Artificial intelligence systems are an area of technology that has developed rapidly in recent years and has become increasingly present in our daily lives. With this rapid development, the protection of personal data is becoming increasingly important.
Because the personal data of natural persons is used in the development of artificial intelligence, because these systems can draw inferences about natural persons, and because natural persons have rights over their personal data, it is important for developers, manufacturers, service providers and decision-makers in the field of artificial intelligence to determine the appropriate legal grounds when processing personal data and to design their systems in accordance with the basic data protection principles. In Turkish law, the Personal Data Protection Law No. 6698 ("PDPL"), the related secondary legislation, and the guidelines and publications of the Personal Data Protection Board ("Board") regulate the protection of personal data, while at the global level there are comprehensive regulations such as the European Union General Data Protection Regulation ("GDPR").
1. Artificial Intelligence and Processing of Personal Data
When the data used to train machine learning, deep learning and generative artificial intelligence systems are personal data, artificial intelligence and personal data protection law intersect, and the processing of that data must be assessed against the basic principles of personal data protection law.
a. Personal Data
For a more detailed understanding of the issue, it is useful to clarify what is meant by personal data. Article 3 of the PDPL defines personal data as "any information relating to an identified or identifiable natural person". Article 4 of the GDPR uses the same definition, referring to the person as the "data subject", and also explains what is meant by an identifiable natural person: one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. The GDPR therefore states clearly what identifiability means, and the Personal Data Protection Authority ("Authority") takes a parallel view.
In one of its recent public announcements, the Authority stated that personal data includes not only information that directly identifies a natural person, such as name and surname, but also information about the person's physical, familial, economic, social and other characteristics; that identifiability means that the data can be linked to a natural person in any way; that personal data may indicate the identity of the person directly or only indirectly, through association with any other record; and that all data which directly or indirectly makes a person identifiable should be treated as personal data.
b. Artificial Intelligence
The definition of artificial intelligence is still a subject on which there is no consensus and on which many experts are still working. Although there are many different definitions and approaches, the current definition used by the OECD (Organisation for Economic Co-operation and Development) is as follows:
"An AI system is a machine-based system that, for explicit or implicit objectives, infers, from the input it receives, how to generate outputs such as predictions, content, recommendations, or decisions that can influence physical or virtual environments. Different AI systems vary in their levels of autonomy and adaptiveness after deployment."
In the Council of Europe Framework Convention on Artificial Intelligence, Human Rights, Democracy and the Rule of Law, the definition of an AI system has been revised to align with the OECD's current definition. This definition emphasizes how AI systems process data and their ability to adapt in order to achieve goals set by humans. AI systems are autonomous and adaptive systems built on techniques such as machine learning, deep learning, large language models and generative artificial intelligence. Autonomy refers to the capacity of an AI system to operate without human intervention, while adaptiveness describes how AI systems can change their behaviour once deployed. For example, a recommender system can adapt itself over time to make more accurate recommendations based on users' preferences. This adaptation shows the potential of AI systems to continuously improve their performance.
c. Processing of Personal Data
Processing of personal data is defined in Article 3/1-e of the PDPL as "any operation which is performed on personal data, wholly or partially by automated means, or by non-automated means provided that it forms part of a data filing system, such as collection, recording, storage, protection, alteration, adaptation, disclosure, transfer, retrieval, making available for collection, categorization, preventing the use thereof". Within the scope of this definition, for example, when an e-commerce platform uses machine learning algorithms to make new product recommendations based on a natural person's purchase history, it is processing personal data by automated means.
2. Design of Artificial Intelligence Systems: Basic Principles
Article 4 of the PDPL sets out the principles that must be complied with in the processing of personal data. These principles include lawfulness and fairness; being accurate and kept up to date where necessary; being processed for specified, explicit and legitimate purposes; being relevant, limited and proportionate to the purposes for which they are processed.
Complying with these principles is the first threshold for processing personal data. In other words, if these principles are not complied with, the processing will not be lawful even if the consent of the natural persons concerned has been obtained.
Lawfulness and fairness
The principle of lawfulness is a broad principle that covers compliance with both Turkish law and universal legal rules. The principle of fairness requires the data controller, while pursuing its data processing objectives, to act in a way that prevents consequences that the data subject does not expect and should not be expected to foresee. In its Recommendations on the Protection of Personal Data in the Field of Artificial Intelligence ("Recommendation"), the Authority stated that the risk of discrimination or other adverse effects and prejudice against data subjects should be prevented by observing fundamental rights and freedoms at every stage of data processing, including data collection. As an example of the lawfulness principle, where personal data is combined across platforms in a manner that constitutes an abuse of dominant position under competition law, the personal data processed in this way is processed unlawfully.
