1. The European Union Adopted First Artificial Intelligence Regulation

The European Parliament adopted the EU Artifical Intelligence Act (“AI Act”) on 13.03.2024. The AI Act introduced the first legal framework to regulate artificial intelligence. The AI Act aims to improve the functioning of the internal market and promote the uptake of human-centric and trustworthy AI, while ensuring a high level of protection of health, safety, fundamental rights, including democracy, the rule of law and environmental protection, against the harmful effects of AI systems in the EU and supporting innovation.

The AI Act adopts a risk-based approach which defines four levels of risk for AI systems. On the other hand, AI systems using a general-purpose AI model are also regulated. The AI Act applies to providers and deployers offering services in the EU, irrespective of whether those providers are established within the EU. Additionally, it also applies to providers and deployers of AI systems that are located in a third country, if the output produced by the AI system is used within the EU. Therefore, in case the persons or market of the EU are involved, the relevant AI system (including those are provided or exported by Turkish undertakings) will be subject to the AI Act. Further details regarding the AI Act can be found here.

2. First International Convention on Artificial Intelligence Opened for Signature

The Council of Europe Framework Convention on Artificial Intelligence, Human Rights, Democracy and the Rule of Law (“AI Framework Convention”), the first-ever international legally binding treaty on artificial intelligence, opened for signature on 05.09.2024. The AI Framework Convention aims to ensure that activities within the lifecycle of artificial intelligence systems are fully consistent with human rights, democracy and the rule of law, and aims to fill any legal gaps that may result from rapid technological advances.

The AI Framework Convention has so far been signed by the European Union, the United States of America and the United Kingdom, and by Andorra, Georgia, Israel, Iceland, the Republic of Moldova, Montenegro, Norway and San Marino. The AI Framework Convention will enter into force after ratification by at least five signatory countries, three of which are members of the Council of Europe. Further details regarding the AI Framework Convention can be found here.

3. Action Plan on National Artificial Intelligence Strategy Announced

Due to the recent developments in the world, especially the EU AI Act, which is also mentioned above, the National Artificial Intelligence Strategy had to be updated as the “National Artificial Intelligence Strategy 2024-2025 Action Plan” (“Action Plan”). The Action Plan aims to train artificial intelligence experts and increase employment in this field, support research, entrepreneurship and innovation, expand access to quality data and technical infrastructure, implement regulations to accelerate socioeconomic integration, strengthen international collaborations, and expedite structural and labour transition. Further details regarding the Action Plan can be found here.

4. Information Note on Chatbots Published

The Personal Data Protection Authority (“Authority”) published the Information Note on Chat Robots (“Information Note”) on 08.11.2024. As stated in the Information Note, the transparency of artificial intelligence chatbots is important in terms of personal data security. Adequate information should be provided on how and for what purposes the personal data processed by such applications are used, to whom they will be transferred, how long the data will be stored, the identity of the data controller and, if any, its representative, and the rights of the data subject. A proactive approach should be adopted to ensure accurate and reliable age determination for children and to prevent children from having negative experiences. Further details regarding the Information Note on Chatbots can be found here.

5. European Data Protection Board Published Opinion on the Use of Personal Data in AI Model Training

Upon a request from the Irish Data Protection Commission, the European Data Protection Board (“EDPB”) has published its opinion (“Opinion”) on compliance with personal data protection legislation in artificial intelligence model training. In the Opinion, the EDPB discusses (i) when and how an AI model can be considered as “anonymous”; (ii) how controllers can demonstrate the appropriateness of legitimate interest as a legal basis in the development and deployment phases; and (iii) how unlawful processing of personal data during the development phase of an AI model will affect the subsequent processing and operation of the AI model.

Although the Opinion is of great importance as an assessment on the data protection of personal data in the process of developing artificial intelligence, it is foreseen that it will be subject to criticism in the light of problems in practice, as it leaves too many uncertain areas and does not follow the Hamburg thesis which was expected to resolve various problems in a practical way. Further details regarding the Opinion on the Use of Personal Data in AI Model Training can be found here.

