Subject 23- Blockchain and Artificial Intelligence Law

tarafından | Eki 22, 2023 | Cyber Law | 0 yorum

Subject 23- Blockchain and Artificial Intelligence Law

  • Blockchain

Blockchain is a type of database that differs in how it stores information compared to a typical database. Blockchains store data in a way where information is stored in blocks that are later chained together.

As new data comes in, it gets entered into a new block. After a block is filled with data, it is chained to the previous block, which, in turn, chains the data in chronological order.

It first entered our lives with an article written by an individual named Satoshi Nakamoto around the year 2009.

The general application areas where blockchain is expected to be effective are as follows:

Voting and Elections

Banking

FinTech

Creation and Storage of Valuable Documents

E-commerce and Payments

Stocks and Exchanges

E-Notary

Donation Systems

Cloud Computing and Secure Cloud Storage

  • Blockchain Security

Once a block is added to the end of a blockchain, it becomes very difficult to go back and alter the content, unless a consensus is reached by the majority. This is because each block contains its own hash along with the hash of the block before it and a specified timestamp. Blockchain technology addresses security and trust in various ways. First and foremost, new blocks are always stored linearly and chronologically. That is, they are always added to the “end” of the blockchain.

 

Therefore, even if someone wanted to steal something protected by blockchain technology, such as cryptocurrency, changing the contents of a single block would require altering all subsequent blocks, which is practically impossible. That’s why it is known as one of the most secure network systems.

  • Systems Using Blockchain Technology
  • Cryptocurrencies

Cryptocurrencies are one of the systems that utilize blockchain technology. In this case, the blockchain is used in a decentralized manner, meaning there is no single person or group in control – instead, all users collectively hold the control.

Decentralized blockchains are immutable, meaning that data entered cannot be reversed. To steal or hack a cryptocurrency, one would need to hack all the chains that make up that cryptocurrency. Hence, hacking cryptocurrency is an almost impossible task. However, the security of the device or wallet where cryptocurrencies are stored is crucial.

One of the most well-known cryptocurrencies, Bitcoin, determines when and how much will be produced through a process involving encryption and algorithms. Only those who can solve this algorithm can produce Bitcoin. This process is often likened to gold mining and is referred to as Bitcoin mining.

  • Legal Regulations Regarding Cryptocurrency Assets
  • Regulation on the Non-Usage of Crypto Assets in Payments

The Regulation on the Non-Usage of Crypto Assets in Payments was published in the Official Gazette on 16 April 2021 and came into effect on 30 April 2023. This regulation, consisting of six articles, defines the concept of crypto assets and imposes restrictions on their usage:

Purpose and Scope

Article 1 – The purpose of this Regulation is to determine the principles and procedures regarding the non-usage of crypto assets in payments, the non-usage of crypto assets directly or indirectly in the provision of payment services and the issuance of electronic money, and the prohibition of payment and electronic money institutions from providing services for the transfer of funds to or from platforms that offer the purchase or sale, custody, transfer, or export of crypto assets.

Basis

Article 2 – This Regulation has been prepared based on Article 4 of the Law on the Central Bank of the Republic of Turkey, numbered 1211, dated 14/1/1970, Subparagraph (f) of the first paragraph of Article 3 and the fourth paragraph of Article 12 of the Law on Payment and Securities Settlement Systems, Payment Services and Electronic Money Institutions, numbered 6493, dated 20/6/2013.

Non-Usage of Crypto Assets in Payments

Article 3 –(1) In the implementation of this Regulation, crypto assets are virtual assets created virtually using distributed ledger technology or similar technology and distributed over digital networks, but are not considered as fiat money, recorded money, electronic money, payment instrument, security, or other capital market instruments.

(2) Crypto assets cannot be used directly or indirectly in payments.

(3) Services for the use of crypto assets directly or indirectly in payments cannot be provided.

