Turkish Law Blog
Data Localization Law in the time of Corona: Proposed Amendment to the Law No. 5651
Governments all around the world are announcing, initiating, and adopting numerous legal, economic, and financial measures to mitigate the effects of the COVID-19 outbreak. Since mid-March 2020, Turkey has also been taking similar measures by adopting various new laws and regulations. While some of these legislative efforts adopted in Turkey are predictable and expectable (such as rules regarding the extra shifts of the health workers or suspension of judicial proceedings due to social distancing), others come as a surprise due to their rather elusive relation to the fight against a pandemic.
Located at the surprising end of the spectrum is the proposed amendment to the Law on the Regulation of Publications on Internet and Suppression of Crimes Committed by means of Such Publications committed by means of such Publications (“Law No. 5651”). Such proposal is located in an ambitious omnibus bill, proposing to amend as many as 35 different acts with the purpose of “preventing the spread of the pandemic and mitigating its effects” (“Omnibus Bill”). While it has not yet been publicly discussed at the parliament, an unofficial draft of the Omnibus Bill has been circulating since the beginning of April 2020.
With its section devoted to amending the Law No. 5651, the Omnibus Bill introduces a new category for Information and Communication Technology (“ICT”) companies as “social network providers”, which is defined as “natural or real persons operating an internet platform designed to enable users to create, view, or share data online, such as text, visual, audio, or location, with social interaction purposes.” Social media companies, such as Facebook, Instagram, Twitter and YouTube would presumably be categorized as “social network providers” within the meaning of the amended Law No. 5651. (You may refer to my earlier post for further explanations on the existing categories for the ICT companies under the Law No. 5651, such as hosting and content provider definitions, here).
The amended Law No. 5651 would oblige social network providers to delete unlawful content within a short timeframe, appoint a person authorized to receive service by the Turkish authorities, and publish reports on the handling of the complaints about unlawful content on their platforms. Failure to comply with these new rules could incur administrative penalties, including considerable administrative fines.
Such extra burden for social media companies are quintessentially similar to the obligations under Germany’s highly criticized Network Enforcement Act (“NetzDG”). (An English translation of NetzDG is available here). One must note however, that lawyers and legal scholars vociferously criticized NetzDG, as it has placed the burden of making the delicate balancing between the protection of freedom of expression and the prevention of hate speech and fake news on social media companies – and expected such a balancing to take place within as quick as 24 hours. (Such critique of NetzDG may be found here, here, and here). In fact, Human Rights Watch noted that NetzDG “that compels social media companies to remove hate speech and other illegal content can lead to unaccountable, overbroad censorship and should be promptly reversed.”
Despite these worries, NetzDG has achieved its goal and proved effective for “improving enforcement of the law in social networks” (which is the title of Article 1 of NetzDG). According to the Reporters Without Borders, NetzDG “has led [social media] companies to delete large amounts of content that was in fact legal in an effort to ensure that they will not be punished under the Network Enforcement Act.” With this success rate, NetzDG has inspired other countries, such as Russia, Singapore, and the Philippines, to contemplate or propose similar pieces of legislation. As the Omnibus Bill shows, Turkey is one of the latest countries seeking to achieve NetzDG’s success as well.
Countries rushing to mimic NetzDG should keep in mind, however, that NetzDG does not offer a one-size-fits-all solution and legal and socio-economic details and variations could potentially have disastrous effects. One such detail, for instance is the fact that Germany ranks 13th out of 180 states on the World Press Freedom Index, while several of the countries aiming to adopt their own NetzDG seriously lag behind.
Another such detail would be the use of additional measures to enforce laws, such as a data localization requirement. A seemingly innocuous provision within the Omnibus Bill is Additional Article 4(5) of the Law No. 5651, which does not have its counterpart under NetzDG. The new Additional Article 4(5) of the Law No. 5651 would require “both local and foreign social network providers exceeding 1 million daily access from Turkey” to store “data of their users located in Turkey within Turkey”. While it is hard to grasp how data localization would help the Turkish government’s fight against COVID-19, it is clear that it will have tangible impacts on the extraterritorial reach of the Law No. 5651 and legal proceedings in Turkey.
Data localization requirement coupled with the robust enforcement measures under the amended Law No. 5651 may have severe and negative consequences for freedom of expression, independent media, civil society, and political pluralism. While it is understandable for countries to seek ways to enforce their domestic laws, it should not be at the cost of freedom of expression. Thus, (to borrow from the European Court of Human Rights), the means to achieve the goal (data localization) should be proportionate to the legitimate aim pursued (enforcement of the domestic law).
The Rationale for Data Localization from the Government’s Perspective
The clash between domestic laws and the Internet seems to be as old as the Internet itself. The Internet has allowed ICT companies to operate within a country without being present therein and thus, without being fully subject to the rules and regulations of that jurisdiction. Consequently, governments all around the world has been looking for ways to stop this unwanted preferential treatment of ICT companies. Data localization is one way to achieve that goal, since it puts the data, and hence the ICT company, within the reach of the state apparatus.
