protection Regulation (GDPR) of the European Union (EU) shapes the institutional design and authority of independent data protection authorities (DPAs) beyond the EU, focusing on Türkiye and Brazil. Contributing to debates around the “Brussels Effect,” the paper seeks to explore whether the establishment of GDPR-style DPA model might represent a form of pure mimicry or a more complex process of localized legal transplant in two particular settings.

The analysis is both doctrinal (of constitutional and statutory systems) and comparative (comparing institutions’ independence, powers to enforce the law, and accountability mechanisms). It illustrates that although both DPAs loosely follow the GDPR model in terms of their competency and sanctioning capacities, the autonomy and relevance of these institutions are strongly shaped by the domestic constitutional framework and administrative historical legacy.

The paper contends that GDPR-motivated DPAs should be conceptualized as hybrid"public"institutions embedded at the intersection of fundamental rights protection, market order, and administrative enforcement. Instead of producing uniform convergence, the GDPR acts as a soft law catalyst that facilitates institutional change within national and constitutional confines.

Anahtar Kelimeler

Data Protection Authorities (DPAs) , Legal Transplant , Global Administrative Law , Extraterritoriality , Data Protection Law

Kaynakça

• Agência Nacional de Proteção de Dados, ‘Conselho Nacional de Proteção de Dados e da Privacidade’ https://www.gov.br/anpd/pt-br/cnpd-2/cnpd accessed 14 November 2025. google scholar
• Agência Nacional de Proteção de Dados, ‘Decision No 04/2024’ https://www.gov.br/anpd/pt-br/centrais-deconteudo/relatorio_de_instrucao_no_4_2024_fis_cgf_anpd_v-publica.pdf accessed 1 December 2025. google scholar
• Agência Nacional de Proteção de Dados, ‘Decision No 05/2024’ https://www.gov.br/anpd/pt-br/centrais-de-conteudo/decisoes-em-processossancionadores-1/relatorio_de_instrucao_5_publico_ocultado.pdf accessed 1 December 2025. google scholar
• Agência Nacional de Proteção de Dados, ‘Regulatory Agenda 2025-2026’ https://www.gov.br/anpd/pt-br/acesso-a-informacao/institucional/atos-normativos/regulamentacoes_anpd/agenda_regulatoria_25_26___ingles___revisada_final_fev25.pdf accessed 1 December 2025. google scholar
• Araújo ADS, ‘Papel e importância da Autoridade Nacional de Proteção de Dados’ (Migalhas, 19 June 2020) https://www.migalhas.com.br/depeso/329216/papel-e-importancia-autoridade-nacional-de-protecao-de-dados accessed 14 November 2025. google scholar
• Atay EE, ‘Bağımsız İdari Otoriteler ve Türkiye Uygulaması’ (2006) 10(1) Gazi Üniversitesi Hukuk Fakültesi Dergisi 259–293. google scholar
• ‘Brazil Authority Suspends Meta’s AI Privacy Policy, Seeks Adjustment’ (Reuters, 2 July 2024) https://www.reuters.com/technology/artificial-intelligence/brazil-authority-suspends-metas-ai-privacy-policy-seeks-adjustment-2024-07-02/ accessed 14 November 2025. google scholar
• Bieker F, ‘Enforcing Data Protection Law – The Role of the Supervisory Authorities in Theory and Practice’ in Lehmann A and others (eds), Privacy and Identity Management. Facing up to Next Steps (Springer International Publishing 2016) 125–139. google scholar
• Bradford A, ‘The Brussels Effect’ (2012) 107(1) Northwestern University Law Review 1–67. google scholar
• Bradford A, The Brussels Effect: How the European Union Rules the World (Oxford University Press 2020). google scholar
