The internet’s age of adolescence is over. For decades, we tolerated many things, waiting for the kid to grow up. But now as an adult, the internet has responsibilities. Every sovereign nation is now discussing how to regulate the Internet according to its own economic and social priorities. Once a free and homogenous network, the global Internet has effectively been split into three co-existing blocs (the so-called “splinternet”):
The other countries around the world are at a crossroads: whether to follow one of these models or design their own. While China is the only emerging market country that has enforced strict data localisation requirements for many years and restricted the activities of global big tech behind the so-called Great Internet Wall, many other emerging market countries have implemented bits and pieces of data localisation requirements without a coherent internet policy strategy. This piece summarises the recent experience in Turkey with the purpose of illuminating how a mid-sized, emerging market G20 member approaches internet policy issues and what types of political and policy challenges it faces.
It should be noted that, in terms of internet and social media usage rates, Turkey is among the top countries globally (6th largest on both Twitter and Instagram). The increasing number of digital platforms has given rise to political polarisation, disinformation and social manipulation propaganda. Hyper-partisan approaches, political polarisation and a severe lack of trust have become the main characteristics of contemporary media platforms. In an environment where disinformation has become the norm, not the exception, a significant number of foreign government-supported outlets have also become major sources of news on social media – Sputnik (Russia), Independent (Saudi Arabia), DW (Germany) and BBC (UK). Large disinformation campaigns have been implemented throughout election campaigns since 2018.
Over time, with disinformation and social media gathering speed and the additional triggering effects caused by Covid-19, there has been an urgency for new regulations in 2020. An unofficial draft bill surfaced in early April 2020, seeking to expand the scope of social media surveillance and monitor online users, as many people have become victims of actions conducted by fake profiles. According to the draft bill, social network providers that had more than 1 million daily users were required to open a representation office in Turkey, and those who wished to have accounts on these platforms had to create their accounts with their Turkish ID number to prevent fake profiles. The bill also included a forced data localisation provision for social media outlets.
The social media debate has become one of the hottest topics over the summer of 2020. This was further galvanised on 11 June, 2020, when Twitter announced the takedown of 7,340 accounts that tweeted about 37 million times in a rare action of its kind. At the same time, the Stanford Internet Observatory Cyber Policy Center published a white paper regarding these fake accounts and their effects on the political atmosphere. Most of the accounts taken down were claimed to be affiliated with the ruling AK Party.
Data localisation requirements under Turkish law have so far been sector-specific and, hence, limited in scope. Several sectors are already under obligation to keep primary and secondary data in Turkey: banking, e-sim technology companies, finance, healthcare and energy.
When the social media law discussed above was formally enacted in July 2020, the Turkish ID number requirement for social media logins was dropped and the data localisation measure became a request to the outlets “to take the necessary measures towards hosting Turkey-based users' data in Turkey” without enforcement. With no clear enforcement mechanism for the data localisation requirement in the Turkish social media law, Turkey diverged from the Russian approach of forced data localisation in social media and moved closer to the social media regulation approaches of other G20 member emerging markets such as South Africa and India.
Yet another blow towards forced data localisation came from the "Personal Data Protection Board" in September 2020, rendering the Convention No. 108 of the Council of Europe (to which Turkey is a signatory) on cross-border transfers of personal data not applicable for Turkey. As background, Turkey recognised protection of personal data as a fundamental right in its constitution in 2010. In 2016, with the implementation of legislation, the "Personal Data Protection Board" was established as the independent supervisory authority.
Since the Board was established, it has refused to announce a list of safe harbour countries to which personal data of Turkish citizens can be transferred without permission. In the EU legislation and in many other jurisdictions, data protection authorities announce such a list of countries that provide protection of personal data at equal or better standards. Turkey’s refusal to announce such a list is based on diplomatic reciprocity, because no other country, most importantly not the EU, recognises Turkey as a safe harbour. It was nevertheless possible to transfer personal data under the Convention No. 108 to which Turkey is a signatory. With this decision, the Board put Turkish law before international convention and effectively restricted transfer of all personal data, including those on social media, to other countries.
The repercussions of these wide-ranging data localisation requirements and administrative restrictions are yet to be seen. The historical reason for Turkey to establish a personal data protection system was mainly to comply with EU requirements and candidacy obligations, attempting to harmonise Turkish legislation with the European system based on the Data Protection Directive 95/46/EC. Given this, the use of the same legal framework to restrict data transfers will potentially attract a lot of reaction.
Recent debates and policy actions in Turkey present a mixed picture. Apparently, the splinternet trend has resonated with policy makers in Turkey. Yet there is no clear and consistent strategy on the extent to which, and the areas in which, data should be localised. Different government departments in the executive or legislative branches take reactive and sporadic actions to localise or not to localise data. The level of awareness and discussion regarding the security and economic benefits of forced data localisation is extremely limited. The arguments of politicians are shaped more by existing polarised political positions than by an informed debate. The outcome is a patchy regulatory framework and an uncertain policy environment.
Turkey should engage in strong dialogue with other emerging economies of similar size, possibly within the G20 framework, on its data localisation strategy and overall internet policy. This dialogue can start by sharing experiences to formulate a more informed and balanced approach. The dialogue can then progress towards creating common policy frameworks that would constitute an alternative to the three existing internet blocs and serve the economic and social priorities of emerging market countries.
The views expressed above belong to the author(s).