Privacy Law: Turkish Personal Data Protection Board Publishes Guideline on Artificial Intelligence

On September 15th 2021, Turkish Personal Data Protection Board (“Board”) published Guideline on Suggestions Regarding Personal Data Protection in the Field of Artificial Intelligence (“Guideline”) which provides suggestions for ongoing and future works on AI and aims to clarify the subject of personal data privacy in this field. The Guideline is based on “Guidelines on Artificial Intelligence and Data Protection” by Council of Europe Directorate General of Human Rights and Rule of Law, “Suggestion of the Council on Artificial Intelligence” by OECD, and “Ethics Guidelines for Trustworthy AI” by European Commission. In this regard, the Suggestions of the Board are presented under three topics: (i) General Suggestions, (ii) Suggestions for Developers, Manufacturers, and Service Providers, (iii) Suggestions for Policy Makers.

General Suggestions

General Suggestions under the Guideline include below:

• Protection of human dignity and safeguarding fundamental rights and liberties, shall be respected in development and practice of artificial intelligence applications.
• Data processing based artificial intelligence projects and data collection activities shall be conducted lawfully with respect to fundamental rights and liberties, and the general principles for data privacy such as proportionality, transparency, purpose specification, etc.
• In data processing, an approached focused on avoiding and minimizing potential risks that considers democratic, social, and ethical values shall be adopted.
• Artificial intelligence applications should allow control by data subjects over the data processing.
• For artificial intelligence applications based on personal data protection with high projected data privacy risk, lawfulness of the data processing activity shall be determined in accordance with a privacy impact assessment.
• The principal of privacy by design shall be adopted and compliance with the data privacy regulations shall be ensured from the first steps of artificial intelligence applications.
• Special data privacy rules and stricter technical and administrative precautions shall be considered in development and application of artificial intelligence that process special categories of personal data.
• If personal data processing is not necessary for achieving the same results for development and application of artificial intelligence technologies, data anonymization methods shall be adopted.
• Data controller and data processor positions of different parties to artificial intelligence applications shall be determined from the beginning of the projects and compliance with data privacy regulations shall be ensured accordingly.

Suggestions for Developers, Manufacturers, and Service Providers

• Suggestions for developers, manufacturers, and service providers under the Guideline include below:
• A data privacy focused approach shall be adopted that is consistent with local and international data privacy regulations throughout the design of artificial intelligence designs.
• Possible adverse consequence on fundamental rights and liberties shall be assessed and appropriate risk prevention and minimization precautions shall be adopted.
• In all phases of data processing, including data collection, fundamental rights and liberties shall be protected and potential biases including discrimination or other adverse consequences against data subjects shall be avoided.
• The quality, nature, origin, amount, categories, and content of personal data shall be assessed, and the amount of personal data used shall be reduced accordingly, the accuracy of the developed model shall be monitored in all stages.
• The risk of adverse consequences on individuals and society caused by de-contextualized algorithm models shall be adequately assessed.
• Academic institutions that can contribute to the development of human rights-based and ethically and socially oriented artificial intelligence applications and detection of potential biases shall be consulted; independent professionals and institutions shall be consulted in areas where transparency and stakeholder engagement may be difficult.
• Proper objection rights shall be established against processes based on technologies affecting views and personal development of individuals.
• Data subjects’ rights originating from local and international regulations shall be safeguarded in data processing.
• Risk assessments with active contribution from individuals and groups that are likely to be affected from artificial intelligence applications shall be encouraged.
• Products and services shall be designed in a manner that does not allow individuals to be subjected to a decision solely based on automated processing, without taking their views into consideration.
• Alternatives that are less intrusive to data subjects’ rights shall be offered as well and users’ right to choose shall be safeguarded.
• Algorithm that will ensure accountability for all stakeholders in terms of personal data protection rules shall be adopted in all stages of products and services including their design.
• Data subjects shall be allowed to exercise their rights to stop data processing, and request erasure, deletion, or anonymization of user data.
• Data subjects interacting with artificial intelligence applications shall be duly informed on the reasons of data processing, methods and possible consequences of data processing, and an effective data processing consent mechanism shall be designed when necessary.

Suggestions for Policy Makers

• Suggestions for policy makers under the Guideline include below:
• The principle of accountability shall be safeguarded in all stages.
• Personal data protection risk assessment procedures shall be adopted, and an application matrix based on sector/application/hardware/software.
• Necessary measures such as codes of conduct and certification mechanisms shall be taken.
• Necessary funding shall be allocated for monitoring whether artificial intelligence models are being used for a different context or purpose.
• The role of human intervention in decision making processes shall be established. The rights of individuals not to trust the results of suggestions presented with artificial intelligence applications shall be preserved.
• Supervisory authorities — Institutions authorized to regulate and/or supervise the field of artificial intelligence — shall be consulted in cases the possibility of data subjects’ fundamental rights and liberties being significantly affected arises.
• Cooperation between supervisory authorities and other authorized bodies on data privacy, consumer protection, facilitation of competition, and anti-discrimination should be encouraged.
• Research based on assessing the impact of artificial intelligence applications in terms of human rights, ethics, sociology, and psychology shall be supported.
• Individuals, groups, and stakeholders should be educated, and their active inclusion shall be facilitated in discussions regarding the role of artificial intelligence along with big data systems in shaping social dynamics and relevant policy making processes.
• Appropriate public software-based mechanisms should be encouraged to establish a digital ecosystem supporting secure, just, legal, and ethical sharing of data.
• Digital literacy and education resources should be funded to increase awareness of data subjects on artificial intelligence applications and their effects.
• Data privacy education for application developers should be encouraged to increase awareness on personal data protection.

Kortan Gödekoğlu