• ‘Brazil Authority Suspends Meta’s AI Privacy Policy, Seeks Adjustment’ (Reuters, 2 July 2024) https://www.reuters.com/technology/artificial-intelligence/brazil-authority-suspends-metas-ai-privacy-policy-seeks-adjustment-2024-07-02/ accessed 14 November 2025. google scholar
• Buczynski W and others, ‘Hard Law and Soft Law Regulations of Artificial Intelligence in Investment Management’ (2022) 24 Cambridge Yearbook of European Legal Studies 262–293. google scholar
• Buttarelli G, ‘The EU GDPR as a Clarion Call for a New Global Digital Gold Standard’ (European Data Protection Supervisor, 1 April 2016) https://www.edps.europa.eu/press-publications/press-news/blog/eu-gdpr-clarion-call-new-global-digital-gold-standard accessed 13 November 2025. google scholar
• Bygrave LA, Data Privacy Law: An International Perspective (Oxford University Press 2014). google scholar
• Carrillo AJ and Jackson M, ‘Follow the Leader? A Comparative Law Study of the EU’s General Data Protection Regulation’s Impact in Latin America’ (2022) 16(2) ICL Journal 177–204. google scholar
• Case C-288/12 Commission v Hungary ECLI:EU:C:2014:237. google scholar
• Case C-518/07 Commission v Germany ECLI:EU:C:2010:125. google scholar
• Case C-614/10 Commission v Austria ECLI:EU:C:2012:631. google scholar
• Constitution of the Federative Republic of Brazil 1988 (Brazilian Senate English translation) https://www2.senado.leg.br/bdsf/item/id/243334 accessed 13 November 2025. google scholar
• Duran L, ‘Türkiye’de Bağımsız İdari Otoriteler’ (1997) 30(1) Amme İdaresi Dergisi 3–10. google scholar
• Erickson A, ‘Comparative Analysis of the EU’s GDPR and Brazil’s LGPD: Enforcement Challenges with the LGPD’ (2019) 44(2) Brooklyn Journal of International Law 859–888. google scholar
• European Commission, ‘Draft Adequacy Decision on the adequate protection of personal data by the Federative Republic of Brazil’ (September 2025) https://commission.europa.eu/document/download/f5aee532-70bf-41b1-a94a-8e294a528f6a_en?filename=Draft%20Adequacy%20Decision%20-%20Brazil%20-%20LGPD%20-%20FINAL%20-%20September%202025.pdf accessed 1 December 2025. google scholar
• European Commission, ‘Turkey 2018 Report’ (Commission Staff Working Document) SWD(2018) 153 final. google scholar
• European Commission, ‘Türkiye 2025 Report’ (Commission Staff Working Document) SWD(2025) 756 final. google scholar
• Filipec O and Arellano Brito W, ‘Personal Data Protection in Brazil: How Much Europeanization?’ (2022) 22(2) International and Comparative Law Review 81–104. google scholar
• Greenleaf G, ‘Global Data Privacy Laws 2021: Despite COVID Delays, 145 Laws Show GDPR Dominance’ (2021) 169 Privacy Laws & Business International Report 1–5. google scholar
• Hu IY, ‘The Global Diffusion of the “General Data Protection Regulation” (GDPR)’ (Master’s thesis, Erasmus University Rotterdam 2019) https://thesis.eur.nl/pub/50756/Hu-Ivy.pdf accessed 13 November 2025. google scholar
• ‘“Kimlik bilgileri çalındı” iddiasıyla ilgili Bakanlık’tan “güncel bir sızıntı bilgisi yok” açıklaması geldi’ (BBC News Türkçe, 12 September 2024) https://www.bbc.com/turkce/articles/cn8789ez2q7o accessed 3 December 2025. google scholar
• Kişisel Verileri Koruma Kurumu, ‘Faaliyet Raporları’ https://www.kvkk.gov.tr/Icerik/2094/Faaliyet-Raporu accessed 1 December 2025. google scholar
• Kişisel Verileri Koruma Kurumu, ‘Public Announcement on COVID-19 PCR Test Results and Vaccination Status Information Requests’ (28 September 2021) https://www.kvkk.gov.tr/Icerik/7048/COVID-19-PCR-Test-Sonucu-ve-Asi-Bilgisi-Sorgulamalari-Hakkinda-Kamuoyu-Duyurusu accessed 28 December 2025. google scholar
