For further information,
please contact:
Legal Alerts
09/06/2022

Turkish DPA Publishes Recommendations on Protection of Personal Data in the Artificial Intelligence Field

Legal Alerts
IT & Communications
General

Recent Development

On 15 September 2021, the Personal Data Protection Authority (DPA) published Recommendations on the Protection of Personal Data in the Field of Artificial Intelligence (“Recommendations“). The Recommendations include advice for the protection of personal data for developers, manufacturers, service providers and decision-makers operating in the field of artificial intelligence (AI). (Turkish version available here.)

What Do the Recommendations Day?

The Recommendations consists of three sections: (i) general recommendations; (ii) recommendations for developers, manufacturers and service providers; and (iii) recommendations for decision-makers. The DPA underlines that developments and practices in the AI field should respect fundamental rights and freedoms and protect the human rights of its users. The main recommendations from each section are as follows:

General recommendations

  • Privacy impact assessment should be applied if a high risk for data privacy is foreseen in AI practices.
  • AI applications should be developed in accordance with data protection principles and a data protection compliance program should be implemented for each project.
  • If AI practices process sensitive personal data, special data protection measures should be implemented accordingly.
  • If data processing is not necessary for the AI practice, data anonymization should be preferred for processing of data.
  • The data controller and data processor status of the parties should be determined at the beginning of AI projects.

Recommendations for developers, manufacturers and service providers

  • AI oriented designs should adopt an approach that complies with national and international regulations and respect data privacy.
  • The rights of the data subjects with respect to their personal data within the scope of national and international legislation should be protected.
  • The quality, nature, quantity, category and content of the data used should be evaluated and, accordingly, data usage should be minimized. The accuracy of the developed AI model should be checked regularly.
  • Opinion of academic institutions should be taken into consideration during AI practices and individuals should have the right to object to the technologies that affect their personal development.
  • Risk assessment based on active participation of individuals should be encouraged.
  • Products should not be designed in a way that exposes data subjects to an automated data processing practice.
  • Designs should have alternatives that offer less interference with personal rights and individuals’ freedom to make choices should be protected.
  • Algorithms that ensure accountability regarding the personal data protection law should be used.
  • Users should be given the right to terminate the data processing activity and systems that allow deletion, destruction and anonymization of data should be used.
  • Users should be notified about the reasons, methods and possible consequences of data processing, and a data processing consent mechanism should be established if necessary.

Recommendations for decision makers

  • The principle of accountability should be established.
  • Risk procedures regarding the protection of personal data should be determined and an implementation matrix should be established.
  • Codes of conduct, certification mechanisms and similar measures should be established.
  • The role of human intervention in the AI decision-making processes should be determined. Users should be given the chance to distrust the outcomes of recommendations made by AI.
  • Supervisory authorities should be consulted when there is a possibility that AI applications may interfere with personal rights. Supervisory authorities are defined by the DPA as institutions and organizations authorized to regulate and supervise in the AI field.
  • Necessary resources should be allocated for studies in the AI field and personal data protection, training should be provided and active participation of individuals in the processes should be ensured.

Conclusion

As the AI practices develop consistently, the protection of personal data in such practices has become a matter of importance. With the recommendations, the DPA intends to guide the developers and decision-makers through their practices in the AI field.