Although artificial intelligence ("AI") is not a new concept and is already widely integrated into our daily lives and in various business sectors, many countries, spearheaded by the European Union, are now working on regulating frameworks for AI. These efforts aim to ensure the ethical use, safety and accountability of AI technologies as they continue to evolve and become more pervasive.
On 12 July 2024, the European Union's Artificial Intelligence Act, Regulation 2024/1689 (the "EU AI Act") was published in the Official Journal of the European Union (the "EU"). The EU AI Act, the first comprehensive horizontal legal framework for the regulation of AI systems across the EU, entered into force on 1 August 2024.
In Türkiye, a Draft Artificial Intelligence Law (the "Draft AI Law") was submitted to the Turkish Grand National Assembly on 24 June 2024. The Draft AI Law appears to be modelled on the EU AI Act, reflecting a growing trend towards harmonising AI regulations with international standards.
In this client alert, we will explore the latest developments in Turkish AI regulations, including the Draft AI Law, to understand how these changes may impact businesses and legal entities operating within and outside Türkiye. Additionally, we will discuss the key provisions and implications of the EU AI Act for Turkish entities.
CURRENT REGULATIONS ON THE ARTIFICIAL INTELLIGENCE UNDER TURKISH LEGISLATION
Currently, Turkish legislation does not have a law directly addressing AI. However, there are several regulations related to AI issues, including Personal Data Protection Law No 6698 and Consumer Protection Law No 6502. Notably, the Recommendations on the Protection of Personal Data in the field of AI, issued by the Turkish Data Protection Authority (the "DPA") have been significant in guiding AI matters. The DPA's recommendations with an approach based on the protection of personal data include:
- Adopting an approach that complies with national and international regulations and does not disregard data privacy in AI-oriented designs.
- Implementing a privacy impact assessment in AI applications based on personal data processing if high risk is foreseen in terms of data protection.
- Avoiding the design of products that expose data subjects to applications based on automated data processing.
However, it has been recognised that the existing legislation is insufficient in terms of regulating AI applications, leading to the submission of the Draft AI Law to the Grand National Assembly on 24 June 2024.
WHAT THE PROPOSED TURKISH AI LAW BRINGS
The Draft AI Law establish a regulatory framework for the development and use of artificial intelligence systems that would apply to (i) providers, (ii) suppliers/users, (iii) importers, (iv) distributors and (v) individuals affected by these systems. Here are the definitions of the relevant terms:
- Artificial Intelligence: Computer-based systems capable of performing human-like cognitive functions, such as learning, reasoning, problem-solving, perception and language understanding.
- Provider: Individuals or legal entities that develop, produce and market AI systems.
- Supplier/User: Individuals or legal entities that distribute AI systems for commercial purposes or use them in their operations.
- Importer: Individuals or legal entities that import AI systems from abroad.
- Distributor: Individuals or legal entities that market and sell AI systems.
- AI Operators: Refers collectively to providers, suppliers, users, importers and distributors.
Although the definitions in the Draft AI Law are similar to the those in the EU AI Act, there are notable differences:
- The definitions of provider and supplier/user under the Draft AI Law do not include public institutions and organisations,
- While the EU AI Act clearly states that anyone using AI in their personal and non-professional activities do not fall within the scope of deployer, the Draft AI Law does not clarify whether the phrase "use them in their operations" in the definition of supplier/user includes those who use AI in their personal and non-professional activities.
Fundamental Principles and Risk Assessment
The Draft AI Law stipulates that the AI systems must comply with (i) safety, (ii) transparency, (iii) fairness, (iv) accountability and (v) privacy principles. These principles aim to ensure that AI systems do not harm or discriminate against users, provide clear and understandable information on how the systems operate, and take necessary measures to protect data privacy.
The Draft AI Law requires risk assessments during the development and use of AI systems, with special assessments for high-risk systems. High-risk AI systems must be registered with the relevant regulatory authorities and subjected to conformity assessments. However, the Draft AI Law does not specify which systems are considered high risk, how this assessment should be made, or what additional measures should be taken by providers and distributors of high-risk systems to ensure compliance with the basic principles.
On the contrary, the EU AI Act introduces classifications of unacceptable risk, high risk, limited risk and minimal risk, with clear criteria for each category. It is expected that the relevant provisions will be added to the Draft AI Law in line with the criteria set out in the EU AI Act, or that these issues will be determined through secondary regulations.
Audit and Sanctions
The Draft AI Law authorises the relevant supervisory authorities to inspect AI systems for compliance and to detect violations. However, it is unclear which administration will be the supervisory authority, or how these inspections will be carried out.
AI operators who breach the provisions of the Draft AI Law may be subject to the following sanctions:
| Violation Type | Administrative Fine |
|---|---|
|
Prohibited AI Applications |
TRY 35,000,000 or up to 7% of annual turnover |
|
Breach of Obligations |
TRY 15,000,000 or up to 3% of annual turnover |
|
Providing False Information |
TRY 7,500,000 or up to 1.5% of annual turnover |
THE EXTRATERRITORIAL REACH OF THE EU AI ACT: IMPLICATIONS FOR
TURKISH ENTITIES
The territorial scope of application of the EU AI Act will be wider than the EU. Entities based in Türkiye that offer products to the EU market using AI systems, or whose outputs are used in the EU market, must comply with the criteria in the EU AI Act regardless of the enactment of the Draft AI Law. Because the EU AI Act has an extraterritorial application scope as in the General Data Protection Regulation. The EU AI Act will apply to:
- Providers of AI systems to be placed on the market in the EU or to provide services in the EU (regardless of whether they are located within the EU);
- Providers and deployers of AI systems (regardless of whether they are located within the EU) where the output produced by the AI system is used in the EU.
Therefore, the EU AI Act is not limited to the EU, but will also apply to public and private legal entities outside the EU to the extent that the use of AI systems affects those within the EU.
The EU AI Act entered into force on 1 August 2024, and effective from 2 August 2026, except for certain provisions. (e.g. the enforcement of general provisions, definitions and rules regarding prohibited uses of AI, which starts from 2 February 2025).
CONCLUSION
While the Draft AI Law represents a significant advancement in AI regulation in Türkiye, further refinement and alignment with international standards, particularly those set by the EU AI Act, will be crucial for its successful implementation and effectiveness.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.