Turkey: TMT

Regulatory regime for technology is constructed based on the subcategories of issues. Accordingly, Electronic Communications Law No.5809 (“Electronic Communications Law”) regulates the provision of electronic communications services and the construction and operation of the infrastructure and the associated network systems, as well as manufacture, import, sale, construction and operation of all kinds of electronic communications equipment and systems.

Law No. 5651 on Regulation of Publications on the Internet and Combating Crimes Committed by Means of Such Publication (“Internet Law”) regulates the obligations and responsibilities of content providers, location providers, access providers and mass use providers; and the fight against certain crimes committed on the internet.

Law No.6112 on the Establishment of Radio and Television Enterprises and Their Media Services, and especially Regulation on Radio, Television and On-Demand Broadcasting Provided Through the Internet Platforms (“RTUK Regulation”), extends the licensing, content and advertisement related regulation and supervision powers of Turkey’s Radio and Television Supreme Council (“RTUK”) to cover online service providers.

Law No. 6563 on Regulation of Electronic Commerce (“Electronic Commerce Law”) regulates principles and procedures regarding e-commerce, as well as direct marketing, responsibilities of service providers and intermediary service providers, and contracts with electronic communication tools.

The Law No. 7194 on Digital Services Tax and Amending Various Laws and the Statutory Decree numbered 375 (“DST Law”) regulates digital services tax to be applied to digital service providers, regardless of whether they are fully liable or limited taxpayers or whether the taxpayer performs activities through a workplace in Turkey or its permanent representatives.

Moreover, the Personal Data Protection Law No.6698 (“DPL”), Industrial Property Law No. 6769 (“Industrial Property Law”), and Law No. 5846 on Intellectual and Artistic Works (“Intellectual Property Law”) also play critical role within the regulatory framework for technology.

Recently, Regulation on not Using Crypto Assets in Payments, which introduced certain prohibitions for the use of crypto assets, has been published in the Official Gazette. Thus, the CBRT has aimed for an early intervention necessary to establish a controlled market, by clarifying the status of crypto assets at provision of and utilization from payment services, and signalled for an enactment of a more comprehensive regulation.

Yes, Electronic Communications Law No. 5809 regulates the provision of electronic communications services and the construction and operation of the infrastructure and the associated network systems.

In order to provide electronic communication services and/or to establish and operate an electronic communications network or infrastructure in Turkey, it is necessary to be authorized by the Information Technologies and Communication Authority (“ICTA”). Authorization by the ICTA can be granted to companies by following one of these two methods: (i) only via notification or (ii) notification and granting the right of use.

ICTA is the regulator for communications-related services.

ICTA is a public institution with an administrative and financial autonomy. The ICTA is independent in performing its duties; and no organ, authority, or person can give orders and instructions to the ICTA. On the other hand, ICTA is affiliated with the Ministry of Transportation and Infrastructure which means they are in close collaboration while determining macro strategies and preparing long term projections for nationwide roadmaps.

Yes, the Internet Law regulates the responsibilities of the access providers, content providers, mass use providers, hosting providers that operate on the internet, and covers access blocking requests and measures to be taken regarding violations of the internet. However, the information search engines are not specifically regulated under this law.

Moreover, the Law No. 7253 Amending the Law No. 5651 on Regulation of Publications on the Internet and Combating Crimes Committed by Means of Such Publication (“Law Amending the Internet Law”) has been published in the Official Gazette dated July 31, 2020 and numbered 31202, which introduces a new actor “social network providers”, which is defined as “natural persons or legal entities that enable users to create, display or share content such as texts, image, voice, location, over the internet for purposes of social interaction”, and broadens and aggravates the scope of liable parties and their obligations under the Internet Law.

As per ICTA’s Procedures and Principles on Social Network Provider published in the Official Gazette dated October 2, 2020 and numbered 31262; the scope of social network provider was established. Accordingly, persons that include content for social interaction only in a certain part of the broadcast on the internet and platforms such as personal websites, electronic commerce sites and news sites where content for social interaction is offered as a secondary and ancillary service are excluded.

