African Union
The African Union's Continental AI Strategy sets the stage for a unified approach to AI governance across the continent.
Artificial intelligence (AI) has made enormous strides in recent years and has increasingly moved into the public consciousness.
Increases in computational power, coupled with advances in machine learning, have fueled the rapid rise of AI. This has brought enormous opportunities, as new AI applications have given rise to new ways of doing business. It has also brought potential risks, from unintended impacts on individuals (e.g., AI errors harming an individual's credit score or public reputation) to the risk of misuse of AI by malicious third parties (e.g., by manipulating AI systems to produce inaccurate or misleading output, or by using AI to create deepfakes).
Governments and regulatory bodies around the world have had to act quickly to try to ensure that their regulatory frameworks do not become obsolete. In addition, international organizations such as the G7, the UN, the Council of Europe and the OECD have responded to this technological shift by issuing their own AI frameworks. But they are all scrambling to stay abreast of technological developments, and already there are signs that emerging efforts to regulate AI will struggle to keep pace. In an effort to introduce some degree of international consensus, the UK government organized the first global AI Safety Summit in November 2023, with the aim of encouraging the safe and responsible development of AI around the world.
Most jurisdictions have sought to strike a balance between encouraging AI innovation and investment, while at the same time attempting to create rules to protect against possible harms. However, jurisdictions around the world have taken substantially different approaches to achieving these goals, which has in turn increased the risk that businesses face from a fragmented and inconsistent AI regulatory environment. Nevertheless, certain trends are becoming clearer at this stage:
Businesses in almost all sectors need to keep a close eye on these developments to ensure that they are aware of the AI regulations and forthcoming trends, in order to identify new opportunities and new potential business risks. But even at this early stage, the inconsistent approaches each jurisdiction has taken to the core questions of how to regulate AI is clear. As a result, it appears that international businesses may face substantially different AI regulatory compliance challenges in different parts of the world. To that end, this AI Tracker is designed to provide businesses with an understanding of the state of play of AI regulations in the core markets in which they operate. It provides analysis of the approach that each jurisdiction has taken to AI regulation and provides helpful commentary on the likely direction of travel.
Because global AI regulations remain in a constant state of flux, this AI Tracker will develop over time, adding updates and new jurisdictions when appropriate. Stay tuned, as we continue to provide insights to help businesses navigate these ever-evolving issues.
The African Union's Continental AI Strategy sets the stage for a unified approach to AI governance across the continent.
Voluntary AI Ethics Principles guide responsible AI development in Australia, with potential reforms under consideration.
The enactment of Brazil's proposed AI Regulation remains uncertain with compliance requirements pending review.
AIDA expected to regulate AI at the federal level in Canada but provincial legislatures have yet to be introduced.
The Interim AI Measures is China's first specific, administrative regulation on the management of generative AI services.
The Council of Europe is developing a new Convention on AI to safeguard human rights, democracy, and the rule of law in the digital space covering governance, accountability and risk assessment.
The successful implementation of the EU AI Act into national law is the primary focus for the Czech Republic, with its National AI Strategy being the main policy document.
The EU introduces the pioneering EU AI Act, aiming to become a global hub for human-centric, trustworthy AI.
France actively participates in international efforts and proposes sector-specific laws.
The G7's AI regulations mandate Member States' compliance with international human rights law and relevant international frameworks.
Germany evaluates AI-specific legislation needs and actively engages in international initiatives.
National frameworks inform India’s approach to AI regulation, with sector-specific initiatives in finance and health sectors.
Israel promotes responsible AI innovation through policy and sector-specific guidelines to address core issues and ethical principles.
Japan adopts a soft law approach to AI governance but lawmakers advance proposal for a hard law approach for certain harms.
Kenya's National AI Strategy and Code of Practice expected to set foundation of AI regulation once finalized.
Nigeria's draft National AI Policy underway and will pave the way for a comprehensive national AI strategy.
Position paper informs Norwegian approach to AI, with sector-specific legislative amendments to regulate developments in AI.
The OECD's AI recommendations encourage Member States to uphold principles of trustworthy AI.
Saudi Arabia is yet to enact AI Regulations, relying on guidelines to establish practice standards and general principles.
Singapore's AI frameworks guide AI ethical and governance principles, with existing sector-specific regulations addressing AI risks.
South Africa is yet to announce any AI regulation proposals but is in the process of obtaining inputs for a draft National AI plan.
South Korea's AI Act to act as a consolidated body of law governing AI once approved by the National Assembly.
Spain creates Europe's first AI supervisory agency and actively participates in EU AI Act negotiations.
Switzerland's National AI Strategy sets out guidelines for the use of AI, and aims to finalize an AI regulatory proposal in 2025.
Draft laws and guidelines are under consideration in Taiwan, with sector-specific initiatives already in place.
Turkey has published multiple guidelines on the use of AI in various sectors, with a bill for AI regulation now in the legislative process.
Mainland UAE has published an array of decrees and guidelines regarding regulation of AI, while the ADGM and DIFC free zones each rely on amendments to existing data protection laws to regulate AI.
