Image by Arzu Geybullayeva for Global Voices, created using Canva Pro.
Turkey's new cybersecurity law, enacted on March 13, 2025, has sparked heated debate about its impact on digital rights, freedom of speech, media freedom, and access to information from the moment the bill was introduced in the parliament on January 10, 2025. Many Turkish experts, civil society groups, and international observers saw the law as a potential tool to restrict independent reporting and stifle dissent. The country already has a list of restrictive laws including the disinformation law adopted in 2022. As such, the new law is seen as yet another tool in the hands of the authorities to censor voices and content.
What is in the law?
At its core, the law introduces stringent measures such as criminalizing reporting on data leaks and granting extraordinary powers to the head of the Cybersecurity Directorate, a newly created institution. Critics argue that the law's vague and far-reaching language places disproportionate emphasis on controlling online narratives rather than securing digital infrastructure.
The ruling Justice and Development Party (AKP) introduced the draft bill of 21 articles for the first time on January 10, 2025. The authors of the bill — AKP lawmakers — argued the law aimed to enhance the country's defenses against cyber threats, strengthen national security and safeguard both public institutions and private sector entities. AKP lawmakers believe that the current disinformation law, enacted in 2022, fails to adequately address cybersecurity threats. They assert that the new law will enhance the effectiveness of efforts to combat cybercrimes.
Two out of 21 articles of the law were especially scrutinized: articles 8 and 16. In the original iteration of the bill, article 8 called for broad powers and authority handed to the head of the Cybersecurity Directorate, including the ability to conduct searches, seize materials, and copy digital content without needing prior court approval. In its final version, following backlash during discussions of the bill, the authority to search, copy, and seize data was removed from the text of the law and this authority was given to the prosecutor.
Article 16 in the original version contained two specific terms that also led to disagreements over the bill. The terms “data leak” and “those who spread content,” were replaced in its final version with “cybersecurity related data leak,” and “those who create content.” The prison sentence of five years for violating this article and its provisions remained unchanged. As such, according to paragraph 5 of article 16,
Those who create false content about data leak related to cybersecurity, even though they know that there is no data leak in cyberspace, or those who spread this content for this purpose, shall be sentenced to two to five years in prison.
In its legal analysis of the law, the Media and Rights Studies Association (MLSA) highlighted several problematic nuances, such as punishing journalists working on data security with the same penalties as the perpetrators behind the leaks. MLSA concluded the law is a new censorship tool in the hands of the authorities.
The head of the Cybersecurity Directorate (who will be appointed by President Recep Tayyip Erdoğan as per the newly adopted law), holds the authority to request information and documents from all institutions and organizations and to audit the computer systems of these organizations. In this context, explained MLSA, the head of Cybersecurity Directorate will be able to access and store the data of any institution and organization. Those who refuse to comply with requests will be imprisoned for up to three years.
Such broad powers and punishments are concerning in the context of civil society groups and the work they do as they provide an easy route to the abuse of power with the directorate demanding access to organization's communications, sensitive data, monitoring of their activities. The law could have a chilling effect on freedom of expression — civil society groups may hesitate to express their views in light of threat of imprisonment. The authority to access and store data can seriously jeopardize the right to privacy for organizations and individuals and, in the case of journalists, the privacy of their sources. The law could lead to the targeting of specific groups, some of whom are often critical of the authorities and may face a disproportionate response with the new law, suppressing, and undermining the accountability mechanisms within the democratic processes. It could allow arbitrary interpretation and enforcement, making civil society groups more vulnerable as the law does not clearly define the parameters for compliance and the criteria for action by the directorate.
There are more penalties introduced as part of the law, summarized by independent news site Bianet:
8 to 12 years in prison for carrying out cyber attacks targeting elements of Turkey's national power in the cyberspace;
2 to 4 years in prison and fines for operating without the required licenses and permits;
4 to 8 years in prison for failing to comply with confidentiality obligations;
3 to 5 years in prison for sharing or selling personal or sensitive government data obtained through a cybersecurity breach;
2 to 5 years in prison for falsely claiming that a cybersecurity-related data leak has occurred to cause public panic or defame institutions or individuals.
In addition to the directorate, a Cybersecurity Council will be set up, headed by the president of the country, and will include as members, the head of the Cybersecurity Directorate, the vice-president, the intelligence chief and several ministers, according to reporting by Bianet.
Turkey's long history of data leaks
Turkish citizens have long been exposed to personal data breaches. Some of the documented instances so far include the 2016 breach, when the personal data of some 50 million Turkish citizens (names, addresses, parents’ first names, cities of birth, birth dates, and national ID numbers) were leaked.
In 2017, some 60 million subscribers of Turkey's major GSM operator Turkcell had their personal data breached. In 2021, a cyberattack on the country's biggest food delivery app, Yemeksepeti, resulted in a leak of the data of 19 million customers, including login, phone numbers, emails, and address information.
In 2023, following a hack on the country's main public administration portal e-Devlet (e-State), the personal data of 85 million Turkish citizens and millions of residents were leaked.
In 2024, a cyber attack on the information management system of a local hospital in Istanbul leaked the medical records of millions of patients. The same year, Turkish authorities revealed that a data breach during the pandemic led to the stolen data of over 100 million citizens, including those living abroad, refugees and other individuals whose were registered with official institutions. In January 2025 there was a breach of satellite data.
These examples are by no means exhaustive. And reporting on these breaches has been one way to keep the public informed, even if Turkish citizens do not expect any privacy online or better protection of their personal data.
It is in light of these examples, and the country's overall score on freedoms, in particular with freedom of the media and expression, that implications of the new cybersecurity law should be assessed. In an interview with Turkey ReCap, Özgür Ceylan, the commission spokesperson of the main opposition Republican People's Party (CHP), said:
In a situation where critical views and the right to inform the public are already faced with the risk of arbitrary punishment, this regulation will pave the way for them [the ruling government] to go one step further. In this context, posts claiming data leaks or breaches of cybersecurity that closely concern the public could be targeted. Individuals’ ability to express themselves freely may be restricted, and people who report data breach claims may be tried under this crime — foreseeing heavy penalties.
Already, within the scope of the 2022 disinformation law, there are at least 66 investigations of journalists and over 4,500 inquiries into individuals accused of “spreading misleading information,” launched since 2022.