Yes, the Internet Law does not make any distinction between the resident and non-resident actors of the internet.

Moreover, in order to ensure that obligations arising from the Internet Law are fulfilled and there is an addressee in Turkey to whom the requests will be delivered, the Law Amending the Internet Law published in the Official Gazette on July 31, 2020, obliges the social network providers that have more than one million access from Turkey per day to appoint a representative in Turkey, to take necessary actions on notice, declaration or requests to be sent by the ICTA, the Access Providers Union, judicial or administrative authorities and to respond to applications made by individuals in accordance with the Internet Law. Additionally, with the Law Amending the Internet Law, the notifications relating to the administrative fines imposed under the Internet Law to those, who are residing outside of Turkey, may be served to the e-mail addresses as well as to the other contact information discovered through the website, IP address or relevant means, without being required to consummate international notification procedures. In this context, social media companies such as Twitter, Instagram, Facebook, YouTube, TikTok and Periscope have each been subject to an administrative fine of TRY 10 million, back in November 2020, for not appointing a representative in the specified time period (1 month upon the notification of ICTA). Furthermore, due to failure to appoint a representative again within the next month after the first administrative fine, second tier of administrative fines were imposed on Facebook, Twitter, YouTube, TikTok and Instagram on December 2020, in the amount of TRY 30 million. The next tiers of administrative sanctions if a representative is still not appointed after the second administrative fine are regulated as follows: (i) advertisement bans (which were imposed on Twitter, Periscope and Pinterest on January 2021), (ii) internet traffic bandwidth reduction by 50%, and finally, (iii) internet traffic bandwidth reduction by 90%.As of July 2021, social media companies such as Facebook, YouTube, Twitter, Instagram, WhatsApp, VK and LinkedIn have appointed representatives in Turkey.

Yes, companies applying for authorization (for serving communication services) before the ICTA must be established as a joint-stock or limited liability company in accordance with the Turkish laws, in order to carry out only the activities that are subject to the authorization or the activities required, and/or relevant while performing the service subject to the authorization.

No, however, as we have stated above, the telecom operators must be a joint-stock or limited liability company established in Turkey, in accordance with the Turkish laws.

Yes. Network-to-network interconnection and access is regulated by the Electronic Communications Law and Regulation on Access and Interconnectivity (“Interconnectivity Regulation”).

Pursuant to the Interconnectivity Regulation, upon an access request by another operator, operators have the obligation to negotiate interconnection with each other with an aim to reach an agreement within a reasonable time. In this case, if an operator denies interconnection or imposes unreasonable terms not to make a negotiation, and if the ICTA decides that the actions of that operator damages the competition or the interests of end-users, such operator may be required to settle an agreement to provide an interconnection.

Yes, the ICTA may require operators with significant market power to provide interconnection or to make available the technical specifications, network specifications, terms and conditions regarding supply and usage, fees and similar information. In such cases, operators are obliged to provide interconnection on a non-discriminatory basis to the other operators.

Regulation on Consumer Rights in the Electronic Communications Sector is the main regulation for consumer protection that applies especially to telecoms services. Accordingly, rights such as protection against discrimination, right to enter into contract with the operator, right to ask for a detailed bill, right to request information on the scope of service, right to access updated information and being informed regarding changes in the tariff, the right to easily withdraw from the services are provided to the consumers of telecom services.

Moreover, the Law on the Procedure of Execution Proceedings for the Collection of Monetary Receivables Arising out of Subscription Agreements regulates the initiation and execution of proceedings in the electronic environment regarding the receivables arising from the invoice of the goods or services, which are presented to the consumer for the purpose of performing the subscription contracts and the subscription contracts regulated in the relevant laws and regulations.

The computer software is regulated as “work” under the name of computer programs in Article 2 of the Law No. 5846 on Intellectual and Artistic Works (“Law No. 5846”). In addition, Article 6 of the Law No. 5846 states that the adaptation, editing or making any changes to a computer program is also considered as a “work”.

