Protection of Personal Data In the Field of Artificial Intelligence

With the rapid expansion of the use of artificial intelligence (AI) and its integration into all areas of life, it has become essential to establish a legal framework that regulates the safe and ethical development, distribution and use of AI systems, considering the complexity and unique characteristics of this technology.

In addition to promoting the safe, transparent, and human rights-respecting development of AI technologies, and aiming to protect the safety, rights, and freedoms of users and society, the European Union Artificial Intelligence Act ("AI Act"), which came into force on August 1, 2024, to ensure the ethical development of AI and the protection of personal data. As a pioneering regulation, it is considered that the AI Act will guide many countries in determining their national policies and strategies and in legislative efforts concerning AI and related issues.

Unlike the regulations made in the European Union, there is currently no specific regulation on artificial intelligence in Turkiye. However, with the widespread use of artificial intelligence applications in Turkiye, the creation of legal and regulatory frameworks in this area has become one of the key issues on the agenda.

2024 was a year in which important steps were taken in the development and implementation of artificial intelligence technology in Turkiye. Within the scope of the "National Artificial Intelligence Strategy" prepared for the years 2021-2025, Turkiye has also created an action plan for 2024-2025, outlining a roadmap for the development and use of this technology. The action plan includes actions such as preparing a report on the legal assessment of artificial intelligence applications and monitoring their compliance with laws, but a specific legal regulation for artificial intelligence has not yet been foreseen. On the other hand, independent of the action plan, some efforts have been made to regulate artificial intelligence legally, and the first draft law on this topic was presented to parliament in 2024. Although this draft law is considered not to provide a sufficient framework yet, it is expected that Turkiye will adopt an approach similar to the European Union's regulations on artificial intelligence.

The Personal Data Protection Authority has not remained indifferent to the developments in the field of artificial intelligence. In its publication titled "Recommendations for the Protection of Personal Data in the Field of Artificial Intelligence," it shared its suggestions for developers, manufacturers, service providers, and decision-makers involved in artificial intelligence activities regarding the protection of personal data under the Law. It is worth noting that the recommendation published by the Board includes main elements of Article 22 of the GDPR which once again shows us the fact that the Board has its guidance from the GDPR and although not yet enacted officially, the principals under Article 22 of the GDPR are already taken into account by the Board. According to the recommendations, AI applications should be managed with a human-centered approach. Algorithms that ensure accountability in compliance with data protection laws must be adopted from the design phase of products and services and throughout their entire lifecycle. Risk assessments must be conducted with the participation of individuals and groups likely to be affected by the applications.Products and services must be designed to ensure that individuals are not subjected to decisions affecting them solely based on automated processing without considering their exclusive views.

If the same outcome can be achieved without processing personal data in the development of artificial intelligence technologies, the data must be processed in an anonymised form.

In artificial intelligence initiatives, all systems must be developed in accordance with the principle of data protection from the design phase onwards.

Human intervention must be established in decision-making processes, and individuals' freedom to distrust the outcomes of AI-generated recommendations must be preserved.

The quality, nature, source, and quantity of personal data used should be assessed to ensure minimal data usage, and the accuracy of the developed model must be monitored.

If high risks are anticipated in terms of personal data protection in AI projects, a privacy impact assessment should be carried out, and the lawfulness of data processing activities must be evaluated within this framework.

To raise awareness of personal data protection, training and information initiatives on data privacy must be encouraged.

The processes of collecting, analyzing, and using personal data by artificial intelligence systems raise significant questions regarding individuals’ privacy rights and compliance with data protection regulations. The Law mandates principles such as transparency, data minimization, legality, and accountability in the development and use of artificial intelligence. Managing AI systems in a legally sustainable manner is crucial from a legal perspective and the Law definitely needs a revision and detailed rules on this.

First published by Gün + Partners in Mar 04, 2025.