The Turkish Parliament has passed a controversial cybersecurity law despite strong warnings from opposition politicians, rights groups and legal experts that it could enable broad surveillance, restrict free speech and lead to potential abuses of power, Turkish Minute reported.
The 21-article law, approved late Tuesday by a vote of 246 to 102, introduces new government oversight mechanisms and expands the powers of the Cybersecurity Directorate established by President Recep Tayyip Erdoğan in January.
The law’s passage follows weeks of debate, during which opposition parties, rights groups and experts warned that it grants excessive powers to the executive branch, potentially eroding privacy and restricting freedom of expression.
The Cybersecurity Board, which will oversee the law’s implementation, will comprise high-ranking government officials, including the president, vice president and the heads of key ministries and security agencies. Opposition members argue that this structure effectively places cybersecurity policy under direct presidential control, sidelining independent oversight.
The law calls for prison sentences of up to five years for people who create or disseminate false information about cybersecurity-related data breaches with the intent to incite fear and panic or to target institutions or individuals.
It also requires that cybersecurity service providers abide by government-approved regulations and report security breaches to authorities, with noncompliance carrying high fines and potential criminal liability.
One of the most contested provisions, Article 8, initially proposed granting the head of the Cybersecurity Board extensive powers to conduct searches, seize data and duplicate digital records.
In response to widespread objections, the ruling Justice and Development Party (AKP) revised the bill, removing this clause entirely. Another significant revision was made to Article 16, which originally criminalized the spread of false information regarding “data leaks.” After concerns that this could be used to silence whistleblowers and journalists, the language was adjusted to specifically address “cybersecurity-related data leaks.”
Despite these changes, concerns regarding the law’s potential impact remain, with critics pointing to vague language that could criminalize legitimate reporting on cybersecurity incidents, while the main opposition Republican People’s Party (CHP) prepares to challenge the law at the Constitutional Court.
Yüksel Mansur Kılınç, CHP spokesperson in the parliament’s Security and Intelligence Committee, said it is “unacceptable” to leave the relation between the Cybersecurity Board and the Secretariat-General of the National Security Council vague in the law.
CHP Bursa MP Orhan Sarıbal also criticized the law during a press conference in parliament on Wednesday, saying it targets press freedom and the right to privacy, among other democratic rights.
“This regulation is being used as a means to eliminate the rule of law and pave the way for a transition to a ‘super dictatorship,’” he said.
The Turkish Journalists’ Association (TGS) also criticized the broad powers granted to the Cybersecurity Board and the vague language in the law, arguing that its primary purpose was to “cover up the truth and silence journalists.”
Law professor Bahadır Erdem also criticized the new regulation during a program on Halk TV on Thursday, warning that it could lead to the imprisonment of anyone who speaks out or criticizes the government.
The government is facing increasing criticism for its inability to prevent data theft. While authorities have acknowledged some breaches in the past, including those during the pandemic, they have denied allegations of more recent incidents.
In previous years, journalists including İbrahim Haskoloğlu and Cevheri Güven have reported on systemic vulnerabilities in Turkey’s cyber infrastructure, including the use of pirated software in government facilities. Haskoloğlu was arrested in 2022 after exposing a data breach affecting government databases.