IT LAW: THE NEW LEGAL PARADIGM? `or` PARADOX? IN THE TECH AGE

IT LAW: THE NEW LEGAL

PARADIGM? `or` PARADOX?

IN THE TECH AGE

1. Introduction: The Digital Tsunami and the Evolution of Law

In our current era, defined by the exponential advancement of information technologies, the law finds itself confronting a "digital tsunami." This new epoch demands that legal frameworks regulate not only human behavior but also the actions of algorithms and autonomous digital systems. The production, processing, storage, and borderless dissemination of information have triggered a profound transformation, challenging the foundational principles and predictive capacity of classical law.

IT Law has emerged as a technology-focused, interdisciplinary field regulating the complex new network of interactions humans have forged via digital tools. Disruptive technologies, particularly artificial intelligence (AI), big data, cloud computing, blockchain, and the Internet of Things (IoT)—have introduced novel phenomena that strain the boundaries of legal interpretation and application.

These developments have brought urgent, fundamental questions to the forefront of the legal world:

• Property : Who is the true owner of data? The individual, the platform processing it, or the device that generated it?
• Liability : When an autonomous vehicle crashes or an AI provides a faulty medical diagnosis, who is responsible? The programmer, the data provider, or the system's owner?
• Copyright Ownership : A piece of music, art, or text originally generated by AI—to whom does the work belong?
• Jurisdiction : When cyber-attacks and data breaches are cross-border in nature, which country's laws will apply, and which court will have jurisdiction?

The answers to these questions must be sought within the inseparable triangle of technology–ethics–law, which lies at the heart of IT law.

2. The Digital Ecosystem and the Scope of IT Law

Contrary to popular belief, IT law is not merely concerned with internet bans or data protection rules. This broad field defines the legal framework for highly technical subjects, ranging from information system design and software development processes to data security protocols, algorithmic governance systems, and digital identity verification mechanisms.

In a legal sense, an information system must be regarded as more than a passive tool; it is an active “data processing actor.” With its dynamic structure that collects (input), processes (process), and produces (output) data, the system often takes autonomous actions on behalf of, or about, the user.

Sub-fields of IT Law:

• Software Law : Intellectual property protection for source code, compiled code, and database structures.
• Data Protection Law : The processing, storage, and transfer of personal data.
• E-Commerce Law : Online contracts, distance sales, and consumer rights.
• Cybercrime Law : Unauthorized access to information systems, data theft, and fraud.
• E-Communications Law : Telecommunications infrastructure and the obligations of internet service providers.

Software Law, is one of the main pillars of IT law. A software's source code, its compiled executable form (binary/executable), and its database structure (schema) are each separately subject to intellectual property protection. Even open-source libraries (e.g., Apache, MIT, GNU GPL licenses) used during development can lead to serious international liability if their license conditions are violated.    

3. The Data Economy, KVKK, and GDPR: The New Frontiers of Privacy

Data is the new currency and the strategic raw material of the digital economy. However, the production and processing of this economic value hold significant potential for conflict with personal privacy and fundamental human rights.

The Law on the Protection of Personal Data No. 6698 (KVKK), in effect in Turkey, aims to protect all personal data processed in digital or physical environments and ensure it is processed lawfully. KVKK defines personal data very broadly as "any information relating to an identified or identifiable natural person." In this context, it is not just a name, surname, or TCKN (national ID number); IP addresses, device IDs, emails, location data, cookie data, and behavioral analysis outputs are also considered personal data. Furthermore, individuals' biometric information is strictly prohibited from being stored on foreign servers, in the cloud, or in similar environments. This is why banks, in particular, are currently unable to fully leverage advancements in cloud security applications. Their use is limited, or they still rely on agent-type applications.

The European Union's General Data Protection Regulation (GDPR) has a global reach and binds all companies offering goods or services to EU citizens, regardless of their geographical location. Fines under GDPR can reach up to 4% of global turnover or 20 million Euros. Under KVKK, fines can reach up to 1.9 million TL.

Additionally, under KVKK, individuals can update their communication consent preferences for various organizations via the “Message Management System (İYS)” through the e-Devlet portal.

4. Artificial Intelligence Law and Algorithmic Justice

Artificial intelligence systems possess the ability to learn, make inferences, and take action without human intervention. This situation has introduced a concept non-existent in classical law: the “autonomous digital entity.”

This autonomy creates a serious vacuum, especially in liability law. Consequently, some legal scholars advocate for granting complex AI systems a limited “electronic personality” status, similar to that granted to corporations.

Machine Learning (ML) models can unknowingly learn and reproduce the biases present in their training data. This leads to algorithmic discrimination. For example:

A hiring algorithm trained on historical, male-dominated hiring data may systematically score female candidates lower.

A crime prediction system trained on data suggesting a specific ethnic group has a higher crime rate might label individuals from that group as "potential criminals."

