TMT Comparative Guide - Part 5

10.07.2023

9. Data security and cybersecurity

9.1. What data security regimes apply in the following sectors: (a) Telecommunications; (b) Internet; (c) Media (broadcasting + print) and (d) Social media?

(a) Telecommunications

The Regulation on the Processing of Personal Data and Protection of Confidentiality in the Electronic Communications Sector specifically stipulates provisions for the processing of personal data, including traffic and location data, by operators and other stakeholders in the electronic communication sector.

The regulation requires operators to take the necessary technical and administrative measures set out in the Electronic Communications Law, the Law on the Protection of Personal Data and national and international standards to ensure the security of subscribers'/users' personal data and of their services. These security measures must be implemented at a level appropriate to the possible risk, taking into account technological capabilities. In this regard, operators must, at a minimum:

  • implement security policies on the processing of personal data;
  • protect personal data against data breaches;
  • ensure that only authorised persons have access to personal data; and
  • ensure the security of systems in which personal data is stored and applications are used to access personal data.

While the regulation states that it is essential that traffic and location data not be transferred abroad for national security reasons, it does allow for the cross-border transfer of traffic and location data based on the explicit consent of subscribers/users.

Before obtaining the explicit consent of subscribers/users, operators must clearly inform them of:

  • the type and the scope of personal data, as well as traffic and location data, to be processed;
  • the purposes of the processing; and
  • the retention periods.

In case of any transfer of traffic and location data to third parties, the data controller must obtain the explicit consent of the data subjects by informing them of:

  • the scope of the personal data to be transferred;
  • the name and address of the recipient;
  • the purpose and duration of the transfer; and
  • the third country, if the recipient is located abroad.

Any change in such information will require the data controller to obtain explicit consent from the data subjects again. Consent should not be bundled into the conditions for the provision of an electronic communication service, including the creation of a subscription or the provision of an electronic communication device.

Operators should also inform subscribers/users about any risk that threatens the security of their networks and services. If the risk falls outside the measures taken by the operator, the operator should inform subscribers/users as soon as possible about the scope and mitigation methods of the risk.

(b) Internet

On 15 February 2022, the Personal Data Protection Authority (DPA) published on its website an announcement on measures to be taken to ensure website/mobile application user security. This announcement is aimed at all data controllers that operate a website and/or mobile application with an account login function. Accordingly, website and/or mobile application providers should undertake the following measures:

  • Implement a two-factor authentication system and offer it to users as an alternative security measure in the course of registration;
  • Inform users via email/SMS or similar when they log into their account from devices other than those which they usually log in from;
  • Protect web/mobile applications with HTTPS or a method that provides the same level of security;
  • Use safe hashing algorithms to ensure the protection of user passwords against cyberattacks;
  • Limit the number of unsuccessful log-in attempts from an IP address;
  • Inform users of at least the last five successful and unsuccessful log-in attempts;
  • Remind users not to use the same passwords on different platforms;
  • Prepare a password policy and ensure that user passwords are changed periodically or remind users to change their passwords periodically;
  • Prevent newly created passwords from being the same as old passwords (at least the last three passwords); use technologies such as security codes that distinguish computer from human behaviour (ie, CAPTCHA-style challenges); and limit the IP addresses which are authorised to access;
  • Ensure the use of strong passwords for website/mobile application systems, with a minimum of 10 characters and a mix of upper and lower-case letters, numbers and special characters; and
  • If a third-party software or service is used to connect to the website/mobile application's systems, perform regular security updates on such software and services, and conduct necessary checks.
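As an added illustration, not part of the guide and not any regulator's reference code, the following Python sketch implements several of the DPA's listed measures together: the 10-character mixed-class password rule, rejection of any of the last three passwords, a per-IP cap on failed log-ins, and a record of the last five attempts. The class and function names, the per-IP failure threshold and the sample IP addresses are assumptions; the announcement itself fixes only the 10-character, last-three-passwords and last-five-attempts figures.

```python
import hashlib, hmac, os
from collections import deque

MIN_LEN = 10            # announcement: at least 10 characters
HISTORY = 3             # announcement: at least the last three passwords
LAST_ATTEMPTS = 5       # announcement: show users their last five log-in attempts
MAX_FAILED_PER_IP = 5   # assumed threshold; the announcement sets none

def password_meets_policy(pw):
    """Minimum 10 chars mixing upper, lower, digits and special characters."""
    return (len(pw) >= MIN_LEN and any(c.isupper() for c in pw)
            and any(c.islower() for c in pw) and any(c.isdigit() for c in pw)
            and any(not c.isalnum() for c in pw))

def hash_password(pw, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest) so it can be re-verified."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)

class Account:
    def __init__(self, password):
        if not password_meets_policy(password):
            raise ValueError("password does not meet policy")
        self.salt, self.digest = hash_password(password)
        self.history = deque([(self.salt, self.digest)], maxlen=HISTORY)
        self.attempts = deque(maxlen=LAST_ATTEMPTS)   # (ip, success) pairs

    def change_password(self, new_pw):
        """Reject weak passwords and any reuse of the last three passwords."""
        if not password_meets_policy(new_pw):
            return False
        for salt, digest in self.history:
            if hmac.compare_digest(hash_password(new_pw, salt)[1], digest):
                return False
        self.salt, self.digest = hash_password(new_pw)
        self.history.append((self.salt, self.digest))
        return True

class LoginService:
    def __init__(self):
        self.failed_by_ip = {}   # failed attempts per source IP
    def login(self, account, pw, ip):
        if self.failed_by_ip.get(ip, 0) >= MAX_FAILED_PER_IP:
            ok = False   # locked out: the password is not even checked
        else:
            ok = hmac.compare_digest(hash_password(pw, account.salt)[1], account.digest)
            self.failed_by_ip[ip] = 0 if ok else self.failed_by_ip.get(ip, 0) + 1
        account.attempts.append((ip, ok))   # feeds the "last five attempts" view
        return ok
```

A production system would persist `failed_by_ip` with an expiry and add the log-in notification from a new device, which this sketch omits.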

In addition, according to the Internet Law, hosting providers and access providers must keep traffic records. Accordingly, hosting providers must:

  • keep traffic information about the services they host for a period of time specified in the regulations – which is not less than one year and not more than two years; and
  • ensure the accuracy, integrity and confidentiality of that information.

Access providers, on the other hand, must:

  • keep traffic information related to the services they provide for a period specified in the regulations – not less than six months and not more than two years; and
  • ensure the accuracy, integrity and confidentiality of that information.

(c) Media (broadcasting + print)

There are no special provisions under Turkish law regarding the protection and security of personal data in the media sector.

(d) Social media

There are no special provisions under Turkish law regarding the protection and security of personal data in the social media sector.

9.2. What cybersecurity regimes apply in the following sectors: (a) Telecommunications; (b) Internet; (c) Media (broadcasting + print) and (d) Social media?

(a) Telecommunications

Turkey has no general cybersecurity law.

Presidential Circular 2019/12 on Information and Communication Security Measures imposes certain measures on operators to mitigate and neutralise security risks and ensure the security of critical data that could jeopardise national security or harm the public order if its confidentiality, integrity or accessibility were compromised. One of these measures is for operators authorised to provide communication services to establish an internet exchange point in Turkey. Necessary measures must be taken to prevent the export of domestic communication traffic that should be exchanged domestically.

In addition, the Digital Transformation Office has the task of developing projects to increase information security and cybersecurity, and to this end has published the Information and Communication Security Guide. This guide covers the security measures that public institutions and organisations providing critical infrastructure services should take to mitigate security risks in information systems and to secure critical data. Organisations providing critical infrastructure services are those operating in the following sectors:

  • telecommunications;
  • energy;
  • water management;
  • critical public services;
  • transportation; and
  • banking and finance.

Telecommunications operators must thus comply with the measures in the Information and Communication Security Guide.

Moreover, the Information and Communication Technologies Authority (ICTA) has the authority to:

  • prevent cyberattacks;
  • provide a deterrent; and
  • impose sanctions for non-compliance.

To this end, it has established a National Cyber Incidents Response Centre (USOM). Cyber incident response teams (CIRTs) operate in institutions and organisations, especially in critical infrastructure sectors.

The ICTA has also published the Network and Information Security Regulation in the Electronic Communications Industry, which covers the procedures and principles for operators to ensure network and information security.

(b) Internet

The ICTA:

  • coordinates with content, hosting and access providers and other relevant organisations which are subject to the Internet Law on the detection and prevention of cyberattacks; and
  • carries out planning to undertake necessary measures.

The Network and Information Security Regulation in the Electronic Communications Industry published by the ICTA also regulates obligations for ISPs to ensure network and information security. Accordingly, ISPs should:

  • design and implement business continuity plans in order to prevent disruption of services and critical systems and minimise losses that may occur to their assets as a result of natural disasters, environmental threats, accidents, hardware failures, intentional actions or cyberattacks;
  • inform subscribers of malicious software, botnets (networks of compromised computers) and possible cyber threats in order to raise awareness and take necessary precautions;
  • establish an in-house CIRT and take the necessary measures to coordinate with the USOM and the sectoral CIRT established within the ICTA under the principles determined to ensure national cybersecurity;
  • implement mechanisms such as:
    • signal processing control;
    • user authentication and access controls on IP addresses;
    • communication ports; and
    • application protocols; and
  • provide protection against cyberattacks if requested.

(c) Media (broadcasting + print)

There are no dedicated cybersecurity laws in Turkey that apply to the media sector.

(d) Social media

There are no dedicated cybersecurity laws in Turkey that apply to social media.

9.3. What other specific challenges or concerns do the relevant sectors present from a data security/cybersecurity perspective?

The 11th Development Plan for 2019–2023 states that Turkey must improve its capacity to develop cybersecurity and privacy technologies. It is anticipated that various plans and strategies will be implemented during the period covered by the plan, including the establishment of new public bodies and commissions dedicated to cybersecurity. Also, the Digital Transformation Office works on projects in the field of cybersecurity and data security to ensure the digitisation of public services and raise public awareness.

10. Trends and predictions

10.1. How would you describe the current TMT industry landscape and prevailing trends in your jurisdiction? Are any new developments anticipated in the next 12 months, including any proposed legislative reforms?

The Law on the Protection of Personal Data (6698) is anticipated to be amended in order to harmonise it with the provisions of the EU General Data Protection Regulation (GDPR). The Scientific Commission of the Ministry of Interior has worked on harmonising its provisions on sensitive personal data and cross-border transfers of personal data with those under the GDPR.

11. Tips and traps

11.1. What are your top tips for TMT players seeking to operate in your jurisdiction and what potential sticking points would you highlight?

As Turkey has a regulatory regime governing TMT, players wishing to enter the Turkish market should examine whether they are subject to any licensing requirements as a result of their activities. Due to the devaluation of the Turkish lira, the requirements for company establishment and licensing have eased considerably, and it seems that Turkey remains an attractive market thanks to its young population, who can adapt relatively quickly to developments in technology and media.


First published by Mondaq, 17 June 2023.


Tagged with: Ünsal Law Firm, Burçak Ünsal, Mutlu Şeyma Kömür, Kaan Özdemir, Technology & Telecoms
