A close-up of Türkiye's regulatory approach to data governance, content moderation, competition, artificial intelligence, and more.
The “DPA Digital Digest” series provides concise summaries of each G20 nation’s digital policy. Based on the Digital Policy Alert database, we outline rules and enforcement cases in data governance, content moderation, competition, artificial intelligence, and domestic points of emphasis.
Türkiye’s digital economy is growing. Between 2022 and 2023, several sectors grew significantly, including communication technologies (USD 16.1 billion, up from USD 13 billion) and information technologies (USD 16.9, up from USD 11.7 billion), according to the International Trade Administration. Since the pandemic, e-commerce has reached particularly high levels, reaching a 20.3% share of trade in 2023 – a growth of 107% since 2019.
Türkiye’s Twelfth Development Plan, for 2024-2028, targets the integration of competitive production with the green and digital transformation. The government aims to establish research and development infrastructure for key technologies such as artificial intelligence (AI), internet of things (IoT), augmented reality, and big data.
But what do Türkiye’s domestic digital policies stand for? Our Digital Digest provides a succinct overview of the latest policy and enforcement developments in major policy areas and Türkiye-specific points of emphasis.
Data governance: Türkiye has overhauled its cross-border data transfer rules and implemented the registration regime for data controllers.
Content moderation: Türkiye has developed content moderation obligations for e-commerce, online news and social network providers, reworked advertising blocking powers, as well as while enforcement has included issuing blocking orders.
Competition policy: Türkiye imposes specific unilateral conduct regulations on e-commerce companies and merger regulations on large technology companies, while enforcement actions affect some of the world’s largest digital enterprises.
Artificial intelligence: Türkiye is deliberating AI-specific legislation and has issued outlines on the intersection of AI and data governance.
Türkiye’s points of emphasis include taxation, electronic payments, e-commerce providers and electronic communications.
Jump directly to the section that interests you most:
Discover the details of Türkiye's regulatory approach on our dedicated country page.
Remain up-to-date on new and upcoming developments with our free notification service.
Written by Tommaso Giardini and Nils Deeg. Edited by Johannes Fritz.
The Personal Data Protection Law has been in force since 2016. It establishes a general data governance framework, outlining legal bases for data collection and processes, cybersecurity requirements, and establishing the personal data protection authority (PDPA). In June 2024, an amendment of the data protection law updated the categorisation of special categories of personal data and restructured the requirements for processing such data.
The Personal Data Protection Law also establishes a registration requirement for data controllers. As of 2022, data controllers must register with the Data Controllers Registry Information System (VERBIS). The requirement applies to all foreign data controllers as well as those local controllers that exceed employee and revenue thresholds or pursue data processing as their principal business activity, while smaller entities which do not primarily process sensitive personal data are exempt. Registration requires a data processing inventory, the appointment of a local representative and a contact person.
Efforts to update the existing data protection regime are ongoing. In October 2024, Türkiye began considering a Bill which would introduce specific data protection requirements for processing children’s data, such as obtaining parental consent. Previously, in March 2021, the Turkish government launched the Action Plan on Human Rights, including the goal of Protecting the Private Life in the Processing of Personal Data. The plan tasked the Ministry of Justice with proposing amendments to the data protection regime within one year, including harmonising it with European Union (EU) standards.
Türkiye imposes data localisation requirements by sector. The social media law of 2020 established a local storage obligation for social networks accessed by over a million daily users. Such networks are required to take "necessary measures" to localise the data of Turkish users. Further, banks are required to keep their primary and secondary systems within Türkiye while electronic communications service providers are prohibited from transferring traffic and location data abroad for national security reasons.
As of September 2024, an amended Personal Data Protection Law establishes new transfer mechanisms, replacing a consent-based system for data transfers. Personal data may be transferred abroad on the basis of: (1) adequacy decisions, (2) appropriate safeguards, including binding corporate rules and standard contracts, or (3) in exceptional cases, including informed consent and contractual necessity. The criteria for issuing adequacy decisions and using the other safeguards are further specified in the PDPA’s implementing regulation. The PDPA has issued standard contracts for the various configurations of transfers by both data processors (to processors and controllers) and data controllers (to processors and controllers). It has also published application forms for binding corporate rules for both processors and controllers, alongside guidelines for processors and controllers.
The PDPA regularly issues guidance on data protection:
In 2024, the PDPA issued guidelines comparing Turkish and EU data processing laws and published an information note on the circumstances under which personal data may be processed without explicit consent by the data subject.
In 2023, the PDPA issued guidelines on the processing of genetic data and provided guidance on privacy in mobile applications, recommending privacy by design.
In 2022, the PDPA issued guidelines on data protection considerations of customer loyalty programmes and cookie use by website operators.
Finally, in 2021, the PDPA issued guidelines on sharing personal data with third parties, the protection of biometric data, and the right to be forgotten in relation to search engines.
The PDPA takes an active stance in enforcing Türkiye’s data protection requirements:
In August 2024, the PDPA fined 16,350 data controllers a total of around TRY 503 million (approx. USD 14.4 million) for failing to comply with registration requirements.
In July 2024, the PDPA issued a data breach notification to the public in connection to a potential data breach at Uber.
In March 2023, the PDPA fined Meta and WhatsApp TRY 2.67 million each (approx. USD 76,000), for failing to comply with registration requirements.
In the same month, the PDPA fined TikTok TRY 1.75 million (approx. USD 50,000) for insufficient data security measures and privacy policies and failure to prevent unlawful data processing, among other things.
For failing to obtain consent, the PDPA fined WhatsApp TRY 1.95 million (approx. USD 56,000) in 2021 and Amazon Türkiye TRY 1.2 million (approx. USD 34,000) in 2020.
Türkiye has implemented a range of content moderation obligations across different sections of the digital economy.
The Internet Law provides the basic framework for internet regulation and specifies illegal content, such as obscenity and gambling. The 2020 Social Media Law added obligations for social networks, requiring providers with over one million daily users to maintain a local legal presence and respond to content removal requests within 48 hours. Non-compliance is punished with increasing fines, an advertisement ban and internet bandwidth reduction.
The October 2022 Disinformation Law incorporated Internet news sites into the scope of the Press Law, criminalised the dissemination of certain misinformation, and added further sanctioning powers.
Commercial advertisements are subject to the Advertising Council’s blocking powers. As of May 2024, the Council must follow a notification procedure requesting content removal following the Turkish Constitutional Court’s annulment of the Council’s direct blocking powers.
E-commerce intermediary providers must remove unlawful content, including advertisements, from the listings on their platforms and notify authorities of the relevant infringements.
A 2021 guideline prohibits influencers and advertisers from using hidden advertisements and threatens advertisement suspensions for non-compliance.
The Turkish legislature is currently considering further proposals on content moderation.
As of October 2024, the Grand National Assembly is considering a bill which would require platforms to implement age verification and content moderation measures aimed at protecting children, including AI content moderation tools and restricting location sharing.
In May 2024, the Grand National Assembly began considering a bill that would impose strict content blocking obligations on TikTok. The same Bill would require social media accounts to be linked to phone numbers, mandate timers displaying social media use time, and enable users to limit their own use time.
The Information Technologies and Communications Authority (ITCA) enforces the Social Media Law’s local presence requirement. In 2020, ITCA fined foreign companies, including Twitter, Facebook, Instagram and Youtube, multiple times, while in 2021, the authority imposed advertising bans on Pinterest, Twitter and Periscope.
Blocking orders have been issued against Discord, over child sexual abuse and obscenity, and Instagram, for failing to comply with the country’s framework regarding catalog crimes. The latter blocking was lifted following commitments by Meta.
The Constitutional Court has issued rulings clarifying the scope of the Internet Law’s blocking powers:
In November 2023, the Court found that the decision to block an internet news site had violated freedom of expression and the press, stressing the need for careful assessment for the use of such powers.
In January 2022, the Court published a ruling overturning blocking orders against online news issued without notice or hearing, limited the use of the blocking procedure to criminal cases with a heightened harm threshold, and implemented safeguards and reversal procedures.
