With the rapid expansion of the use of artificial intelligence (AI) and its integration into all areas of life, it has become essential to establish a legal framework that regulates the safe and ethical development, distribution and use of AI systems, considering the complexity and unique characteristics of this technology.
In addition to promoting the safe, transparent, and human rights-respecting development of AI technologies, and aiming to protect the safety, rights, and freedoms of users and society, the European Union Artificial Intelligence Act ("AI Act"), which is the first legal regulation in this field, was approved by the European Parliament on March 13, 2024 to ensure the ethical development of AI and the protection of personal data. Finally, the AI Act was also approved by the Council of the European Union on May 21, 2024. As a pioneering regulation, it is considered that the AI Act will guide many countries in determining their national policies and strategies and in legislative efforts concerning AI and related issues.
You can access our article on the AI Act here.
First Legislative Actions in Turkiye
Following the approval of the AI Act in the European Union ("EU"), a Draft Law on Artificial Intelligence Law ("Draft Law" or “Bill”) was also prepared in Turkey by a parliament member and submitted to the Grand National Assembly of Turkey on June 24, 2024 with the aim of establishing a regulatory framework in this area in Türkiye.
The regulatory framework introduced by the AI Act includes strategies to minimize potential risks while benefiting from the innovative solutions offered by artificial intelligence, with different regulations and requirements based on risk levels. When we compare the AI Act with the Draft Law, it is evident that while the Draft Law is inspired by some of the AI Act's regulations, it presents a much narrower framework in terms of scope.
In the Draft Law, it is noted that the detailed classifications and specific obligations for these classifications are not adequately defined, there are also deficiencies regarding conformity assessment mechanisms, the impacts of AI systems on the fundamental rights and freedoms of individuals are not sufficiently addressed in detailed analyses within the context of fundamental rights and freedoms. The definitions are arranged in a way that lags behind current discussions around the world and could lead to misunderstandings. Apart from the content and scope, the Draft Law, in its current form, contains significant shortcomings in terms of legislative drafting methodology.
Comparative Assessment of AI Act with the Bill
The AI Act adopts a "risk-based" approach where the rules to be applied become stricter as the risk of artificial intelligence systems harming society increases. This approach foresees different regulations based on the risk level to ensure the safe, ethical, and transparent use of AI technologies. High-risk applications are subject to stricter monitoring and compliance requirements, while low-risk applications have lighter regulations, with appropriate regulations for each category. This approach is significant as it balances the protection of societal security with the promotion of technological innovation. One of the most critical shortcomings of the Draft Law is that it introduces a blanket regulation regarding risk management and assessment, covering all risk classifications, measures, and conformity assessments.
The AI Act classifies AI systems into four main risk levels: (i) unacceptable, (ii) high, (iii) limited, and (iv) low risk, and sets out the obligations and requirements for developers and users according to these risk levels. In the Draft Law, such a classification for AI systems has not been made, and it has been limited to regulating that a risk assessment should be conducted during the development and use of AI systems. In the legislative work to be carried out on AI systems, classifications should be made in parallel with the regulations in the AI Act, and obligations should be distributed according to these classifications.
In the AI Act, the unacceptable risk category represents the highest risk level and includes AI systems that are incompatible with EU values and fundamental rights, such as subliminal manipulation, exploitation of vulnerabilities, real-time remote biometric identification in public spaces, and scraping of facial images. These systems are prohibited in the EU. Therefore, any legal regulation in this area in Turkey should also prohibit AI systems in the unacceptable risk category, in parallel with the EU.
High-risk AI systems encompass all AI applications that could negatively impact people's health and safety, fundamental rights, or the environment. Additional areas have been identified that classify AI systems as high-risk, including the management and operation of critical infrastructure, access to essential private and public services and benefits, and the management of migration, asylum, and border control.
