Personal Data Protection Authority has published its Recommendations on the Protection of Personal Data in the Field of Artificial Intelligence

On 15.09.2021, Personal Data Protection Authority (“Authority”) published its Recommendations on the Protection of Personal Data in the Field of Artificial Intelligence (“Recommendations”) on its official website.

The guideline includes recommendations for the protection of personal data within the scope of the Law No. 6698 on the Protection of Personal Data (“Law”) for developers, manufacturers, service providers and decision makers operating in the field of artificial intelligence. Recommendations state that artificial intelligence applications should be developed and implemented in compliance with the Law and secondary legislation and that the fundamental rights and freedoms should be respected thereof. The recommendations consist of three headings:

  1. General Recommendations 
  • Artificial intelligence and data collection studies based on personal data processing should comply with the principles of legality, fairness, proportionality, accountability, transparency, correct and up-to-date personal data, specific and limited purpose of personal data use, and data security approach.
  • If a high risk is foreseen for data protection in the artificial intelligence studies, a privacy impact assessment should be applied.
  • In artificial intelligence studies, all systems should be developed according to the data protection principles starting from the design and a data protection compliance program should be implemented for each project.
  • If artificial intelligence studies include processing of personal data of special nature, special technical and administrative measures should be implemented in accordance with the Law.
  • If processing of personal data is not necessary for artificial intelligence studies to achieve the same result, anonymization should be preferred.
  • The data controller and data processor status should be determined at the beginning of artificial intelligence projects.
  1. Recommendations for Developers, Manufacturers and Service Providers 
  • During the design stage, an approach which respects personal data privacy and complies with national and international regulations should be adopted.
  • Risk prevention and mitigation measures should be adopted for possible negative consequences on fundamental rights and freedoms.
  • Data usage should be minimized by evaluating the quality, nature, source, quantity, category and content of the personal data used, and the accuracy of the developed artificial intelligence model should be constantly monitored.
  • Academic institutions should be consulted for artificial intelligence studies; opinions of impartial experts and institutions should be obtained.
  • Individuals should have the right to object to data processing technologies that affect their views and personal development.
  • Risk assessment based on the active participation of individuals and groups most likely to be affected should be encouraged.
  • Products and services should not be designed based on automated processing without taking into account individuals’ own opinions.
  • Alternatives should be offered to users that interfere less with their personal rights and their freedom and the right to choose should be provided.
  • Algorithms should be developed to ensure accountability in accordance with the personal data protection legislation.
  • Users should have the right to stop data processing and the option to delete, destruct or anonymize their personal data.
  • Users should be informed about the reasons for personal data processing, the methods used and possible consequences, and a data processing approval mechanism should be designed for the necessary cases. 
  1. Recommendation for Decision Makers
  • The principle of accountability should be adopted at all stages.
  • Risk assessment procedures for protection of personal data should be adopted and an implementation matrix should be established on sector / application / hardware /software basis.
  • Appropriate measures should be adopted such as code of conduct and certification mechanisms.
  • Adequate resources should be allocated by decision makers to monitor whether artificial intelligence models are used for a different context or purpose.
  • The role of human intervention in decision-making processes should be established.
  • Supervisory authorities should be consulted when there is a possibility of affecting the fundamental rights and freedoms of data subjects.
  • Appropriate open software based mechanisms should be encouraged.
  • Investment should be made in digital literacy and educational resources for data subjects.

Trainings should be provided for application developers within the framework of data privacy

Fatoş Otcuoğlu
In Socials: