The parliament has approved the first 13 articles of a cybersecurity bill that has drawn criticism for threatening privacy, freedom of expression, and the inviolability of private residences. Opponents argue that the legislation is unconstitutional.
A parliamentary amendment removed an earlier provision that would have granted the Cybersecurity Directorate head the power to conduct searches, make copies, and seize data.
Under the revised bill, searches of private residences, workplaces, and non-public areas will require a court order for reasons of national security, public order, crime prevention, or cybersecurity threats. However, in cases where delays pose a risk, a written order from a prosecutor will be sufficient to conduct a search. Seized copies will be stored without causing prolonged service disruptions, and a copy will be provided to the relevant party. The entire process will be documented and signed.
For searches conducted without a court order, authorities will have to submit the case to a judge for approval within 24 hours.
In data centers operated by authorized providers, searches, copying, and data seizure will only be permitted with a court order.
Judges will be required to issue a ruling within 48 hours. If no decision is made within this period, any copied data and decrypted texts must be immediately destroyed, and the seizure order will automatically be lifted. The Ankara Criminal Judgeship of Peace will have exclusive jurisdiction over such requests. However, in cases involving public institutions, no court approval will be required.
Cybersecurity Board to be established
Under the other approved articles, a Cybersecurity Board will be established as the central authority overseeing national cybersecurity policies. A Cybersecurity Directorate will operate under this board.
The directorate will be authorized to collect and store data and log records. It will also have the power to request and extract information, documents, data, and records from operational centers and communication infrastructure. These records can be stored for up to two years and shared with relevant institutions and organizations through official reports.
To deter cyberattacks, the directorate will take or enforce necessary precautions. It will also have the authority to establish Cyber Incident Response Teams (SOME) to address cybersecurity threats.
Local administrators, law enforcement agencies, and public institutions will be required to assist and cooperate with those conducting cybersecurity inspections.
Inspectors will be authorized to examine electronic data, documents, infrastructure, devices, systems, software, and hardware as part of their oversight duties. They may also make copies, request written or verbal explanations, prepare official reports, and inspect facilities and operations.
Entities subject to inspections must ensure access to devices, systems, software, and hardware within the given time frame, provide the necessary infrastructure for the inspection, and keep systems operational.
Discussions on the remaining eight articles of the bill are set to resume on Mar 11. (HA/VK)
