In the Information Note on Chatbots (e.g., ChatGPT) published by the Personal Data Protection Authority on its official website on 8 November 2024, fundamental details about chatbots were presented, accompanied by assessments within the context of personal data protection and principal considerations for application development. Moreover, the document highlighted the necessity for chatbots to adhere to the stipulations set forth in the Personal Data Protection Law No. 6698 and to align with international standards, with the aim of guaranteeing the security of personal data.
The Information Note on Chatbots (e.g., ChatGPT) (“Information Note”) addresses the integration of chatbots in various sectors, including customer support, content creation and information access. The Information Note also considers the legal responsibilities that arise from this integration. Although chatbots imitate human speech through the use of natural language processing (NLP) and machine learning, the fulfilment of obligations set forth in Personal Data Protection Law No. 6698 (“DP Law”) and international standards for the processing of personal data is also a key aspect.
In this context, the Information Note outlines a number of issues related to data privacy and security. These include:
- The processing of a variety of personal data by chatbots, including user credentials, message content, device information and IP addresses, the specifics of which depend on the application and context of use.
- The necessity for users of chatbots to be informed about the manner in which their data is processed, including details of data storage, sharing practices and security measures.
- The necessity of addressing privacy concerns related to users’ preferences regarding the processing of their personal data by a chatbot and the importance of user awareness and education.
- The potential risk of data breaches due to users sharing information at a level that could compromise their privacy (e.g., oversharing), stemming from a lack of user awareness, as well as the susceptibility of chatbot applications to cyberattacks due to technical vulnerabilities.
- The requirement to comply with data protection legislation, including the DP Law, in order to ensure that data processing can be carried out in a manner consistent with lawful practice. It also emphasizes the need to comply with international standards, to be certified, and to consider privacy by design and privacy by default approaches at every stage of the application development process.
- The necessity to conduct a risk assessment before processing personal data, to follow the general principles laid down in the legislation on the protection of personal data and the principle of accountability when defining practices, to comply with the conditions for processing personal data laid down in the DP Law and to explain the legal basis for the processing. It also underlines the importance of the fulfilment of the obligation to provide information in accordance with the DP Law and the adoption of the necessary technical and administrative measures regarding the security of personal data.
The full text of the Information Note can be reached via this link. (Only available in Turkish)