Turkey

Overview

Turkey’s privacy landscape is shaped by the tension between a civilian data protection framework modeled on the GDPR and an expansive state surveillance apparatus with limited judicial oversight. The Personal Data Protection Law No. 6698 (KVKK), enacted in March 2016, established Turkey’s first comprehensive data protection regime and an independent authority. Turkey ratified the Council of Europe’s Convention 108 in February 2016, and the KVKK was drafted in part to satisfy EU accession conditions — Turkey has been an EU candidate state since 1999, though accession negotiations have been effectively frozen since 2018. Turkey does not hold an EU adequacy decision for data transfers.^[1][2]

Behind this framework, Turkey operates one of the most extensive internet censorship regimes among Council of Europe members. In 2024, authorities blocked access to over 311,000 websites and 740,624 domain names. Freedom House rates Turkey’s internet freedom score at 31 out of 100 (“Not Free”) — the lowest in Europe. The National Intelligence Organization (MİT) received vastly expanded surveillance powers in 2014, and the failed coup of July 2016 triggered a crackdown that has resulted in over 113,000 arrests, with the encrypted messaging app ByLock used as primary evidence for tens of thousands of convictions.^[3][4]

Snowden documents revealed that Turkey occupies a dual role for the NSA: it is both the agency’s “oldest partner in Asia” and a leading surveillance target. The NSA provided Turkey with hourly PKK location data while simultaneously infiltrating the computers of Turkey’s top political leaders through the “Turkish Surge Project Plan” beginning in 2006. Turkey has been a NATO member since February 18, 1952, and a Council of Europe member since April 13, 1950.^[5][6]

Data Protection Authority: KVKK

The Personal Data Protection Authority (KVKK — Kişisel Verileri Koruma Kurumu) was established by Law No. 6698, which was ratified on March 24, 2016 and published in the Official Gazette on April 7, 2016. The Authority became operational in January 2017 and is governed by a nine-member Personal Data Protection Board appointed by the President and Parliament. The KVKK operates the VERBİS (Data Controllers’ Registry Information System), a publicly accessible registry in which all data controllers — domestic and foreign — must register before processing personal data.^[1][7]

Notable Enforcement Actions

Total administrative fines imposed in 2024 reached TRY 552,668,000. For 2025, the fine ranges were updated: failure to inform data subjects (Article 10) carries fines of TRY 68,083–1,362,021; failure to provide data security (Article 12) carries fines of TRY 204,285–13,620,402; and failure to register with VERBİS (Article 16) carries fines of TRY 272,380–13,620,402. Turkey does not currently hold an EU adequacy decision.^[11]

Key Legislation

Personal Data Protection Law No. 6698 (KVKK)

Turkey’s comprehensive data protection law, ratified March 24, 2016 and effective April 7, 2016. Modeled substantially on the EU Data Protection Directive (95/46/EC) and later aligned more closely with the GDPR through 2024 amendments. Key provisions include: consent-based processing with enumerated exceptions, purpose limitation, data minimization, mandatory data breach notification, cross-border transfer restrictions, and data subject rights including access, correction, and deletion. A March 2024 amendment to Article 9 restructured international data transfers by introducing adequacy decisions, standard contractual clauses (SCCs), and binding corporate rules (BCRs), eliminating explicit consent as a transfer mechanism after September 1, 2024.^[1][12]

Law No. 5651 (Internet Regulation)

The Regulation of Publications on the Internet and Suppression of Crimes Committed by Means of Such Publications, enacted May 4, 2007, is Turkey’s primary internet censorship law. Amended significantly in 2014, 2020, and 2022. The law empowers the Information and Communication Technologies Authority (BTK) and courts to order content removal or access blocking. Social network providers with over one million daily Turkish users must appoint a local representative, respond to content complaints within 48 hours, and store Turkish user data in Turkey. Non-compliance triggers escalating sanctions including fines, advertising bans, and bandwidth throttling of up to 90%. The Venice Commission of the Council of Europe has raised concerns about the law’s breadth and its potential for abuse.^[13][14]