Non-Usage of Crypto Assets in the Provision of Payment Services and the Issuance of Electronic Money

Article 4 – (1) Payment service providers cannot develop business models for the direct or indirect use of crypto assets in the provision of payment services and the issuance of electronic money or provide any services related to such business models.

(2) Payment and electronic money institutions cannot act as intermediaries for the transfer of funds to or from platforms that offer the purchase or sale, custody, transfer, or export of crypto assets.

Effective Date

Article 5 – (1) This Regulation shall enter into force on 30/4/2021.

Execution

Article 6 – The provisions of this Regulation shall be executed by the President of the Central Bank of the Republic of Turkey.

  • 2021 Amendment to the Regulation on the Prevention of Money Laundering and the Financing of Terrorism through Measures Regarding the Prevention of the Financing of Crime

On May 1, 2021, an amendment was made to the Regulation on Measures Regarding the Prevention of Money Laundering and the Financing of Terrorism through Measures. This amendment included cryptocurrency service providers among the “obligated parties” concerning the implementation of the Law on the Prevention of Money Laundering. Certain financial and non-financial institutions, as well as specific businesses and professions, may be used as intermediaries by criminals due to the nature of their activities and services.

In other words, transactions and services provided by these “obligated parties” can be used by criminals to commit crimes. To prevent this, “obligated parties” are expected to play a “preventive” role by increasing their awareness and understanding of anti-money laundering and counter-terrorism financing and actively participating in the fight against financial crimes.

Therefore, “obligated parties” are considered one of the most important stakeholders in the fight against financial crimes. These parties are defined by Article 2/1-d of Law No. 5549 on the Prevention of Money Laundering. According to the amendment added to Article 4/1 of the Regulation on Measures Regarding the Prevention of Money Laundering and the Financing of Terrorism through Measures, published in the Official Gazette dated 01 May 2021 and numbered 31471, “crypto asset service providers” were included among the “obligated parties” as of the date of this change. (Source: https://ms.hmb.gov.tr/uploads/sites/12/2021/05/Kripto-Varlik-Hizmet-Saglayicilar-Rehberi.pdf)

Obligations of Crypto Asset Service Providers According to the Regulation

  • Obligation to Verify Identity:

Obligated parties must identify the identities of the parties conducting transactions or on whose behalf transactions are conducted before any transactions are carried out. Identity verification is completed before establishing a business relationship or conducting a transaction. In the case of an ongoing business relationship, information regarding the purpose and nature of the business relationship is obtained.

  • Obligation to Report Suspicious Transactions:

As per Article 4 titled “Report of Suspicious Transactions” in Law No. 5549, obligated parties are required to report to the Financial Crimes Investigation Board (MASAK) any information, suspicion, or circumstance that suggests that the assets subject to transactions carried out within or through them have been obtained through illegal means or are being used for illegal purposes.

  • Obligation to Provide Information and Documents:

Public institutions, real and legal persons, and unincorporated organizations must provide all information, documents, and related records requested by the Presidency and its supervisory staff, and must provide all information and passwords necessary to access and make such records readable in a complete and accurate manner.

  • Obligation to Preserve and Submit:

Obligated parties are required to preserve, for a period of eight years from the date of the document’s preparation, the date of the last entry in the books and records, and the date of the last transaction for identity verification, all records of any kind relating to the obligations imposed by these laws and their transactions, and to submit them to authorized personnel upon request.

  • Smart Contracts:

Smart contracts are a system that defines all the processes and outcomes of a contract, automatically executing them on a blockchain. Ethereum blockchain systems are used for smart contracts.

Smart contracts are characterized by precise definitions and thorough consideration of all details. They also operate autonomously without the need for third-party intervention. Smart contracts:

Establish rules

Verify rules

Enforce rules

In practice, this system can be likened to a vending machine. A vending machine sets a price for a drink (establishing a rule), the user inserts the specified amount of money, and the machine checks if the inserted money is correct (verifying the rule). If the right amount is inserted, the machine dispenses the drink to the user (enforcing the rule).