6. Amendments to the Personal Data Protection Law

With the Amending Law, the system stipulating the rules and exceptions that special categories of personal data cannot be processed without explicit consent has been completely changed. Instead, the scope of exceptions to the processing of special categories of personal data has been expanded in line with the general data processing grounds and the GDPR. Accordingly, the scope of the situations in which special categories of personal data may be processed has been expanded.

Prior to the Amending Law, it was regulated that personal data could be transferred abroad with explicit consent. However, personal data could be transferred abroad without explicit consent of data subject upon the existence of one of the conditions of the general data processing or one of the conditions for the processing of special categories of personal data other than health and sexual life. Adequate protection is required in the country where the personal data are to be transferred. If adequate protection is not provided, the existence of commitment for adequate protection by the data controllers and authorisation of the Board were required.

With the Amending Law, the system stipulating the rules and exceptions that personal data cannot be transferred abroad without explicit consent has been completely changed. Instead, transferring personal data abroad is permitted without explicit consent, provided that one of the conditions for processing general data or special categories of personal data is met, and one of the additional conditions stipulated in the Law is fulfilled.

7. Procedures and Principles regarding the Transfer of Personal Data Abroad Regulated

The Authority had prepared a draft regulation in order to regulate the procedures and principles regarding the transfer of personal data abroad and opened the draft for public opinion and assessment. The draft regulation, largely unchanged, has entered into force through its publication in the Official Gazette dated 10.07.2024 by the Authority under the title of Regulation on the Procedures and Principles Regarding the Transfer of Personal Data Abroad (“Regulation“).

Firstly, it will be required that the Personal Data Protection Board (“Board”) has issued an adequacy decision on the third country, international organisation, or a specified sector within that third country. Adequacy decisions and the decisions to amend, suspend or repeal the adequacy decisions shall be published in the Official Gazette and on the website of the Authority.

In the absence of an adequacy decision made by the Board, it will be required that the controller or processor should provide appropriate safeguards such as agreements that are not international conventions, binding corporate rules, standard data protection clauses, commitment, etc., provided that enforceable data subject rights and effective legal remedies for data subjects are available in the country where the personal data are to be transferred. Application forms for binding corporate rules and standard contractual clauses were published on the website of the Authority on 10.07.2024.

Finally, in the absence of an adequacy decision, or of appropriate safeguards, transfer may be made on an incidental basis. However, it should be noted that this provision permits transfers to be made under certain compulsory conditions listed in the Law, such as the informed explicit consent of the data subject, performance of the contract, superior public interest. Further details regarding the transferring personal data abroad can be found here.

Subsequently, the Board published the Guideline on the Transfer of Personal Data Abroad on 02.01.2025 in order to present its expectations regarding the safeguards stipulated by the aforementioned amendments and to eliminate the uncertainties in practice. Further details regarding Guideline on the Transfer of Personal Data Abroad can be found here.

8. Crypto Assets Regulated

Crypto assets have been regulated with the amendment introduced to the Capital Markets Law on 02.07.2024. Amending law defined wallet, crypto asset, crypto asset service provider, crypto asset custody service and crypto asset trading platform and regulated the basic principles regarding crypto assets. The Capital Markets Board (“CMB”) announced on the same day on its website the information and documents requested from service providers that already continue their activities and service providers that will commence their activities for the first time.

Pursuant to the new regulation, service providers are required to obtain authorisation from the CMB in order to be established and launch their operations. Service providers are not subject to the provisions of the Capital Markets Law which do not specifically refer to them. The principles regarding the trading, initial sale or distribution, exchange, transfer and storage of crypto assets through the platforms will be determined by the CMB. Crypto assets shall be stored in the clients’ own wallets. Custody services for crypto assets that clients do not prefer to store in their own wallets shall be provided by banks or other institutions authorised by the CMB to provide crypto asset custody services, and cash belonging to clients shall be stored by banks. In the event that a platform resident abroad opens a place of business in Türkiye, creates a website in Turkish, and engages in promotional and marketing activities, such platforms will be deemed to be operating for Turkish residents, and these activities will be subject to the authorisation of the CMB.