Anti-Terror Law No. 3713

Published in the Official Gazette on April 12, 1991. Defines terrorism broadly as “any kind of act done by one or more persons belonging to an organization” using “force and violence, pressure, intimidation, and oppression.” Grants police authority to detain persons for 24 hours without a warrant for crimes involving force, and expanded police search-and-surveillance powers. International human rights organizations have criticized the law’s vague and broad definition of terrorism, which has been used to prosecute journalists, academics, and human rights defenders.^[15]

MİT Organization Law No. 2937 (2014 Amendments)

The Law Amending the Law on State Intelligence Services and the National Intelligence Agency (No. 6532), approved April 17, 2014, vastly expanded MİT’s powers. The agency can now collect communications data relating to “external intelligence, national defense, terrorism, international crimes and cyber security” passing via telecommunications channels without a court order. MİT can demand private data from banks, archives, companies, and public bodies, with failure to comply punishable by two to five years imprisonment. Journalists and editors who publish leaked intelligence material face up to nine years imprisonment.^[16]

Electronic Communications Law No. 5809

Enacted November 5, 2008. Establishes the BTK as the telecommunications regulator and sets data retention requirements. Article 51/10-C (amended March 2015) mandates operators retain traffic and location data for one year (fixed-line) to two years (mobile). Transaction records related to personal data access must be stored for two years, and subscriber consent records must be retained throughout the subscription period.^[17]

Turkish Penal Code Privacy Provisions (Articles 132–136)

The Turkish Penal Code criminalizes privacy violations: Article 132 (violation of confidentiality of communication, 6 months–3 years); Article 133 (eavesdropping and recording, 2–6 months); Article 134 (violation of privacy, 6 months–2 years); Article 135 (unlawful recording of personal data, 6 months–3 years); Article 136 (illegally obtaining or disclosing data, 1–4 years).^[18]

Disinformation Law (October 2022)

Amendments to the Press Law and Turkish Penal Code, approved October 13, 2022. New Article 217/A of the Penal Code imposes one to three years imprisonment for disseminating “false information contrary to the facts” about security, public order, or public health “with the motive exclusively to create distress, fear, and panic.” Social media platforms must hand over user data to prosecutors upon request; refusal can trigger up to 90% bandwidth reduction. The Venice Commission issued an urgent opinion raising concerns about the law’s compatibility with freedom of expression under Article 10 of the European Convention on Human Rights.^[19][20]

Surveillance and Intelligence

MİT (National Intelligence Organization)

Turkey’s primary intelligence agency, Milli İstihbarat Teşkilatı (MİT), received sweeping new powers through the 2014 amendments (Law 6532). MİT can access telecommunications data without judicial authorization, demand private records from any institution, and its personnel enjoy broad legal immunity. Human Rights Watch stated the 2014 law “opens the door to abuse” by removing meaningful judicial oversight from intelligence collection. MİT’s budget has surged in recent years, and the agency has expanded its global operations significantly under President Erdoğan.^[16][21]

Post-2016 Coup Surveillance Expansion

Following the failed coup attempt of July 15, 2016, Turkey declared a state of emergency lasting two years. During this period, more than 130,000 public servants were summarily dismissed by executive decree, bypassing judicial oversight. Over 113,000 people have been arrested since 2016, including 216 generals, 15,000+ military personnel, 3,700+ judges, and 1,300+ prosecutors. Criteria for arrest included having a Bank Asya account, subscribing to certain newspapers, or using the ByLock messaging application.^[4]

ByLock Mass Arrests

ByLock, an encrypted messaging application that was publicly available on the App Store and Google Play, became the primary digital evidence for prosecuting alleged Gülen movement members. MİT identified ByLock users through IP address matching with telecommunications providers, though critics noted that Turkish operators use dynamic (not static) IP allocation, making the identification method unreliable. Over 90,000 individuals have been purged or arrested based on alleged ByLock use. On September 26, 2023, the Grand Chamber of the European Court of Human Rights ruled in Yüksel Yalçınkaya v. Türkiye that Turkey violated Articles 6 (fair trial), 7 (no punishment without law), and 11 (freedom of association) of the European Convention on Human Rights in ByLock-based prosecutions. The ECtHR has since found violations in follow-up cases involving thousands of additional applicants.^[22][23]