For example, consider a scenario where a certain amount of money is being collected for a charity project. Those who want to donate can do so by using a smart contract to contribute any amount they desire. If the target amount is reached by a specific date, the collected funds are transferred to the charity as defined in the contract. If the target amount is not reached, the contributions are automatically returned to the donors.

 

Another example could involve a smart contract for an airline ticket. When a person buys a ticket, they pay the ticket fare into the system. As the flight is delayed, the system automatically initiates refunds to passengers. Once the flight reaches its destination, the ticket fare goes to the airline, and any compensation due to delays is paid to the passenger. A similar system is employed by Axa insurance. (Source: http://fintechtime.com/tr/2017/09/axa-ucus-sigorta-urunleri-icin-ethereum-blockchain-teknolojisini-kullaniyor/ )

One key difference between smart contracts and traditional contracts is that smart contracts cannot be terminated or revised in any way. With blockchain technology, each step is locked and defined, requiring the resolution and alteration of each chain’s algorithm to make any changes.

Smart contracts may pose some legal challenges in Turkish law, including:

-Officially conducted contracts, such as real estate purchase agreements that should take place in the land registry office or vehicle sales agreements that should take place at a notary, cannot be made in the form of smart contracts. Legislation changes would be needed to enable these contracts as smart contracts.

-Contracts that require a specific ceremony, such as marriage contracts officiated by a marriage officer, cannot be executed as smart contracts.

-Parties would not be able to claim a lack of free will when entering into contracts. Claims such as mistake, duress, or undue influence under the Turkish Code of Obligations would be ineffective.

-During the operation of the blockchain, any dispute between the parties cannot be taken to court for the interpretation of the contract. However, regardless of the court’s decision, the fundamental principles of the blockchain will remain unchanged, and the contract will be executed as specified.

-Understanding and implementing the blockchain system, which is highly technical and foreign to the judicial system, will be challenging and time-consuming for the courts. Therefore, it is important to train experts who are knowledgeable in this field.

-Smart contracts require a combination of legal and technical expertise. Therefore, lawyers with coding and technical infrastructure knowledge and programmers with expertise in the legal field are needed.

-There may be confusion regarding which jurisdiction applies to smart contracts.

-If smart contracts are used for unlawful transactions, ethical, moral, and criminal issues may arise.

-When used in consumer transactions, powerful companies could potentially subject less knowledgeable consumers to unfavorable terms through smart contracts.

The UK Jurisdiction Taskforce, in a report published in 2020, stated that smart contracts qualify as contracts under English law, and written agreements can be executed with double encryption (private keys) on the blockchain.

  • NFT (Non-Fungible Token)

NFT, short for “Non-fungible token,” can be described as a unique digital asset recorded on the blockchain, which can be the subject of various legal transactions.

NFTs are based on blockchain technology, similar to cryptocurrencies. However, the distinguishing feature of NFTs is their non-fungibility, meaning that each NFT is unique and cannot be replicated. In other words, no two NFTs are identical. This uniqueness is often referred to as a digital certificate within the blockchain context.

While NFTs are commonly associated with art, they are fundamentally digital data, and this data can encompass various digital contents such as images, audio, video, internet source code, and more. For example, the documentary “Claude Lanzmann: Spectres of the Shoah” was minted as an NFT by Adam Benzine on March 13, 2021. Additionally, in 2021, numerous well-known musicians released their songs as NFTs.

Various Legal Issues Associated with NFTs

  • NFTs and Personal Data 

NFTs can be created from not only works but also from personal actions (e.g., a video of a person making a basketball shot) or personal attributes (e.g., an individual’s photograph or voice). When personal data is included in an NFT, it creates Personal Data Protection Regulation compliance issues. Processing personal data without compliance with data protection laws and often without obtaining clear consent could result in legal violations.

