Privacy and data security

Net neutrality

What is your jurisdiction’s regulatory stance on net neutrality?

There is no specific legislation or current strategic plan relating to net neutrality in Turkey.

Encryption

Are there regulations or restrictions on encryption of communications?

Encrypted communications are governed by the Regulation on the Procedures and Principles for Encoded or Encrypted Communication between Public Authorities and Organisations and Real and Legal Persons in Electronic Communication Services (the Encryption Regulation). The Encryption Regulation establishes the principles and procedures, along with the work and transactions to be performed, for the:

  • creation;
  • application;
  • evaluation;
  • approval;
  • security and safety measures;
  • auditing;
  • sanctions; and
  • recording of encoded or encrypted communication systems.

In this respect, operators wishing to provide encoded or encrypted communication services must apply to the Information and Communication Technologies Authority (ICTA) for authorisation. Those who install and operate encoded or encrypted electronic communication devices or systems are obliged to take necessary measures to prevent any use and access to the systems by unauthorised persons.

Data retention

Are telecoms operators bound by any rules or requirements on the retention of consumer communications data? If so, for how long must data be retained?

While there are currently no regulations in force governing data privacy in electronic communications specifically, the ICTA has recently published a draft Regulation Concerning the Processing of Personal Data and the Protection of Privacy in the Electronic Communication Sector (the Regulation on Privacy in the Electronic Communication Sector).

The draft regulation covers, among other things, the data categories to be retained by the operators and the retention periods thereof.

In this respect, operators must retain the categories of data listed under Article 11 of the draft regulation as follows:

  • To trace and identify the source of a communication:
    • For fixed network telephony and mobile telephony, including failed calls:
      • the calling telephone number;
      • the name and address of the subscriber; and
      • the name and address of the subscriber to whom and when the telephone number was allocated;
    • For internet access, email and internet telephony:
      • the user ID and telephone number allocated;
      • the internet protocol address at the time of communication; and
      • the name and address of the subscriber;
  • To identify the destination of a communication:
    • For network telephony and mobile telephony:
      • the number(s) dialled;
      • in cases involving supplementary services such as call forwarding or call transfer, the number or numbers to which the call is routed; and
      • the name and address of the subscriber(s);
    • For email and internet telephony:
      • the user ID of the email recipients;
      • the user ID or telephone number of the intended recipients of an internet telephony call; and
      • the name(s) and address(es) of the internet telephony or email recipients;
  • To identify the date, time and duration of a communication:
    • For fixed network telephony and mobile telephony: the date and time of the start and end of the communication;
    • For internet access, email and internet telephony:
      • the date and time of the log-in and log-off of the internet access service;
      • the IP address (whether dynamic or static) allocated, port information with the IP address in networks using Network Address Translation and the user ID of the subscriber and user; and
      • the date and time of the log-in and log-off of the internet email service or internet telephony service;
  • To identify the type of communication:
    • For fixed network telephony and mobile telephony: the telephone service used;
    • For internet email and internet telephony: the internet service used;
  • Data necessary to identify users’ communication equipment or what purports to be their equipment:
    • For fixed network telephony: the calling and called telephone numbers;
    • For mobile telephony:
      • the calling and called telephone numbers;
      • the international mobile subscriber identity of the calling and called parties;
      • the international mobile equipment identity of the calling and called parties; and
      • in the case of pre-paid anonymous services, the date and time of the initial activation of the service and the location label from which the service was activated;
    • For internet access, internet email and internet telephony:
      • the calling telephone number for dial-up access; and
      • the digital subscriber line or other end point of the originator of the communication; and
  • To identify the location of mobile communication equipment where necessary under the relevant legislation:
    • the location label at the start of the communication;
    • data identifying the geographic location of cells by reference to their location labels during the period for which communications data are retained; and
    • the cell address and dates when the Cell ID was designated to and removed from such address.

Pursuant to Article 12 of the draft Regulation on Privacy in the Electronic Communication Sector, the data categories listed above must be retained by the operators for a period of two years from the date of the communication.