The UK prioritizes a flexible framework over comprehensive regulation and emphasizes sector-specific laws.
The UN's new draft resolution on AI encourages Member States to implement national regulatory and governance approaches for a global consensus on safe, secure and trustworthy AI systems.
The US relies on existing federal laws and guidelines to regulate AI but aims to introduce AI legislation and a federal regulation authority.
Turkey has published multiple guidelines on the use of AI in various sectors, with a bill for AI regulation now in the legislative process.
Currently, there is no specific law or regulation that directly regulates AI in Turkey, though it is anticipated that this may change in the foreseeable future. The government is keen to encourage the responsible use of AI through various measures, including the creation of "AI hubs" to support Turkish businesses, and such measures have been reflected in Turkey's National Strategic Plans since 2021.
The Turkish Personal Data Protection Authority (the "KVKK1") has published a series of privacy-focused guidelines concerning the implementation of AI solutions in different sectors. The KVKK's "Recommendations on the Protection of Personal Data in the Field of Artificial Intelligence" (the "AI Recommendations2") set out the KVKK's expectations regarding respect for fundamental human rights and freedoms, and imposing limits on the use of personal data in AI applications. Further, the KVKK's "Guidelines on Good Practices regarding the Protection of Personal Data in Banking Sector3" provide recommendations for financial institutions and banks processing personal data through, among others, AI-based products. Finally, the KVKK's "Guidelines on Protection of Privacy in Mobile Applications"4 clarify that AI-based mobile applications should adhere to the principles of transparency and predictability. Although these guidelines are non-binding, they illustrate the KVKK's current stance on AI.
As noted above, there are currently no specific laws or regulations that directly regulate AI in Turkey. The Digital Transformation Office of the Presidency of Turkey (the Digital Transformation Office)5 created in 2018 as the policy-making body to spearhead digital and technological developments in the country, is actively working on building a legal framework to support and regulate AI. To date, the Digital Transformation Office has published a series of strategic planning notes related to promoting the use and development of AI in Turkey (e.g., by investing in education, training, research, and infrastructure), but nothing related to the regulation of AI.
On June 25, 2024, a bill for the regulation of AI in Turkey (the "AI Bill")6 was presented before parliament. The Bill is currently with the parliamentary committee review in accordance with Turkish legislative process. If the AI Bill passes this review, it will be presented to the Grand National Assembly of Turkey (the National Assembly) for deliberations and voting to be adopted as law. The AI Bill comprises eight articles that seek to set a general framework around AI regulation based on the principles of safety, transparency, equality, accountability, and privacy. It lacks any specificity as to how these principles will be adopted and enforced in practice. Whether the majority political parties will support the AI Bill remains to be seen.
Turkey has in place a broad legislative framework around technology, including cybersecurity, internet, and social media, which may affect the use of AI, including:
There is currently no specific definition of AI under Turkish Law. The KVKK suggests in its AI Recommendations that the term AI refers broadly to computation ability to execute tasks normally associated with humans, such as thinking, interpreting, and making decisions. Further, Turkey's National Artificial Intelligence Strategy, published by the Digital Transformation Office in 2021 (the National AI Strategy)7 offers a similar interpretation.
Similarly, under Article 2 of the AI Bill, AI is defined as "computer-based systems that are able to carry out human-like skills such as learning, rationalization, problem solving, perception, semantic comprehension and cognitive functions."
As noted above, there are currently no specific laws or regulations in Turkey that directly regulate AI.
The strategic plans and guidelines the Turkish government has published so far suggest that the expected AI regulations will focus on the sectors of banking, finance, legal, health, automotive, personal data (privacy), e-commerce, intellectual property, capital markets, national security and e-government. In particular, the National AI Strategy focuses on promoting the use and development of AI, specifically generative AI, to support and assist the following sectors:
As noted above, there are currently no specific laws or regulations in Turkey that directly regulate AI. Accordingly, there are currently no legal obligations specifically assigned to developers, users, operators and/or deployers of AI systems. The KVKK's AI Recommendations provide definitions of data processors, developers, manufacturers, and service providers, but do not make any compliance recommendations for any of these roles specifically.
The AI Bill sets forth four different compliance roles, "provider", "implementor/user", "importer", and "distributor", and introduces the blank term that covers all these four roles, "operator". The AI Bill does not impose any specific obligations on these compliance roles; rather, it simply requires that all "operators" comply with the general principles of safety, transparency, equality, accountability, and privacy.
There are currently no specific laws or regulations in Turkey which directly regulate AI. However, both the AI Recommendations and the National AI Strategy underline the need for "ethical AI." We expect the notions of responsibility, transparency, and predictability to be the core elements of regulation of AI in Turkey.
Turkey is known to closely observe the legal developments in the European Union (e.g., EU AI Act), which it frequently relies on as models for national legislation. We can expect Turkey to regulate AI in a manner consistent and compatible with the relevant EU regulations.
On a broader level, the National AI Strategy focuses on the integration of AI as a political priority to increase the social welfare and strengthen the country's national security. Turkey also aims to increase its global competitiveness, achieve economic and technological independence, and undertake policies and practices that will lead to breakthroughs in critical technologies, including AI. These will be the other key considerations for Turkey in regulating AI.