Pursuant to the Law No. 5846, the owner of a work is the person who creates it, and thus, the developer, who creates a new software or development, is accepted as the owner of the work. The owner of the work will own both the intangible and financial rights on the developed work.

To give an example to intangible rights, the owner of the work can exclusively determine the representation, timing, and the means of the promulgation of a work. Besides, abbreviations, additions or other changes cannot be made on the work or the name of its owner without the permission of the owner of the work. Also, the right to make use of a work not yet publicised in any way whatsoever belongs exclusively to the owner of the work.

Under the scope of financial rights, the right to partially or wholly duplicate the original or adaptations of a work belongs exclusively to the owner of the work. The right to disseminate, lease, lend or sell or make a subject of trade in any way whatsoever a work and its copies obtained by duplication from the original or adaptation of it and to benefit from this way belongs only to the owner of the work.

Under the Intellectual Property Law, databases obtained by the selection and compilation of data and materials according to a specific purpose and a specific plan, which are in a form that can be read by a device or in any other form are deemed as adaptations. However, it is stated that this protection cannot be extended to the data and materials contained in the database.

On the other hand, the Intellectual Property Law recognizes that the maker of a database who has made qualitatively and/or quantitatively substantial investment in either creation, verification or presentation of the contents shall have the right of permitting or prohibiting (i) permanent or temporary transfer to another medium by any means and in any form, and (ii) distribution or sale, rental or communication to the public in any way, of all or a substantial part of the content of the database contents with the exceptions specified in this Law and required by purposes of public security and administrative and judicial procedures

The protection of personal data is recognized as a fundamental right under Article 20(3) of the Constitution of the Republic of Turkey as of its amendment in 2010. Since the aforementioned Article requires the principles and procedures regarding the protection of personal data to be laid down in law; the constitutional guarantee for the protection of personal data is intended to manage the processing of personal data on a regulatory level. In this respect, Law on the Protection of Personal Data No. 6698 (“DPL”), which constitutes the main legislative instrument that specifies the principles and procedures concerning the processing and protection of personal data, has been published in the Official Gazette on 7 April 2016 and is in effect as of this date.

The DPL provides almost the same definitions as GDPR and for sets forth the legal grounds on which personal data may processed fairly. We can say that the majority of the legal grounds are same while there are some divergences from EU’s regulations (see question 12). In addition to the legal grounds, providing clear information to data subjects about data processing purposes and respective data categories is obligatory. Also, similarly, the DPL provides a general requirement for taking technical and administrative measures for data controllers alongside with a mandatory data breach notification within 72 hours. Finally, we can say that most important and problematic issues are related to cross border data flow (see questions 10 and 13), divergencies from EU’s regulations (see question 12) and administrative fines (see question 11).

DPL provides an enhanced set of rules to be followed when transferring personal data from Turkey to abroad. In this respect, the DPL shall not be comprehended as wholly or directly prohibiting the transfer of personal data, but rather necessitating the existence of pre-determined conditions, and subsequently prescribing the cross-border data transfer regime.

The transfer regime foreseen under Article 9 of the DPL requires adherence to the either one of the following transfer mechanisms:

• Explicit consent: In the event that the data exporting party obtains explicit consent from the related data subjects, for the cross-border transfer of personal data, the cross-border transfer operation is permitted.
• Adequate level of personal data protection: In the event that (i) the conditions specified for the due processing of personal data are deemed applicable, and that (ii) the recipient country is considered to ensure an adequate level of personal data protection (safe country), the cross-border transfer operation is permitted.
• Ad hoc approval of the Board: In the event that the recipient country is unable to provide an adequate level of personal data protection, the cross-border transfer operation is permitted provided that (i) a written privacy undertaking agreement between the data transferring parties is concluded, and that (i) the Board’s approval is obtained following the submission of such undertaking to Board’s clearance.
• The DPL also envisages that provisions of other laws concerning cross-border personal data transfers are reserved and international agreements concerning data transfers are prioritized.