  • NFTs and Sales

When an NFT is purchased, the value is recorded on the blockchain. However, the apparent digital value may not fully reflect the value of the NFT in all aspects. This creates various possibilities. For instance, NFTs can include automatic terms via coding or smart contracts that provide automatic payments to the original creator from every resale or impose conditions detrimental to the buyer.

  • NFTs and Intellectual Property

Under Law No. 5856, an “artwork” is defined as any intellectual and artistic product in the fields of science, literature, music, fine arts, or cinema, bearing the personal characteristics of its creator. NFTs can qualify as artworks if they possess the uniqueness required by the law.

While the transfer of moral rights is not possible, the transfer of economic rights such as reproduction, representation, and communication to the public can be negotiated between parties. However, this transfer is limited to the digital asset recorded on the blockchain.

In recent times, various artworks, whether physical or digital, have been transformed into NFTs through “minting.” These artworks are protected by copyright and other intellectual property laws. In the absence of a written transfer of economic rights under the relevant legislation, creating NFTs from these artworks may constitute a legal violation.

  • NFTs and Taxation

The lack of direct taxation regulations for NFTs poses challenges. This legal vacuum may lead to potential issues related to money laundering and tax evasion. For example, the U.S. Internal Revenue Service (IRS) has clarified that transactions involving cryptocurrencies will be subject to taxation, including capital gains tax.

  1. Artificial Intelligence Law
  • Artificial Intelligence and Its Varieties

Artificial intelligence is a system that emerges as a result of computers and devices having capabilities similar to some human abilities, such as analyzing, problem-solving, and decision-making.

The difference between artificial intelligence and smart contracts is that artificial intelligence makes its own decisions, while in smart contracts, parties come together to create a system in which they determine the outcomes themselves.

Artificial intelligence is categorized into different types today:

Machine Learning: It’s a system in which artificial intelligence structures itself based on the data it collects and the results it deduces from user behavior. For example, recommendations like “people you may know” on social media apps, facial recognition, and online chatbots.

Deep Learning: This system mimics the human brain in data processing and decision-making. For example, self-driving cars, automatic translations, and applications like Siri.

Natural Language Processing: It facilitates interaction between human language and computer language. For example, spell-checking and voice messaging.

  • Legal Aspects of Artificial Intelligence

The legal dimension of artificial intelligence is a globally debated issue, but a comprehensive solution has yet to be found.

  • Artificial Intelligence and Legal Personality

In Turkish law, artificial intelligence does not fall within the definition of “personality” as defined in the Civil Code. Therefore, artificial intelligence is neither a natural person nor a legal entity. This situation results in the need to develop separate legal provisions for artificial intelligence in the field of law.

According to Article 28 of the Civil Code in the section on Real Persons, “Personality begins at the very moment the child is full born and ends by death.” Article 47 states, “Group of persons organized to create a single body and independent property groups constructed for special object, are defined as legal entity as per the provisions contrasting its qualities, relations etc”

Artificial intelligence does not fit into the definitions of natural or legal persons as granted rights and legal capacity by the Civil Code. However, the legal framework has been predominantly constructed with natural and legal persons in mind.

In reports published by the European Parliament, the concept of a “digital personality” for artificial intelligence has been suggested, which would hold it legally and criminally responsible for its actions and transactions.

  • Artificial Intelligence and Intellectual Property Rights

According to the Intellectual and Artistic Works Law, “a work” is defined as “intellectual and artistic products bearing the personality of their owner.” However, in works produced by artificial intelligence, such as a piece of music composed by artificial intelligence, the work bears the personality of the artificial intelligence itself. Since artificial intelligence does not have a personality, it cannot have intellectual property rights. This raises questions about the ownership of the work.

Another debated topic related to artificial intelligence is the protection of personal data. Entities with artificial intelligence, when given explicit consent regarding personal data, often find it difficult to “forget” this data. At the same time, artificial intelligence can analyze vast amounts of data and draw conclusions.

