Artificial Intelligence, Law, and the Human: What the European AI Act Tells Us

The European AI Act is the first comprehensive legal framework adopted by the European Union to regulate artificial intelligence systems. Officially known as Regulation (EU) 2024/1689, the Act was adopted on 13 June 2024, published in the Official Journal of the European Union on 12 July 2024, and entered into force on 1 August 2024. Its provisions will apply gradually, with most of the Act becoming fully applicable as of 2 August 2026.

This law is not a flawless text that answers every ethical, legal, and social question raised by artificial intelligence. That would not be a realistic expectation. AI is developing rapidly, its areas of use are constantly expanding, and many of its effects only become visible through use. For this reason, the European AI Act should be read not as a final solution but as an important starting point that seeks to bring the concrete short-term risks of AI under regulatory control.

The Act is based on a risk-based regulatory approach. Under this logic, not all AI systems are treated as equally dangerous or equally harmless. A recommendation algorithm does not carry the same social weight as a system that can affect whether a person is hired, granted access to credit, evaluated in education, or allowed to cross a border.

This is why the real importance of the European AI Act lies not in trying to stop artificial intelligence altogether but in creating a reference point for transparency, oversight, responsibility, and the protection of fundamental rights in areas that directly touch human life. On the one hand, the Act aims to support the development of trustworthy and human-centric AI. On the other hand, it places health, safety, fundamental rights, democracy, the rule of law, and environmental protection at the center of regulation.

In this article, I will approach the European AI Act through this very tension. I will discuss what the law seeks to protect today, what kind of control mechanism it introduces for the use of AI, where it leaves gaps, and what kind of reference point it may offer for countries such as Turkey, which will also have to define its own path in the field of artificial intelligence.

Not Perfect, But a Necessary Control Mechanism

The risk-based approach of the European AI Act classifies artificial intelligence not as an abstract technology but according to the context in which it is used and the impact it may have on human beings. A music recommendation algorithm cannot be evaluated in the same way as a system that affects whether a person is hired. A chatbot and a biometric identification system used in border control do not carry the same social and legal weight. This approach matters because discussions around AI often get trapped between two extremes. On one side are those who see AI as an almost limitless field of progress; on the other are those who read every use of AI as a threat from the start. Yet the real issue is not the mere existence of the technology but where it is used, how it is used, what data it relies on, and who it is used on. The European AI Act makes this distinction visible.

The Act classifies certain practices as unacceptable risk. Systems that manipulate human behavior, exploit people's vulnerabilities, or classify and punish people across different areas through a logic similar to social scoring are at the center of this discussion. Social scoring is a particularly critical example. Such a system carries the risk of evaluating a person not through a single behavior in a specific context but through a general score that follows them across different areas of life. If access to public services, financial opportunities, or other areas is affected by this logic, the person may cease to be treated as a rights-bearing subject and instead become an object that is constantly measured and ranked.

Biometric identification systems are equally sensitive. These systems turn a person's face, voice, gait, body, or other identifying characteristics into data. This data is not merely a technical tool for verification; it is also connected to privacy, surveillance, and the digital traceability of the body. Today, many technologies, from phones and smartwatches to augmented reality products and security systems, make bodily and behavioral data more visible. The uncontrolled spread of biometric systems is therefore not only a matter of individual privacy but also a broader question about how we exist in public space.

The European AI Act attempts to draw certain red lines in these areas. Its aim to prohibit practices such as social scoring and to subject biometric identification and emotion recognition systems to certain conditions is valuable in this respect. Still, even though the Act recognizes these risks, it does not eliminate all of them. The exceptions left in areas such as law enforcement, border management, migration, and national security are among the points most frequently criticized by human rights organizations. In other words, while the Act acknowledges that these areas are dangerous, it also leaves certain doors open in some of the most sensitive contexts of use. For this reason, the European AI Act must be read with two things in mind at the same time. It is an important step because it recognizes the impact of AI on human rights. At the same time, it remains open to debate whether it is strong enough in the areas where those rights become most fragile.

