Artificial Intelligence Comparative Guide-Part 1

Ece Özelgin, Special Counsel & Head of Public Policy

Miray Muratoğlu, Associate

1 Legal and enforcement framework

1.1 In broad terms, which legislative and regulatory provisions govern AI in your jurisdiction?

AI is not currently regulated under Turkish law; however, when AI issues arise, it is possible to apply existing legal provisions by analogy. In this regard, question 9 discusses the positive rules in terms of liability that apply where the autonomous decisions and actions of AI result in damages. However, before examining these rules in detail, the legal status of AI should first be evaluated.

Thus far, several opinions on the legal status of AI have been presented in the legal doctrine. The most common is the property view, which states that AI should be considered as under the ownership of real and legal persons. Another view has also been proposed following the European Parliament's publication of the European Parliament Legal Affairs Commission Robotics Advisory Report, which suggests that a special status of electronic personality should be created to apply to AI. The final view presented in the legal doctrine is the legal personality view, whose supporters argue that there is a relationship between AI and the company that creates and/or manages it, and with the board of directors of that company.

1.2 How is established or ‘background’ law evolving to cover AI in your jurisdiction?

Although several countries have been taking legal and regulatory steps in the AI space, this is a completely new concept for every country and Turkey is no exception. Both in Turkey and elsewhere in the world, these initiatives have been launched in response to technological developments.

In Turkey, the government attaches great importance to AI applications and aims to promote the production and use of AI technologies, as stated in government strategies and policies. Thus, while AI remains unregulated, the evolution of both the background law and future regulations may be expected.

1.3 Is there a general duty in your jurisdiction to take reasonable care (like the tort of negligence in the United Kingdom) when using AI?

Under Turkish law, even where a party is not at fault, it may still be found liable for compensation under the regime of liability without fault. Under Articles 66 and following of the Turkish Code of Obligations (TCO), employers, animal keepers and building owners may be found liable for damages caused by an employee, an animal or defects in a building if they have not exercised all reasonable care to prevent the damage from arising.

The TCO also provides for the concept of liability on the grounds of equity in terms of a general duty to take reasonable care. Pursuant to Article 65 of the TCO, a court can order compensation for loss and damage caused partially or fully by a mentally incapable person on the grounds of equity. According to this provision, in order for a mentally incapable person to be held responsible for damages that he or she has caused, the action must be defective and against the objective law and have been committed personally by the mentally incapable person.

It may thus be possible to apply this liability regime by analogy to hold parties that use AI liable for compensation due to damages caused by the AI.

1.4 For robots and other mobile AI, is the general law (eg, in the United Kingdom, the torts of nuisance and ‘escape’ and (statutory) strict liability for animals) applicable by analogy in your jurisdiction?

As discussed in question 1.3, under the concept of liability without fault, a party that uses AI technologies may be held liable for the actions of the AI under the applicable provisions of the TCO.

1.5 Do any special regimes apply in specific areas?

No, there is no AI regime in Turkey.

1.6 Do any bilateral or multilateral instruments have relevance in the AI context?

Turkey is not a party to any such bilateral or multilateral instruments. However, AI is closely related to cybersecurity, and Turkey transposed the Council of Europe Convention on Cybercrime into domestic law as of 1 January 2015 through the Agreement on Cyber Crimes. This will thus apply where relevant.

1.7 Which bodies are responsible for enforcing the applicable laws and regulations? What powers do they have?

No specific authority is responsible for enforcing the applicable laws and regulations. However, given that the 2023 Industry and Technology Strategy provides for the establishment of an Artificial Intelligence Institute within the Scientific and Technological Research Council of Turkey (TUBITAK) (please see question 8.1), we expect that initiatives in this regard will be taken by the Ministry of Industry and Technology together with TUBITAK. The duties of the ministry include:

  • setting policy recommendations and strategies in order to increase the research and development (R&D) and production competencies of individuals and businesses in critical areas, including big data, AI and cybersecurity;
  • ensuring that these policies and strategies are implemented;
  • supporting R&D, investments and initiatives;
  • issuing regulations; and
  • conducting inspections in the relevant areas.

