European Commission Publishes New Framework on Data Protection

As anticipated, and just days before Data Protection and Privacy Day, the European Commission has released its proposal to reform the European Union’s data protection framework. The reform—which takes shape via a regulation on data protection and a directive “protecting personal data processed for the purposes of prevention, detection, investigation or prosecution of criminal offences”—comes after years of public consultations and dialogue with stakeholders.

“There is quite a buzz in Brussels today,” said IAPP Europe Managing Director Rita Di Antonio. European Justice Commissioner Viviane Reding held a press conference at 10:30 CET to announce the changes. She said the proposals will improve the protection of Europeans’ personal data, reduce administrative burdens and save companies’ money.

The legislation defines personal data as “any information relating to an individual, whether it relates to his or her private, professional or public life,” including posts to social networking websites and computer IP addresses. Eduardo Ustaran, CIPP/E, partner at Field Fisher Waterhouse LLP, said the proposal “is the most radical global attempt ever to regulate the increasing exploitation of personal information.”

The changes create “a single set of European rules—valid everywhere across the EU,” Reding said in the press conference. “So, one rule for the 27 member states and the 500 million people.” The new regulation sees national data protection authorities as the go-to regulators for organizations, meaning that an organization will only have to work with one DPA rather than many, or, as Reding described it in her press conference, “One DPA for one company—a one-stop shop.” She said this will eliminate unnecessary administrative burdens and costs to companies incurred as a result of the current need to deal with varying rules and authorities among member states. “This will save businesses around 2.3 billion euros per year,” Reding said.

Other facets of the regulation include:

- A breach notification mandate: In the event of a serious breach, organizations must notify the national supervisory authority “as soon as possible (if feasible within 24 hours).”
- Increased enforcement powers for data protection authorities: DPAs will be able to fine organizations that violate the rules up to €1 million or “up to 2 percent of the global annual turnover of a company.”
- A data protection officer requirement: Companies with more than 250 employees and certain other organizations will be required to designate a data protection officer.
- A data protection impact assessment requirement: Organizations involved in risky data processing will be required to conduct data protection impact assessments.
- Explicit consent requirement: Wherever consent is required for data to be processed, it must be given explicitly, rather than assumed, according to the regulation.
- Extra-territorial reach: The regulation applies to “personal data handled abroad by companies that are active in the EU market and offer their services to EU citizens.”

It is obvious, says Field Fisher Waterhouse’s Ustaran, that “the new law is targeted at companies operating on the Internet and aims to shake up the way they tackle privacy issues.” Ustaran adds, “The prospect of substantial monetary fines based on the annual worldwide turnover of a company may contribute to get the attention of some decision makers.”

The Article 29 Working Party (WP)—the advisory body comprised of national data protection authorities from EU member states—issued a press release this morning stating that it welcomes the commission’s proposals, particularly the strengthened authority for DPAs and the data breach notification requirement, but WP Chairman Jacob Kohnstamm “regrets the commission’s level of ambition in the area of police and justice and underlines the need for stronger provisions in this field.” Under the new framework, the Article 29 Working Party would be “upgraded” and renamed the European Data Protection Board.

Next, the proposal will be reviewed in the European Parliament and member states, via the Council of Ministers. “This is by no means the end of the road,” Ustaran says, predicting that “2012 will be a crucial year” in the continued evolution of the law. “Policy makers will be looking for input from all key stakeholders.”

Sources:
- https://www.privacyassociation.org/publications/european_commission_publishes_new_framework_on_data_protection
- http://ec.europa.eu/justice/data-protection/document/review2012/com_2012_10_en.pdf (directive)
- http://ec.europa.eu/justice/data-protection/document/review2012/com_2012_11_en.pdf (regulation)
- http://ec.europa.eu/justice/newsroom/data-protection/news/120125_en.htm (background documents and frequently asked questions)

FAREWELL, SADİ!

We are in deep sorrow at the loss of my very dear student Sadi TİMURTAŞ, who was enrolled in our Information and Technology Law Master's Program, who was distinguished by his character, his honesty and his humanity, and who cannot be replaced. It is not only his family who lost Sadi. I too lost my child, a diamond of a person who had given his heart to informatics and informatics law, and who I sincerely believed would truly have a say and be successful in the field of digital forensics in the future. All his friends at the university also lost a very dear friend. I wish God's mercy upon Sadi, and patience and the strength to endure to his family. My condolences to all his friends in the informatics law master's program and to his family.

Is a ZIP Code Personal Identification Information?

Mass. Court: ZIP Code is personal identification info under credit card statute but plaintiff must still allege harm—Tyler v. Michaels Stores (Tyler v. Michaels Stores, Inc., 2012 WL 32208 (D. Mass.; Jan. 6, 2012))

Last year, the California Supreme Court held that a ZIP Code is personal identification information for purposes of a statute that restricted the type of information a retailer could collect. (See "California Supreme Court Rules That a ZIP Code is Personal Identification Information -- Pineda v. Williams-Sonoma.”) A federal court in Massachusetts recently construed a similar Massachusetts statute to reach the same conclusion, albeit for different reasons. But having found that the retailer in this case technically violated the statute, the court dismissed the case on the basis that the plaintiff failed to allege a cognizable injury.

Is a ZIP Code Personal Identification Information?

Section 105(a) of Massachusetts General Laws provides:

“No person, firm, partnership, corporation or other business entity that accepts a credit card for a business transaction shall write, cause to be written or require that a credit card holder write personal identification information, not required by the credit card issuer, on the credit card transaction form. Personal identification information shall include, but shall not be limited to, a credit card holder’s address or telephone number.”

The court looked to the legislative history behind the statute and said that the Massachusetts legislature’s intent was different from California’s. While the California legislature was concerned with retailers obtaining personal identification information and using it for marketing purposes, the Massachusetts legislature was more concerned about security and fraud prevention. Thus, while Pineda looked to whether a ZIP code could be used (together with the customer’s name) to locate the individual, the court in this case focused on whether recordation of this information by a retailer poses the risk of identity theft or fraud.

The court looked to Massachusetts’ identity theft statute, which defines personal identifying information as “any name or number that may be used…to assume the identity of an individual.” The court said that inputting a ZIP code in the context of a credit card transaction is similar to inputting a PIN number in the context of a debit card transaction. Because the ZIP code is information that can be used along with other card holder information to commit identity theft and criminal fraud, the court said that the ZIP code is personal identification information for purposes of the statute.

Did the Retailer Write the Information on a Transaction Form?

Michaels argued that the statute does not cover electronically stored information and that the transaction form has to be a paper document. The court rejected this argument for several reasons. First, the statute applies to all credit card transactions, whether they are processed manually, electronically or through other means. The act does not distinguish between paper and electronic forms, and the court says that the risk of identity theft is present regardless of the type of transaction. The statute also permits the retailer to include information in the transaction form that is required by the credit card issuer. The retailer collects information during the transaction process (as required by the credit card issuer) and then issues the receipt, which may contain information different from the transaction form. (For example, the card number has to be truncated on the receipt under FACTA.) “The receipt is a printout of the permissible information on the transaction form, but it is not the transaction form itself.” (For what it’s worth, FACTA is also a statute aimed at curbing identity theft, but does not cover e-mailed receipts.)

Has Plaintiff Alleged Cognizable Injury?

The statute in question does not provide for statutory damages. It says only that a violation of the statute is “deemed to be an unfair and deceptive trade practice.” A claim for unfair and deceptive trade practice requires a showing of “injury and loss” and a causal connection between defendant's practices and plaintiff's injury. Plaintiff had not been subject to identity theft, so she had to prove injury or loss in other ways. She did not argue that she has an increased risk of identity theft. Instead, she argued that Michaels used her name and ZIP code in conjunction with a commercially available database to determine her address and phone number. The court said that her allegations are insufficient because she does not allege that Michaels acted illegally in accessing the database. She also alleged that she was injured because she received “a deluge of unwanted mail.” The court said that this is not an injury cognizable under the statute since the statute was enacted to prevent fraud. [Although not cited in the order, see Cherny v. Emigrant Bank, for the proposition that the receipt of spam is not in itself a compensable harm.]

Unjust Enrichment

Plaintiff also brought a claim for unjust enrichment. This claim is similar to the "PII-as-valuable-property" claim brought by the RockYou plaintiffs. ("Judge Recognizes Loss of Value to PII as Basis of Standing for Data Breach Plaintiff -- Claridge v. RockYou.") Under this theory, her personal information is a valuable piece of property, so plaintiff should receive some compensation when she “exchanges” this information with the retailer. The court said there are two problems with this argument. First, the ZIP code is not itself valuable to Michaels. It derives value only due to “the independent work and cross-referencing necessary to obtain the full address.” Second, the court said that reasonable people would not expect compensation for turning over their ZIP code, and plaintiff did not allege that, had she known all the facts, she would have “charged” Michaels for the ZIP code.

The conclusion that plaintiff did not state a cognizable injury was the most interesting. The court dropped a giant footnote, saying that it’s not deciding this case on the basis of Article III standing, but even if it were, the result would be the same (citing In re iPhone App Litigation; Specific Media; In re Facebook Privacy Litigation). There is a big gray area here—whether a violation of a state law alone is enough to support standing, or whether even when plaintiff makes out a prima facie violation of a state statute, a plaintiff has to separately prove damages as a threshold matter. Can state legislatures circumvent Article III standing requirements? Can Congress? The court said that these issues are not implicated since the unfair trade practice statute only confers standing upon those who show that they have been injured. (My gut feeling is that Congress and state legislatures should have the power to define when a plaintiff can sue; at least they do so routinely. The court says that clarity on the standing question is forthcoming, since the Supreme Court granted cert. in Edwards v. First Am. Corp.)

The court’s conclusion on the unjust enrichment claim is also interesting. While one or two decisions accepted (at the motion to dismiss stage) the theory that personal information must be valuable because the defendant monetized it, later decisions, like this one, require plaintiff to more clearly articulate their misappropriation theories. Just because information is valuable in someone else’s hands, does not mean that their use of that information is a misappropriation of your property. It’s unclear whether the court’s rejection of plaintiff’s injuries is a result of the court’s construction of the credit card statute as aimed to combat identity theft and fraud, or whether it’s because Massachusetts unfair trade practices statute (like California’s) requires some out-of-pocket loss.

Overall, this decision, like many privacy lawsuits, reflects reluctance by courts to recognize informational privacy claims where they don't easily see out-of-pocket losses. The risk of future identity theft is not getting much traction in courts. (See also, Reilly v. Ceridian, a recent 3rd Circuit case.) The “personal information as currency” is not getting much traction in courts either. When those two theories are taken out of the mix, the plaintiff is left only to allege that the defendant violated the statute and therefore plaintiff is entitled to damages. Courts are requiring privacy plaintiffs to allege more than this.

For more on the California Supreme Court’s decision in Pineda v. Williams-Sonoma:
- California Supreme Court rules that ZIP codes are personal identification information (The Privacy Advisor, March 2011)
- Address Verification Service and privacy: The effect of the California Supreme Court ruling upon security (The Privacy Advisor, July 2011)

Source: Venkat Balasubramani (https://www.privacyassociation.org/publications/2012_01_17_mass._court_zip_code_is_personal_identification_info_under)

EU ISP Filtering Decision

Court of Justice of the European Union
PRESS RELEASE No 126/11
Luxembourg, 24 November 2011
Press and Information

Judgment in Case C-70/10
Scarlet Extended SA v Société belge des auteurs, compositeurs et éditeurs SCRL (SABAM)

EU law precludes the imposition of an injunction by a national court which requires an internet service provider to install a filtering system with a view to preventing the illegal downloading of files

Such an injunction does not comply with the prohibition on imposing a general monitoring obligation on such a provider, or with the requirement to strike a fair balance between, on the one hand, the right to intellectual property, and, on the other, the freedom to conduct business, the right to protection of personal data and the freedom to receive or impart information

This case has its origin in a dispute between Scarlet Extended SA, an internet service provider, and SABAM, a Belgian management company which is responsible for authorising the use by third parties of the musical works of authors, composers and editors.

In 2004, SABAM established that users of Scarlet's services were downloading works in SABAM’s catalogue from the internet, without authorisation and without paying royalties, by means of peer-to-peer networks (a transparent method of file sharing which is independent, decentralised and features advanced search and download functions).

Upon application by SABAM, the President of the Tribunal de première instance de Bruxelles (Brussels Court of First Instance, Belgium) ordered Scarlet, in its capacity as an internet service provider, on pain of a periodic penalty, to bring those copyright infringements to an end by making it impossible for its customers to send or receive in any way electronic files containing a musical work in SABAM's repertoire by means of peer-to-peer software.

Scarlet appealed to the Cour d'appel de Bruxelles (Brussels Court of Appeal), claiming that the injunction failed to comply with EU law because it imposed on Scarlet, de facto, a general obligation to monitor communications on its network, something which was incompatible with the Directive on electronic commerce [1] and with fundamental rights. In that context, the Cour d'appel asks the Court of Justice whether EU law permits Member States to authorise a national court to order an internet service provider to install, on a general basis, as a preventive measure, exclusively at its expense and for an unlimited period, a system for filtering all electronic communications in order to identify illegal file downloads.

In its judgment delivered today, the Court points out, first of all, that holders of intellectual-property rights may apply for an injunction against intermediaries, such as internet service providers, whose services are being used by a third party to infringe their rights. The rules for the operation of injunctions are a matter for national law. However, those national rules must respect the limitations arising from European Union law, such as, in particular, the prohibition laid down in the E-Commerce Directive on electronic commerce under which national authorities must not adopt measures which would require an internet service provider to carry out general monitoring of the information that it transmits on its network.

In this regard, the Court finds that the injunction in question would require Scarlet to actively monitor all the data relating to each of its customers in order to prevent any infringement of intellectual-property rights. It follows that the injunction would impose general monitoring, something which is incompatible with the E-Commerce Directive. Moreover, such an injunction would not respect the applicable fundamental rights.

It is true that the protection of the right to intellectual property is enshrined in the Charter of Fundamental Rights of the EU. There is, however, nothing whatsoever in the wording of the Charter or in the Court's case-law to suggest that that right is inviolable and must for that reason be absolutely protected.

In the present case, the injunction requiring the installation of a filtering system involves monitoring, in the interests of copyright holders, all electronic communications made through the network of the internet service provider concerned. That monitoring, moreover, is not limited in time. Such an injunction would thus result in a serious infringement of Scarlet's freedom to conduct its business as it would require Scarlet to install a complicated, costly, permanent computer system at its own expense.

What is more, the effects of the injunction would not be limited to Scarlet, as the filtering system would also be liable to infringe the fundamental rights of its customers, namely their right to protection of their personal data and their right to receive or impart information, which are rights safeguarded by the Charter of Fundamental Rights of the EU. It is common ground, first, that the injunction would involve a systematic analysis of all content and the collection and identification of users' IP addresses from which unlawful content on the network is sent. Those addresses are protected personal data. Secondly, the injunction could potentially undermine freedom of information since that system might not distinguish adequately between unlawful content and lawful content, with the result that its introduction could lead to the blocking of lawful communications.

Consequently, the Court finds that, in adopting the injunction requiring Scarlet to install such a filtering system, the national court would not be respecting the requirement that a fair balance be struck between the right to intellectual property, on the one hand, and the freedom to conduct business, the right to protection of personal data and the right to receive or impart information, on the other.

Accordingly, the Court’s reply is that EU law precludes an injunction made against an internet service provider requiring it to install a system for filtering all electronic communications passing via its services which applies indiscriminately to all its customers, as a preventive measure, exclusively at its expense, and for an unlimited period.

NOTE: A reference for a preliminary ruling allows the courts and tribunals of the Member States, in disputes which have been brought before them, to refer questions to the Court of Justice about the interpretation of European Union law or the validity of a European Union act. The Court of Justice does not decide the dispute itself. It is for the national court or tribunal to dispose of the case in accordance with the Court’s decision, which is similarly binding on other national courts or tribunals before which a similar issue is raised.

[1] Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000 on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market (OJ 2000 L 178, p. 1).

Unofficial document for media use, not binding on the Court of Justice.
The full text of the judgment is published on the CURIA website on the day of delivery.
Press contact: Christopher Fretwell (+352) 4303 3355
Pictures of the delivery of the judgment are available from "Europe by Satellite" (+32) 2 2964106
www.curia.europa.eu

CONFERENCE ON THE "DIGITAL COMPANY" IN LIGHT OF THE PROVISIONS OF THE NEW TURKISH COMMERCIAL CODE

Date: 11 October 2011
Venue: İstanbul Bilgi University, Dolapdere Campus, Courtroom

PROGRAM

09:00-10:00 Registration

10:00-10:30 Opening Speeches
Prof. Dr. Turgut TARHANLI, Dean of the İstanbul Bilgi University Faculty of Law
Prof. Dr. Remzi SANVER, Rector of İstanbul Bilgi University
Prof. Dr. Ünal TEKİNALP, Chair of the Turkish Commercial Code Commission
Hayati YAZICI, Minister of Customs and Trade

10:30-13:30 DIGITAL COMPANY PANEL
Session Chair: Prof. Dr. Ünal TEKİNALP, Chair of the Turkish Commercial Code Commission
İsmail YÜCEL, Director General of Domestic Trade, Ministry of Customs and Trade: “Electronic Trade Registry”
Prof. Dr. Vedat AKGİRAY, Chairman of the Capital Markets Board
Prof. Dr. Tayfun ACARER, Chairman of the Information and Communication Technologies Authority: “The Turkish Commercial Code and the Registered E-Mail Application”
Assoc. Prof. Dr. Yakup ERGİNCAN, General Manager of the Central Registry Agency: “Corporate Governance, Investor Relations and the Companies Information Portal”
Ümit YAYLA, Deputy General Manager of the Central Registry Agency: “Participation in the General Assembly Meetings of Publicly Held Companies under the New Turkish Commercial Code”
Asst. Prof. Dr. Leyla KESER BERBER, Director of the İstanbul Bilgi University Institute of Information and Technology Law, Chair of the Sub-Commission on Secondary Legislation for the IT-Related Provisions of the Turkish Commercial Code: “The Legal Framework for the Digital Company”

13:30-13:45 Questions/Discussion
13:45- Closing
14:00- Lunch

Procedures and Principles for the Safe Internet Service

DECISION OF THE INFORMATION AND COMMUNICATION TECHNOLOGIES BOARD
Decision Date: 24.08.2011
Decision No: 2011/DK-14/461
Agenda Item: Procedures and Principles for the Safe Internet Service.
DECISION: Within the scope of Articles 4, 6 and 50 of Law No. 5809, Article 10 of the Ordinance on Consumer Rights in the Electronic Communications Sector, which entered into force upon publication in the Official Gazette dated 28.07.2010 and numbered 27655, and the other relevant legislation, it has been decided:
• to repeal the “Draft Procedures and Principles for the Safe Use of the Internet”, which was approved and entered into force by the Board Decision dated 22.02.2011 and numbered 2011/DK-10/91,
• to approve the “Procedures and Principles for the Safe Internet Service” set out in the Annex,
• that this Board Decision shall enter into force as of 22.08.2011.

Annex
PROCEDURES AND PRINCIPLES FOR THE SAFE INTERNET SERVICE
Purpose
ARTICLE 1 – (1) The purpose of these Procedures and Principles is to regulate the procedures and principles for the preference-based Safe Internet Service.
Scope
ARTICLE 2 - (1) These Procedures and Principles cover Operators that provide Internet service and subscribers who request the Safe Internet Service.
Legal basis
ARTICLE 3 - (1) These Procedures and Principles have been prepared on the basis of Article 10 of the Ordinance on Consumer Rights in the Electronic Communications Sector, published in the Official Gazette dated 28/07/2010 and numbered 27655.
Definitions and abbreviations
ARTICLE 4 - (1) In these Procedures and Principles:
a) Subscriber: means the natural person who is party to a contract made with an Operator for the provision of Internet service, including mobile Internet service,
b) Family profile: means the profile in which the subscriber is not given access to the domain names, subdomain names, IP addresses and ports in the family profile list sent to Operators by the Authority,
c) Child profile: means the profile in which the subscriber is given access to the domain names, subdomain names, IP addresses and ports in the child profile list sent to Operators by the Authority,
ç) File integrity value (Hash Code): means the value that is obtained by passing the data in a computer file through a mathematical operation, that is used to check whether any change has been made to the data in the file, and that represents the digest of the file,
d) Safe Internet Service: means the service, consisting of the child and family profiles, that is provided free of charge upon the request of subscribers,
e) Safe Internet Service profile: means either of the child and family profiles that subscribers wishing to receive the Safe Internet Service may choose according to their needs,
f) Operator: means Operators that provide Internet access service, including Operators that provide mobile telephone service, and Türk Telekomünikasyon A.Ş.,
g) Board: means the Information and Communication Technologies Board,
ğ) Authority: means the Information and Communication Technologies Authority,
h) Profile Management Web Page: means the web page, designed by Operators, on which individual subscribers can carry out their requests if they wish to change their profile or to stop receiving the Safe Internet Service,
ı) Warning and Information Web Page: means the web page, designed by Operators, to which users are redirected when they cannot access websites because of their profile.
(2) For terms that are used in these Procedures and Principles but are not defined in the first paragraph of this article, the definitions in the relevant legislation apply.
Status of existing subscribers
ARTICLE 5 - (1) The existing Internet access service of subscribers who do not request the Safe Internet Service continues to be provided without any change.
Safe Internet Service profiles
ARTICLE 6 - (1) Operators offer the Safe Internet Service to subscribers who request it in two different profiles, namely the child profile and the family profile.
Selection of Safe Internet Service profiles
ARTICLE 7 - (1) Subscribers may submit their Safe Internet Service requests to the Operator from which they receive service when the subscription contract is signed. They may also submit these requests through the call centre, the dealer channel or the website.
(2) Operators provide the Safe Internet Service to subscribers free of charge.
(3) In subscription contracts, or in forms prepared as an annex to subscription contracts, and on the profile management page, Operators include the two Safe Internet Service profiles in the manner set out below, so that the subscriber can choose easily. Subscribers who choose the family profile are enabled to select one or more of the sub-options set out below, or to make no sub-selection at all. “If you request the Safe Internet Service, please choose one of the profiles below.
(4) Operators continue to provide Internet access service according to the subscriber's most recent preference.
(5) Subscribers receiving the Safe Internet Service are provided by Operators with a user name and password so that they can carry out operations on the Profile Management Web Page.
(6) Operators give their subscribers the ability, at any time, securely, easily and free of charge, to switch between profiles and/or to stop receiving the Safe Internet Service.
Profile management web page
ARTICLE 8 - (1) If subscribers wish to change their profile or to stop receiving the Safe Internet Service, they can carry out these requests through the Profile Management Web Page designed by Operators.
(2) For use on the Profile Management Web Page, Operators may let their subscribers use their existing user names and passwords free of charge, or may allocate a new user name and password.
(3) The Profile Management Web Page contains at least the following information:
a) On the home page: i. Current profile, ii. Profile Selection Menu,
b) An application with which the user can change their user name and password, and
c) The warning and awareness-raising informational texts sent by the Authority.
Warning and information web page
ARTICLE 9 - (1) When subscribers cannot access websites because of their profile, they are redirected to the Warning and Information Web Page designed by Operators.
(2) On the Warning and Information Web Page, Operators present at least the following information:
a) Current profile, and
b) The warning and awareness-raising informational texts sent by the Authority.
Structure and duties of the Child and Family Profile Criteria Working Committee
ARTICLE 10 - (1) The criteria for creating the Child and Family Profile lists are determined by the Child and Family Profile Criteria Working Committee.
(2) The Child and Family Profile Criteria Working Committee consists of 11 members, under the coordination of the Authority.
(3) The Child and Family Profile Criteria Working Committee consists of 3 members from the Authority, one of whom is the chair, 2 from the Ministry of Family and Social Policies, 2 from among the civil-society representative members of the Internet Board, 1 from the Turkish Digital Games Federation, and 3 members selected by the Authority from among persons with expertise in related fields such as psychology, pedagogy, sociology and law.
(4) The Child and Family Profile lists are determined by the Authority within the framework of the principles established by the Child and Family Profile Criteria Working Committee.
Evaluation of applications and objections
ARTICLE 11 - (1) Users and website owners may submit applications and objections for the evaluation of websites via the web page prepared by the Authority.
(2) Users make their applications via the link on the Profile Management Web Page, and their objections via the link on the Warning and Information Web Page. The Operator name, the user profile, and the domain name/IP address and port information relating to the application or objection are sent to the Authority by Operators so that applications and objections can be evaluated correctly.
(3) The Authority may seek the opinion of the Child and Family Profile Criteria Working Committee in evaluating applications and objections.
Provision of the Safe Internet Service and establishment of the infrastructure
ARTICLE 12 - (1) Operators establish and operate the infrastructure necessary for providing the Safe Internet Service. The Authority sends only the lists to Operators.
(2) Operators may not make changes to the Safe Internet Service profiles determined by the Authority or to the lists sent to Operators by the Authority.
(3) Operators may offer different services under various names in addition to the Safe Internet Service.
(4) Operators that provide Internet service at the wholesale level by the resale method provide the Safe Internet Service to alternative Operators free of charge.
Access to the list database
ARTICLE 13 - (1) The lists belonging to the Safe Internet Service profiles are shared over the secure point-to-point data lines established between Operators and the Authority.
(2) The data held in the Authority's database are sent to Operators over the secure line. Operators transfer the data and updates sent by the Authority into their systems, and apply them, within 24 hours at the latest.
(3) The file integrity value (hash code) of each domain name and sub-domain name held in the database is taken separately by the Authority, and the file integrity values are shared with the Operators. Operators take the file integrity value of the domain names and sub-domain names that users want to access, query it against the database sent to them, and establish the necessary control mechanisms for the use of this method.
(4) The list of IP addresses and ports held in the Authority's database is shared with the Operators without file integrity values being calculated. Operators carry out the queries relating to these IP addresses or ports.
(5) Operators install the software and hardware solutions they develop for the provision of the Safe Internet Service redundantly.

Informative text
ARTICLE 14 - (1) Operators send their subscribers awareness-raising informative texts, the content of which is approved by the Authority, to introduce the Safe Internet Service. Operators carry out the introduction of the Principles and Procedures to subscribers, before the service actually starts to be provided, by at least one of the following methods: short message, call centre, one-time redirected information page (captive portal), pop-up window and/or invoice.

Test process and actual start of service provision
ARTICLE 15 - (1) Operators make all infrastructure and application work required for the provision of the Safe Internet Service ready before the test process begins.
(2) The test process for the provision of the Safe Internet Service is carried out between the Operators and the Authority between 22.08.2011 and 22.11.2011.
(3) If the Operator deems it appropriate, subscribers may be signed up for test purposes during this process.
(4) Operators end the test process and begin actually providing the service to subscribers with effect from 22.11.2011.

Entry into force
ARTICLE 16 - (1) These Principles and Procedures enter into force on 22.08.2011.
Enforcement
ARTICLE 17 - (1) The provisions of these Principles and Procedures are enforced by the President of the Information and Communication Technologies Board.

Unofficial translation prepared by ICTA.

By-Law on the Principles and Procedures Concerning to the Safe Internet Service

Purpose
Article 1 - (1) The purpose of this By-Law is to define the procedures and principles concerning the Safe Internet Service requested by subscribers.

Scope
Article 2 - (1) This By-Law covers internet service providers and individual subscribers demanding Safe Internet Service.

Legal Basis
Article 3 - (1) This By-Law is prepared on the basis of Article 10 of “Ordinance on the Consumer Rights In The Telecommunications Sector” published in the Official Gazette dated 28/07/2010 and numbered 27655.

Definitions
Article 4 - (1) The terms used in this By-Law shall have the following meanings:
a. Subscriber: Any natural person who is party to a contract with an operator for the provision of internet service, including mobile internet services.
b. Family profile: The profile in which the users are not able to access the domain names, sub-domain names, IP addresses, and ports in the list which is sent to the operators by the Authority.
c. Child profile: The profile in which the users are only able to access the domain names, sub-domain names, IP addresses and ports in the list related to child profile which is sent to the operators by the Authority.
d. Hash code: A hash code is a value obtained by a mathematical function that determines the integrity of file data.
e. Safe Internet Service: The service provided free of charge upon the request of the subscriber and which consists of family and child profiles.
f. Safe Internet Service profile: Either child profile or family profile which can be chosen by subscribers who request Safe Internet Service.
g. Operator: Any company which provides internet services, including mobile operators and the Turk Telekomunikasyon Inc.
h. Board: Information and Communication Technologies Board.
i. Authority: Information and Communication Technologies Authority.
j. Edit Profile Web Page: The web page, designed by the operators, on which an individual subscriber can change his/her profile or opt out from Safe Internet Service when he/she wants.
k. Cautionary and informative web page: The web page that is designed by the operators and to which users will be redirected when they try to access a web site that is inaccessible according to their Safe Internet Service profile.
(2) For the terms that have not been defined in the first sub-clause of this article, the definitions set out in other relevant legislation are applicable.

Status of existing subscribers
Article 5 - (1) Existing internet access service of the subscribers who do not request Safe Internet Service will continue to be provided in its present form without any change.

Safe Internet Service profiles
Article 6 – (1) The operators shall provide Safe Internet Service to subscribers who demand this service as two separate profiles, which are child profile and family profile.

Selection of the Safe Internet Service profiles
Article 7 – (1) Subscribers can inform the operator about their Safe Internet usage request by means of the subscription agreement. Additionally, they can inform the operator via dealer, call centre or website.
(2) The operators shall provide Safe Internet Service to subscribers free of charge.
(3) The operators shall provide Safe Internet Service profile options, which could be easily selected by the subscriber in the subscription agreements or additional subscription forms and in the edit profile web page, as shown below. In case subscribers choose the family profile, selecting one or more of the sub-options mentioned below or selecting none of these sub-options should be made possible for them.
“If you want to opt in “Safe Internet Service” please select one of the profiles below.”
(4) The operators shall provide internet access services according to the last preference of the subscriber.
(5) A username and a password are provided by the operators to the subscribers using Safe Internet Service in order to enable them to use the Edit Profile Web Page.
(6) Providing the safety of the system, the operators shall provide the subscribers using Safe Internet Service with the opportunity of switching between the profiles and/or of opting out from the Safe Internet Service when they want, in an easy way and free of charge, via call centre or edit profile web page.

Edit profile web page
ARTICLE 8 – (1) The subscribers can change their profiles or opt out from the Safe Internet Service, when they want, through the Edit Profile Web Page that shall be designed by the operators.
(2) The operators can either provide a new username and password to their subscribers or make it possible for subscribers to use their current username and password in the Edit Profile Web Page free of charge.
(3) At least the information mentioned below should be provided in the Edit Profile Web Page:
a) Information that must take place in the main page;
i. Current profile,
ii. 'Edit Profile Module' at which username and password will be used,
b) An application through which the user can change his/her password and
c) Cautionary and informative text sent by the Authority.

Cautionary and informative web page
ARTICLE 9 – (1) Users are redirected to the Cautionary and Informative Web Page built by the operators when they try to access the web pages that are inaccessible according to their profiles.
(2) The operators shall provide at least the information listed below in the “Cautionary and Informative Web Page”:
a) Current user profile and
b) Cautionary and informative texts sent by the Authority.
Child and family profiles criteria working board’s structure and tasks
ARTICLE 10 – (1) The criteria of the lists that will be used within the concept of the Safe Internet Service are determined by the Child and Family Profiles Criteria Working Board.
(2) Child and Family Profiles Criteria Working Board consists of 11 members coordinated by the Authority.
(3) Child and Family Profiles Criteria Working Board is made up of 3 members, one of which is the President, from the Authority, 2 members from Ministry of Family and Social Policies, 2 members among non-governmental organization members of the Internet Committee, 1 member from the Digital Games Federation of Turkey, 3 members, who are experts in related branches such as psychology, pedagogy, sociology and law, selected by the Authority.
(4) The lists of child and family profiles are determined by the Authority, according to the principles constituted by the Child and Family Profiles Criteria Working Board.

Assessment of appeals and objections
ARTICLE 11 - (1) The users and owners of the internet sites can appeal and object, via the website provided by the Authority, to the Authority for the assessment of the internet sites.
(2) The users can make the appeals via the link on the Edit Profile Web Page and the objections via the link on the Cautionary and Informative Web Page. Operator name, user profile, domain name/IP address and port information, associated with the appeal and objection, are sent to the Authority by the operators for proper assessment of appeals and objections.
(3) The Authority can appeal to the opinion of Child and Family Profiles Criteria Working Board regarding the assessment of the objections and appeals.

Safe internet service provision and infrastructure building
ARTICLE 12 – (1) The operators shall build the infrastructure required for the Safe Internet Service and operate it. The role of the Authority is only to send the lists to the operators.
(2) The operators cannot make any change on the Safe Internet Service profiles determined by the Authority and the lists which will be sent by the Authority.
(3) In addition to the Safe Internet Service, operators can offer different service packages with different launch names.
(4) The operators which offer internet service via resale shall offer the Safe Internet Service to alternative operators free of charge.

Access to the list database
ARTICLE 13 – (1) The lists of Safe Internet Service profiles are shared with operators through point-to-point secure data lines established between the Authority and operators.
(2) The data stored in the Authority database will be sent through the secure data line to the operators. The operators shall apply the updates and data sent by the Authority to working systems used for provision of Safe Internet Service in 24 hours.
(3) The hash codes of domain and sub-domain names in the database are separately determined by the Authority and these hash codes are shared with the operators. Operators shall search the hash codes of the domain and sub-domain names, which the users want to access, through the database sent to them, and build necessary control mechanisms for the use of this method.
(4) The lists of IP addresses and ports in the database of the Authority are shared with the operators without taking the hash codes. The operators shall inquire the said IP addresses or ports.
(5) The operators shall set up the systems developed in accordance with the provision of the Safe Internet Service with backups.

Informative text
ARTICLE 14 – (1) The operators shall send an informative text, the content of which will be determined by the Authority, to the subscribers. Before the service is provided to the users, the operators shall inform the subscribers about introduction of this By-Law using at least one of the methods which are SMS, call centre, captive portal, pop-up and/or billing.
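The lookup that Article 13(3) and (4) describe, combined with the profile definitions in Article 4(b) and (c), can be sketched as follows. This is an added example, not part of the By-Law or of any operator's system; SHA-256, the name normalisation, the parent-domain walk, the (IP, port) entry form and every list entry are assumptions or constructed sample data.

```python
import hashlib
import ipaddress

def normalise(host):
    # Lower-case and drop the trailing root dot so equal names hash equally.
    return host.strip().rstrip(".").lower()

def domain_hash(name):
    # Assumption: SHA-256 over the IDNA (ASCII) form. The By-Law requires a
    # hash code per name but specifies neither the algorithm nor the encoding.
    return hashlib.sha256(normalise(name).encode("idna")).hexdigest()

def candidates(host):
    # A hashed list cannot be wildcard-matched, so the requested name and each
    # parent domain (down to two labels) are hashed and looked up one by one.
    # Treating a listed domain as covering its sub-domains is an assumption.
    labels = normalise(host).split(".")
    return [".".join(labels[i:]) for i in range(max(1, len(labels) - 1))]

def is_listed(host, ip, port, hashed_names, ip_ports):
    if any(domain_hash(c) in hashed_names for c in candidates(host)):
        return True
    # Article 13(4): IP addresses and ports are compared without hashing.
    addr = str(ipaddress.ip_address(ip))  # canonical text form
    # Assumed entry form: (ip, port), with port None meaning every port.
    return (addr, port) in ip_ports or (addr, None) in ip_ports

def is_accessible(profile, host, ip, port, hashed_names, ip_ports):
    hit = is_listed(host, ip, port, hashed_names, ip_ports)
    if profile == "family":   # Article 4(b): listed destinations are blocked
        return not hit
    if profile == "child":    # Article 4(c): only listed destinations allowed
        return hit
    raise ValueError(f"unknown profile: {profile!r}")

# Constructed sample lists (reserved example names and documentation IPs).
FAMILY_NAMES = {domain_hash("blocked.example"), domain_hash("ads.shop.example")}
FAMILY_IP_PORTS = {("192.0.2.10", None), ("198.51.100.7", 8080)}
CHILD_NAMES = {domain_hash("kids.example")}
CHILD_IP_PORTS = set()
```
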
Test process and provision of the service
ARTICLE 15 – (1) The operators shall build the required infrastructure and applications for the provision of Safe Internet Service before the test process starts.
(2) The test process for the Safe Internet Service shall be carried out between the Authority and the operators from 22.08.2011 to 22.11.2011.
(3) If it is considered proper by the operators, the operators can allow subscriptions to the Safe Internet Service during the test process.
(4) The test process shall be terminated on 22.11.2011 and the Service shall be provided to the users by this date.

Entry into force
ARTICLE 16 – (1) This By-Law enters into force on 22.08.2011.

Enforcement
Article 17 – (1) The provisions of this By-Law shall be enforced by the President of the Information and Communication Technologies Board.

Important Notice: In case of divergent interpretation, the original Turkish text shall prevail.

Source: http://www.btk.gov.tr/mevzuat/kurul_kararlari/dosyalar/2011%20DK-14-461.pdf