While the DPL allows cross-border of personal data by introducing mechanisms in this regard, we would like to underline that Turkey has not announced the list of safe countries, and in September 2020, the Board disregarded applicability of the Convention No. 108 on the Protection of Individual with regard to Automatic Processing of Personal Data, despite the specific provision recognizing priority of international agreements. Additionally, the undertaking option is also not very preferrable option as the Board approved only 4 companies’ application.

As the criticism over the Board’s practice increased, the Economic Reform Package announced in March 2021 puts forward that the necessary amendments to bring the cross-border data transfer mechanism of the DPL in line with the provisions of the GDPR will be made by March 31, 2022. Additionally, the Board announced that the approval procedures will be accelerated until the necessary amendments are made.

The maximum fine, which can be applied to i) those, who do not fulfil the obligations related to data security, ii) those who do not fulfil the decisions issued by the Board, iii) those who act contrary to the obligations for registry with the Data Controllers’ Registry and for notification, is determined as TRY 1,000,000, which is updated evert year based on the be subject to the reevaluation rate announced by the state (for year 2021, this fine is calculated as TRY 1,966,860.)

First of all, the DPL is prepared based on the Directive 95/46/EC of the European Parliament, which was repealed by the GDPR; therefore, although the Personal Data Protection Authority follows the implementation of GDPR in many areas, the exact comparison is not possible.

In the DPL, stricter regime is applied for processing of personal data concerning health and sexual life. Accordingly, these data may only be processed, without seeking explicit consent of the data subject, by persons, who are subject to secrecy obligation or competent public institutions and organizations, for the purposes of protection of public health, operation of preventive medicine, medical diagnosis, treatment and nursing services, planning and management of health-care services as well as their financing. While DPL increases the protection level of the personal data concerning health and sexual life by way of restricting the people that may process them, which is a narrower scope compared to GDPR, this results in difficulties in practice.

Moreover, GDPR and DPL also differ in terms of the regime that they stipulate for cross-border transfer of personal data. While GDPR introduces multiple alternatives facilitating the transfer of personal data, due to cyber security concerns and economic interest of the retention of data, DPL introduces a more controlled and authority-centered structure for the transfer, when the personal data is not transferred with the explicit consent of the data subject. In this regard, higher level of protection for personal data is aimed, while it results in a block and/or restriction on use of certain services, including cloud services.

Unlike GDPR, the DPL requires a notification to be made to the data subjects affected by a data breach, regardless of the scope of the effect and whether any measures are taken by the data controller.

Lastly, the Human Rights Action Plan published in March 2021 sets forth that the DPL will be harmonized with the European Union standards until March 31, 2022. Therefore, certain amendments are expected in that regard.

There is no specific regulation governing the provision and procurement of cloud services in Turkey. In the absence of a specific legislative framework, the DPL is considered to function as the main legislative instrument governing cloud-related practices. The provisions thereunder concerning the cross-border transfer of personal data is deemed as having a significant and direct impact on the procurement of cloud-based services which are hosted outside Turkey, as they led to an unmanageably restrictive application as mentioned under the Question 10.

In addition, Turkey has many local laws that govern the collection, receipt, transmission, or use of certain data as part of an IT product or service, which may apply apart from or in addition to the DPL in terms of cloud-based services. There are certain sector specific regulations scattered amongst a variety of legislations which, in general, require entities operating in such sectors to refrain from procuring cloud-based services which are hosted outside Turkey with data residency requirements. Said sectoral restrictions are mainly intended to localize information systems and to allow for on-premise audits to be conducted by the respective regulatory and supervisory authorities.

It is observed that an increase in the number of vertical sectoral regulations that contain data residency requirements, since 2018, without making a sectoral distinction. Thus, the demand for localization of data and information systems, which first appeared regarding the banks, has been persistently applied by the regulator Banking Regulatory and Supervisory Authority (“BRSA”) thereof to whole financial services industry.