The Department of Big Data and Artificial Intelligence Applications under the Presidential Digital Transformation Office has also been tasked with developing strategies and facilitating coordination within the scope of the policies determined by the president to ensure the efficient use of big data and AI applications in the public sector.

1.8 What is the general regulatory approach to AI in your jurisdiction?

There are no specific regulations governing AI in Turkey and no legislative preparations for such regulations have as yet been made. While the legal issues associated with AI are currently resolved through general rules under the TCO, strategic plans and programmes have focused on developing AI and setting certain standards, such as in relation to the management, protection and dissemination of data. Thus, while standards may be introduced on practice-oriented issues, no legislative initiatives are expected in the near future.

However, the Turkish legislature also monitors the work of the European Commission and may use this as a model for the preparation of legislation. Hence, the approaches of EU member states towards the regulation of AI may directly affect how legal disputes are interpreted in future. Moreover, the recent EU white paper entitled Artificial Intelligence: A European Approach to Excellence and Trust and report entitled Policy and Investment Recommendations for Trustworthy Artificial Intelligence may shape future policies regarding AI.

In addition, the Council of Europe's Ad hoc Committee on Artificial Intelligence (CAHAI) is currently preparing a convention that aims to regulate artificial intelligence on the basis of human rights, the rule of law and democracy. Various policy documents and impact analysis templates are also being prepared for the implementation of the convention. Turkey takes an active role in this work and is at the forefront among the countries working on the preparation of the convention. As the Council of Europe's work aims at alignment with the European Union's efforts in the same area, its outputs are expected to facilitate Turkey's harmonisation with the EU. Therefore, Turkey's potential regulations are expected to be compatible with the CAHAI and EU.

2 AI market

2.1 Which AI applications have become most embedded in your jurisdiction?

The AI applications that have become most embedded in Turkey are primarily in the education, defence, health, finance, retail, business and agriculture sectors. Turkey has no official AI strategy as yet. However, workshops on AI and AI strategies are taking place, such as the Turkish Asian Strategic Research Centre workshop held in February 2020. The workshop was initiated by the Turkish Asian Centre for Strategic Studies and other bodies under the Turkey-based, multi-programme BRAINS2 TURKEY initiative, and reported on the requirements for and the pathway towards an AI strategy.

Turkey currently benefits from AI applications in many ways. According to sectoral impact analysis, AI applications are commonly used, in order of impact, in the health, telecommunications, e-commerce, banking and business, media and retail sectors. One of the main reasons for this is that funding and research and development have tended to focus on these sectors. Thus, there are many companies, initiatives and start-ups working on AI applications in Turkey.

2.2 What AI-based products and services are primarily offered?

Finance, business and e-commerce implementations are some of the most common AI-based products and services in Turkey. According to the Turkey Artificial Intelligence Initiative's (TRAI) Turkey AI Initiative Enterprise Report, published in July 2020, initiatives are ongoing involving systems such as:

  • image processing;
  • natural language processing;
  • optimisation;
  • chatbots and dialogue-like AI;
  • machine learning;
  • robotic process automation;
  • smart platforms;
  • prediction and data analytics; and
  • search engines and search assistants.

The TRAI also updated its Turkey Artificial Intelligence Initiative Map in July 2020 to reflect the presence of 134 new start-ups.

Examples of available products and services include the following:

  • CBOT, a Turkey-based conversational AI platform for enterprises, offers services such as banking chatbots, e-commerce chatbots, enterprise applications, customer support and text classification. It recently began providing MEB Asistan, an AI-based digital assistant, to the Ministry of Education.
  • DECE provides services in several sectors, such as retail, business, energy, IT, smart cities and defence. It aims to accelerate digital transformation through its proprietary AI-based GEODI product, which does not require manual data entry and has automated geographic information system integration, smart searches and more.