Is Regulation the Opposite of Innovation?

One of the most common objections to AI regulation is that rules will slow down innovation. This objection should not be dismissed entirely. Rules that are too heavy, unclear, or impossible to implement can indeed be challenging, especially for small startups and technology developers. Yet this does not mean that the field of AI should be left without rules.

Law and regulation often come not before innovation but after it. First, a technology develops, spreads, and makes its risks visible; then society begins to discuss the boundaries within which that technology should be used. This has often been the case in transportation, healthcare, finance, pharmaceuticals, the internet, and data protection. Rules usually emerge not to stop invention but to make it safer for human life.

For this reason, the European AI Act should not be seen as an obstacle positioned against innovation. It is more accurate to view it as a control and reference mechanism for systems that have already entered our lives. Biometric scanning systems, algorithmic decision-making tools, chatbots, applications that process health data, and transportation technologies are already in use. The real question is not whether they will be used but within which boundaries, under which transparency principles, and with which responsibility mechanisms.

Chatbots are a good example in this respect. People often interact without knowing whether they are speaking to a real human being or an AI system. This knowledge changes human expectations. A person who believes they are speaking to a customer service representative may have a different level of trust, disclose different information, and hold different expectations than someone who knows they are speaking to an AI system. This is why transparency is not merely a technical detail. Knowing whether the entity in front of us is a human being or a system is necessary for protecting our own behavior and decisions.

The same issue becomes even more pronounced in high-risk areas such as education, healthcare, and transportation. In education, AI is not used only to prepare materials. It can also be used to track students' development, evaluate their performance, or guide their learning processes. If such a system operates with errors or bias, it may have lasting effects on a student's future. In healthcare, when AI is used as a decision-support system, an error is no longer merely a technical error; it may directly affect human health. In transportation, autonomous or semi-autonomous systems raise serious questions about safety, testing processes, and responsibility.

In these areas, regulation is necessary not to stop innovation but to make trust possible. A technology that society does not trust can hardly develop in a healthy way over the long term. An AI ecosystem in which people do not know how their data is used, cannot understand how systems make decisions, cannot contest errors, and cannot see where responsibility lies does not only create a legal problem. It also creates a social crisis of trust.

This is why the risk-based approach of the European AI Act does not have to be the enemy of innovation when implemented properly. On the contrary, by providing predictability and trust in high-risk areas, it can help create a healthier environment for innovation. For this to happen, however, the Act must be implemented in a way that is understandable, applicable, and attentive to actors of different scales.

What the Act Protects and Where It Leaves Gaps

One of the strongest aspects of the European AI Act is its attempt to bring AI into a human rights framework. The Act does not treat trustworthy AI as merely a system that works correctly from a technical point of view. A system may be fast, efficient, and impressive. If it produces discrimination, processes personal data disproportionately, makes decision-making opaque, or weakens a person's ability to object, it cannot truly be considered trustworthy.

In this approach, the human being is not merely a user or a source of data for AI systems. The human is also understood as someone affected by these systems, someone whose rights must be protected and who must be able to object to decisions when necessary. The European AI Act does not place the human outside the system; it treats the human as the central element that must be protected from the system's effects.

Of course, this approach has its limits. The main criticisms directed at the European AI Act by civil society organizations reveal precisely those limits. Although the Act offers an important framework from a human rights perspective, it leaves serious uncertainties around transparency, surveillance, migration, border management, national security, and access to remedies.

The introduction of transparency obligations for high-risk AI systems is a positive development. At the same time, critics argue that public oversight may remain limited in certain private-sector uses as well as in areas such as law enforcement, migration, asylum, and border control. Yet the risk of rights violations is often higher precisely in these areas. When an AI system is used at the border, in a migration application, in a security assessment, or in policing, the affected person may already have limited access to remedies. If transparency is reduced in such contexts, oversight becomes even more difficult.

