Comparative Evaluation of Selected Elements of Data Protection Regulations: Türkiye’s KVKK and the EU’s GDPR
The rapid increase in digitalization and the widespread sharing of data has made the protection of personal data an important issue. This study aims to analyse the current practices regarding the protection of personal data in Türkiye in a comparative manner with the regulations adopted at international and European level. The study evaluates the effectiveness of the Law KVKK in Türkiye and offers suggestions on how this law can be aligned with international standards such as the EU's General Data Protection Regulation (GDPR). Based on important regulations such as the GDPR and the OECD's Data Protection Principles, the study aims to analyse the legal and policy instruments in Türkiye in depth. The similarities and differences between the GDPR and the LPPD are emphasized, especially on issues such as data transfer abroad, data processing processes and protection of sensitive data. The study analyses the process of aligning Türkiye's personal data protection regulations with EU standards and develops forward looking policy recommendations in terms of data security in the digital age.
- Research Article
- 10.21512/becossjournal.v4i2.8377
- Jun 4, 2022
- Business Economic, Communication, and Social Sciences (BECOSS) Journal
Personal data protection regulations have been adopted by 137 countries until the beginning of 2022. In addition to creating a data protection agency, personal data protection regulations have also created new professionalism, namely personal data protection officers. The main role of the data protection officer is to ensure compliance with personal data protection regulations placing the function of a data protection officer as an important factor in the personal data protection ecosystem. It raises the question of how the role of data protection officers in the personal data protection ecosystem when it is analyzed from the attributes attached to the profession. Therefore, using the normative juridical research method, this paper attempts to describe the role of the data protection officer in the personal data protection ecosystem by analyzing the attributes attached to the profession through a comparison of the General Data Protection Regulation (GDPR) in the European Union, Personal Data Protection Act Singapore and the draft of personal data regulation in Indonesia. This paper concluded that the existence of a data protection officer is part of the data protection regulation, whether it appears as an obligation or in terms of certain conditions. Independency of the data protection officer and organizational support is essential to optimize the data protection officer’s role which has been adopted on GDPR. It also noticed the presence of data protection officers as a service to fulfill the needs of data protection officers by organizations. Further research regarding the attribute of data protection officers as studied in this paper is needed since the Indonesia personal data protection bill will impact many sectors, both private and public sectors.
- Research Article
- 10.15252/embr.202051362
- Aug 11, 2020
- EMBO reports
Smartphone apps to track SARS-CoV 2 infections need to fulfill certain minimal requirements to guarantee privacy and justify their use under data protection laws.
- Research Article
- 10.24144/2307-3322.2024.85.2.42
- Nov 18, 2024
- Uzhhorod National University Herald. Series: Law
The article provides a detailed analysis of the legal regulation of personal data protection in various jurisdictions, including the European Union, the United States, Canada, and Ukraine. Special attention is given to the General Data Protection Regulation (GDPR), which is one of the strictest international standards in this field. The main provisions of the GDPR are examined, such as the principles of lawfulness, fairness, transparency, purpose limitation, and data minimization, as well as the rights of data subjects, including the right to access, rectification, and erasure of data. The impact of GDPR on international businesses is analyzed, showing how it has forced companies worldwide to adapt their data processing systems to comply with European legal requirements. The section on the United States focuses on California state law, particularly the California Consumer Privacy Act (CCPA), which grants citizens rights over their personal data. Although the U.S. legislative framework is fragmented compared to GDPR, the CCPA is a significant step toward protecting the privacy of American citizens. Canadian legislation is represented by the Personal Information Protection and Electronic Documents Act (PIPEDA), which ensures the protection of personal data in commercial relationships. PIPEDA strikes a balance between business interests and citizens’ rights, providing flexibility in the use of personal data while adhering to principles of transparency and consent. The article also analyzes the process of harmonizing Ukraine’s legislation with the GDPR, which is a crucial step in the context of the country’s integration into the European legal space. Ukrainian legal reforms focus on strengthening citizens’ rights and improving mechanisms for controlling personal data processing. The article offers a comparative analysis of the discussed legal systems, highlighting key differences in data protection approaches. 