2.3 How are AI companies generally structured?

AI companies are generally structured as limited liability start-ups that will serve their function in a given sector or business, or as technology companies that provide AI software.

2.4 How are AI companies generally financed?

AI technologies are expected to contribute $15.7 trillion to the global economy by 2030 and to grow national economies by 26%. One of the ways in which AI companies are financed is through government funding and incentives. The European Union, on the other hand, has announced that it will invest $24 billion in AI research by 2020. Some European countries have also established national initiatives. For example, the French government has announced that it will invest $1.85 billion in funding AI research and initiatives.

The private sector also plays an active role in the AI field. Turkish start-ups are funded in several ways, including:

  • capital stock;
  • accelerators and incubation centres;
  • venture capital;
  • angel investors; and
  • crowdfunding.

For instance:

  • Monument is a domestic initiative that collects a large amount of funds through Kickstarter;
  • Archmir is another start-up that is funded by a domestic incubation centre called KWORKS; and
  • Inoven, funded by ITU Technokent, is another domestic incubation centre that supports AI start-ups.

2.5 To what extent is the state involved in the uptake and development of AI?

The state is involved to a considerable extent in the uptake and development of AI, through policy initiatives such as the following:

  • The Artificial Intelligence Research Initiative and Door Technology prepared a National Artificial Intelligence Strategy Preliminary Report, consisting of 10 items;
  • The Department of Big Data and Artificial Intelligence Applications was established to track developments and conduct studies in relation to AI and big data;
  • The Open Data Portal aims to determine the procedures, principles and standards for the transfer of data of public institutions;
  • The Artificial Intelligence Institute is being established within the Scientific and Technological Research Council of Turkey; and
  • The Health Institutes of Turkey was established within the Health Data and Artificial Intelligence Research Institute in 2019.

3 Sectoral perspectives

3.1 How is AI currently treated in the following sectors from a regulatory perspective in your jurisdiction and what specific legal issues are associated with each: (a) Healthcare; (b) Security and defence; (c) Autonomous vehicles; (d) Manufacturing; (e) Agriculture; (f) Professional services; (g) Public sector; and (h) Other?

AI is being treated as an asset that should be regulated. Sectoral impact analysis of commonly used AI applications in the health, telecommunications, e-commerce, banking and business, media and retail sectors is currently being carried out. These sectors use AI in a range of processes, including:

  • image processing;
  • predictive and data analytics;
  • search assistants and search engines;
  • natural language processing;
  • chatbots;
  • machine learning;
  • optimisation;
  • autonomous vehicles;
  • robotic process automation; and
  • smart platforms.

However, as yet these efforts have not extended to the preparation of a regulatory framework for AI. Moreover, these efforts do not focus on particular sectors, but rather seek to determine the positive effects of AI technology and applications in general, and to expand the use cases thereof.

While there is no sectoral divide in Turkey in terms of AI, certain localisation requirements in the Turkish regulatory environment will be applicable and may impact on AI technology. Although there is no framework regulation that governs data residency principles, certain sector-specific data localisation rules and obligations will apply to AI to the extent that it falls within such sectors. Moreover, in the absence of a framework regulation setting out procedures and principles regarding data residency or sovereignty, the Personal Data Protection Law 6698 – which transposed EU Directive 95/46/EC and its ancillary regulations into national law (collectively, ‘DPL’) – constitutes the main regulatory framework that governs the hosting, processing and flow of data in and out of the country. While the DPL subjects the cross-border flow of data to a regime which is compatible with that of the European Union, the political challenges faced by the local authority have strengthened data sovereignty concerns, leading to the application of restrictive measures.

(a) Healthcare

The most specific regulation that regulates the processing of health data is the Regulation on Personal Health Data, enacted on 6 July 2019. However, the scope of this regulation is limited to operations of public and private bodies relating to processes and practices run by the Ministry of Health. Therefore, unless the relevant operation relates to the duties and authorities of the Ministry of Health, the main applicable legislative instrument is still the DPL.

