Artificial Intelligence Comparative Guide-Part 1
AI is not currently regulated under Turkish law; but when AI issues arise, it is possible to apply existing legal provisions by analogy. In this regard, question 9 discusses the positive rules in terms of liability that apply where the autonomous decisions and actions of AI result in damages. However, before examining these rules in detail, the legal status of AI should first be evaluated.
Thus far, several opinions on the legal status of AI have been presented in the legal doctrine. The most common is the property view, which states that AI should be considered as under the ownership of real and legal persons. Another view has also been proposed following the European Parliament's publication of the European Parliament Legal Affairs Commission Robotics Advisory Report, which suggests that a special status of electronic personality should be created to apply to AI. The final view presented in the legal doctrine is the legal personality view, whose supporters argue that there is a relationship between AI and the company that creates and/or manages it, and with the board of directors of that company.
Although several countries have been taking legal and regulatory steps in the AI space, this is a completely new concept for every country and Turkey is no exception. Both in Turkey and elsewhere in the world, these initiatives have been launched in response to technological developments.
In Turkey, the government attaches great importance to AI applications and aims to promote the production and use of AI technologies, as stated in government strategies and policies. Thus, while AI remains unregulated, the evolution of both the background law and future regulations may be expected.
Under Turkish law, even where a party is not at fault, it may still be found liable for compensation under the regime of liability without fault. Under Articles 66 and following of the Turkish Code of Obligations (TCO), employers, animal keepers and building owners may be found liable for damages caused by an employee, an animal or defects in a building if they have not exercised all reasonable care to prevent the damage from arising.
The TCO also provides for the concept of liability on the grounds of equity in terms of a general duty to take reasonable care. Pursuant to Article 65 of the TCO, a court can order compensation for loss and damage caused partially or fully by a mentally incapable person on the grounds of equity. According to this provision, in order for a mentally incapable person to be held responsible for damages that he or she has caused, the action must be defective and against the objective law and have been committed personally by the mentally incapable person.
It may thus be possible to apply this liability regime by analogy to hold parties that use AI liable for compensation due to damages caused by the AI.
As discussed in question 1.3, under the concept of liability without fault, a party that uses AI technologies may be held liable for the actions of the AI under the applicable provisions of the TCO.
No, there is no AI regime in Turkey.
Turkey is not a party to any such bilateral or multilateral instruments. However, AI is closely related to cybersecurity, and Turkey transposed the Council of Europe Convention on Cybercrime into domestic law as of 1 January 2015 through the Agreement on Cyber Crimes. This will thus apply where relevant.
No specific authority is responsible for enforcing the applicable laws and regulations. However, given that the 2023 Industry and Technology Strategy provides for the establishment of an Artificial Intelligence Institute within the Scientific and Technological Research Council of Turkey (TUBITAK) (please see question 8.1), we expect that initiatives in this regard will be taken by the Ministry of Industry and Technology together with TUBITAK. The duties of the ministry include:
The Department of Big Data and Artificial Intelligence Applications under the Presidential Digital Transformation Office has also been tasked with developing strategies and facilitating coordination within the scope of the policies determined by the president to ensure the efficient use of big data and AI applications in the public sector.
There are no specific regulations governing AI in Turkey and no legislative preparations for such regulations have as yet been made. While the legal issues associated with AI are currently resolved through general rules under the TCO, strategic plans and programmes have focused on developing AI and setting certain standards, such as in relation to the management, protection and dissemination of data. Thus, while standards may be introduced on practice-oriented issues, no legislative initiatives are expected in the near future.
However, the Turkish legislature also monitors the work of the European Commission and may use this as a model for the preparation of legislation. Hence, the approaches of EU member states towards the regulation of AI may directly affect how legal disputes are interpreted in future. Moreover, the recent EU white paper entitled Artificial Intelligence: A European Approach to Excellence and Trust and report entitled Policy and Investment Recommendations for Trustworthy Artificial Intelligence may shape future policies regarding AI.
In addition to the above, as it is known, the Council of Europe (Ad hoc Committee on Artificial Intelligence) ("CAHAI") is currently preparing a convention that aims to regulate artificial intelligence on the basis of human rights, rule of law and democracy. In addition, various policy documents and impact analysis templates are prepared for the implementation of the convention. In this regard, Turkey takes an active role in these works and is at the forefront among the countries working in preparation of the convention. As the Council of Europe's works aim alignment with the European Union's efforts in the same area, they are expected to facilitate Turkey's harmonization with the EU through the outputs created. Therefore, Turkey's potential regulations are expected to be compatible with the CAHAI and EU.