In reports issued by the European Parliament, it has been suggested that artificial intelligence should not be granted intellectual property rights, and the creations of artificial intelligence should be given to the natural and legal persons operating the artificial intelligence.

  • Artificial Intelligence and Legal and Criminal Liability

According to Article 37 of the Turkish Criminal Code, “Each person who jointly commits an act constituting a crime in accordance with the statutory definition shall be criminally liable as a perpetrator.” Additionally, according to Article 20 of the Turkish Criminal Code, “Criminal liability is personal. No one shall be held responsible for the act of another.”

In the Turkish Criminal Code, only natural persons can be perpetrators of a crime. Since artificial intelligence is not a natural person, there is a problem of determining responsibility for crimes committed with artificial intelligence.

According to Article 37/2 of the Turkish Criminal Code, a person who uses another as an instrument in committing a crime is also held responsible as a perpetrator. Therefore, those who produce crime robots with the intention of committing intentional crimes may be held responsible. The issue of liability for crimes committed by artificial intelligence often arises in cases of negligence. In the activities of artificial intelligence, the connection between the person who programmed it and the operations it has learned and defined on its own is often severed. In such cases, the question of whether the operator of artificial intelligence is at fault becomes a matter of debate.

According to Article 49 of the Turkish Code of Obligations, “A person causing harm to another with a wrongful act shall be liable to compensate the damage.” Article 66 states, “An employer shall be liable to compensate for the damage caused by the employee in the course of performing the work assigned to him.” When these two articles are considered together, it can be said that the actions of artificial intelligence will be the responsibility of its owner. However, there may still be problems in determining fault.

In reports from the European Parliament, it was suggested that those operating artificial intelligence should be held accountable under the law and required to take out insurance for the damages they may cause. Additionally, two years ago, the European Parliament passed a decision prohibiting the development and use of autonomous weapon systems that could potentially kill people.

  • Protection of Personal Data in Artificial Intelligence

With the expansion of the use of artificial intelligence, questions related to personal data processing activities have also increased. Especially in the advertising sector, artificial intelligence applications have become a topic of discussion, and the need to define their boundaries has been emphasized.

Artificial intelligence can extract unexpected results from the personal data it collects, results that individuals did not anticipate and did not consent to. The Cambridge Analytica scandal, where an individual’s preferences were accurately determined based on 500 likes on Facebook, serves as an example of this.

Additionally, due to artificial intelligence’s ability to analyze data and derive insights, it is often challenging to completely erase data even when consent to the use of personal data is revoked. The Law on Protection of Personal Data defines a “data controller” as “a real or legal person who determines the purposes and means of processing personal data and is responsible for establishing and managing the data recording system.” In this context, it is conceivable that artificial intelligence could determine the purposes and means of data processing based on its own learning.

To address these concerns, data protection authorities have prepared guidelines specifically for the field of artificial intelligence. In 2020, the UK Information Commissioner’s Office published a guide on “AI and Data Protection.” (https://ico.org.uk/for-organisations/guide-to-data-protection/key-dp-themes/guidance-on-ai-and-data-protection/

In 2021, the Personal Data Protection Authority in Turkey published a guide on “Protection of Personal Data in the Field of Artificial Intelligence.”(https://www.kvkk.gov.tr/Icerik/7048/Yapay-Zeka-Alaninda-Kisisel-Verilerin-Korunmasina-Dair-Tavsiyeler

  • Guide on the Protection of Personal Data in the Field of Artificial Intelligence by the Personal Data Protection Authority

The guide, titled “Recommendations on the Protection of Personal Data in the Field of Artificial Intelligence,” published by the Personal Data Protection Authority, provides recommendations for developers, manufacturers, and service providers, emphasizing the “privacy by design” approach, which includes ensuring compliance with privacy principles in system design. It calls for an approach based on safeguarding fundamental rights and personal data privacy, while ensuring legality, fairness, proportionality, accountability, transparency, accuracy of personal data, and a clear and limited purpose for personal data usage.

