Turkey: KVKK recommendations on AI
Artificial intelligence ('AI') is a concept that is progressively becoming more important in our daily lives and in most industries. Although its most prominent aim is to make our lives easier, data privacy concerns surrounding AI raise questions for regulators and individuals. AI's swift emergence and development in most markets and industries demands a more rigorous approach to establishing guidelines for it. İlay Yılmaz, Can Sözer, Yigit Acar, and Ecenur Etiler, from Esin Attorney Partnership, discuss the emergence of various guidelines, ethical rules, and recommendations on AI practices from the EU and Turkey.
The Council of Europe published its Guidelines on Artificial Intelligence and Data Protection1 and the European Commission published its white paper on Artificial Intelligence – A European approach to excellence and trust2. The white paper defines the risks associated with AI and provides a framework for future AI legislation. The EU is currently discussing its Proposal for a Regulation on laying down harmonized rules on artificial intelligence ('the AI Act'). The AI Act provides three different categories of AI: (i) prohibited AI systems (unacceptable risk level); (ii) high- risk AI systems; and (iii) low- or minimal-risk AI systems. Different requirements and/or measures are envisaged for each risk category. Some examples of these requirements include concepts of transparency, human oversight, accuracy, cybersecurity, risk management, monitoring, and reporting.
Following this trend, Turkey published the National Artificial Intelligence Strategy 2021-20253 ('the Strategy') on 24 August 2021. The Strategy sets out the principles of the AI field as well as organisational plans and development goals for AI in Turkey for the years 2021-2025.
Further to the Strategy, the Turkish Personal Data Protection Authority ('KVKK') published Recommendations on the Protection of Personal Data in the Field of Artificial Intelligence4 ('the Recommendations') on 15 September 2021. The Recommendations include advice for the protection of personal data for developers, manufacturers, service providers, and decision-makers operating in the field of AI.
Definition of AI and recommendations from the KVKK
In the Recommendations, the KVKK initially defines AI in the following way:
'Artificial intelligence analyzes human-specific features and turns them into machines and is concerned with the development of algorithms and computer software that can think, interpret and make decisions like humans'.
Further to the definition, the KVKK underlines the importance of the protection of the fundamental rights and freedoms of individuals. Accordingly, the use of AI technologies needs to be compliant with Law on Protection of Personal Data No. 6698 ('the Law') and its secondary legislation. The Recommendations consist of three sections: (i) general recommendations; (ii) recommendations for developers, manufacturers, and service providers; and (iii) recommendations for decision-makers.
The general recommendations emphasise the importance of data protection in AI practices. General principles of data protection (such as processing being accurate, lawful, up-to-date, and pursuing a specific and limited purpose, as well as transparency and accountability) are applicable for AI practices. As part of the protection of personal data, for each AI project, a data protection compliance program should be established. Furthermore, the data subjects must be in control of the processing of their personal data. The main principles in the general recommendations section are as follows:
- a Privacy Impact Assessment must be conducted if a high risk for data privacy is foreseen in AI practices;
- AI applications must be developed in accordance with data protection principles;
- if AI practices involve the processing of sensitive personal data, special data protection measures must be implemented accordingly;
- if data processing is not necessary for the AI practice, data anonymisation must be the preferred option for processing of data; and
- the data controller and data processor status of the parties must be determined at the beginning of AI projects.
The recommendations for developers, manufacturers, and service providers emphasise the importance of compliance with both national and international regulations on AI technologies. Accordingly, the rights of the data subjects with respect to their personal data within the scope of national and international legislation must be protected. This protection involves less interference with personal data by several mechanisms such as allowing deletion, destruction, and anonymisation of data. Developers must lean on alternative technologies that offer less interference with personal rights in the development phase of the AI and ensure that the individuals' 'freedom to make a choice' is protected. It is also important that the AI developers fulfil their notice requirement and establish a consent mechanism, where and if necessary. The main recommendations for developers, manufacturers, and service providers are as follows:
- The quality, nature, quantity, category, and content of the data used must be evaluated and, accordingly, data usage must be minimised. The accuracy of the developed AI model must be monitored regularly.
- The opinion of academic institutions must be taken into consideration in: (i) the development and designing of AI practices concerning human rights, ethnical, and social orientations; and (ii) the identification of potential prejudices against AI. Individuals must have the right to object to technologies that affect their personal development.
- A risk assessment based on the active participation of individuals must be encouraged.
- Products must not be designed in a manner that exposes data subjects to decisions/consequences based on an automated data processing practice without exclusively obtaining data subjects' opinion on the matter.
- Algorithms that ensure accountability regarding the Law must be used.
- Users must be given the right to suspend the data processing activity, and systems must allow deletion, destruction, and anonymisation of user data.
- Users must be notified of the grounds for processing, methods and possible consequences of data processing, and a consent mechanism must be established, where and if necessary.
The decision-makers/regulators also play an integral role in the AI field in order to ensure an environment where AI applications pursue their operations without infringing the rights of data subjects. The main recommendations for decision-makers are as follows:
- the principle of accountability must be observed;
- risk procedures regarding the protection of personal data should be determined and an implementation matrix must be established;
- codes of conduct, certification mechanisms, and similar measures must be established;
- the role of human intervention in AI decision-making processes must be identified and users must be given the chance to distrust the outcomes of recommendations made by AI; and
- necessary resources must be allocated for studies in the AI field, personal data protection training must be organised, and active participation of individuals in these processes must be encouraged.
While AI is yet to be regulated in detail in Turkey, the Turkish government has taken a pivotal step in acknowledging the necessity of regulating AI in line with the developments in the EU, and has demonstrated its legislative efforts in this area. The Strategy and Recommendations set forth basic principles for data processing as part of AI and provide a roadmap for the near future in Turkey in the field of AI. The companies and initiatives working on and using AI should cautiously review the recommendations of the DPA, and follow the authorities' guidance on the matter. As emphasised by the Recommendations, companies must especially focus on transparency, accountability, data minimisation and protection of data subjects in designing and developing AI technologies.
1. See: https://rm.coe.int/guidelines-on-artificial-intelligence-and-data-protection/168091f9d8
2. See: https://ec.europa.eu/info/sites/default/files/commission-white-paper-artificial-intelligence-feb2020_en.pdf
3. See: https://cbddo.gov.tr/SharedFolderServer/Genel/File/TRNationalAIStrategy2021-2025.pdf
4. See: https://kvkk.gov.tr/SharedFolderServer/CMSFiles/25a1162f-0e61-4a43-98d0-3e7d057ac31a.pdf (only available in Turkish)