On the other hand, one of the most severe developments relating to the matter of data residency is presently being realized in the public sector. In this regard, it should be specifically noted that the Presidential Circular No.2019/12 on Information and Communication Security Measures explicitly states that critical data relating to public institutions and organizations shall not be retained within cloud storing services, other than institutions’ own systems or systems which are controlled by such and local service providers. Additionally, while the Regulation on the Information System of Banks and Electronic Banking Services allows banks to use cloud computing services as an outsourced service provided that certain conditions are met (which restricts the use of public cloud systems), it also introduces system localization by saying that if cloud computing services fall under the definition of primary or secondary systems, the on-soil requirement will be applicable and such systems may only be hosted on Turkish territory.

Yes. While contracts executed online are valid in Turkey, the effect of an online/electronic contract as an evidence may be questioned, due to the Turkish Civil Procedure Code. The Code requires a contract executed with a handwritten signature or secure electronic signature for proving the transactions with a value exceeding TRY 4,880 as of 2021. It should be noted that this issue does not regard the validity of the agreement but its quality as a proof (especially in the event of a dispute), in case of a dispute before Turkish courts regarding an electronic contract. In this context, under the E-Signature Law, a secure electronic signature shall be a signature that;

• is obtained from an e-signature provider authorized by the ICTA,
• is exclusively assigned to the signature owner,
• is generated with the secure electronic signature creation device which is kept under the sole control of the signature owner,
• enables the identification of the signature owner based on the qualified electronic certificate,
• enables detection as to whether signed electronic data has or has not been altered or not subsequent to the signature being applied.
• In principle, an electronic signature, which meets the conditions stated above, shall have the same legal effect as that of a handwritten signature. However, a secure electronic signature cannot be used for legal proceedings subject to a special procedure or an official form pursuant to laws and warranty contracts.

Furthermore, as per ICTA’s Regulation on Verification Process of the Applicant’s Identity in the Electronic Communication Sector, published in the Official Gazette dated 26 June 2021 and numbered 31523, for the transactions within the scope of the regulation, the operator/service provider cannot obtain the biometric data of individuals electronically by using an electronic pen or a similar method, therefore, biometric signature may not be used. Accordingly, Turkish Personal Data Protection Board, with its decision dated 27 August 2020 and numbered 2020/649, concluded that biometric signature would be contrary to the principle of proportionality and broadens the interpretation Turkish data protection legislation. Finally, as per the Regulation on Remote Identification Methods and Establishment of Contractual Relations in Electronic Environment to be Used by Banks which entered into force on 1 May 2021, banks are allowed to verify customer identity with video call method and to establish contracts in electronic environment, where contracts with customers can be signed electronically. It is stipulated that the customer’s declaration of will must be signed with the customer-specific encryption secret key and be forwarded to the bank. In this respect, the way has been cleared for not only contracts at the stage of identification, but also for contracts based on individual transactions to be signed electronically.

No, automatic transfer of employees, assets or third-party contracts to the outsourcing supplier is not yet regulated under Turkish legislation.

Liability in terms of Artificial Intelligence (AI) malfunctions is not specifically regulated under Turkish laws, and thus, the general provisions of the Turkish Code of Obligations (“TCO”) in terms of “tort” will apply. In accordance with the Article 41 of the TCO, the tort must contain four vital elements such as unlawful act, damage, omission and causality link. On the other hand, it should be noted that causality link should be assessed in each specific case since algorithm, underlying data, mechanics or the user/operator of AI based system may be individually or jointly the root cause of respective damage.

In addition, even though a person does not have a fault in its action, which causes a damage, it may be liable for compensation under the regime of “liability without fault”. Under the Article 66 and its continuation in the TCO, it is regulated that employer, animal keeper and building owner may be liable for damages caused by their employee, animal or defects in the construction provided that they do not exercise all reasonable care to prevent the damage.

Besides, the TCO also envisages a concept of “liability on grounds of equity” in terms of a general duty to take reasonable care. Pursuant to the Article 65 of the TCO, the judge is entitled to rule on compensation of loss and damage partially or fully caused by a mentally incapable person on the grounds of equity. According to this provision, in order for a mentally incapable person to be held responsible for the damage it caused, the action must be defective and against the objective law and committed personally by the mentally incapable person.

