The Constitution of the Republic of Turkey (“the Constitution“) does not embody any specific provisions in the field of AI. However, as the operating logic of AI is based on the collection of data which has indeterminate potential future consequences, privacy is the foremost fundamental human right that is at risk. Article 20 of the Constitution regulates privacy and underlines that everyone has the right to request the protection of their personal data, which includes being informed about, having access to and requesting the correction and deletion of their personal data, and to be informed whether these are used in line with envisaged objectives. 

Moreover, since AI technologies use algorithmic decisions which categorise the collected data depending on different variables, the right to equality comes to the forefront as one of the fundamental human rights that is at stake. The Constitution emphasises that everyone is equal before the law without distinction as to language, race, colour, sex, political opinion, philosophical belief, religion and sect, or any such grounds. However, as the listed characteristics are potential variables for AI technologies, there is a high risk that the right to equality may be infringed by the use of AI technologies.

Turkey is a party to the Universal Declaration of Human Rights, International Covenant on Economic, Social and Cultural Rights and the European Convention on Human Rights, in addition to many others. 

The Constitutional Court of the Republic of Turkey has yet to render a decision on AI technologies and their consequences. 

While there are currently no provisions relating to AI under the main local legislation regulating intellectual property rights in Turkey, Law No. 6769 on Intellectual Property (IP Law) and Law No. 5846 on Intellectual and Artistic Works (Copyright Law) contain provisions that allow interpretation to contribute to the ongoing discussion about whether outputs created using AI infringe intellectual property rights, and the new crucial discussion about using copyrighted work as an input to train generative AI.

Under the IP Law, patents are granted for inventions in any field of technology provided that they are new, involve an inventive step and are applicable to industry. Furthermore, the IP Law does not accept computer programs as an invention. However, inventions that involve AI may qualify as a patent, if the AI serves a specific technical purpose and is used within a specific technical application.

However, Turkey does not currently recognise AI as an inventor regarding patent applications. This is due to the fact that the IP Law underlines that there must be an inventor in terms of patent applications and that it is generally accepted that an inventor must be a real human being. 

The Copyright Law underlines that a “work” must comprise the independent effort of its author/creator. It is generally accepted that the author of a work must be a human and Turkey does not currently recognise AI as an author of intellectual and artistic works, including scientific, literary, musical, or cinematographic works or works of fine arts. An issue to be considered further is whether an intellectual or artistic work created by a human using AI is subject to protection under the Copyright Law.

The Copyright Law provides copyright protection for “databases obtained by the selection and compilation of data and materials according to a specific purpose and a specific plan, which are in a form that can be read by a device or in any other form”. While it is generally accepted that websites are protected as a database, the transfer of publicly available content from unprotected databases to other media is generally not directly unlawful. Accordingly, AI technologies that are based on data scraping for the creation of their algorithms could be considered in violation of the Copyright Law.

Furthermore, as the datasets educating generative AI both reproduce and adapt the initial work of an author, AI potentially presents a threat to the right of reproduction and the right of adaptation under the Copyright Law.

Where patent or copyright lack protection for AI applications, protecting trade secrets becomes essential. In Turkey, there is no specific regulation in effect regarding trade secrets and their protection. Commercial Code No. 6102 regulates protection against unfair competition and recognises: (i) unauthorised exploitation of the work products of others; and (ii) unlawful disclosure of production and trade secrets as situations that constitute unfair competition. Furthermore, trade secrets can also be protected under Turkish Civil Code No. 6098, where there is a violation of personal rights. Case law sets forth that a trade secret owner should take necessary measures for confidentiality (High Court of Appeal, Decision No. 2016/6958 – 2019/4349, dated 21 October 2019).

Currently there are no notable cases in Turkey regarding AI and intellectual property.

The main piece of legislation covering data protection in Turkey is the Law on the Protection of Personal Data No. 6698 dated 7 April 2016 (DPL). The DPL further regulates personal data processing, which can include any activity carried out on personal data, such as collecting, recording, storing, retaining, altering, disclosing, transferring, etc. 

