Legal AlertRecommendations on the Protection of Personal Data in the Field of Artificial Intelligence

16 September 2021

The Personal Data Protection Authority has Published the “Recommendations on the Protection of Personal Data in the Field of Artificial Intelligence” Guide.

The Personal Data Protection Authority published the guide titled “Recommendations on the Protection of Personal Data in the Field of Artificial Intelligence” (“Guide”) on 15.09.2021.

The Guide has been prepared by taking into account the studies “Guidelines on Artificial Intelligence and Data Protection” of the Directorate General of Human Rights and Rule of Law of the Council of Europe, “Recommendation of the Council on Artificial Intelligence” of the Organisation for Economic Co-operation and Development (OECD), and “Ethics Guidelines for Trustworthy AI” of the European Commission.

Firstly, the Guide refers to the necessity of managing the artificial intelligence techniques and applications properly, which have made great progress, within the scope of the protection of personal data, since such techniques and applicationshave started to affect many areas of life directly. In this framework, artificial intelligence studies and applications should comply with the Personal Data Protection Law numbered 6698 and its secondary legistation (all together the “PDP Legislation”). 

The Guide, after stating the general recommendations, sets certain recommendations on the protection of personal data in artificial intelligence applications, carried out by developers, manufacturers, service providers and decision makers in the field of artificial intelligence.

The Guide, under the “General Recommendations” concerning the artificial intelligence application and development processes, recommends that:

  1. the fundamental rights and freedoms of the data subjects should be respected and the right to the protection of human dignity should be paid regard;
  2. the data collecting activities should be based on the principles of compliance with the law, proportionality, accountability, transparency, correct and up-to-date status of personal data, specific and limited use of personal data, and data security approach;
  3. a perspective focusing on the prevention and reduction of potential risks when processing personal data while taking into account the human rights, the functioning of democracy, and social and ethical values should be adopted;
  4. The control of the personal data processing activity by the data subjects should be possible;
  5. A privacy impact assessment should be implemented when necessary;
  6. Compliance with the PDP Legislation from the initial stage and constituting a compliance program specific to each project should be maintained;
  7. Strict technical and administrative measures regarding the special categories of personal data should be taken; 
  8. The use of personal data should be by anonymizing the data as much as possible;
  9. The data controller and data processor roles of the stakeholders should be determined from the beginning, and legal relation between the same should be established as compatible with the PDP Legislation

In the Guide, under “Recommendations for Developers, Manufacturers and Service Providers” section, concerning the artificial intelligence application and development processes recommends that:

  1. A special attention should be paid to personal data privacy in a way that is consistent with national and international regulations;
  2. Appropriate risk prevention and mitigation measures should be considered to protect fundamental rights and freedoms;
  3. The data subjects should be prevented from being exposed to discrimination or other negative effects and prejudices at all stages of personal data processing;
  4. Data minimization principle should be applied;
  5. The risk of causing adverse effects on individuals and society, that could arise from the out-of-context algorithms should be taken into consideration diligently;
  6. Relevant academic institutions, neutral experts and organizations should be collaborated within the design phase of human-rights based ethical and socially oriented artificial intelligence application;
  7. The data subjects should be given the right to object to personal data processing activities which are based on technologies that affect their opinions and personal development;
  8. Risk assessments based on the active participation of data subjects who are likely to be affected by practices should be promoted;
  9. Mechanisms should be designed to prevent data subjects from being exposed to a decision that will be affected by processes based on automated personal data processing;
  10. Alternatives that have less interference with personal rights should be provided to ensure the freedom of choice of users;
  11. Accountability in accordance with the PDP Legislation for all stakeholders throughout the artificial intelligence in lifecycle should be ensured;
  12. The users should be provided with the right to stop the processing of personal data and the possibility of deletion, destruction, or anonymization of their personal data;
  13. Mechanisms should be designed to inform the data subjects and obtain approval in necessary situations in accordance with the PDP Legislation.

Finally, the Guide, under the “Recommendations for Decision Makers” section, regarding the artificial intelligence application and development processes, mentions that:

  1. Special attention should be paid to the principle of accountability at all stages;
  2. Risk assessment procedures should be adopted application matrices should be created for the protection of personal data;
  3. Action should be taken for codes of conduct and certification mechanisms;
  4. The freedom of individuals not to trust recommendations offered by artificial intelligence applications should be preserved;
  5. Supervisory authorities should be applied in the case the fundamental rights and freedoms of data subjects are significantly affected;
  6. Cooperation between supervisors and competent bodies should be encouraged;
  7. Individuals, groups, and stakeholders should be informed about the social dynamics of artificial intelligence and shaping decision-making mechanisms, and their active participation in these discussions should be ensured;
  8. Open software-based mechanisms should be encouraged to create a digital ecosystem that supports the processing of personal data in accordance with the PDP Legislation;
  9. Digital literacy and educational resources shall be invested and trainings should be encouraged to raise awareness about artificial intelligence and personal data privacy.

You can access the full Turkish text of the Guide via the link below.

https://www.kvkk.gov.tr/SharedFolderServer/CMSFiles/25a1162f-0e61-4a43-98d0-3e7d057ac31a.pdf