Thus, it may be possible to apply the aforementioned liability regime by analogy for person using AI to be liable for compensation due to the damages caused by AI.

Cybersecurity rules in Turkish law are not consolidated under one legislative instrument but rather scattered under different sector-specific regulations. Accordingly, the Circular Note on Information and Communication Security Measures numbered 2019/12 (the Circular) establishes extensive cybersecurity-related obligations that are mainly applicable to public authorities and institutions. The most notable measures contained within the Circular are (1) significantly limiting the use of cloud systems; and (2) seriously restricting social media use in the public sector. Additionally, the Circular refers to an “Information and Communication Security Guide, (the Guide) that has been prepared under the coordination of the Digital Transformation Office of the Presidency. The Guide brings detailed technical requirements and rules in relation to procurement and use of cloud services by public institutions, among others.

There are multiple sector-specific regulations that require organisations from critical sectors to employ cybersecurity measures to safeguard their information systems. For example, their sector-specific legislation requires organisations related to capital markets (including on-stock companies) and entities from sectors such as insurance, banking and payment services to employ certain measures related to cybersecurity.

Cyber-crimes are described directly in the Turkish Criminal Law (“TCL”) which entered into force as of 26 September 2004. Although DDoS attacks are not specifically regulated under TCL, “unlawful access to data information system” and “hindrance or destruction of the system, deletion or alteration of data” are defined as criminal acts respectively under articles 243 and 244 of TCL. If parties organising DDoS attacks unlawfully capture others’ devices, they will be having “an unlawful access to information systems”. Also, if the attacking parties are aiming to hinder the operationality of a certain system, this will trigger Article 244 (up to 5 years of imprisonment). Additionally, if such an attack is committed against to a bank or credit institution, or public institutions or corporations, respective sanctions will be aggravated.

Lastly, the Presidential Circular on National Cyber Security and Action Plan (2020- 2023), which has been published in the Official Gazette on December 29, has underlined that within the scope of the fight against cyber threats, which are rapidly increasing in number and nature, it is important to take the necessary measures at national level, identify strategic goals and develop and implement action plans to achieve these goals. Presidential Circular has also referred to the National Cyber Security Strategy, which is published on the website of the Ministry of Treasury and Finance, and the National Cyber Security Action Plan, which will only be shared with institutions and organizations, who are responsible for the realization of such actions and who the Ministry will cooperate with in this regard. However, following the publishment of the strategy, there has been no regulation enacted to pursue such aims.

We opine that given the recent government plans and strategies, cyber security and fintech may continue to create significant impact in our jurisdiction in terms of legal change and disrupt their respective ecosystems.

Turkey has a strong and significant financial sector. In parallel to the government’s goals towards digitalization, financial technologies will transform the sector and create a disruptive impact, which as a result will trigger legal change. As one of the most heavily regulated sectors, financial sector will evolve along with financial technologies. On the other hand, in order to ensure data security and to eliminate the cyber security related risks in the market, regulations on cyber security and resulting obligations to become compliant with the same may also be discussed.

Additionally, as Turkey experienced difficulties during the year with the collapse of a few cryptocurrency exchange platforms, the Capital Markets Board of Turkey is expected to introduce a new regulation imposing a license requirement for these platforms.

Lastly, rise of e-commerce, especially with the pandemic, as well as concerns with respect to digital platforms, resulted in a need for amendments to current regulations. In this regard, the Ministry of Trade and Turkish Competition Authority initiated their works to introduce the Digital Services Act and Digital Markets Act alike regulations.

Greatest impediment to economic development/commerce in Turkey with respect to technology is the delay in adopting the necessary legal framework, which will not hinder, but enhance the technological advances, and accelerate the growth of digital economy. This does not only correspond to delays in the regulatory processes, but also to delays in apprehending the current needs of the sector and regulatory void that need to be filled with a good understanding of technology, its impact and international benchmarks. Moreover, growing tendency towards local and national also impairs the investment ecosystem of Turkey. In line with the government officials’ recent statements, the emphasis on local and national and the unfair approach to encourage local companies in the sector have been creating reservations in foreign investors. The localization and local representation requirements add further to the discouraging situation for the foreign investment environment where big multinational sector players are subject to fulfilling these obligations with additional operational burdens, putting them in a less advantageous situation compared to local companies.