With regard to the domestic and international transfer of health data, the Regulation on Personal Health Data refers to the procedures and rules set out under the DPL. However, the storage of health data abroad by public bodies is restricted (and in certain circumstances prohibited) by Article 1 of Circular Note 2019/12 on Information and Communication Security Measures, which states that: "Critical information and data such as population, health and communication registration information, and genetic and biometric data shall be stored domestically in a safe environment."

Certain registration and physical audit requirements may also be interpreted as limiting health-related AI applications within the country.

(b) Security and defence

As per the Law on the Security of the Defence Industry and the Regulation on the Security of the Defence Industry, certain information can be categorised as classified information. The sharing of classified information requires a person security certificate and a facility security certificate, which are issued only to those who work in the industry. This requirement may be interpreted as limiting the transfer of security data abroad, although not limiting security-related AI applications.

(c) Professional services

The Judicial Reform Strategy of the Ministry of Justice states that studies on the use of AI in judicial proceedings are one such reform under consideration, in line with the standards and guidelines of the Council of Europe, as well as the principles of legal equality and security. If AI technology is implemented in judicial proceedings, this will transform the sector and may set a precedent for disruption in professional services.

(d) Public sector

As a public sector-specific regulation, Presidential Circular 2019/12 on Information and Communication Security Measures was published in Official Gazette 30823 dated 6 July 2019. The circular sets out 21 security measures to be adopted by public entities. One of these imposes a blanket ban on hosting data outside of the Turkish territory. The circular also referred to a guide that would set out further details on the scope of these measures and clarify their implementation by the public authorities. The Presidential Guide on Information and Communication Security, which was duly published on 28 July 2020, applies to public IT officials, who are expected to conduct internal IT security checks, and to anyone in the IT industry that engages with public institutions. The guide relaxed the localisation requirement by introducing a new definition and limited the localisation requirement to critical information only. Although the definition of ‘critical information’ is unclear and open to interpretation, the guide is seen as promising in terms of relaxing the restrictions and enabling certain services and operations of public authorities to be processed via AI solutions that are not hosted in Turkey.

(e) Other

Strict localisation requirements are also imposed in the Turkish financial sector. Since the economic crisis of 2001, the Banking Regulation and Supervision Agency has imposed data localisation requirements on most financial institutions, and primarily on banks. An information system localisation requirement was first included in the Abolished Regulation on Internal Systems of Banks and Evaluation Process for Efficiency of Internal Capital of 1 July 2012 and was preserved in the current Regulation on Information Systems of Banks and Electronic Banking Services. On-site audits were provided for in the earliest version of the Banking Law dated 19 October 2005, but the abolished Banking Law 4389 included no provisions in this regard. It is planned that payment service providers and e-money institutions will also be subject to localisation obligations. Accordingly, the Draft Regulation on Payment Services and Electronic Money Issues and Payment Service Providers and the Draft Communiqué on the Information Systems of Payment and Electronic Money Institutions and Data Sharing Services in the Payment Services of Payment Service Providers require that payment institutions and e-money institutions keep their primary and secondary systems within Turkey. The localisation requirements that dominate the financial sector should also be taken into consideration when developing AI applications in the sector.

4 Data protection and cybersecurity

4.1 What is the applicable data protection regime in your jurisdiction and what specific implications does this have for AI companies and applications?

The Personal Data Protection Law of Turkey (DPL) covers the processing of personal data by automated and non-automated means. AI companies and applications should comply with the general principles set out in the DPL, which provide as follows:

  • The processing of personal data must be lawful and fair;
  • The personal data processed must be accurate and kept up to date;
  • The personal data must be processed for specified, explicit and legitimate purposes;
  • The personal data processed must be relevant, limited and proportionate to the purposes for which it is processed; and
  • The personal data must be stored for the period laid down by relevant legislation or required for the purposes for which it is processed.