The AI applications that have become most embedded in Turkey are primarily in the education, defence, health, finance, retail, business and agriculture sectors. Turkey has no official AI strategy as yet. However, workshops on AI and AI strategies are taking place, such as the Turkish Asian Strategic Research Centre workshop held in February 2020. The workshop was initiated by the Turkish Asian Centre for Strategic Studies and other bodies under the Turkey-based, multi-programme BRAINS2 TURKEY initiative, and reported on the requirements for and the pathway towards an AI strategy.
Turkey currently benefits from AI applications in many ways. According to sectoral impact analysis, AI applications are commonly used, in order of impact, in the health, telecommunications, e-commerce, banking and business, media and retail sectors. One of the main reasons for this is that funding and research and development have tended to focus on these sectors. Thus, there are many companies, initiatives and start-ups working on AI applications in Turkey.
Finance, business and e-commerce implementations are some of the most common AI-based products and services in Turkey. According to the Turkey Artificial Intelligence Initiative's (TRAI) Turkey AI Initiative Enterprise Report, published in July 2020, initiatives are ongoing involving systems such as:
The TRAI also updated its Turkey Artificial Intelligence Initiative Map in July 2020 to reflect the presence of 134 new start-ups.
Examples of available products and services include the following:
AI companies are generally structured as limited liability start-ups that will serve their function in a given sector or business, or as technology companies that provide AI software.
AI technologies are expected to contribute $15.7 trillion to the global economy by 2030 and to row national economies by 26%. One of the ways in which AI companies are financed is through government funding and incentives. The European Union, on the other hand, has announced that it will invest $24 billion in AI research by 2020. Some European countries have also established national initiatives. For example, the French government has announced that it will invest $1.85 billion in funding AI research and initiatives.
The private sector also plays an active role in the AI field. There are several methods in which Turkish start-ups are funded, which include:
The state is involved to a considerable extent in the uptake and development of AI, through policy initiatives such as the following:
AI is being treated as an asset that should be regulated. Sectoral impact analysis of commonly used AI applications in the health, telecommunications, e-commerce, banking and business, media and retail sectors is currently being carried out. These sectors use AI in a range of processes, including:
However, as yet these efforts have not extended to the preparation of a regulatory framework for AI. Moreover, these efforts do not focus on particular sectors, but rather seek to determine the positive effects of AI technology and applications in general, and to expand the use cases thereof.
While there is no sectoral divide in Turkey in terms of AI, certain localisation requirements in the Turkish regulatory environment will be applicable and may impact on AI technology. Although there is no framework regulation that governs data residency principles, certain sector-specific data localisation rules and obligations will apply to AI to the extent that it falls within such sectors. Moreover, in the absence of a framework regulation setting out procedures and principles regarding data residency or sovereignty, the Personal Data Protection Law 6698 – which transposed EU Directive 95/46/EC and its ancillary regulations into national law (collectively, ‘DPL') – constitutes the main regulatory framework that governs the hosting, processing and flow of data in and out of the country. While the DPL subjects the cross-border flow of data to a regime which is compatible with that of the European Union, the political challenges faced by the local authority have strengthened data sovereignty concerns, leading to the application of restrictive measures.
The most specific regulation that regulates the processing of health data is the Regulation on Personal Health Data, enacted on 6 July 2019. However, the scope of this regulation is limited to operations of public and private bodies relating to processes and practices run by the Ministry of Health. Therefore, unless the relevant operation relates to the duties and authorities of the Ministry of Health, the main applicable legislative instrument is still the DPL.
With regards to the domestic and international transfer of health data, the Regulation on Personal Health Data refers to the procedures and rules set out under the DPL. However, the storage of health data abroad by public bodies is restricted (and in certain circumstances prohibited) by Article 1 of Circular Note 2019/12 on Information and Communication Security Measures, which states that: "Critical information and data such as population, health and communication registration information, and genetic and biometric data shall be stored domestically in a safe environment."
Certain registration and physical audit requirements may also be interpreted as limiting health-related AI applications within the country.
(b) Security and defence
As per the Law on the Security of the Defence Industry and the Regulation on the Security of the Defence Industry, certain information can be categorised as classified information. The sharing of classified information requires a person security certificate and a facility security certificate, which are issued only to those who work in the industry. This requirement may be interpreted as limiting the transfer of security data abroad, although not limiting security-related AI applications.
(c) Professional Services
The Judicial Reform Strategy of the Ministry of Justice states that studies on the use of AI in judicial proceedings is one such reform under consideration, in line with the standards and guidelines of the Council of Europe, as well as the principles of legal equality and security. If AI technology is implemented in judicial proceedings, this will transform the sector and may set a precedent for disruption in professional services.