Most regulations adopted in Turkey especially in the field of digital services and technology are transposed from the EU. Having said that, in various cases this does not eliminate the discrepancies and hardships in the very implementation of legal provisions and in practice. One example to such hardship may be given as the international data transfer regime under DPL. The list of countries providing adequate level of protection has not been announced yet by the Turkish Personal Data Protection Authority. Given the fact that other mechanisms envisaged under DPL (as explained above in this document) are burdensome and operationally unfeasible to many, this also creates an impediment to economic development, and a negative perception with respect to the investment environment and ease of doing business in Turkey.

The government in Turkey pays utmost attention to digital services and the digital transformation of public institutions. In fact, as per the new government system, Digital Transformation Office has been established, which is tasked to realize the digital transformation of public institutions and to carry out any and all necessary works and studies in this regard. This stance of the government also manifests itself through all government plans and strategies.

On the other hand, as mentioned before, there is a rising trend and tendency of the government that favours local and national corporations and technologies. Although it is the natural consequence of today’s digital world and digital economy to have companies that operate in Turkish market yet are not residents, localization requirements and the restraining stance of the government that only continue to increase and weighs on the sector.

The most recent example in this regard is the Law Amending the Law No. 5651 on Regulation of Publications on the Internet and Combating Crimes Committed by Means of Such Publication (“Law”), which imposes strict restrictions on social media providers and includes a provision that obliges social network providers established abroad and that has more than one million access from Turkey per day to appoint a representative in Turkey for taking necessary actions on notice, declaration or requests to be sent by the Information and Communication Technology Authority (“Authority”), the Access Providers Union, judicial or administrative authorities and for responding to applications by persons.

On the other hand, the Digital Mediums Commission (“Commission”) is established within the Turkish Parliament, in order to carry out investigations, discussions, reports, recommendations and opinions regarding the measures taken and the works and processes carried out to prevent the use of the internet in violation of the laws. In a meeting of the Commission, invitation of social network representatives to the Commission to discuss the issue of cooperation on their activities, and invitation of experts to be informed on the issues such as digital transformation, cyber-fascism and the transformation of social networks as supranational entities have been suggested, which demonstrates the willingness of the government for cooperation with experts before taking actions regarding new regulations on social media.

As we have stated above, currently, there is no specific regulation or provision regarding artificial intelligence, and the problems that may arise this respect are trying to be solved with general principles that may be relevant. In this regard, it could be stated that Turkish legal system is not competent to responds the legal issues that may occur and legislative works to be done with relevant stakeholders are needed. On the other hand, Turkish legislators tend to monitor EU Commission’s legislative works and may use them as bases for a legislation to be prepared. Accordingly, it could be stated that any developments in this context may be affected by the EU policies, especially Proposal for a Regulation of the European Parliament and of the Council Laying Down Harmonised Rules on Artificial Intelligence (Artificial Intelligence Act) and Amending Certain Union Legislative Acts. Moreover, with the leadership of the Ministry of Justice and the Presidency’s Digital Transformation Office (“DTO”), Turkey takes an active role in the works of the Council of Europe’s Ad hoc Committee on Artificial Intelligence (“CAHAI”), which currently prepares a binding convention and soft-law documents on regulation of artificial intelligence on the basis of human rights, rule of law and democracy; and Turkey may sign the convention soon as the Human Rights Action Plan specifically envisages that artificial intelligence applications will be used in the judiciary in conformity with the principles and recommendations of the Council of Europe.

On the other hand, the DTO has also been preparing Turkey’s National Artificial Intelligence Strategy and the final document is expected to be published soon. Additionally, the Human Rights Action Plan sets forth that until March 2022, the legislative framework and ethical principles concerning the field of artificial intelligence will be established in consideration of international principles, and measures will be taken regarding the protection of human rights from this aspect.