TÜRKIYE Law and Practice Contributed by: Bora Yazıcıoğlu, Kübra İslamoğlu Bayer, Simge Yüce and Yiğit Aktimur, YAZICIOGLU Legal
or other practitioners who follow investigation files as complainants or representatives. To the best of our knowledge, the highest fine issued by the DPA to date is TRY11.5 million, imposed on Instagram in 2024. This fine was due to Instagram’s failure to implement ade - quate technical and administrative measures to ensure data security. Additionally, the platform was penalised for converting private Instagram accounts of child users into business accounts without proper age verification or parental con - sent. Another notable fine was imposed in 2023 when WhatsApp and Meta were each fined approxi - mately TRY2.65 million for failing to register with VERBIS and ordered to comply with the registra - tion requirement. Recently, a significant DPA decision was shared online by its complainant. This decision addressed location-based marketing and the concept of joint controllership – a concept not explicitly outlined in the DP Law. In this case, a mobile operator processed location data to send SMS messages promoting discounts on behalf of a clothing store. Both parties jointly deter - mined the purpose and means of processing, which the DPA interpreted as joint controllership. The DPA also emphasised obtaining explicit consent, specific to the intended purpose, from data subjects for location-based marketing and subsequent SMS communications. Due to non- compliance, the DPA issued administrative fines of approximately TRY1 million to the clothing store and TRY2 million to the mobile operator. 1.5 AI Regulation Currently, there is no specific legislation dedi - cated solely to AI. Nevertheless, general provi -
sions from existing laws apply to the use of AI systems. In particular, the principles outlined in the DP Law apply whenever AI systems involve the pro - cessing of personal data. The DPA issued Rec - ommendations on the Protection of Personal Data in the Field of Artificial Intelligence, pro - viding guidance for developers, manufacturers, service providers, and decision-makers. These recommendations address AI-related concerns in the context of personal data processing. The DPA has also published an informational docu - ment on chatbots, emphasising transparency principles, potential risks related to the use of AI chatbot applications, and specific measures to be considered when developing such appli - cations. Additionally, sector-specific regulations may also apply to AI use. For instance, the Regulation on Remote Identification Methods Used by Banks and the Establishment of Contractual Relation - ships in the Electronic Environment, grants authority to the BRSA to establish principles and procedures for ID verification transactions conducted by customer representatives using AI-based methods. However, the BRSA has not yet issued regulations on this matter. The Digital Transformation Office, responsible for coordinating the digital transition of public institutions and organisations and matters such as cybersecurity and AI, also closely monitors AI topics. In June 2023, it published a research report on “Chatbot Applications and the Chat - GPT Example.” Türkiye is also closely following international legislative trends in AI. The National AI Strategy for 2021–2025 emphasised the importance of global legislative efforts and Türkiye’s commit -
479 CHAMBERS.COM
Powered by FlippingBook