Unlike the EU, where regulation is comprehensive and stringent, U.S. laws are fragmented. In Canada, PIPEDA creates a more flexible system oriented toward the commercial sector. Ukraine, meanwhile, is on its way to full harmonization with European standards, which will enhance the legal protection of citizens in the digital economy.
- Research Article
- 10.55529/jls.34.32.41
- Jul 29, 2023
- Journal of Legal Subjects
The protection of personal data is a top priority for both individuals and organizations in the modern digital world. In the Ghanaian context, strict data privacy laws are essential to protecting citizens' rights and privacy. The legal foundation for these restrictions is the 1992 constitution of Ghana and Data Protection Act, specifically the Data Protection Act, 2012 (Act 843), which establishes the guidelines for legitimate data processing, the responsibilities of data controllers and processors, and the rights of data subjects. Compliance with local laws, however, may not be sufficient for enterprises operating on a worldwide scale or in international marketplaces as a result of the fact that globalization and digitalization cut across national boundaries. This article delves into Ghana's complex data privacy landscape, illuminating key points and providing suggestions for how businesses can improve their data protection practices by adhering to internationally recognized data protection standards like the General Data Protection Regulation (GDPR) of the European Union. Understanding the fundamental principles of Ghana's Data Protection Act, the scope and applicability of GDPR in Ghana, the importance of data mapping and inventory, the function of Data Protection Impact Assessments (DPIAs), consent and the rights of data subjects, data security and breach notification, and the potential sanctions for non-compliance are some of the key areas of focus. Readers can obtain a profound awareness of Ghana's data privacy landscape and the procedures necessary to successfully align with national and international data protection regulations by navigating this in-depth exploration. Businesses that prioritize compliance with data protection regulations in Ghana are better positioned not only to meet legal requirements but also to foster trust, drive innovation, and contribute to the nation's digital advancement on the global stage. 
In an ever-evolving digital world where data privacy is paramount.
- Research Article
- 10.1007/s10660-020-09422-3
- Jun 16, 2020
- Electronic Commerce Research
The growth of e-commerce and other platforms has significantly increased the amount of personal data that is shared and submitted online; however, the adequate and secure collection and processing of these data is of great concern. With the EU’s implementation of a new data protection regulation in 2018, the development of personal data protection globally has reached an important turning point and has sparked the interest of scholars and businesses. Text coding was employed to compare the current personal data protection regulation landscape in the EU and in China to discover the differences between the General Data Protection Regulation and the personal data protection regulations of the fastest-growing economy in e-commerce. The results show that while there are several similarities in regard to general requirements, such as principles of data processing and basic rights for data subjects, China’s personal data protection regulations tend to lack specific operational requirements and strong legal enforcement. Based on the research results, implications and recommendations for the government and companies are provided.
- Research Article
- 10.5603/rpor.a2021.0138
- Dec 30, 2021
- Reports of Practical Oncology and Radiotherapy
Secure communication between patients and health care facilities is especially important. In 2016, the European Union (EU) introduced a new regulation — the General Data Protection Regulation (GDPR), applicable in all EU member states — aimed at improving protection of personal data. The GDPR provides broad guidelines on data protection, but generally lacks specific details. Consequently, although member states must comply with the GDPR, there is some flexibility to develop new regulations to suit national characteristics and practices, especially in key economic sectors, such as health care. The aim of the present article is to discuss the benefits and limitations of legal provisions governing the patient identification (both in-person and remotely). This analysis is based on Polish laws that were recently passed to comply with the GDPR. In some cases, these data protection regulations may be unnecessarily strict, making routine care more difficult than intended by the GDPR. National legislation in Poland imposes strict data protection measures, such as prohibiting the public display of patient names or calling out the patient’s name in public. However, after health care personnel around the country criticised many of these measures, the law will be modified to address those concerns. For example, the patient’s name can be displayed on a wrist band and on containers with the patient’s medicines. Nonetheless, numerous questions still need to be resolved to adapt the general data protection rules to ensure the effective operation of the hospital to avoid problems related to accurate patient identification.