In accordance with the AI Guidelines and the National AI Strategy, the AI Bill requires that all "operators" comply with the general principles of safety, transparency, equality, accountability, and privacy. It also introduces a hefty monetary fine for the provision of "false information". Unlike the AI Guidelines and the National AI Strategy, however, the AI Bill is silent on child safety.
Because Turkey currently has no AI-specific laws or regulations in Turkey, there is no official risk categorization.
The National AI Strategy states that "standardization and certification" will be promoted to reduce the risks of AI use. The National AI Strategy also envisions the use of AI to support responses to national and global crises such as pandemics and natural disasters.
On a broader level, Turkey has recently taken measures to combat misinformation, hate speech and financial fraud online. These are high-risk areas where Turkey may rely on AI to address these problems more effectively while also restricting any use of AI that could exacerbate them.
The AI Bill refers to "high-risk AI systems" without any definition. In its Preamble, the AI Bill gives the examples of "self-driving vehicles", "medical diagnosis systems", and "judicial systems that rely on AI" as high-risk AI systems. The AI Bill does not introduce any specific obligations regarding high-risk AI systems but subjects them to a "registration" requirement. The AI Bill does not specify how this registration requirement will work in practice but sets forth that competent supervisory authorities must conduct continuous monitoring and auditing of such systems. The AI Bill calls for specific, secondary regulations dealing with high-risk AI systems, which may clarify some of these uncertain provisions.
As noted above, there are currently no specific laws or regulations in Turkey that directly regulate AI. That said, in light of the AI Recommendations and National AI Strategy, we expect that the key compliance requirements will focus on the principles of transparency, accountability, protection of privacy and personal data, safety of individuals and specifically children, non-discrimination and reliability of information.
There is currently no AI-specific regulation or regulator in Turkey. The KVKK is the main privacy regulator under Turkey's Personal Data Protection Law (No. 6698)8 and may indirectly regulate the AI field through various privacy-focused regulations that are in place in Turkey. The Information and Communications Technologies Authority, the Financial Crimes Investigation Board, the Capital Markets Board, the Banking Regulation and Supervision Agency, the Advertising Board and the Turkish Competition Authority, may each indirectly regulate AI within their own spheres. Turkey's anticipated AI regulations may create a new regulator specifically to regulate AI or distribute specific roles and duties among the existing regulators.
The AI Bill does not propose an AI-specific regulator, nor does it designate any existing regulator (such as the KVKK) to assume the role or the responsibility for the registration of high-risk AI systems (see "Risk categorization" section above for further details regarding the registration requirement).
As stated above, there is no specific regulation that directly regulates AI in Turkey. However, other laws and regulations that may indirectly regulate AI (please refer to "Other laws affecting AI" section above) provide the Turkish regulators with a large toolbox of enforcement measures and penalties. For example, under Turkey's Law on Protection of Personal Data (No. 6698), sanctions for non-compliance include administrative fines. Under the Law on Regulation of Broadcasts through Internet and Combatting of Crimes Committed Through Such Publications (No. 5651), sanctions for non-compliance include, in addition to administrative fines, advertising bans and bandwidth reduction.
In September 2023, the Advertising Board imposed fines9 on advertisers to sanction practices that rely on AI-generated information to promote their products without "any factual research" proving "product or brand superiority." For example, one clothing brand claimed in its online advertisements that it is "the biggest fashion retailer in Turkey according to ChatGPT," which the Advertising Board found to be "unreliable" because there was no research or independent resource to support that claim and answers generated by ChatGPT may not always be "accurate or up to date." Finally, to the extent AI is used to commit any of the offences set out in the Turkish Penal Code, penalties envisioned therein will apply.
The AI Bill introduces hefty, annual turnover-based fines for certain noncompliance scenarios. These include:
1 See here
2 Recommendations on the Protection of Personal Data in the Field of Artificial Intelligence
3 Guidelines on Good Practices regarding the Protection of Personal Data in Banking Sector (available in Turkish only)
4 Guidelines on Protection of Privacy in Mobile Applications (available in Turkish only)
5 See the website of the Digital Transformation Office of the Presidency of Turkey
6 Draft AI Bill introduced on June 25, 2024 (available in Turkish only)
7 See here
8 Personal Data Protection Law (No. 6698)
9 https://ticaret.gov.tr/haberler/reklam-kurulu-yapay-zeka-reklamlarini-ilk-kez-incelemeye-aldi (available in Turkish only)
White & Case means the international legal practice comprising White & Case LLP, a New York State registered limited liability partnership, White & Case LLP, a limited liability partnership incorporated under English law and all other affiliated partnerships, companies and entities.
This article is prepared for the general information of interested persons. It is not, and does not attempt to be, comprehensive in nature. Due to the general nature of its content, it should not be regarded as legal advice.
© 2024 White & Case LLP
Selin Kaledelen (Associate, White & Case, Istanbul) and Cameron Lee (Trainee Solicitor, White & Case, London) contributed to this publication.