Although there is no defined territorial scope under the DPL, the DPL is accepted to have an extraterritorial application based on obligations regulated under the secondary legislation of the DPL for data controllers not established in Turkey, and the decisions of the Turkish Data Protection Authority (DPA) that impose sanctions to data controllers not based in Turkey.

The DPL further regulates general principles, processing conditions, conditions for transferring personal data within the country and abroad, the data controllers’ obligations, data subjects’ rights, and the exemptions from the DPL. Among other rights under the DPL, data subjects have the right to object to automated decision-making (i.e. decisions made against them solely through automated means). 

With regards to AI, the DPA published the Recommendations on the Protection of Personal Data in the Field of Artificial Intelligence (“the Recommendations“) in September 2021, as a guide for AI practices. The Recommendations are directed to service providers, manufacturers and developers as well as decision-makers operating in the field of AI and focus on practices in the AI field that might violate the human rights and freedoms of AI users.

Within the Recommendations, the DPA underlines as a general recommendation that fundamental human rights should be taken into consideration, a privacy by design method should be adopted and that if a high risk is foreseen in terms of data privacy, privacy impact assessments should be utilised. In addition, where sensitive data is concerned, special data protection measures are recommended to be implemented.

As Turkey is not yet an official member of the EU, the EU General Data Protection Regulation (GDPR) does not directly apply to Turkey. However, the DPL, which is the main piece of legislation covering data protection in Turkey, is primarily based on EU Directive 95/46/EC [1995] OJ L281/31. The DPL was recently amended to be better aligned with the GDPR, but there are still significant differences between the DPL and GDPR.

There is no explicit regulation regarding open data and data sharing concerning AI. However, where open data includes personal data, processing and sharing such data will be subject to the conditions of processing personal data, under the DPL.

The National Artificial Intelligence Strategy 2021–2025 aims to make the sharing of open data more widespread, and one of the projects of the Presidency of the Republic of Turkey’s Digital Transformation Office is to establish and run the National Open Data Portal, in order to contribute to the advancement of AI and innovative technologies in Turkey. Another aim is to encourage private sector organisations to share open datasets.

The Turkish Data Protection Authority (DPA) published Guidelines on Matters to Consider when Processing Biometric Data (the Guidelines) on 17 September 2021. 

When defining biometric data in the Guidelines, the DPA refers to the EU General Data Protection Regulation and divides it into two categories: physiological and behavioural data. According to the Guidelines, biometric data processing principles must be complied with, such as not violating the essence of fundamental rights and freedoms, or if there is a less intrusive way to achieve a purpose, the processing should not be performed. In addition, the DPA lists certain administrative and technical measures to provide security of biometric data, such as storing biometric data in cloud systems by using cryptographic methods or creating an access authorisation and control matrix.

In Turkey, any discrimination based on sex, race, colour, language, religion, belief, sect, philosophical and political opinion, ethnic origin, wealth, birth, marital status, health status, disability and age are prohibited by Law No. 6701 on Human Rights and Equality Institution of Turkey (Law No. 6701). Moreover, Law No. 6701 provides a list of certain circumstances where a claim of discrimination cannot be asserted, without providing any circumstances relevant to AI technologies. Considering the discriminative nature of AI, it may be claimed that AI technologies that create an outcome by evaluating people based on the characteristics listed above, for instance human resources tools for choosing amongst candidates, which could violate the basic principles regulated under Law No. 6701.

In Turkey, AI is utilised in certain identification methods based on cybersecurity. Accordingly, General Communiqué No. 19 of the Financial Crimes Investigation Board allows remote identification processes to be concluded in whole or in part by AI-based methods, provided that they are recorded online and in real time. The role of AI in such cases is to verify that the remotely identified person is a real person and that the applicant is the owner of the submitted identity card by comparing the photograph on the identity card with the images.