The guide also highlights the need to grant individuals the right to object to processes based on technologies that affect their opinions and personal development. It suggests that relevant individuals should be informed when artificial intelligence is used in decision-making processes, and they should be given the opportunity to appeal such decisions.

For decision-makers, the guide emphasizes the importance of accountability at all stages, the establishment of human oversight in decision-making processes, allocation of resources to increase awareness, and raising awareness.

  • European Union Artificial Intelligence Regulation

On April 21, 2021, the European Commission approved the proposal for the Regulation on Artificial Intelligence (referred to as the “Regulation”), which is considered the first legal framework related to artificial intelligence.

On May 11, 2023, the European Union Artificial Intelligence Act was adopted by a large majority in the European Parliament.

On June 14, 2023, the European Parliament approved the European Union Artificial Intelligence Regulation with 499 votes in favor and 28 against. The Regulation is expected to come into effect in 2024.

  • Scope of the EU Artificial Intelligence Regulation:

This Regulation applies to:

(a) Providers offering artificial intelligence systems within the European Union, irrespective of whether they are established within the Union or in a third country.

(b) Users of AI systems within the Union.

(c) Providers and users of AI systems located in a third country when the output generated by the system is used within the Union.

*”User” means any natural or legal person, public authority, agency, or other body using an AI system under their authority, excluding situations where the AI system is used for non-professional purposes (Article 3/4).

Definition and Technological Scope (Article 3):

It defines AI as software that can generate outputs in the form of content, predictions, or recommendations and affect human interactions, based on techniques defined by humans for specific purposes.

Annex 1 – Techniques:

(a) Various machine learning approaches, including supervised, unsupervised, and reinforcement learning, including deep learning.

(b) Logic programming, knowledge representation, knowledge bases, inference engines, and deductive reasoning, including symbolic reasoning and expert systems.

(c) Statistical approaches, Bayesian estimation, search, and optimization methods.

  • Regulatory Areas in the EU Artificial Intelligence Regulation:

The EU Artificial Intelligence Regulation categorizes AI systems into the following risk levels:

Unacceptable Risk

High Risk

Low Risk

Minimal Risk

It prohibits all AI applications that violate EU values and fundamental rights for all AI systems.

Unacceptable-risk AI systems are banned. This category includes AI systems that contradict EU values, such as those that violate fundamental rights and engage in social scoring.

High-risk AI systems have requirements for establishing a quality management system to ensure accuracy and robustness. These systems should operate under human oversight and use data that is fit for the intended purpose. Examples of high-risk systems include AI used in hiring and medical devices. Adequacy assessments are required before deployment.

Low-risk AI systems must provide users with information on their use of AI but do not have further obligations.

Minimal-risk AI systems do not have specific requirements.

The Regulation introduces additional transparency requirements, such as the disclosure of the use of smart software, emotion recognition, biometric categorization systems, and synthetic content (deepfake). Users of AI systems that generate content that significantly resembles individuals, objects, places, or other entities and creates a realistic impression must clarify that the content is artificially generated or manipulated.

Similar to the General Data Protection Regulation (GDPR), the EU Artificial Intelligence Regulation includes sanctions for non-compliance, which may include limitations or prohibitions on the use of high-risk AI systems, market withdrawal, and administrative fines.

—————————————————————————————————————————————————————————

The copyrights pertaining to these lecture notes and all of their content, including the rights to reproduce, distribute, duplicate, represent, transmit via signals, and publicly communicate through any means of text, sound, and/or visual presentation, are protected by the Turkish Intellectual and Artistic Works Law and related legislation.All these intellectual and moral rights belong to Attorney and Lecturer Ozge EVCI ERALP. These lecture notes cannot be duplicated, published, or used without permission, and they cannot be published on internet websites without obtaining the necessary permissions. Ozge Evci ERALP 2023-2024