With the increased use of technology in our lives, a significant part of the relevant information for any case under investigation is tied to our online presence, such as our posts on social media accounts. Put differently, any data the Turkish judiciary or the government needs is currently beyond its reach. (You may refer to my earlier post for various data requests that the Turkish authorities issue). While the Turkish authorities may initiate international judicial cooperation to issue data requests from the social media companies located abroad, international rogatory commission is costly, lengthy, and often unfruitful. (A lengthy analysis of costs and benefits of international judicial cooperation and mutual legal assistance treaties may be found here). With the legal measure (i.e. rogatory commission) ineffective, the Turkish authorities have been seeking voluntary cooperation of the foreign social media accounts. Yet, these efforts have been similarly in vain.
By way of an example, while a company that is incorporated in Turkey or has assets in Turkey would be hesitant to decline data requests by the Turkish authorities (due to legal and practical consequences of such non-compliance), a social media company based in the US (that has no office, assets, or employees in Turkey) may easily reject such voluntary cooperation requests. In fact, ICT companies, such as Facebook or Twitter, generally do not voluntarily cooperate with the Turkish authorities unless the investigation relates to an imminent threat to life, such as an attempt to commit suicide or murder. Accordingly, the majority of the voluntary cooperation requests are declined and Turkish authorities do not possess either the carrot or the stick to induce such cooperation, especially if the ICT company has no presence in Turkey. At least, that was the case until April 2020.
In the absence of the carrot, the Turkish government seems eager to create the stick for the ICT companies through the proposed amendment to the Law No. 5651. By adopting rules similar to NetzDG, the Turkish government would require social media companies to have (some) presence in Turkey. Data localization would further strengthen the grasp of the state apparatus, since it would enable the state to conduct its own search in the absence of the ICT company’s cooperation. That is, even if the ICT company does not comply with the Law No. 5651, servers of the ICT company may be searched through a search warrant (of course such search would be subject to the Turkish domestic law standards).
Summarily, since it helps overcoming the preferential treatment of ICT companies, to many governments, data localization seems as the panacea to ensure the enforcement of their domestic laws. However, this medicine comes with many side effects.
Ramifications of Data Localization
Data localization and the idea of a global and free Internet are contradictory, if not mutually exclusive. Among others, data localization laws lead to the Balkanization of the Internet and increase the conflict-of-laws issues ICT companies have to deal with on a daily basis (and hence, hinder innovation). Moreover, it renders the data prone to cyber-threats and incapacitates ICT companies to use technologies such as cloud computing. (You may find detailed analysis of such ramifications here, here, and here)
Most importantly, data localization facilitates domestic surveillance over the (domestic) users’ data. That is, when international judicial cooperation systems, such as a mutual legal assistance treaty, is utilized to obtain data stored abroad, the user’s data is protected with not one, but two domestic legal systems. For instance, even if the request for data was lawful under Turkey, (if the social media company is located in the US,) the US authorities may reject the production of data if they believe that such a request runs against the freedom of speech enshrined under the US constitution.
Application of two domestic legal systems, which is one of the core mechanisms for international judicial cooperation, before handing in the requested data is akin to using two different sieves with different hole sizes. If there is an unwanted consequence that may arise due to the data request, even if one sieve does not catch it, the other (most probably) will. Data localization subject the data request to only one sieve, the hole size of which is determined solely by the government who produced the data request. This is why, in the wrong hands, data localization paves the way for censorship and potential abuse of user information.
Hitherto, data localization requirements under Turkish law have been sector-specific and, hence, limited in scope. Namely, banking sector, e-sim technology companies, and public companies are currently under the obligation to keep primary and secondary data in Turkey. However, with the amended Law No. 5651, social media companies, such as Facebook (potentially with WhatsApp, Instagram, and Facebook Messenger), Twitter, YouTube and TikTok would all be required to store their data related to Turkish users within Turkey. Digital platforms like Facebook, Google and Twitter are an essential component of the modern public sphere as well as private communications. This means that much of the users’ online communication and presence would be within the easy reach of the government. Alternatively, these companies may refuse to build servers in Turkey due to the related costs, and Turkish users would be deprived of these social media platforms.
With so many possible ripple effects, the decision to adopt a new data localization law should not be taken so lightly – and as lawyers and non-lawyers, we have to follow both the adoption and the implementation of such data localization laws with increased attention.
 Author notes that Facebook voluntarily cooperates when a person is about to commit suicide, when there are pieces of evidence suggesting a murder or child abuse offences are taking place, when a missing person may be found due to the evidence provided by Facebook. See Murat Volkan Dülger, Bilişim Suçları ve Internet İletişim Hukuku, (7th ed.), Seçkin, 2018, Bilişim Suçları, 209.
 Stanislaw Tosza, Cross-Border Gathering of Electronic Evidence, La Coopération Internationale Face aux Défis de la Société Numérique, 275 (‘[Voluntary cooperation] has also clear limitations as there is no remedy for law enforcement in case of lack of will to cooperate on the side of the ISP.’).
 Theodore Christakis, Lawful Access to Data: The US V. Microsoft Case, Sovereignty in the Cyber-Space and European Data Protection, 11, https://cdn2.hubspot.net/hubfs/3821841/docs/Whitepaper_EN_WEB.pdf, (“This is, also, an understandable impulse – an enhanced version of data localization is one of the only ways to ensure that a country’s law applies to the data of their own citizens by requiring it to be held domestically by a provider who will comply with local law.”)
- The conclusions, suggestions and views are entirely the author’s own and does not represent her law firm