In addition, Article 51(10) of the Electronic Communications Act lays out the retention periods for different types of data as follows:

  • Personal data subject to inspection, examination, investigation or dispute must be retained until the relevant period has expired;
  • Transaction records regarding the access to personal data and to other relevant systems must be retained for two years; and
  • Records showing the explicit consents of subscribers and users for the processing of their personal data must be retained for at least the term of the subscription.

Government interception/retention

What rules and procedures govern the authorities’ interception of communications and access to consumer communications data?

One of the fundamental principles of the Turkish Constitution is the privacy of communication. However, pursuant to Article 22 of the Turkish Constitution, communication may be intercepted if:

  • a court has issued a decision on the basis of one or several of the following grounds:
    • national security;
    • public order;
    • prevention of crime;
    • protection of public health and public morals; or
    • protection of the rights and freedoms of others; or
  • an agency authorised by law has issued a written order in cases where delay is prejudicial, also on the above-mentioned grounds.

The specific conditions, principles and procedures for interception of communication, as well as the judicial and administrative authorities' powers in relation to the interception of communication are governed by various pieces of legislation, including:

  • the Criminal Procedure Code 5271;
  • Law 5651 on the Regulation of Publishing on the Internet and Prevention of Crimes Committed Through the Internet; and
  • Law 2937 on State Intelligence Services and National Intelligence Institution. 

Within the scope of the Authorisation Regulation, the ICTA may suspend, interrupt or prevent operators from providing an electronic communication service if the legal conditions of “protecting the public safety, public health, public morals and other public interests as such” are met.

Under the draft Regulation on Privacy in the Electronic Communication Sector, the ICTA is entitled to request information and documents from the operators regarding:

  • the systems where personal data is stored;
  • the security measures taken; and
  • the changes in such security measures if deemed necessary.

Operators are required to put in place appropriate intercept functionalities. Authorised operators must comply and cooperate with valid intercept requests from enforcement authorities if and when they are received.

Moreover, according to Article 12(5) of the Electronic Communications Act, the Authorisation Regulation and the Administrative Sanctions Regulation, operators must possess or, where applicable, upgrade their infrastructure in a way that will allow them to accommodate any lawful interception or access-blocking orders.

In line with this requirement, authorised operators are not allowed to offer their services to end users or other operators who have not upgraded their infrastructure to accommodate access-blocking or lawful intercept requests arising from the applicable legislation. In addition, all authorised operators must possess the necessary infrastructure to accommodate any access-blocking or determination of communication requests issued by the ICTA.

Data security obligations

What are telecoms operators’ general data security obligations to consumers?

Article 51 of the Electronic Communications Act imposes certain data privacy obligations on operators, including the following:

  • Personal data must be processed in compliance with the general principles under Law 6698 on the Protection of Personal Data – that is, in a manner that is accurate and up to date for specific, clear and legitimate purposes, and relevant, limited and proportional to the purposes for which they are processed. The personal data must be kept no longer than is stipulated by law or necessary for the purposes for which the data was collected;
  • Communication may not be listened to, recorded, stored, intercepted or tracked without the consent of all the relevant parties to the communication, except in cases where the relevant legislation and judicial decisions so require;
  • Operators must take appropriate technical and administrative measures to ensure the security of the networks and personal data belonging to the subscribers; and
  • Traffic and location data may be transferred abroad only with the explicit consent of the data subjects.

Further, Article 13 of the draft Regulation on Privacy in the Electronic Communication Sector provides that operators must ensure, at a minimum, with respect to retained data, that:

  • the retained data shall be of the same quality and subject to the same security and protection as data on the network;
  • the data shall be subject to appropriate technical and organisational measures to protect the data against unlawful, unauthorised or accidental access, destruction, loss, deletion, alteration, storage, processing or disclosure;
  • appropriate technical and organisational measures are taken to ensure that the data can be accessed by specially authorised personnel only; and
  • the data processed and retained shall be irrecoverably deleted or anonymised within one month of the end of the period of retention and such processes shall be recorded in the form of a report or electronically with a timestamp.