Being Accurate and Up-to-Date Where Necessary
The principle of being accurate and up-to-date where necessary is a principle closely related to the fundamental rights and freedoms of the natural person concerned. The Authority's Recommendation emphasizes the continuous monitoring of the accuracy of the model developed.
Processing for Specific, Explicit and Legitimate Purposes
This principle requires the controller to identify the purpose of data processing clearly and precisely, and that purpose must be legitimate. The French Data Protection Authority ("CNIL") has emphasized that, when determining the purpose of processing, the purposes must be defined separately for the learning phase and the production phase of an artificial intelligence system that uses machine learning.
Data Minimization (Being Relevant, Limited and Measured for the Purpose of Processing)
This principle is about not processing more personal data than is necessary. In its Recommendation, the Authority states that, in the development and implementation of artificial intelligence technologies, if the same result can be achieved without processing personal data, the data should be anonymized and processed in that form.
Determination of the Suitable Timeframe
This principle requires that personal data be retained only for the period specified in the legislation, where such a period exists, or otherwise for a reasonable period, determined by the data controller, that is related to the purpose of processing.
3. Legal Basis Assessment Regarding the Processing of Personal Data Used in the Development of Artificial Intelligence Technologies
In both the learning and production phases of artificial intelligence systems, determining the appropriate legal basis for processing personal data under Article 5/1 and Article 6 of the PDPL, in addition to complying with the principles mentioned above, is of critical importance. Where one of the legal grounds specified in these articles already exists, choosing instead to obtain explicit consent from natural persons, or conditioning the service on explicit consent, would itself render the processing non-compliant.
For example, in its decision regarding the data processed by OpenAI through its ChatGPT tool, the Italian Data Protection Authority ("Garante") emphasized that OpenAI must clearly specify the legal basis for its data processing. It found that the legal basis of contract formation and performance was insufficient and that the proper legal basis should be the consent of the natural persons concerned. The authority also highlighted several other non-compliant practices. It granted a deadline for rectifying these deficiencies and imposed restrictions on the use of the application in Italy until the shortcomings were addressed.
Regarding reliance on the legal basis of legitimate interest, the ICO has made specific assessments concerning a data controller that wishes to rely on legitimate interest in the development of artificial intelligence. Legitimate interest can provide the broadest scope for experimenting with different variables when developing an AI model; however, as part of a legitimate interest assessment, the data controller must demonstrate that the variables and models it plans to use represent a reasonable approach to achieving the intended purpose. The data controller can best fulfil this requirement by clearly defining all of its objectives and justifying the use of each type of data collected, thereby reviewing the necessity and balancing elements of the legitimate interest assessment. As the objectives become clearer, the legitimate interest assessment should be revisited. For instance, the mere possibility that certain data might be useful for making predictions is insufficient, on its own, to prove that processing this data is necessary for building the model.
In the development of artificial intelligence systems, the personal data most commonly used is data that the data subject has made public, because of its accessibility. However, for personal data to be processed on the legal basis that it has been made public by the data subject, it is not sufficient for the data merely to be publicly accessible. The purpose for which the natural person made the data public must also be identified. If that purpose does not align with the purpose of the intended processing, the personal data cannot be processed on this basis. A significant decision regarding the use of publicly available data in AI development was made by the French Data Protection Authority ("CNIL"). The CNIL found Clearview AI's use of photographs collected from the internet to develop its facial recognition system, without the consent of the natural persons concerned, to be unlawful. It explicitly stated that this system collected data beyond natural persons' reasonable expectations.
4. The Importance of Determining Data Controller, Data Processor, and Joint Data Controller Responsibilities
In artificial intelligence projects based on the processing of personal data, the roles of the stakeholders as data controllers or data processors must be determined at the outset of the project, and if joint controllership exists, this must also be identified. This is crucial for defining the responsibilities each party assumes and for determining who will fulfil the obligation to inform data subjects.
5. The Use of Artificial Intelligence Systems for Social Scoring and Mass Surveillance
Social scoring and mass surveillance refer to the continuous monitoring of natural persons and the use of the collected data to assign scores within a system that affects their social or economic status. These systems function by regularly tracking and recording natural persons' behaviours, habits and relationships, potentially affecting their ability to secure employment, access education or benefit from public services. Such practices are prohibited under UNESCO's Recommendation on the Ethics of Artificial Intelligence. The Recommendation emphasizes that AI system developers should design products and services that prevent natural persons from being subject to decisions based solely on automated processing without their own point of view being taken into account.