In this regard, General Communiqué No. 19 requires a report from the Turkish Standards Institute demonstrating that the false positive rate of the utilised AI model must be less than one in 10 million. If the relevant AI model is sourced from a non-domestic organisation and the organisation in question is certified to internationally recognised standards, there is no need to obtain a report from the Turkish Standards Institute.

On another note, one of the focal points mentioned under the NAIS is increasing the number of research and development studies in the field of AI, developing entrepreneurship, and providing access to high-quality data and technical infrastructure. Accordingly, the NAIS underlines that secure and scalable technical infrastructures and governance mechanisms should be established for the utilisation of AI technologies as they require data collection, storage, sharing, and processing on a large scale.

In Turkey, the Regulation on Commercial Advertising and Unfair Commercial Practices explicitly prohibits dark patterns, which are defined as “methods that adversely affect consumers’ will to make a decision or choice by means of tools such as guiding interface designs, options, or expressions regarding a good or service on the internet, or that aim to cause changes in favour of the seller or provider in the decision the consumer would make under normal conditions”. 

Even though there is no direct regulation for AI-related anti-competitive behaviour, the Turkish Advertisement Board recently imposed administrative sanctions related to advertisements that use expressions such as “… is also Turkey’s largest fashion retail brand according to ChatGPT”, or “Turkey’s most iconic private television channel ... according to ChatGPT, the most popular artificial intelligence based chatbot”, based on being misleading and violating the principles of accuracy and honesty.

In Turkey, there are specific thresholds determined under Communiqué No. 2010/4 for undertakings that are obligated to obtain permission from the Turkish Competition Authority, with regard to their mergers and acquisition transactions. 

In 2022, the term “technology undertakings” was included within Communiqué No. 2010/4 as “undertakings operating in the fields of digital platforms, software and gaming software, financial technologies, biotechnology, pharmacology, agrochemicals and health technologies or their related assets”. Additionally, the acquisition of technology undertakings operating in the Turkish geographical market or having research and development activities or providing services to users in Turkey, is exempted from the thresholds and are required to be declared to the Turkish Competition Authority.

Regulations specifically tailored to AI do not yet exist in Turkey.

Turkey has yet to take any regulatory actions to govern AI technologies. However, with the widespread adoption of AI technologies and the regulatory developments in the EU, Turkey is expected to prepare AI legislation which stipulates the rules on principles and procedures regarding the governance of AI.

The NAIS, which covers the period of 2021–2025, was prepared by the Digital Transformation Office of the Presidency of Republic of Turkey and the Ministry of Industry and Technology on 20 August 2021. Although the NAIS aims to create value on a global scale with an agile and sustainable AI ecosystem within Turkey, Turkey has fallen short on building an ecosystem and regulatory framework since the NAIS’s publication. 

The NAIS focuses on six strategic priorities, namely: training AI experts and increasing employment in the domain; supporting research, entrepreneurship and innovation; facilitating access to quality data and technical infrastructure; regulating to accelerate socioeconomic adaptation; strengthening international cooperation; and accelerating structural and labour transformation. However, the NAIS does not provide a demanding or comprehensive framework for AI technologies. 

8.1. Can we use personal data to train AI?

There is no direct prohibition for using personal data for AI training purposes. However, as training AI using personal data would be considered personal data processing under Turkish data protection legislation, it is important to comply with the principles and procedures determined for personal data processing.

8.2. Do we need to conduct a privacy impact assessment when using new AI technology in our business?

Even though there is no specific regulation that obligates conducting privacy impact assessments before using new AI technology, the DPA recommends such under its Recommendations on the Protection of Personal Data in the Field of Artificial Intelligence.

8.3. Can we use copyrighted material available online to train AI? 

There is no specific regulation that allows the use of copyright material published online to train AI. However, under Turkish Copyright Law, as a rule, the author of a work is the owner of the rights related to copyright and reproduction, and the distribution, publication and adaptation of a work is not allowed without the author’s permission.