- Research Article
- 10.54254/2753-7048/44/20230095
- Apr 18, 2024
- Lecture Notes in Education Psychology and Public Media
The exponential growth of personal data in the digital era has raised significant concerns regarding data protection and privacy. This work delves into the global perspectives and trends surrounding data protection laws, data security, cross-border data transfers, and data subjects' rights. It emphasizes the importance of balancing data utilization for economic benefits with safeguarding individuals' personal data. As the risks revealed by high-profile incidents, such as the Cambridge Analytica/Facebook scandal, Equifax data breach, and Yahoo data breaches, the hazards associated with unauthorized data exploitation have been underscored. The work examines the impact of the EU's General Data Protection Regulation (GDPR) and the proliferation of data protection legislation worldwide. It explores three international trends in data protection and utilization, including balancing personal data protection and data value utilization, promoting the sharing and utilization of public data, and establishing jurisdictional control over overseas data. However, providing an extraterritorial effect in data protection regulation faces challenges rooted in state sovereignty and non-interference. Evaluating the legitimacy of such claims requires consideration of international law sources, international conventions, customs, and general legal principles. Moreover, the benefit orientation of enterprises and technological progress limits the effectiveness of the "Brussels Effect," leading to jurisdiction-specific differentiation and fragmenting the global market.
- Research Article
- 10.58829/lp.12.1.2025.286
- Jun 30, 2025
- Lex Publica
The implementation of personal data protection regulations in the Indonesian fintech sector, specifically Law Number 27 of 2022 concerning Personal Data Protection and Financial Services Authority Regulation Number 77 of 2016, shows significant progress in implementing a comprehensive legal framework. This framework adopts international standards such as the General Data Protection Regulation, is supported by the establishment of a Personal Data Protection Agency, and mandates reporting of data breach incidents. However, covering personal data remains a serious threat, resulting in financial losses, psychological distress, and reputational damage for consumers. This highlights the challenges in consistent law enforcement, low digital literacy among the public, and the need for wider implementation of advanced security technologies. To improve legal protection, it is important to strengthen oversight and law enforcement mechanisms, improve digital literacy among the public through continuing education, mandate the implementation of advanced security technologies by fintech providers, and regulate reporting and complaint mechanisms.
- Research Article
- 10.24144/2307-3322.2022.76.1.40
- Jun 14, 2023
- Uzhhorod National University Herald. Series: Law
The paper examines the state of legal regulation of personal data protection of employees in Ukraine. It is established that the national labour legislation does not have special rules on the specifics of regulating the security of processing and storage of personal data in the process of concluding, implementing and terminating employment relations. With this in mind, the authors refer to the experience of international and European institutions in regulating this area. It is established that the ILO and EU instruments have a broader scope than national legislation, namely, they contain not only general rules, but also those regulating relations in the field of employment and employment. Given Ukraine's commitment to improve its personal data protection legislation in order to bring it in line with the GDPR as part of the implementation of the Association Agreement with the European Union, the authors propose a number of measures to improve the mechanisms and means of legal regulation of employee personal data protection in the context of digital and European integration. These include - introduction of international standards for ensuring mechanisms related to the security, protection and defence of employee personal data; - creation of a legal regime for the protection and defence of employee personal data in accordance with the European Regulation; - establishment of liability and determination of types of punishment for violation of legislation in the field of protection of employee personal data; - introduction of special provisions in the Labour Code of Ukraine regarding the employer's obligation to protect personal data. 
It is noted that in connection with the military aggression of the Russian Federation against Ukraine and the introduction of martial law, this issue has become even more relevant and requires further legislative consolidation and consideration of international experience and analysis of the current state, taking into account the existing practical component.