Fundamental rights impact assessments create a similar debate. It is an important gain that such assessments are foreseen for high-risk systems. Even so, it remains contested whether these assessments will be meaningful in practice, who will be involved in them, and whether they will actually help prevent risks. If affected people, civil society, independent experts, and the public remain outside these processes, fundamental rights assessments may turn into bureaucratic forms rather than real tools of protection.

The national security exception is one of the most sensitive issues. It is understandable that every state has certain powers in the field of national security. Still, when this concept is interpreted too broadly, it may become a door through which systems escape fundamental rights oversight. If biometric surveillance, mass monitoring, or risk classification systems are removed from transparency and oversight on national security grounds, some of the most dangerous forms of AI use may not become illegal; instead, they may move into areas that the law can no longer see.

Migration and border management must also be approached with particular care. Migrants, asylum seekers, and people at borders are often already in vulnerable positions, with limited access to remedies and facing language and status barriers. If AI systems are used on these groups while transparency and oversight remain weaker, the Act's rights-based claim loses strength precisely where it is most needed.

For this reason, it is not enough to describe the European AI Act simply as a "rights-based law." A more accurate formulation would be this: the Act is an important beginning that seeks to bring AI into a rights-based framework, yet because of the exceptions it leaves in the highest-risk areas, it is also a text that must be continuously monitored, criticized, and strengthened.

The Chain of Responsibility and Human Oversight

AI systems are often not developed by a single actor and then delivered directly to the user. One company may develop a model, another may integrate it into its own product, another organization may purchase the system, and a public institution or private company may use it in decision-making processes. In such a layered structure, one of the most basic questions is who will be responsible when something goes wrong.

One important aspect of the European AI Act is that it does not concentrate responsibility in a single point. Actors who develop, place on the market, import, distribute, integrate into products, or use AI systems are treated under different roles. This approach is more consistent with the actual structure of the AI economy. In the age of AI, responsibility does not belong only to the company that developed the model. The purpose for which a system is used, whether it has been modified, and the context in which it is deployed are also important.

This is especially critical for deploying organizations. If a company or public institution uses an existing AI system, it cannot always avoid responsibility by saying, "We did not produce this system." If the system evaluates, ranks, eliminates, or affects people's access to certain rights, the organization using it also has duties of oversight, explanation, and responsibility. Using AI should not mean transferring responsibility to the system.

This is where the concept of human oversight becomes important. Human oversight does not simply mean that a person is symbolically present at the head of the system. Real oversight requires a human presence that understands the limits of the system, can recognize its errors, intervene when necessary, and take responsibility for the decision. Otherwise, the human becomes merely an approval mechanism covering over an automated decision.

AI literacy also becomes important at this point. In the age of AI, literacy does not only mean being able to use these tools. It also means knowing when an output should be questioned, understanding what kinds of data may influence a system, recognizing the possibility of bias and error, and seeing that automation does not always mean neutrality. This skill will become increasingly essential, especially for public institutions, companies, educators, healthcare professionals, and decision-makers. One of the things the European AI Act reminds us is that no matter how advanced AI systems become, human responsibility in decision-making processes must not be allowed to disappear. Technology may become part of the decision-making process, but the social and legal consequences of those decisions still emerge in the human world.

Why This Law Will Have to Keep Changing

The European AI Act will inevitably be debated again in the medium and long term. This is not only because of the Act's shortcomings but also because of the nature of the AI field itself. Systems that we consider high-risk today may take different forms within a few years. AI systems that we now place in separate categories may become integrated into one another tomorrow. As general-purpose AI models become the infrastructure for many different systems, from education and healthcare to law and public services, existing classifications may also be strained.

For this reason, the success of the European AI Act will not lie in remaining unchanged. It will lie in its ability to be updated without losing its human rights orientation when new risks emerge. The fact that the Act began to be discussed again shortly after entering into force, through debates on implementation, simplification, and competitive pressure, already shows that AI law is not a fixed field. Law is trying to follow a technology that is constantly moving.