For high-risk AI systems, the AI Act stipulates that providers/suppliers of these systems must establish a quality management system/risk management system, use high-quality datasets, maintain technical documentation, keep records, ensure transparency, and provide information to users. Additionally, before the AI system is placed on or put into service in the EU market, a conformity assessment must be conducted to ensure the system complies with the AI Act. The system must also be registered in a publicly accessible database established by the European Commission across the EU. Furthermore, additional obligations include human oversight, conducting data protection impact assessments for users, and more.
AI systems in the limited risk category include those that carry a risk of manipulation or deception. For AI systems in this category, the AI Act imposes specific transparency obligations. These systems must be transparent, and users must be informed that they are interacting with an AI system.
Under the AI Act, low-risk AI systems include all AI systems that do not fall into the aforementioned categories. The classification of these systems is based on an exclusion process rather than a specific definition or criteria. However, low-risk AI systems are not exempt from oversight and must comply with the fundamental principles outlined in the AI Act, such as human oversight, privacy and data management, transparency, non-discrimination, and fairness.
We believe that in any legislative effort in this area in Türkiye, a similar risk-based classification should be implemented.
Evaluation of the Bill
In the Draft Law, the measures to be taken during the development and use of AI systems include conducting necessary risk assessments, implementing special measures and audit mechanisms for high-risk AI systems, registering AI systems with the relevant supervisory authorities, and subjecting them to conformity assessments. However, these measures are expressed in very broad terms, and there is no concrete explanation of how and by whom these measures will be taken and which audit mechanism will oversee them. Although the Draft Law makes all AI operators responsible for these measures, it is not sufficient or accurate to impose the same obligations on every developer without distinguishing between risks.
In the Draft Law, it is unclear which institution will act as the supervisory authority or how it will be authorized, resulting in a general delegation of authority to the supervisory authority that is inconsistent with administrative law principles. The question of which institution will be responsible for the oversight and supervision of AI systems remains unresolved. In our opinion, establishing a new institution specific to this area could be an option, as well as utilizing existing institutions that could be authorized for this purpose. The Digital Transformation Office within the Presidency, established to consolidate efforts related to digital transformation, cybersecurity, national technologies, big data, and AI under one roof, could serve as the competent authority under a national AI law. Given the close relationship between AI and personal data, establishing a new directorate within the Personal Data Protection Authority could also be considered. This would enable more effective management and supervision of the impacts of AI technologies on personal data.
Considering the penalty amounts in the AI Act, it could lead to the establishment of quite high monetary limits for Turkiye, potentially causing the cessation of activities of developers within the country. Therefore, we believe that there might be a need for a reassessment of penalties and sanctions.
Conclusion and Other Developments
During the period in which the Draft Law is being discussed, the Digital Transformation Office of the Presidency of Turkiye announced that the “National Artificial Intelligence Strategy 2021-2025 Action Plan,” which is the first national strategy document of Turkiye in the field of artificial intelligence, has been updated in line with the 12th Development Plan, taking into account recent developments in artificial intelligence and the country's needs. The National Artificial Intelligence Strategy 2024-2025 Action Plan outlines six strategic priorities: training AI experts and increasing employment in the sector, supporting research, entrepreneurship, and innovation, expanding access to quality data and technical infrastructure, accelerating regulations that will enhance socioeconomic adaptation, strengthening international collaborations, and speeding up structural and workforce transformation. However, it does not include any provision for drafting legislation in the field of artificial intelligence.
While the Draft Law submitted to the parliament is a positive development in terms of initiating work in this area, we believe that ensuring broader stakeholder participation and gathering the opinions of experts from various sectors during the preparation process, as well as further efforts to adapt the legislation to the EU framework, would significantly contribute to making the legislative activity more responsive to needs and more practically applicable.
In light of these developments, it is not expected that the current Draft Law, as it stands, will pass the committee stage and be submitted to the general assembly.
First published by Legalink European Monthly Newsletters in Sep 20, 2024.