AI companies and applications should also comply with:

  • the legal conditions set out in the DPL for the processing of personal data;
  • the requirements relating to the erasure and transfer of data;
  • the obligation to inform;
  • the obligation to take necessary technical and administrative measures to ensure data security; and
  • the obligation to register with the Data Controllers' Registry if they meet a minimum threshold of number of employees.

Specifically, they should be aware that data subjects have the right to object where the processing of personal data exclusively through automated means has a direct result for the data subject, which is likely to occur in relation to AI practice. Lastly, as Turkey has transposed Convention 108 for the Protection of Individuals with regard to Automatic Processing of Personal Data into domestic law, the data protection regime set out under this agreement will also apply.

Additionally, the Personal Data Protection Authority has signed a protocol with Istanbul Technical University's AI and Data Science Application and Research Centre to conduct research into data protection, privacy and data security in AI practice.

4.2 What is the applicable cybersecurity regime in your jurisdiction and what specific implications does this have for AI companies and applications?

Turkey has no dedicated cybersecurity legislation, but legislative bodies and regulatory authorities are currently working towards the establishment of a cybersecurity environment and legislation in this regard is under development. Accordingly, the provisions on cybersecurity are not set out in a single legislative instrument, but can rather be found scattered through separate sector-specific regulations.

The recently enacted Presidential Circular 2019/12 on Information and Communication Security Measures sets out extensive obligations that mainly apply to public bodies with respect to cybersecurity. In addition, the Communiqué on Procedures and Principles on the Establishment, Duties and Practices of Cyber Incident Response Centres 2013 sets out the obligations of cyber incident response centres to report and notify all cybersecurity breaches to the competent regulatory authorities as soon as the cyber breach occurs or the cyber threat is discovered.

In addition, criminal offences in the field of informatics are set out in the following provisions of the Criminal Code:

  • Article 243 (entering an information system without authorisation);
  • Article 244 (blocking, disrupting, destroying or modifying an information system);
  • Article 245 (credit card crimes and crimes against banks); and
  • Article 246 (implementation of security measures about legal persons).

In 2017, the minister of transport, maritime affairs and communications announced the completion of work on the draft Cybersecurity Law, which will be a binding framework regulation for cybersecurity. While the private sector has welcomed this initiative, the regulation still has not been enacted by the legislature.

5 Competition

5.1 What specific challenges or concerns does the development and uptake of AI present from a competition perspective? How are these being addressed?

In terms of the development and uptake of AI, one critical issue to address is the possible detrimental effect of pricing algorithms on competition, in particular by facilitating collusive practices. Moreover, as in tort law, the determination of antitrust liability arising from the use of algorithms becomes harder, as emerging technological advancements are weakening the link between the algorithm and the human beings who use it; although most of the algorithms used today still operate under the instructions of humans and humans can thus be held responsible for anti-competitive behaviour.

The Turkish Competition Authority (TCA) has not yet published any studies on the effects of algorithms on competition or on the digital economy more generally, and no cases thus far have investigated algorithmic commercial behaviour. Nonetheless, TCA officials have shared their attitudes on regulation and enforcement in this space with the press and the public. Given that prices can be automatically altered by algorithms developed by undertakings that can access huge amounts of data which are not available in the physical markets, TCA officials have expressed concern that small adjustments to algorithms could result in significant changes to the competitive order of the market and have stated that the TCA can address these issues using its traditional enforcement methods. In this regard, while the TCA has not specifically focused on the AI systems used, it has initiated a comprehensive study of digital markets, which is expected to examine AI-related issues relating to competitive behaviour. The TCA is also tracking emerging trends in competition enforcement around the world, including in the work of the Organisation for Economic Co-operation and Development, EU bodies and the national authorities of member states; and is prepared to respond to any sudden policy or legislative shift in relation to the digital economy.