Turkish Parliament enacts new cybersecurity law

The Cybersecurity Law Proposal has been accepted and passed into law by the Turkish Grand National Assembly (TBMM). The law, which has raised concerns regarding potential arbitrary restrictions on personal data protection, privacy, and freedom of expression, was approved in the General Assembly with 246 votes in favor and 102 votes against.
One of the controversial provisions, related to the powers of the president of the Cybersecurity Board to carry out searches, seize copies, and confiscate property, was amended through a proposal from the ruling Justice and Development Party (AK Party). The amendment removed the clause granting these powers to the president.

Another controversial article, Article 16, paragraph 5, was also altered by an AK Party proposal. The original wording of the article stated: “Anyone who creates or disseminates content that falsely claims a data leak has occurred in cyberspace to cause public fear, panic, or target institutions or individuals will face imprisonment from two to five years.” Through the proposal, the phrase “data leak” was changed to “cybersecurity-related data leak.”
The newly passed law emphasizes that cybersecurity will be an integral part of national security. The primary objective is to protect critical infrastructure and information systems while creating a secure cyberspace.
Cybersecurity efforts will be based on institutionalism, continuity, and sustainability, with measures applied throughout the entire lifecycle of services and products.
Key provisions of Cybersecurity Law include:
- Preference for domestic products: Domestic and national products will be prioritized in ensuring cybersecurity.
- Personal data and commercial secrets: Any personal data or commercial secrets obtained under the defined powers will be deleted, destroyed, or anonymized if the reasons for accessing the data no longer exist.
- Cybersecurity board composition: The Cybersecurity Board will consist of the President of Türkiye, Vice President, Minister of Justice, Minister of Foreign Affairs, Minister of the Interior, Minister of National Defense, Minister of Industry and Technology, Minister of Transport and Infrastructure, Secretary-General of the National Security Council, Director of the National Intelligence Organization (MIT), President of the Defense Industry, and the Cybersecurity President.
- Penalties for cyber attacks: Individuals who carry out cyberattacks on components that constitute Türkiye’s national power in cyberspace or who possess any data obtained through such attacks in cyberspace will face imprisonment ranging from eight to 12 years.
- Failure to provide information or prevent access: Those who fail to provide information, documents, software, data, or hardware requested by authorized authorities or inspection officers or prevent access to these materials will be punished with imprisonment from one to three years, along with a judicial fine ranging from 500 to 1500 days.
- Failure to maintain confidentiality: Individuals who fail to fulfill their duty to maintain confidentiality or misuse their duties and powers will face imprisonment from four to eight years.
With these amendments, the Turkish government has established comprehensive measures to enhance cybersecurity while addressing concerns about the balance between security and individual rights.