6. Risk-Based and Rights-Based Approach in the Development of Artificial Intelligence Systems
The rights-based approach focuses on the fundamental rights of natural persons, including data protection rights such as the rights to consent, access and erasure, and provides rules aimed at preventing harm to natural persons. In contrast, the risk-based approach treats data protection as a discipline of risk regulation and emphasizes organizational and technological measures to prevent harm. Both approaches are meaningful in the context of artificial intelligence; however, the risk-based approach is particularly significant. Measures such as regular audits, user access to data and testing of systems, as seen in certain public sector applications in the United States, are recommended to prevent the adverse impacts of AI. The GDPR provides various measures to prevent the misuse of AI through the principles of privacy by design and privacy by default. It is also argued that risk prevention measures should be differentiated according to the size and resources of data controllers, so that these measures are aligned with their financial and technical capacities.
7. Conclusion
The protection of personal data has been established and shaped worldwide by compliance laws within the scope of privacy. As artificial intelligence and privacy laws continue to evolve, it is essential for AI developers, manufacturers and service providers to adopt an approach aligned with sustainable development, the principle of fairness, human rights and democratic values, including privacy. They must also adhere to the principles of transparency, explainability and accountability in their processes. For data controllers building these systems, identifying the appropriate legal bases in their risk assessments and personal data processing activities emerges as a critical point.
Footnotes
2. OECD, EXPLANATORY MEMORANDUM ON THE UPDATED OECD DEFINITION OF AN AI SYSTEM, (05 Mar 2024) https://www.oecd-ilibrary.org/science-and-technology/explanatory-memorandum-on-the-updated-oecd-definition-of-an-ai-system_623da898-en
3. https://rm.coe.int/1680afae3c
4. Automated data processing is processing carried out by devices equipped with a processor, such as computers, telephones and watches, which takes place on its own, without human intervention, under algorithms prepared in advance through software or hardware features. Personal Data Protection Authority, Terms Used in Law No. 6698, https://www.kvkk.gov.tr/Icerik/4186/6698-Sayili-Kanunda-Yer-Alan-Terimler
5. Personal Data Protection Authority, Recommendations on the Protection of Personal Data in the Field of Artificial Intelligence, https://www.kvkk.gov.tr/Icerik/7048/Yapay-Zeka-Alaninda-Kisisel-Verilerin-Korunmasina-Dair-Tavsiyeler
6. https://www.rekabet.gov.tr/tr/Guncel/meta-ya-gunluk-4-7-milyon-tl-idari-para-cezasi--762e5db1f4e4ee1193c80050568585c9
7. Personal Data Protection Authority, Basic Principles Regarding the Processing of Personal Data, https://www.kvkk.gov.tr/Icerik/4189/Kisisel-Verilerin-Islenmesine-Iliskin-Temel-Ilkeler
8. Commission Nationale de l'Informatique et des Libertés, AI: ensuring GDPR compliance, https://www.cnil.fr/en/ai-ensuring-gdpr-compliance
9. https://www.kvkk.gov.tr/Icerik/7151/6698-Sayili-Kisisel-Verilerin-Korunmasi-Kanunu-Hakkinda-Dogru-Bilinen-Yanlislar-2
10. Personal Data Protection Authority, Conditioning the Service on Explicit Consent, https://www.kvkk.gov.tr/Icerik/5412/Acik-Rizanin-Hizmet-Sartina-Baglanmasi
11. https://www.garanteprivacy.it/home/docweb/-/docweb-display/docweb/9874751 (12 April 2023)
12. https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/artificial-intelligence/guidance-on-ai-and-data-protection/how-do-we-ensure-lawfulness-in-ai/
13. Personal Data Protection Authority, Public Announcement on "Making Data Public" (Alenileştirme) (16 December 2020), https://www.kvkk.gov.tr/Icerik/6843/-ALENILESTIRME-HAKKINDA-KAMUOYU-DUYURUSU
14. Commission Nationale de l'Informatique et des Libertés, "Facial recognition: 20 million euros penalty against CLEARVIEW AI", 20 October 2022, see https://www.cnil.fr/en/facial-recognition-20-million-euros-penaltyagainst-clearview-ai
15. UNESCO, Recommendation on the Ethics of Artificial Intelligence, https://www.unesco.org/en/articles/recommendation-ethics-artificial-intelligence (26 September 2024)
16. https://www.euaiact.com/key-issue/3
17. European Parliamentary Research Service, The impact of the General Data Protection Regulation (GDPR) on artificial intelligence, https://www.europarl.europa.eu/RegData/etudes/STUD/2020/641530/EPRS_STU(2020)641530_EN.pdf
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.