A new development is added to the recent studies in artificial intelligence (“AI”) regulation in Turkey. After the National Artificial Intelligence Strategy, which we included in the MA Gazette Edition 107, another study came from the Personal Data Protection Authority (“DPA”) front.
The Recommendations on the Protection of Personal Data in the Field of Artificial Intelligence (“Guide”) includes recommendations for the protection of personal data under the Law on the Protection of Personal Data numbered 6698 (“Law”) for developers, manufacturers, service providers and decision makers operating in the field of AI. Also, the previous studies of European Commission and OECD were taken into consideration within the scope of the Guide.
The highlights of the Guide are as follows:
- The ethical framework must be followed in the development of AI applications, an approach that respects basic human rights, is compatible with social values and is transparent should be adopted.
- AI and data collection studies based on personal data processing should be based on the principles of correct and up-to-date personal data, specific and limited purpose of personal data use, and data security approach.
- Privacy impact assessment should be applied in AI studies where high risk is foreseen in terms of protection of personal data, and the legality of data processing activity should be decided within this framework.
- Full compliance with data protection legislation should be ensured at every stage of AI applications based on personal data processing and by each of the stakeholders in this field.
- Algorithm models that are taken out of context (the use of algorithms originally designed for a particular AI model for a different purpose or in an AI model) should be carefully evaluated for the risk of causing adverse effects on individuals and society.
- Persons interacting with AI applications should be informed about the reasons for personal data processing, the details of the methods used in processing personal data and their possible consequences, and an effective data processing approval mechanism should be designed for necessary cases. In this context, it should be made possible for data owners to exercise their respective rights.
Some recommendations are also stipulated in the Guide for institutions and organizations that are in a decision-making position:
- Risk assessment procedures for the protection of personal data should be adopted and an implementation matrix should be established on the basis of sector/application/hardware/software.
- Appropriate measures should be taken, such as codes of conduct and certification mechanisms.
- When the possibility of significantly affecting the fundamental rights and freedoms of the persons concerned arises, the authorities authorized to regulate and/or supervise in the field of AI should be consulted.
You can access the full text of the Guide at this link. (Only available in Turkish)