Internet Censorship

Turkey’s internet censorship has expanded significantly. In 2024, authorities blocked access to 311,091 websites, the highest annual figure on record, with 82% ordered by the BTK president. Cumulative totals since Law 5651’s enactment in 2007 exceed 1.26 million blocked websites and domain names. In 2024, authorities also blocked 270,000 URLs, 17,000 X (Twitter) accounts, 25,500 YouTube videos, 16,700 Facebook posts, and 16,000 Instagram posts.^[3]

Turkey blocked all language versions of Wikipedia from April 29, 2017 to January 15, 2020, after Wikipedia refused to remove content about Turkey’s alleged collaboration with armed groups in Syria. The Constitutional Court ruled in December 2019 that the block violated human rights.^[24]

In 2025, Turkey repeatedly throttled social media platforms during political events. The BTK throttled X, Instagram, YouTube, TikTok, Facebook, WhatsApp, Telegram, and Signal for 21 hours on September 7–8, 2025, coinciding with a police blockade of opposition CHP headquarters. Earlier in March 2025, social media was throttled for 42 hours following the detention of Istanbul’s mayor. Turkey has also blocked access to at least 27 VPN services, using deep packet inspection to detect and restrict VPN traffic.^[25][26]

NSA “Partner and Target”

Documents from the Snowden archive, reported jointly by Der Spiegel and The Intercept in August 2014, revealed Turkey’s dual status as both intelligence partner and surveillance target. The NSA provided Turkey with hourly mobile phone location data on PKK leaders and information about PKK money flows and exiled leaders’ whereabouts. Simultaneously, the NSA infiltrated the computers of Turkey’s top political leaders through the “Turkish Surge Project Plan” (2006), monitored the Turkish Embassy in Washington under the codename “Powder”, and surveilled Turkey’s UN representation under the codename “Blackhawk.” The NSA was tasked with divining Turkey’s “leadership intention” across 18 key areas.^[5][6]

Internet Infrastructure

Internet Exchange Points

DE-CIX Istanbul, founded in 2015 by DE-CIX, is a carrier and data-center-neutral internet exchange point. It is the only IXP that connects to both Europe and Asia within the same country, serving ISPs from Turkey, Iran, the Caucasus, and the Middle East. DE-CIX Istanbul provides access to networks across multiple Turkish cities, including Istanbul, Ankara, Bursa, and İzmir.^[27]

Submarine Cable Infrastructure

Turkey’s geographic position at the crossroads of Europe and Asia makes it a critical node in international telecommunications. Key submarine cable systems include:

• SEA-ME-WE 5: A 20,000 km submarine cable connecting Western Europe, the Middle East, and Southeast Asia. Türk Telekom International invested in a branching unit at Marmaris on the Mediterranean coast, with a $50 million EBRD loan.^[28]
• KAFOS (Black Sea Fibre Optic System): A 504 km subsea cable connecting Istanbul to Bucharest, Romania, with 8 Tbps design capacity, operational since January 2021.^[29]

BTK and Telecommunications Regulation

The Information and Communication Technologies Authority (BTK), established under Law 5809, serves as Turkey’s telecommunications regulator and plays a central role in content blocking and surveillance. The BTK oversees mandatory data retention, issues content removal orders (responsible for 82% of website blocks in 2024), and can throttle platform bandwidth on executive order without a court order where “peril in delay” is cited under Article 22 of the Constitution. The major operators — Türk Telekom, Turkcell, and Vodafone Turkey — operate under BTK oversight.^[17][25]

Data Retention

Turkey imposes mandatory data retention on telecommunications operators under Electronic Communications Law No. 5809. As amended in March 2015 (Article 51/10-C), operators must retain traffic and location data for a minimum of one year and a maximum of two years. Mobile services data must be retained for two years; fixed-line data for one year. Transaction records relating to personal data access must be stored for two years, and records of subscriber consent for data processing must be maintained throughout the subscription period.^[17]

Under KVKK (Law 6698), personal data under investigation, examination, audit, or dispute must be retained until the conclusion of the relevant process. The BTK may additionally require retention of specific categories of data for regulatory or national security purposes.^[1]

International Data Sharing

NATO Membership

Turkey joined NATO on February 18, 1952, making it one of the alliance’s earliest members. NATO membership entails extensive intelligence sharing obligations and interoperability requirements with allied nations. Turkey hosts the NATO Allied Land Command headquarters in İzmir and the Kürecik radar station, which is part of NATO’s missile defense system.^[30]