• Korkut AS, ‘108 million Turkish citizens’ personal data stolen, BTK admits failure and seeks help from Google’ (Freewebturkey, 9 September 2024) https://www.freewebturkey.com/108-million-turkish-citizens-personal-data-stolen-btk-admits-failure-and-seeks-help-from-google accessed 3 December 2025. google scholar
• Law No 13,709 of 14 August 2018 (Lei Geral de Proteção de Dados) (Brazil, official English translation by ANPD) https://www.gov.br/anpd/pt-br/centrais-de-conteudo/outros-documentos-e-publicacoes-institucionais/lgpd-en-lei-no-13-709-capa.pdf accessed 13 November 2025. google scholar
• Law No 13,853 of 8 July 2019 (Brazil) http://www.planalto.gov.br/ccivil_03/_Ato2019-2022/2019/Lei/L13853.htm#art2 accessed 13 November 2025. google scholar
• Law No 14,460 of 25 October 2022 (Brazil) http://www.planalto.gov.br/ccivil_03/_Ato2019-2022/2022/Lei/L14460.htm#art7 accessed 28 December 2025. google scholar
• Learte BES and Da Silva WR, ‘Protection of Personal Data as a Fundamental Right in Brazil: Aspects and Reflections of Constitutional Amendment 115/2022’ (2023) 3(31) Scientific Journal of Applied Social and Clinical Science 2–12. google scholar
• Lee A Bygrave, ‘The “Strasbourg Effect” on Data Protection in Light of the “Brussels Effect”: Logic, Mechanics and Prospects’ (2021) 40 Computer Law & Security Review 105460, 2 google scholar
• Mahieu R, Asghari H, Parsons C, van Hoboken J, Crete-Nishihata M, Hilts A and Anstis S, ‘Measuring the Brussels Effect through Access Requests: Has the European General Data Protection Regulation Influenced the Data Protection Rights of Canadian Citizens?’ (2021) 11 Journal of Information Policy 301–349. google scholar
• Noprianto B and Amelia T, ‘The Legal Reform of the Independent Supervisory Institution for the Enforcement of Personal Data Protection Law’ (2024) 204 SHS Web of Conferences 07003. google scholar
• Ryngaert C and Taylor M, ‘The GDPR as Global Data Protection Regulation?’ (2020) 114 American Journal of International Law 5–9. google scholar
• Sever DÇ, ‘Türkiye’de Düzenleyici Kurumların Yapısı, İşlevi ve Dönüşümü’ (2015) 64(1) Ankara Üniversitesi Hukuk Fakültesi Dergisi 195–236. google scholar
• Solmaz E, ‘Kişisel Verileri Koruma Otoritelerinin İdeal Özellikleri: Türkiye Kişisel Verileri Koruma Kurumu’nun Bu Açıdan Değerlendirilmesi’ in Kaya C (ed), Kişisel Verilerin Korunması Hukuku ve Bilgi Edinme Hukuku: Çeşitli Açılardan Bakış (On İki Levha Yayıncılık 2023) 249–290. google scholar
• Şahin CY, Amerikan Federal İdare Hukukunda ‘Regülasyon’ (Ve Türk İdare Hukukuna Yansımaları) (On İki Levha 2010). google scholar
• Tan T, ‘Bağımsız İdari Otoriteler veya Düzenleyici Kurumlar’ (2002) 35(2) Amme İdaresi Dergisi 11–37. google scholar
• Tan T, ‘Bağımsızlıklarını Yitiren Düzenleyici Kurulların İşlevsellikleri de Sorgulanıyor’ (2024) 23 İdare Hukuku ve İlimleri Dergisi 1–26. google scholar
• Tansuğ Ç, ‘2016/679 Sayılı Avrupa Birliği Genel Veri Koruma Tüzüğü Karşısında Kişisel Verileri Koruma Kurumunun Bağımsızlığı’ (2018) 16(183) Legal Hukuk Dergisi 1159–1178. google scholar
• Ulusoy A, ‘Bağımsız İdari Kurumlar’ (1999) 100(29) Danıştay Dergisi 3–17. google scholar
• Ulusoy A, Bağımsız İdari Otoriteler (Turhan Kitabevi 2003). google scholar
• Veronese A and others, ‘The Influence of European Union Personal Data Protection Standards in Latin America from the Perspective of Social Actors and Latin American Authorities’ (2023) 9 UNIO – EU Law Journal 118–138. google scholar
• Watson A, ‘Comparative Law and Legal Change’ (1978) 37(2) Cambridge Law Journal 313–336. google scholar