- Research Article
- 10.1093/eurpub/ckz185.808
- Nov 1, 2019
- European Journal of Public Health
Issue/problem: Collection, storage and sharing RWD raise concerns regarding the privacy, data protection and governance of access. To date, the concerns related to consent and adequate safeguards for data protection in conventional research and health care settings are being discussed in detail in the literature. However, collection of RWD from individuals fuels questions regarding the applicability of the regulations for human subjects’ research and personal data protection. Description of the problem: The data collected in the framework of RWD need to be protected in line with the overarching principles of human subjects research and personal data protection regulations such as the EU General Data Protection Regulations (GDPR). In particular, the purposes of data collection, potential further uses, duration of storage of data and the authorized users’ access to data should be managed in compliance with applicable data protection regulations. In addition, the adequate models for de-identifications of data should be used in compliance with the applicable data protection regulations. Ethical oversight on the process of data collection, storage and use should also be scrutinized. Effects/changes: In order to respect the privacy rights of the patients, it is essential to first identify the potential risks and assess the adequacy of the existing safeguards in protecting the privacy of the patients. Lessons: The effectiveness of the current access governance in the context of RWD should be assessed and the required safeguards to be proposed.
- Research Article
- 10.37253/jlpt.v8i2.8827
- Jan 11, 2024
- Journal of Law and Policy Transformation
Telemedicine allows patients to receive remote medical consultation, diagnosis, and treatment through a digital platform. However, with the development of telemedicine, personal data protection has become one of the main concerns. This research aims to compare the regulation of personal data protection in telemedicine services in Indonesia and the European Union. The type of research in this scientific article is Normative Juridical Research with a comparative legal approach. The data sources obtained in this paper are primary data and secondary data. The data collection method is a literature study. The data analysis method in this paper uses a qualitative approach. The results show that personal data protection in Indonesia is regulated by Law Number 27 of 2022 concerning Personal Data Protection (PDP Law). While in the European Union, Personal Data Protection is regulated in the General Data Protection Regulation (GDPR) which regulates the collection and use of personal data by organizations. Some similarities in personal data protection in both telemedicine in Indonesia and in the European Union are that the same consent requires telemedicine providers to obtain clear and explicit consent from patients. Both telemedicine providers must not disclose the patient's personal data to third parties without the patient's consent. Telemedicine providers to implement security measures to protect patient personal data. Both Indonesia and the European Union give patients the right to access, correct, delete, and limit the use of their personal data
- Research Article
- 10.24144/2788-6018.2025.04.2.56
- Sep 11, 2025
- Analytical and Comparative Jurisprudence
The article presents a comprehensive study of the administrative and legal foundations of personal data protection through the lens of a comparative analysis of leading international regulatory models in this field. The relevance of the study stems from the rapid development of information technologies and the digitalisation of social relations, which underscores the importance of administrative and legal regulation of personal data protection as a key component of ensuring information security and safeguarding citizens’ rights in the digital environment. This issue is particularly pressing in the context of Ukraine’s European integration ambitions and the need to align national legislation with international standards for data protection. The article examines the constitutional and legal approach to defining personal data as an integral part of fundamental human rights, particularly the right to privacy, dignity, and self-realisation in the information sphere. It substantiates the need to enshrine the right to personal data protection in Ukraine’s Constitution, either by amending Article 32 or by introducing a separate provision on individual information rights. A detailed analysis is provided of the European model of personal data protection, embodied in the General Data Protection Regulation (GDPR), which is based on the principles of safeguarding fundamental human rights and maintaining high standards of privacy. The extraterritorial nature of this model and its influence on the development of global data protection standards are highlighted. The article also explores the U.S. regulatory system, which is characterised by a utilitarian approach focused on economic expediency and market principles, with an emphasis on sectoral regulation and business self-regulation. Particular attention is given to the California Consumer Privacy Act (CCPA) as a significant step towards aligning U.S. standards with European data protection requirements. 
The article argues in favour of developing a hybrid administrative and legal model for Ukraine, combining European standards for the protection of individual rights with flexible mechanisms adapted to national specificities and the dynamic evolution of digital technologies.