Since the beginning of 2024, the amended Law on the Regulation of Electronic Commerce governs the unilateral conduct of e-commerce intermediary platforms. The Law prohibits platforms from selling their own trademarked goods. Further, platforms with an annual transaction volume exceeding TRY 10 billion (approx. USD 291 million) cannot use the data collected from their e-commerce platform to compete with other providers. Finally, platforms with an annual transaction volume exceeding TRY 60 billion (approx. USD 1.7 billion) are prohibited from entering certain new industries, including transportation.
Since May 2022, large technology companies, such as digital platforms, software and gaming companies, must report all acquisitions to the Turkish Competition Authority (TCA). The usual notification threshold of TRY 250 million (approx. USD 7.1 million) annual turnover does not apply in these cases.
The TCA analyses competition dynamics in the digital economy by conducting sectoral inquiries. In April 2023, it found in a preliminary report for a sectoral inquiry on the online advertising sector that Google and Meta engaged in practices affecting the level of competition in the market. In March 2023, the TCA concluded an inquiry on the Fast-Moving Consumer Goods sector with suggestions to amend e-commerce regulations.
The TCA regularly enforces competition rules in digital markets against large digital companies:
The TCA has opened investigations into Apple, regarding its app store payment systems, and e-commerce platforms, including Amazon, regarding automatic pricing mechanisms.
In May 2024, the TCA issued a final fine of approximately TRY 551.5 million (approx. USD 15.8 million) against Meta for abusing its dominant position by combining data from its core services Facebook, Instagram and WhatsApp. Previously, in October 2022, the TCA issued an initial fine of approx. TRY 346.7 million (approx. USD 9.9 million) and required the implementation of adequate compliance measures. In May 2024, Meta also received a fine of TRY 335.7 million (approx. USD 9.6 million) for merging user data from Instagram into the platform Threads.
For interfering with resale prices, the TCA fined e-commerce platform Arçelik Pazarlama AŞ TRY 365 million (approx. USD 10.4 million), Samsung TRY 227.1 million (approx. USD 6.5 million), and LG TRY 33.8 million (approx. USD 1 million) in August 2023.
In March 2023, Twitter was fined for failing to request authorisation before Elon Musk’s acquisition thereof, but the transaction was subsequently allowed.
The TCA cleared Google’s acquisition of Mandiant in June 2022, which was subject to the new merger notification rules.
In recent years, Google has been the subject of several TCA investigations into abuse of dominance:
In July 2024, the TCA found that, although Google held a dominant market position in the general search services market, it did not abuse it through the features on its results pages.
In June 2024, the TCA fined Google approximately TRY 482 million (approx. USD 13.8 million) for failing to implement compliance measures in relation to its search market and price comparison tools. An initial fine of TRY 296 million (approx. USD 8.5 million) was issued in 2021 because Google favoured its price comparison tool for accommodations and search services and disadvantaged competitors.
In June 2023, the TCA opened an investigation into Google regarding the online advertising market and advertising technology.
In a 2020 investigation into the search market and shopping comparison tools, the TCA fined Google TRY 98 million (approx. USD 2.8 million) for channelling internet traffic away from competitors to its Google Shopping service.
Regarding the digital advertising market, the Administrative Court of Ankara confirmed a fine of TRY 196.7 million (approx. USD 5.6 million) for preferencing its own advertisement platforms (Google Adsense / Adwords) in 2022.
In June 2024, Türkiye began deliberating an Artificial Intelligence Law, which would establish a general framework for AI development and use. The Law would require AI developers to carry out risk assessments and observe certain principles, including security, transparency, fairness, accountability, and privacy. The Law also contains a classification system designating certain AI systems, such as those used in autonomous vehicles, medical diagnostic systems, and the justice system, as high-risk. High-risk AI systems would have to be registered and undergo a conformity assessment. Finally, the Law provides for a number of supervisory powers, including carrying out conformity assessments, requesting additional information from operators, and imposing sanctions for violations such as deploying prohibited AI systems, general violations of AI operator obligations, and providing false information.