This will not be easy. On the one hand, human rights, transparency, and oversight must be protected. On the other, Europe and other countries are concerned about not falling behind in the global technology race. Expressions such as "simplification" and "supporting innovation" should therefore be read carefully. Sometimes it is truly necessary to reduce unnecessary bureaucracy. If oversight obligations are weakened in the name of simplification, however, the human rights claim of the Act may also erode.

For this reason, the real test of the European AI Act will not only be in its text but in its implementation. How institutions will conduct oversight, how companies will interpret their obligations, how much civil society will be included in the process, how accessible remedies will be for individuals, and how far exceptions will be expanded will determine the Act's real impact.

What Does It Mean for Turkey?

The European AI Act is an important reference point not only for Europe but also for countries such as Turkey, where the use of AI is growing rapidly. I do not think Turkey needs to copy this law exactly. Every country has a different technological capacity, economic structure, entrepreneurial ecosystem, public administration, and institutional oversight capacity. Applying a regulatory model as strict or complex as Europe's in the same way could create implementation problems in some areas in Turkey.

This does not mean that Turkey should wait on this issue. On the contrary, Turkey needs a clear legal framework that defines how AI is used within the country, what risks citizens face in relation to these systems, and under which rules entrepreneurs will operate. AI systems will increasingly be used in education, healthcare, customer service, financial processes, public services, security, and business in Turkey as well. As this use expands, legal gaps will become more visible.

For Turkey, the main issue should not be to adopt the European AI Act as it is, but to learn from its risk-based approach. Which AI systems are low risk and which are high risk? In which areas should transparency be mandatory? How should biometric data be protected? What kinds of oversight should apply when public institutions use AI? How should citizens' right to object be guaranteed? These questions will become unavoidable for Turkey as well.

When such a law is prepared, the process should not involve only lawyers or politicians. AI experts, data protection specialists, human rights advocates, educators, healthcare professionals, entrepreneurs, SME representatives, and civil society should also be included. AI is not merely a technical field; it is a broad social field that affects working life, education, public services, data, the body, privacy, and the relationship between citizens and institutions.

In countries such as Turkey, which are still developing in the field of technology, the language of regulation must be built carefully. Rules that are too strict and impractical may make entrepreneurship difficult. Having no rules at all, on the other hand, may leave citizens defenseless against the unregulated use of AI by companies, platforms, or public institutions. What Turkey needs is neither uncontrolled freedom nor rigidity that blocks development. The real need is a balanced framework that protects human rights, provides predictability for entrepreneurs, and establishes clear oversight mechanisms in high-risk areas.

In this respect, the European AI Act is not a perfect model for Turkey, but it is a strong starting point. At the very least, it shows us which questions we need to ask.

The First Legal Threshold for Artificial Intelligence

The European AI Act is neither an anti-technology law that seeks to stop AI nor a flawless text that fully protects human rights. Rather, it is a historic threshold showing that artificial intelligence has now become a matter of law, public oversight, and social responsibility.

The most important aspect of this law is that it tries to make visible the effects of AI systems on human life. It reminds us that we must look not only at how efficient a system is, but also at what risks it carries, who it is used on, what data it is trained on, how it is supervised, and who takes responsibility when something goes wrong.

The Act also shows that protecting human rights is not possible merely by writing well-intentioned principles. Without transparency, oversight, the right to object, accessible complaint mechanisms, civil society participation, and a continuously updated legal framework, AI regulation can easily remain on paper. This is why the European AI Act should be seen as important but unfinished. In the short term, it is a valuable attempt to bring some of the risks created by AI under control. In the medium and long term, its real value will be measured by how effectively it can be implemented, where it can be strengthened, and whether it can be reformed without losing its human rights orientation.

Human rights will not protect themselves in the age of artificial intelligence. Protection is only possible through rules, oversight, transparency, the right to object, and an understanding that sees the human being not as the passive object of the system but as a rights-bearing subject. What the European AI Act ultimately tells us is that as AI advances, we must build the legal and social ground that protects the human with the same seriousness.