In a move that has stirred significant controversy, Turkey’s Parliament has passed a new cybersecurity law, despite strong opposition from rights groups, political figures, and legal experts. Critics warn that the legislation could lead to extensive surveillance, limit free speech, and enable potential abuses of governmental power.
Approved late Tuesday with a vote of 246 to 102, the 21-article law introduces extensive government oversight and expands the authority of the Cybersecurity Directorate, a body created by President Recep Tayyip Erdoğan earlier this year. Its passage follows weeks of intense debate, with opponents raising alarms over the increased powers it grants the executive branch and the potential threats to privacy and free expression.
Government Oversight and Centralization of Power
One of the key concerns raised is the law’s establishment of a Cybersecurity Board, which will oversee its implementation. The board will include high-ranking officials such as the president, vice president, and heads of various ministries and security agencies. Critics argue that this structure centralizes cybersecurity policy under the direct control of the president, sidelining independent oversight mechanisms that are crucial to ensuring transparency and accountability.
Prison Sentences for False Cybersecurity Information
Under the new law, individuals who spread false information related to cybersecurity breaches with the intent to create panic or target specific institutions or people could face prison sentences of up to five years. This provision has raised concerns about the potential misuse of the law to suppress dissent and limit press freedom, particularly in an era where the dissemination of information is crucial for transparency.
Moreover, the law imposes strict regulations on cybersecurity service providers, mandating that they comply with government-approved regulations and report security breaches to authorities. Failure to comply could lead to significant fines or criminal charges, which some see as a tactic to increase government control over private sector cybersecurity operations.
Controversial Provisions and Revisions
Perhaps the most contentious element of the law was Article 8, which initially granted the head of the Cybersecurity Board sweeping powers to conduct searches, seize data, and duplicate digital records. However, in response to widespread objections, the ruling Justice and Development Party (AKP) amended the bill, removing this provision entirely. Another revision was made to Article 16, which originally criminalized the spread of false information regarding data leaks. After concerns emerged that this could be used to stifle journalists and whistleblowers, the language was changed to focus specifically on “cybersecurity-related data leaks.”
Despite these amendments, many critics remain uneasy, particularly due to the vague language used throughout the law. This ambiguity, they argue, could lead to the criminalization of legitimate reporting on cybersecurity issues. The main opposition party, the Republican People’s Party (CHP), is preparing to challenge the law in Turkey’s Constitutional Court.
Growing Criticism Over Impact on Press Freedom
Yüksel Mansur Kılınç, the CHP spokesperson in the parliament’s Security and Intelligence Committee, has expressed strong opposition to the law, calling it “unacceptable” that the relationship between the Cybersecurity Board and the National Security Council’s Secretariat-General remains undefined. CHP members have also criticized the law for undermining press freedom and privacy rights, framing it as a tool to enable authoritarian governance.
Orhan Sarıbal, a CHP MP, also condemned the law, warning that it could pave the way for an oppressive regime. “This regulation is being used as a means to eliminate the rule of law and pave the way for a transition to a ‘super dictatorship,’” he argued.
The Turkish Journalists’ Association (TGS) echoed these concerns, arguing that the broad powers given to the Cybersecurity Board, coupled with vague legal language, could be used to silence investigative journalists and cover up critical information.
Warnings from Legal Experts
Law professor Bahadır Erdem voiced his concerns on a recent Halk TV program, cautioning that the law could result in the imprisonment of anyone who speaks out against the government. This fear is compounded by the government’s track record of mishandling data breaches, which has led to criticism from both the public and experts.
While Turkish authorities have acknowledged some cybersecurity breaches in the past, including during the pandemic, they have consistently denied allegations of more recent incidents. Notably, journalists like İbrahim Haskoloğlu and Cevheri Güven have reported on systemic vulnerabilities in Turkey’s cyber infrastructure, including the use of pirated software in government facilities. Haskoloğlu was arrested in 2022 after revealing a major data breach involving government databases.
The passage of Turkey’s cybersecurity law marks a significant shift in the country’s approach to digital security and surveillance. While the government argues that it is necessary to protect national security and address emerging cyber threats, critics remain deeply concerned about its potential to infringe on basic freedoms, including privacy and freedom of the press. As the law faces challenges in the Constitutional Court, its implementation will likely continue to be a subject of intense debate.