- Research Article
- 10.1055/s-0041-1726512
- Aug 1, 2021
- Yearbook of Medical Informatics
Summary. Objective: This survey article presents a literature review of relevant publications aiming to explore whether the EU's General Data Protection Regulation (GDPR) has held true during a time of crisis and the implications that arose during the COVID-19 outbreak. Method and Results: Based on the approach taken and the screening of the relevant articles, the results focus on three themes: a critique on GDPR; the ethics surrounding the use of digital health technologies, namely in the form of mobile applications; and the possibility of cross border transfers of said data outside of Europe. Within this context, the article reviews the arising themes, considers the use of data through mobile health applications, and discusses whether data protection may require a revision when balancing societal and personal interests. Conclusions: In summary, although it is clear that the GDPR has been applied through a mixed and complex experience with data handling during the pandemic, the COVID-19 pandemic has indeed shown that it was a test the GDPR was designed and prepared to undertake. The article suggests that further review and research is needed to first ensure that an understanding of the state of the art in data protection during the pandemic is maintained and second to subsequently explore and carefully create a specific framework for the ethical considerations involved. The paper echoes the literature reviewed and calls for the creation of a unified and harmonised network or database to enable the secure data sharing across borders.
- Research Article
- 10.2139/ssrn.3713134
- Nov 16, 2020
- SSRN Electronic Journal
The concept of sensitive data has been a mainstay of data protection for a number of decades. The concept itself is used to denote several categories of data for which processing is deemed to pose a higher risk for data subjects than other forms of data. Such risks are often perceived in terms of an elevated probability of discrimination (or related harms) to vulnerable groups in society. As a result, data protection frameworks have traditionally foreseen a higher burden for the processing of sensitive data than other forms of data. The sui generis protection of sensitive data (stronger than the protection of non-sensitive personal data) can also seemingly be a necessity from a fundamental rights-based perspective (as indicated by human rights jurisprudence). This paper seeks to analyse the continued relevance of sensitive data in both contemporary and potential future contexts. Such an exercise is important for two main reasons. First, the legal regime responsible for the regulation of the use of personal data has evolved considerably since the concept of sensitive data was first used. This has been exemplified by the creation of the EU's General Data Protection Regulation in Europe. It has introduced a number of requirements relating to sensitive data that are likely to represent added burdens for controllers who want to process personal data. Second, the very nature of personal data is changing. Increases in computing power, more complex algorithms and the availability of ever more potentially complementary data online mean that more and more data can be considered of a sensitive nature. This creates various risks going forward, including an inflation effect whereby the concept loses its value and also the possibility that data controllers may increasingly seek to circumvent complying with the requirements placed upon the use of sensitive data.
This paper analyses how such developments are likely to influence the concept of sensitive data and in particular its ability to protect vulnerable groups from harms. The authors propose a possible interpretative solution: a hybrid approach where a purpose-based definition acquires a bigger role in deciding whether data is sensitive combined with a context-based ‘backstop’ based on reasonable foreseeability.
- Research Article
- 10.1108/ijlma-01-2024-0025
- Apr 5, 2024
- International Journal of Law and Management
Purpose: General Data Protection Regulation (GDPR) of the European Union (EU) was passed to protect data privacy. Though the GDPR intended to address issues related to data privacy in the EU, it created an extra-territorial effect through Articles 3, 45 and 46. Extra-territorial effect refers to the application or the effect of local laws and regulations in another country. Lawmakers around the globe passed or intensified their efforts to pass laws to have personal data privacy covered so that they meet the adequacy requirement under Articles 45–46 of GDPR while providing comprehensive legislation locally. This study aims to analyze the Malaysian and Saudi Arabian legislation on health data privacy and their adequacy in meeting GDPR data privacy protection requirements. Design/methodology/approach: The research used a systematic literature review, legal content analysis and comparative analysis to critically analyze the health data protection in Malaysia and Saudi Arabia in comparison with GDPR and to see the adequacy of health data protection that could meet the requirement of EU data transfer requirement. Findings: The finding suggested that the private sector is better regulated in Malaysia than the public sector. Saudi Arabia has some general laws to cover health data privacy in both public and private sector organizations until the newly passed data protection law is implemented in 2024. The finding also suggested that the Personal Data Protection Act 2010 of Malaysia and the Personal Data Protection Law 2022 of Saudi Arabia could be considered “adequate” under GDPR. Originality/value: The research would be able to identify the key principles that could identify the adequacy of the laws about health data in Malaysia and Saudi Arabia as there is a dearth of literature in this area. This will help to propose suggestions to improve the laws concerning health data protection so that various stakeholders can benefit from it.