The processing of personal data is inevitable during the use of artificial intelligence technologies. The processing of personal data in accordance with fundamental principles and the protection of the rights of data subjects and the accurate and adequate response to their requests will essentially minimize the risks of harm to individuals arising from the processing of personal data in artificial intelligence technologies and serve to protect their personal rights at all times.
The Personal Data Protection Law (the DPL) essentially regulates the fundamental rules of personal data processing. Under Article 4 of the DPL, the general principles for processing personal data include compliance with the law and the rules of good faith, processing to be accurate and necessary, being up to date, processing for specific, explicit, and legitimate purposes, and relevant, limited, and proportionate to the purpose of processing. These principles also apply to artificial intelligence technologies. On the other hand, Article 11 of the DPL grants the data subject the right to object to a negative result concluded through the analysis of personal data by exclusively automated systems. These two provisions form the basis for protecting personality rights in the context of the processing of personal data by artificial intelligence technologies and the impact of such processing on individuals. Those whose personality rights are violated retain the right to claim compensation under general legal provisions, and in cases where personal data are processed unlawfully, data subjects also have the right to seek compensation for damages.
The General Data Protection Regulation (the GDPR) of the European Union (EU) regulated the processing of personal data through automated decision-making systems (ADM) under Article 22 before the enactment of the AI Regulation. Even if specific regulations were to be established regarding artificial intelligence, the provisions under Article 22 of the GDPR would continue to apply directly to the processing of personal data through ADM systems.
Article 22 of the GDPR grants data subjects the right not to be subject to a decision based solely on automated processing —with certain exceptions— regardless of whether the outcome is in their favor or not. In such cases, data subjects have the right to request meaningful human intervention, to express their point of view, and to contest the decision.
Automatic decision-making systems affect people's rights in various ways, such as evaluating candidates' CVs and online interviews in human resources, filtering content on social media, delivering personalized ads in advertising, and making credit ratings in banking.
Considering the practice in Türkiye, data subjects often may not even be aware whether the outcome concerning them has been generated through exclusively ADM systems, or whether such outcomes are favorable or unfavorable. On the other hand, the data subjects are only granted the right to appeal against decisions that adversely affect them but are not granted any right to prior protection. The outcome of decisions made through ADM systems also remains unclear. Given that the privacy notices on this matter is often insufficient and considering the complexity of artificial intelligence systems, it can be said that data subjects’ rights are at risk and are not adequately safeguarded.
It can be said that the EU application is more protective, both in terms of its legal framework and its practical implementation. For Article 22 of the GDPR to be applicable, three key elements must be present:
As can be seen, EU legislation looks for a “direct” or “significant impact” for intervention, rather than requiring a “negative outcome.” The nature of the impact, whether in favor of or against the data subject, is not relevant.
Under Article 22 of the GDPR, the use of ADM systems is permitted in cases where such processing is necessary for the performance of a contract, is based on a legal authorization from the EU or a member state, or is based on the explicit consent of the data subject. However, it should be noted that even in these cases, the general principles of fairness, transparency, proportionality, and purpose limitation, as well as the requirement for personal data processing to be based on one of the legal grounds specified in the GDPR, will always apply. Furthermore, in cases where the data subject's explicit consent is given or when processing is necessary for the establishment or performance of a contract, individuals subject to ADM processes have the right to request human intervention, express their views, and contest the decision.
For instance, the Italian Data Protection Authority imposed an administrative fine on the food delivery company Deliveroo in July 2021 for violations of the law regarding its algorithmic management practices. In this case, while it was acknowledged that the ADM algorithm may be necessary for managing contractual relationships with drivers, the company was fined for violating general data protection rules during this process.
In another case, the Norwegian Data Protection Authority determined that the International Baccalaureate (IB) violated GDPR principles when it canceled exams during the pandemic and graded students based on their school history and context. It was stated that this approach was unfair, did not reflect individual academic performance, and could lead to school-based discrimination. The lack of explanation regarding the logic behind IB's grading algorithm was also found to be in violation of the transparency principle.
With the amendments to the KVKK that came into effect on 1 June 2024 in Turkey, the KVKK has been brought closer to the GDPR and solutions have been produced for many problems encountered in practice. However, in light of the rapidly evolving artificial intelligence technologies, it is essential to ensure stricter protection of data subjects’ rights. Due to the complexity of artificial intelligence systems and the inability to fully explain their operational mechanisms, controlling the processing of personal data in this field is challenging, and such processing is likely to result in outcomes that impact data subjects’ rights. Data subjects, at the very least, have the right to learn whether their personal data is being processed in accordance with the KVKK under the current legislation, request information under Article 11 of the KVKK, and, especially when data is processed solely through automated systems, contest any decision that leads to an adverse outcome for them. In the event of harm, they also have the right to seek compensation. However, there is no doubt that there is a need for more proactive regulations to prevent ADM mechanisms from producing results affecting rights beyond their control and to enable individuals to exercise their rights to object and seek rectification in a more proactive manner.
Special thanks to İsmail Arslan for his contributions.
Author:
Begüm Yavuzdoğan Okumuş, Partner
Email: begum.yavuzdogan@gun.av.tr