In August 2021, the government published the National Artificial Intelligence Strategy 2021-2025 which set out a number of regulatory priorities. The Strategy establishes principles to govern AI technologies, with the aim of developing human-oriented and reliable AI. Strategic priorities include enhancing AI deployment, increasing AI research, enhancing data and infrastructure access, encouraging socioeconomic adaptations while developing international cooperation. The Strategy also sets out plans for a National Artificial Intelligence Strategy Board and Advisory Board.
The PDPA plays an important role in formulating AI guidelines at the intersection of AI with data protection issues. In February 2024, the PDPA issued guidelines on deepfakes describing risks and possible detection methods. Previously, in September 2021, the PDPA issued recommendations relating to artificial intelligence for developers and users, which include privacy impact assessments for high-impact activities, anonymising AI data processing, enabling data subject rights, and providing for human intervention in AI processes.
There are no public, official sources on the Turkish government’s AI enforcement actions.
Since March 2020, the Turkish digital service tax is in force. The tax applies to companies that pursue digital advertising, sales of audio/visual/digital content through a digital platform or digital marketplace services and exceed a global annual revenue of EUR 750 million (approx. USD 787.8 million) or local annual revenue of TRY 20 million (approx. USD 570,000). The president may adjust the tax rate of 7.5% at his discretion within the range of 1-15%. In August 2024, Türkiye implemented an amendment decree raising taxes on goods delivered by mail or fast cargo. In the same month, legislation came into force expanding reporting obligations for e-commerce platforms, social network providers, and digital payment providers.
On 22 November 2021, the United States and Türkiye announced an agreement on the transition from the existing Turkish tax to the OECD/G20 Inclusive Framework. Under the agreement, Türkiye will remove its existing DSTs before the entry into force of Pillar One of the framework, in exchange for the US retracting trade measures originally adopted in response to the tax. In March 2024, the countries updated and extended the agreement. In August 2024, Türkiye published its legislation implementing the Pillar Two minimum tax rate.
In July 2024, an amendment to the Capital Markets Law established a licensing regime for crypto-asset service providers, including digital payment providers and platform intermediaries, and gives the Capital Markets Board supervisory powers. In August 2024, the Board specified these licensing conditions for crypto-asset service providers, including having a certain minimum share capital and meeting certain conditions in the Capital Markets Law. Previously, in 2021, the Turkish central bank imposed a ban on the use of crypto assets in payments and excluded cryptocurrencies as legal tender by tying the definition of electronic money to fiat currencies. The central bank has also conducted its own pilot Digital Turkish Lira Project.
The 2022 amendment to the Law on the Regulation of Electronic Commerce establishes a new licensing regime for e-commerce intermediary platforms from 2025 onwards. Platforms with a transaction volume exceeding TRY 10 billion (approx. USD 290 million) and intermediating more than 100,000 transactions per calendar year must obtain and regularly renew a license. The licensing fee is calculated according to the platforms’ net transaction volume. The government can sanction violations with TRY 20 million (approx. USD 570,000) or 10% of yearly net sales and, if they are not rectified, may block access to the platform. In addition, the amendment increases the Ministry of Trade’s ability to regulate e-commerce activities, which providers must report to every year. In July 2024, Türkiye began deliberating a bill exempting certain e-commerce transactions from license fee calculations.
In December 2022, the government adopted the Regulation on Electronic Commerce Intermediary Service Providers and Electronic Commerce Service Providers. It includes obligations regarding counterpart identification, complaint mechanisms and compliance reporting as well as a requirement to establish a local contact point for e-commerce intermediary platforms.
The 2022 amendment to the Regulation on Consumer Rights in the Electronic Communication Sector imposes various transparency obligations on communications operators. Operators must inform consumers clearly and free of charge regarding fees and publish tariffs in a consistent, transparent format. Regarding subscription agreements, operators must provide one-page summaries on fees, enable electronic agreements and terminations and store information on agreements for 30 years after termination. Finally, service restrictions and suspensions are restricted to cases of severe overuse and excessive failure of payment.