In Deep Learning models, the decision-making process is often a “black box,” where the logical connection between inputs and outputs cannot be deciphered. This lack of transparency makes legal accountability nearly impossible. To address this, transparency tools such as “Model Cards” (documents explaining a model's capabilities and limitations) and “Data Sheets for Datasets” (documents detailing a dataset's content and collection methods) are being proposed.

5. Intellectual Property, Code, and AI-Generated Content

Artworks created, music composed, texts written, and code snippets generated by AI have now transcended simple productivity tools; they have begun to redefine the very concepts of creativity and authorship.

• US Copyright Office (USCO): Its current approach grants copyright only to content that includes a significant levelof human contribution. An image generated entirely by AI cannot benefit from copyright protection.

• European Union: Discussions are ongoing as to whether content produced through human-AI collaboration could be considered a "joint work," or if the AI could be granted a limited "related right."

The fundamental legal uncertainty in this domain stems from the human-centric nature of the "author" concept. A significant number of new regulations are required in this field. For instance, the images in this article were generated by AI.

6. Cybersecurity, Blockchain, and Digital Contracts

Cybersecurity is not just a technical issue for companies; it is an integral part of national security and the legal order. International standards like ISO/IEC 27001, PCI DSS, etc., provide a framework for organizations to establish information security management systems and serve as crucial proof of fulfilling the legal "duty of care."

Blockchain technology promises secure transactions through its decentralized and immutable record structure. However, the anonymity this structure affords creates serious challenges for Anti-Money Laundering (AML) and counter-terrorism financing (CTF) laws. Furthermore, this anonymity, especially since the COVID-19 pandemic, has contributed to a sharp rise in ransomware attacks, as this technology is used to make payments untraceable.

Smart Contracts are programs that codify an agreement between parties and execute automatically when certain conditions are met. They operate on the "Code is law" principle, but this can lead to irreversible and unjust outcomes in the event of flawed or maliciously written code. When legal intent and the code's intent conflict, which one prevails remains a contentious legal question.

For all these reasons, companies must provide "Information Security" training to all employees in IT and other departments. To ensure this knowledge is retained, structuring the training as a game can be highly effective. A test may also be administered at the end of the training. This training must be constantly renewed and updated, particularly to account for the impact of AI entering our daily lives.

7. Cloud and Edge Computing: The Data Sovereignty Problem

Storing and processing data on servers geographically located in other countries creates the challenge of data sovereignty. For example, if a company in Turkey stores its user data in the Irish data center of a US-based cloud provider, that data may be subject to the laws of Turkey (KVKK), Ireland (GDPR), and the US (laws like the CLOUD Act). This situation leads to complex conflicts regarding data security and legal jurisdiction.

As noted earlier, KVKK does not permit biometric data to be held abroad. Since this poses a significant problem, especially for banks and health institutions, Edge AI systems offer a partial solution by processing data directly on the device without sending it to the cloud. This enhances privacy but makes it even more ambiguous who holds legal responsibility in the event of an error. This is why "agent systems" are still often preferred.

8. Conclusion: The Law of the Future and New Competencies

In conclusion, any action or transaction classically subject to legal regulation can now fall under the purview of IT law. The mandatory element for an action to be evaluated in this context is that information is collected, stored, processed, or transferred in an orderly and rational manner, primarily via electronic machines. In recent years, "Artificial Intelligence" has only added to this conceptual complexity.

IT law is not merely a field that punishes digital crimes or regulates data transfer. This discipline is, at its core, a dynamic structure that draws the social, ethical, and economic boundaries of human-machine interaction. In this new age, the law must build a robust and comprehensible bridge between ethical codes and technical codes.

Therefore, the lawyer of the future is obligated to understand not only legal texts and case law but also the structure of an API, data flow diagrams, basic machine learning algorithms, and cybersecurity protocols. It will not be possible for a lawyer who lacks technological fluency to resolve the complex disputes of the digital age fairly and effectively.

In recent years, IT law, cybersecurity, and information security have attracted significant interest from lawyers as subjects for undergraduate and graduate degrees more than IT staff.

References

1. 6698 Sayılı Kişisel Verilerin Korunması Kanunu (KVKK), 2016.
2. GDPR (General Data Protection Regulation), EU Regulation 2016/679.
3. EU Artificial Intelligence Act, 2024.
4. ISO/IEC 27001:2022 Information Security Management.
5. WIPO (2023) AI and Intellectual Property Report.
6. OECD AI Governance Framework, 2023.
7. Yener, O. (2023). Bilişim Hukuku, Siber Güvenlik ve Dijital Regülasyonlar.
8. Kılıç, A. (2023). Yapay Zeka Hukuku: Algoritmik Adalet ve Etik Sorunlar.
9. Budapest Convention on Cybercrime, 2001.
10. Images – Graphics : ChatGPT 5
    

 This article has been written by Barış Karataş.