Council of Europe and Convention 108

Turkey became a Council of Europe member on April 13, 1950 (the 13th member state). Turkey signed Convention 108 (Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data) in 1981 but did not ratify it until February 2016, alongside ratification of the Additional Protocol requiring an independent data protection authority. Both ratifications were prerequisites for Turkey’s KVKK legislation and part of the EU accession process.^[2]

EU Candidate Status

Turkey was officially recognized as an EU candidate country on December 10–11, 1999, at the Helsinki European Council summit. Accession negotiations opened on October 3, 2005. Of the 35 negotiating chapters, only 16 were opened and one provisionally closed by 2016. In 2018, the Council determined that accession negotiations had “effectively come to a standstill” due to backsliding on democracy, fundamental rights, and judicial independence. Turkey does not hold an EU adequacy decision for data transfers.^[31]

US-Turkey Mutual Legal Assistance Treaty

The US-Turkey Treaty on Extradition and Mutual Assistance in Criminal Matters entered into force on January 1, 1981 (32 UST 3111; TIAS 9891). Turkey was one of the first three countries to sign an MLAT with the United States, alongside Switzerland and the Netherlands.^[32]

Intelligence Sharing

Beyond NATO’s collective intelligence-sharing framework, Turkey maintains a bilateral intelligence relationship with the United States that involves both cooperation (PKK targeting data, counterterrorism) and adversarial surveillance (NSA operations against Turkish political leadership). Turkey is not a member of the Five Eyes, Nine Eyes, or Fourteen Eyes alliances, but participates in NATO’s intelligence structures and various bilateral arrangements.^[5][6]

Recent Developments

Cross-Border Data Transfer Overhaul (2024–2025)

The March 2024 amendment to Article 9 of Law 6698 fundamentally restructured international data transfers. The Regulation on Cross-Border Transfer of Personal Data, published July 10, 2024, introduced adequacy decisions, SCCs, BCRs, and written undertakings as transfer mechanisms, eliminating explicit consent as a basis after September 1, 2024. The KVKK published mandatory SCCs that must be used without modification, with Turkish-language versions prevailing and notification to authorities within five business days of signing.^[12]

2025 KVKK Amendments

Further amendments introduced new data subject rights including data portability and restriction of processing, mandatory data protection officer appointments for medium and large companies, strengthened breach notification obligations (within 72 hours), and higher fine ranges with stricter enforcement.^[11]

Mass VERBİS Enforcement (2024)

The KVKK investigated 16,350 organizations for non-compliance with VERBİS registration, resulting in total penalties of TRY 503,935,000 (~€14 million). Sanctions applied to domestic and foreign data controllers, including public institutions.^[7]

ECtHR Yalçınkaya Judgment and Follow-Up (2023–2025)

Following the Grand Chamber’s September 2023 ruling in Yüksel Yalçınkaya v. Türkiye, the ECtHR has continued to find violations in follow-up cases. In July 2025, the court faulted Turkey for terrorism convictions of 239 applicants, and in December 2025, it found violations in cases involving 2,420 additional applicants. The ECtHR has been notified of a further 4,800 pending applications related to Gülen-linked convictions.^[23]

Social Media Throttling (2025)

Turkey throttled major social media and messaging platforms during political events in March and September 2025. A draft regulation would grant the BTK power to block social media platforms on national security grounds, with non-compliant platforms facing up to 95% bandwidth reduction and eventual service suspension.^[25]

VPN Blocking Expansion

Turkey has progressively blocked access to VPN services, with 27 providers blocked as of 2024, including ProtonVPN, NordVPN, Surfshark, and ExpressVPN. While VPNs remain technically legal, authorities use deep packet inspection to detect and throttle VPN traffic on major networks including Türk Telekom and Turkcell Superonline.^[26]

Record Internet Censorship (2024)

Turkey blocked a record 311,091 websites in 2024, up from 240,857 in 2023 and 137,717 in 2022. Since 2007, cumulative blocking decisions issued by 852 institutions and courts have reached 1,264,506 websites and domain names. Additionally, 8,762 news reports and 1,897 social media accounts (including those of 51 journalists) were restricted in 2024.^[3]

Sources