Levent Kenez/Stockholm
An ambitious cybersecurity bill recently introduced in the Turkish Parliament has drawn harsh reactions, with critics raising alarms over potential threats to human rights and individual freedoms. While the bill aims to bolster the nation’s defenses against escalating cyber threats, its provisions have sparked concern about surveillance, data privacy and the concentration of authority in government institutions.
The bill was passed by parliament’s National Defense Committee on January 20 and has been submitted for floor approval. The bill is expected to be fast-tracked through parliament to provide a legal foundation for the Cybersecurity Directorate, established by President Recep Tayyip Erdogan on January 8.
The proposed legislation grants sweeping authority to the newly established directorate, including the ability to collect and store extensive data from public institutions and critical infrastructure providers. Article 6 allows the directorate to gather log data and transfer it to its systems, raising fears of unchecked surveillance.
Additionally, Article 8 permits on-site inspections and private searches of homes and workplaces with minimal safeguards. In “urgent” cases, such actions could proceed without prior judicial approval, prompting concerns over potential abuse and violations of privacy rights.
Key terms such as “cyber threat” and “critical infrastructure” remain vaguely defined in the text of the bill. Critics argue that this ambiguity could lead to arbitrary enforcement and overly broad applications of the law, disproportionately impacting individuals, organizations or businesses deemed to fall in these categories. Journalists and civil society groups have expressed alarm over Article 16, which imposes severe penalties, including imprisonment, for spreading “false information” about data leaks or targeting institutions with unverified claims. This provision, they argue, could be used to stifle whistleblowers, investigative reporting or dissenting voices under the guise of protecting national cybersecurity.
Text of the proposed cybersecurity bill submitted to parliament:
Under articles 5 and 6, the directorate is positioned as the central authority for implementing and enforcing cybersecurity measures. However, the lack of an independent oversight mechanism raises concerns about unchecked power. Judicial safeguards appear limited, particularly with provisions allowing data collection and invasive actions to occur without sufficient judicial review in urgent situations.
Another contentious aspect of the bill is its provision for sharing data with international entities (Article 6). Critics warn that the absence of explicit data protection measures could expose sensitive information to misuse by foreign governments or organizations.
While the bill includes a commitment to human rights and the rule of law in Article 4, the lack of specific protections for individual privacy and freedom of expression has drawn significant scrutiny. Civil liberties advocates are calling for a more balanced approach that addresses national security concerns without compromising democratic principles.
Saadet (Welfare) Party MP Alev Sezen strongly criticized the new bill, highlighting its controversial measures. Sezen wrote on X that “the law and the legal profession have never been devalued as much as they are during this era,” emphasizing that “the ability to order searches in homes and workplaces, including seizing and copying data, without sufficient judicial oversight, is a dangerous precedent” and adding, “This bill shifts essential judicial powers to a politically affiliated institution, undermining the integrity of our legal system.”
The Freedom of Expression Association also voiced strong concerns about the bill. In a public statement on January 16 the association detailed the serious risks the bill poses to fundamental human rights, including freedom of expression, personal data protection and privacy. While the bill claims to strengthen national cybersecurity, it introduces provisions reminiscent of an “Orwellian” approach, granting the proposed Cybersecurity Directorate sweeping and unchecked powers. These provisions risk directly curtailing individual rights and freedoms, the association warned.
The association emphasized that the bill’s reliance on vague concepts, such as “critical infrastructure” and “critical public services,” coupled with disproportionate judicial and administrative penalties, violates the principle of legal certainty. The delegation of authority to define these terms to the directorate (under Article 5) undermines parliamentary oversight and could lead to arbitrary classifications of institutions, including autonomous entities such as universities. This concentration of authority raises significant constitutional concerns, including violations of the principle of legality enshrined in Article 123 of the constitution. The association urged parliament to either substantially revise or completely withdraw the bill to safeguard fundamental rights and democratic principles.
The proposed law comes at a time when cybersecurity threats are rising locally. Concerns about the security of personal data in Turkey have grown following a series of high-profile revelations and increasing allegations of state database breaches. Media reports have highlighted how citizens’ personal information, including sensitive data from government databases, has been offered for sale online for as little as $20 to $30. Opposition lawmakers have even presented documented evidence in parliament, demonstrating the widespread availability of such data. Among the most alarming claims are repeated breaches of the Supreme Election Council’s (YSK) database and the alleged lack of security of the Ministry of Health’s records.
In a striking demonstration of these vulnerabilities, journalist İbrahim Haskoloğlu published copies of identity documents purportedly belonging to President Recep Tayyip Erdogan and then-National Intelligence Organization (MİT) leader Hakan Fidan in 2022. Haskoloğlu shared the images on social media on April 12, 2022, stating that he had been approached by a hacker group that claimed to have stolen data from the government website E-devlet, where citizens’ information is stored and other state platforms. “About two months ago, a hacker group contacted me during a broadcast,” Haskoloğlu wrote. “They claimed they had accessed data from the E-devlet and other state websites and were still leaking this information. They even shared details of some government officials with me, including new identity cards.” Haskoloğlu’s exposé drew sharp attention to systemic weaknesses in data security but also resulted in his arrest on April 19, 2022. He was detained for eight days before being released to stand trial.
