Artificial Intelligence Under Turkish Law

1) Executive Summary

Türkiye does not yet have a stand-alone “AI Act.” Compliance for AI systems is achieved by mapping use cases onto a layered framework: personal data protection (Law No. 6698, “KVKK”), civil liability and contracts (Turkish Code of Obligations No. 6098, “TCO”), the Turkish Commercial Code No. 6102, consumer protection (Law No. 6502), product safety and recalls (Law No. 7223), internet and intermediary obligations (Law No. 5651), e-commerce and commercial communications (Law No. 6563), competition (Law No. 4054), copyright (Law No. 5846), and industrial property (Law No. 6769), all with a potential criminal overlay under the Turkish Penal Code No. 5237. Policy direction is informed by national AI strategy instruments; operationally, a risk-based approach with human oversight, explainability, and robust record-keeping is essential.

---

2) The Legal Building Blocks at a Glance

• Data protection & automated decisions: Law No. 6698 (KVKK)
• Civil liability & contracts: TCO (No. 6098)
• Commercial context: TCC (No. 6102)
• Consumers & services: Consumer Protection Law (No. 6502)
• Product safety & recalls: Law No. 7223
• Platforms & internet: Law No. 5651
• E-commerce & commercial communications: Law No. 6563
• Competition & algorithms: Law No. 4054
• Industrial property: Law No. 6769
• Copyright: Law No. 5846
• Criminal data offences: Turkish Penal Code (No. 5237)

---

3) Personal Data and Automated Decision-Making (KVKK)

Lawful basis and transparency. Any model ingesting personal data must rely on a valid legal ground (explicit consent, contractual necessity, legal obligation, vital interests, legitimate interest with balancing, etc.). Controllers must provide clear notices covering identity, purposes, recipients, method/legal reason for processing, and data subject rights.

Solely automated decisions. KVKK grants the right to object where a person faces an adverse result produced solely by automated systems. For materially impactful use cases (credit scoring, insurance underwriting, hiring, fraud detection, healthcare triage), controllers should implement:

• a documented human-in-the-loop review path,
• meaningful explanations identifying the main decisional factors, and
• accessible objection and reversal/confirmation workflows.

Data discipline. Embed purpose limitation, minimization, retention schedules, access controls, encryption, deletion/anonymization routines, and—where applicable—VERBIS registration into “privacy by design.”

Criminal overlay. Alongside KVKK administrative fines, Penal Code provisions on unlawful acquisition, disclosure, or failure to delete personal data can apply—particularly relevant when assembling training corpora or transferring data to third countries.

---

4) Consumers, Product Safety and Defect Liability

B2C AI services and “dark patterns.” Law No. 6502 applies to AI-enhanced services and interfaces. Misleading claims, manipulative interfaces, or unfair practices can trigger administrative measures and damages in addition to contractual remedies.

Embedded AI as a product. Where AI is part of a product, Law No. 7223 requires safety and conformity assessment, technical documentation, post-market surveillance, and recall capabilities. Autonomous features, cybersecurity updates, and version control belong in the product safety file.

Strict-defect logic in consumer contexts. Producers/sellers may face liability without fault. For AI, defect theories often center on dataset defects, model drift, or unsafe updates. Preserve causation defenses with immutable logs, model version histories, and A/B test evidence.

---

5) Platforms, Intermediary Duties, and E-Commerce

Under Law No. 5651, hosting and access providers using AI for content ranking, moderation, or ad delivery remain subject to notice-and-takedown, logging, and data retention obligations. Law No. 6563 governs e-commerce transparency and commercial communications; AI-driven personalization must be clear, accurate, and consent-compliant. Build formal complaint/intake, takedown, and audit-log processes for any AI-mediated content or recommendation outputs.

---

6) Competition Law and Algorithmic Conduct

Algorithmic pricing and self-preferencing raise risks under Law No. 4054, including facilitation of tacit collusion or abuse of dominance. Practical guardrails include:

• strict segregation between pricing engines and competitively sensitive data,
• pre-deployment and ongoing compliance testing of algorithm behavior,
• transparency and non-discrimination commitments for ranking or “buy-box” logics, supported by audit trails.

---

7) Intellectual Property and Training Data

Patents and inventorship. Under Industrial Property Code No. 6769, inventorship attaches to humans, not AI systems. Ensure employee-invention and assignment procedures are tight in AI R&D programs.