(d) Public sector
As a public sector-specific regulation, Presidential Circular 2019/12 on Information and Communication Security Measures was published in Official Gazette 30823 dated 6 July2019. The circular sets out 21 security measures to be adopted by public entities. One of these imposes a blanket ban on hosting data outside of the Turkish territory. The circular also referred to a guide that would set out further details on the scope of these measures and clarify their implementation by the public authorities. The Presidential Guide on Information and Communication Security, which was duly published on 28 July 2020, applies to public IT officials, who are expected to conduct internal IT security checks and anyone in the IT industry that engages with public institutions. The guide relaxed the localisation requirement by introducing a new definition and limited the localisation requirement to critical information only. Although the definition of ‘critical information' is unclear and open to interpretation, the guide is seen as promising in terms of relaxing the restrictions and enabling certain services and operations of public authorities to be processed via AI solutions that are not hosted in Turkey.
Strict localisation requirements are also imposed in the Turkish financial sector. Since the economic crisis of 2001, the Banking Regulation and Supervision Agency has imposed data localisation requirements on most financial institutions, and primarily on banks. An information system localisation requirement was first included in the Abolished Regulation on Internal Systems of Banks and Evaluation Process for Efficiency of Internal Capital of 1 July 2012 and was preserved in the current Regulation on Information Systems of Banks and Electronic Banking Services. On-site audits were provided for in the earliest version of the Banking Law dated 19 October 2005, but the abolished Banking Law 4389 included no provisions in this regard. It is planned that payment service providers and e-money institutions will also be subject to localisation obligations. Accordingly, the Draft Regulation on Payment Services and Electronic Money Issues and Payment Service Providers and the Draft Communiqué on the Information Systems of Payment and Electronic Money Institutions and Data Sharing Services in the Payment Services of Payment Service Providers require that payment institutions and e-money institutions keep their primary and secondary systems within Turkey. The localisation requirements that dominate the financial sector should also be taken into consideration when developing AI applications in the sector.
The Personal Data Protection Law of Turkey (DPL) covers the processing of personal data by automated and non-automated means. AI companies and applications should comply with the general principles set out in the DPL, which provide as follows:
AI companies and applications should also comply with:
Specifically, they should be aware that data subjects have the right to object, where the processing of personal data exclusively through automated means has a direct result for the data subject, which is likely to occur in relation to AI practice. Lastly, as Turkey has transposed Convention 108 for the Protection of Individuals with regards to Automatic Processing of Personal Data into domestic law, the data protection regime set out under this agreement will also apply.
Additionally, the Personal Data Protection Authority has signed a protocol with Istanbul Technical University's AI and Data Science Application and Research Centre to conduct research into data protection, privacy and data security in AI practice.
Turkey has no dedicated cybersecurity legislation, but legislative bodies and regulatory authorities are currently working towards the establishment of a cybersecurity environment and legislation in this regard is under development. Accordingly, the provisions on cybersecurity are not set out in a single legislative instrument, but can rather be found scattered through separate sector-specific regulations.
The recently enacted Presidential Circular 2019/12 on Information and Communication Security Measures sets out extensive obligations that mainly apply to public bodies with respect to cybersecurity. In addition, the Communiqué on Procedures and Principles on the Establishment, Duties and Practices of Cyber Incident Response Centres 2013 sets out the obligations of cyber incident response centres to report and notify all cybersecurity breaches to the competent regulatory authorities as soon as the cyber breach occurs or the cyber threat is discovered.
In addition, criminal offences in the field of informatics are set out in the following provisions of the Criminal Code:
In 2017, the minister of transport, maritime affairs and communications announced the completion of work on the draft Cybersecurity Law, which will be a binding framework regulation for cybersecurity. While the private sector has welcomed this initiative, the regulation still has not been enacted by the legislature.
In terms of the development and uptake of AI, one critical issue to address is the possible detrimental effect of pricing algorithms on competition, in particular by facilitating collusive practices. Moreover, as in tort law, the determination of antitrust liability arising from the use of algorithms becomes harder, as emerging technological advancements are weakening the link between the algorithm and the human beings who use it; although most of the algorithms used today still operate under the instructions of humans and humans can thus be held responsible for anti-competitive behaviour.
The Turkish Competition Authority (TCA) has not yet published any studies on the effects of algorithms on competition or on the digital economy more generally, and no cases thus far have investigated algorithmic commercial behaviour. Nonetheless, TCA officials have shared their attitudes on regulation and enforcement in this space with the press and the public. Given that prices can be automatically altered by algorithms developed by undertakings that can access huge amounts of data which are not available in the physical markets, TCA officials have expressed concern that small adjustments to algorithms could result in significant changes to the competitive order of the market and have stated that the TCA can address these issues using its traditional enforcement methods. In this regard, while the TCA has not specifically focused on the AI systems used, it has initiated a comprehensive study of digital markets, which is expected to examine AI-related issues relating to competitive behaviour. The TCA is also tracking emerging trends in competition enforcement around the world, including in the work of the Organisation for Economic Co-operation and Development, EU bodies and the national authorities of member states; and is prepared to respond to any sudden policy or legislative shift in relation to the digital economy.