These amendments have entered into force through its publication in the Official Gazette dated 02.07.2024. Service providers were obliged to apply to the CMB until 02.08.2024 for an operating licence if they will continue their operations, or to declare that they will take a liquidation decision within three months if they will not continue their activities. The CMB regulated the conditions for the establishment of crypto asset platforms with the Decision dated 08.08.2024. The CMB regulated the listing of crypto assets and the advertising activities of platforms due to the different practices in receiving and storing customer cash and receiving customer orders via social media with the Decision dated 19.09.2024. Further details regarding Guideline on the Transfer of Personal Data Abroad can be found here.

9. Significant Amendments to the Communiqué on Principles Regarding Venture Capital Investment Funds

The Communiqué (III-52.4.c) (“Amending Communiqué”) Amending the Communiqué on Principles Regarding Venture Capital Investment Funds (III-52.4) (“Communiqué”) entered into force upon its publication in the Official Gazette dated 21.09.2024. The Amending Communiqué introduced significant amendments regarding venture capital investment funds (“VCIF”).

The Amending Communiqué replaces the investor information form with a fund issuance agreement. The fund issuance agreement will be concluded individually or collectively between the fund and the holders of participation shares and will contain the minimum elements listed in the fourth annex of the Communiqué. A fund issuance agreement shall be signed prior to the sale of participation shares to qualified investors. Prior to the Amending Communiqué, VCIFs could not be established as umbrella funds or basket funds. Pursuant to the Amending Communiqué, it is now possible for the VCIFs to issue funds under an umbrella fund by issuing a separate issuance document for each issuance of participation shares. Pursuant to the Communiqué, VCIFs could invest in venture capital companies established or to be established in Türkiye, or established abroad as of the date of investment, but at least 80% of the assets of which consisted of subsidiaries or affiliates established in Türkiye according to the latest annual financial statements. This ratio was reduced from %80 to 51% for companies established abroad.

The Communiqué already regulated convertible notes under the provision that VCIFs may invest in venture capital companies in the form of structured financing as a mix of debt and equity financing. The Amending Communiqué explicitly regulates that investments made through agreements that grant or will grant the right to become a shareholder in venture capital companies in the future will be considered as venture capital investments. Nevertheless, in order for this amendment to have an impact, convertible notes should be regulated as they can be used legally in the light of regulations such as the prohibition of the company’s acquisition of its own shares, thin capitalisation, usury offence, and unauthorised loan utilisation.

10. The Withholding Tax Rate on Earnings from Shares of Venture Capital Investment Fund Changed

The withholding tax rate was reduced to 0% for the income and gains derived by real person investors from the participation shares of venture capital investment funds, regardless of how long the participation shares were held. With the amendment, the withholding tax rate is increased to 7.5% for the participation shares acquired between 01.05.2024 and 31.07.2024 which are held for less than two years, and the withholding tax rate is increased to 10% for the participation shares to be acquired after 31.07.2024 which will be held for less than two years. On the other hand, the withholding tax rate will continue to be 0% for the income and gains to be derived from participation shares held for more than two years.

11. Witholding Tax for Electronic Commerce Regulated

With the Presidential Decree dated 22.12.2024 and numbered 9284, it has been regulated that intermediary service providers and electronic commerce intermediary service providers shall apply 1% withholding tax to the payments to be made to service providers and electronic commerce service providers due to their activities within the scope of electronic commerce legislation.

12. Amendment to Taxation of Employee Share Options

Law No. 7524 on the Amendment of Tax Laws, Certain Laws and Decree Law No. 375 published in the Official Gazette dated 02.08.2024 introduced significant regulations regarding the taxation of shares acquired through employee share option plans. Pursuant to the Amending Law, it is regulated that if technology startups grant shares to their employees free of charge or at a discount, income tax will not be accrued for the portion of the fair value of the shares that does not exceed the amount of one year’s gross salary in the relevant year. However, the Amending Law also regulated that the employer may have to pay the uncollected income tax in some cases. The said regulation is criticised as it does not foresee any practical change that encourages the issuance of employee share option plans. Further details regarding taxation of employee share options can be found here.

Should you have any inquiries, please do not hesitate to contact us.