Copyright in AI outputs. Law No. 5846 protects works reflecting human creativity. Purely machine-generated outputs may fall outside protection unless human contribution is sufficiently creative. Contractual allocation of output rights and a workflow that documents human contribution are best practice.

Training data/IP risk. Scraping and dataset aggregation can implicate copyright, database rights, and personality rights. Maintain dataset provenance, license mapping, usage restrictions, and destruction schedules.

---

8) Civil Liability Under the TCO and Contract Allocation

Absent an AI-specific statute, most AI harms are analyzed under tort (foreseeable, preventable harm) and contract (non-performance or defective performance). Effective contract architecture is the frontline risk tool:

• service levels and performance metrics (uptime, latency, accuracy, precision/recall),
• model monitoring and update duties,
• explainability hooks and audit rights,
• comprehensive logging/versioning and change management,
• warranties on data quality, labeling, and lawful provenance,
• cybersecurity standards and incident notification,
• calibrated liability caps with carve-outs (willful misconduct, gross negligence, personal injury, personal data breaches, third-party IP infringement),
• indemnities and back-to-back regress across the AI supply chain, plus appropriate insurance.

Because consumer and product-safety regimes may curb broad disclaimers, pair general caps with specific exceptions tailored to high-impact risks.

---

9) Sector Snapshots

• Financial services: Automated credit and risk scoring require human review, bias testing, and robust data quality controls; ensure objection and re-assessment channels.
• Healthcare: Special-category data, clinical standards, and malpractice principles converge; implement stringent access control, logging, and incident response.
• Public procurement: Expect clauses on risk management, ethics, explainability, and data sovereignty aligned with national AI policy.
• EdTech/AdTech/Media: Profiling, protection of children, ad transparency, and content complaints demand high-volume logging and user-facing disclosures.

---

10) Governance Toolkit: Ten Controls That Actually Work

1. Use-case register: A living inventory mapping each AI use to legal basis, data categories, impact level, and business purpose.
2. Risk tiering: Classify by impact; run DPIA-style impact analyses for high-risk cases with legal/ethics sign-off.
3. Human-in-the-loop: Documented human review for materially impactful decisions.
4. Model cards & data sheets: Training sources, bias tests, metrics, known limitations, and suitable use cases.
5. Change management: Version notes, rollback plans, shadow/canary releases, production approval chains.
6. Incident response: Playbooks for model drift, data leakage, and harmful misclassification spikes.
7. Explainability hooks: Feature importance and rationale summaries that are intelligible to affected users.
8. Third-party diligence: Security, data, IP, and competition compliance questionnaires; audit rights and evidence repositories.
9. Records & VERBIS: Processing maps, retention/destruction plans, transfer logs and privilege controls.
10. Training & accountability: Clear ownership across product–legal–IT; metrics and board-level reporting.

---

11) Sample Clause Suite (Short-Form)

(a) Scope and Performance.
“The Supplier shall provide the AI Service as described in Annex-A. Baseline targets (Annex-B) include accuracy, precision, recall, latency and uptime. Material deviations trigger the corrective plan in Annex-C.”

(b) Data and IP.
“All training, fine-tuning and inference shall comply with applicable data-protection law. Customer Data remains Customer’s property. Supplier warrants lawful provenance of Training Data and grants Customer a non-exclusive right to Outputs. To ensure protectability, the Parties will document human creative contribution as specified in Annex-D.”

(c) Explainability and Human Review.
“For decisions producing legal or similarly significant effects, the Supplier shall provide meaningful information about the main factors of the decision and operate a Human Review channel capable of reversal or confirmation within defined timelines.”

(d) Security and Logs.
“The Supplier shall maintain industry-standard security controls and immutable logs covering data lineage, model versions, prompts, outputs and administrative actions, retained as set out in Annex-E.”

(e) Updates and Model Drift.
“The Supplier shall monitor performance, detect material drift, and notify the Customer without undue delay. Updates follow the change-control process; emergency patches require prompt disclosure of risks and mitigations.”

(f) Liability and Indemnities.
“Liability caps do not apply to willful misconduct, gross negligence, personal injury, breach of data-protection obligations, or third-party IP infringement. The Supplier shall indemnify the Customer for claims arising from unlawful Training Data or infringing Outputs.”

---