Founder
February 28, 2026
25 min read
Information technology law is, in its most basic terms, a modern branch of law concerned with the production, processing, storage and transmission of information in the electronic environment and with the resolution of disputes arising from these processes; it consists of a unique synthesis of technical and legal norms. Classical legal disciplines, built on the boundaries of the physical world, concepts of property and traditional understandings of sovereignty, have proved inadequate in the face of the internet’s decentralised, border-crossing and instantaneous nature. This inadequacy has made inevitable the emergence of a new, flexible and proactive regulatory logic capable of grasping the distinctive dynamics of the digital ecosystem. Yet information technology law does not exist in isolation, as an island; rather, it functions as a “meta-discipline” or intersecting set that encompasses the projections of all existing classical branches of law in cyberspace and synchronises them with digital reality.
This multidisciplinary structure of information technology law lies in the potential for a single virtual act or violation to engage more than one branch of law at once. For this integrated structure to be better understood, the organic links and points of intersection between information technology law and fundamental disciplines such as human rights law, criminal law, commercial law and private law must be examined from an analytical perspective.
The relationship between human rights law and information technology law is the scene of some of the digital age’s most difficult legal and philosophical debates. The internet is, on the one hand, the most powerful catalyst for freedom of expression, the right of access to information and democratic participation; on the other, it is a medium where privacy, personal data and individual reputation are most easily violated. At this point, information technology law takes on the mission of striking a balance within the framework of Constitutional and European Convention on Human Rights (AİHS) standards. For example, the persistent presence on news sites of a negative event from an individual’s past creates a serious conflict between the right to receive information and the person’s “right to be forgotten.” The mechanisms of information technology law make a direct contribution to human rights law by developing modern legal instruments such as removal from search engine indexes or takedown of content, with the aim of enabling the person to exercise control over their digital past and protecting their reputation.
When assessed in the context of criminal law, it is clear that information technologies have fundamentally altered the practice of committing crimes. The fact that technology serves both as the environment in which the crime is committed (target) and the instrument used to commit it (means) has given rise to the concept of “information technology crimes” (cybercrimes). Alongside offences directly targeting the system—unauthorised access to the system, blocking or disrupting the system, destroying or altering data—as set out in the Turkish Criminal Code (Türk Ceza Kanunu, TCK), the commission of traditional crimes (insult, fraud, threat or blackmail) by means of information systems is among the areas where criminal law and information technology law intersect most intensely. The catalogue of offences listed in Article 8 of Law No. 5651 on the Regulation of Publications Made in the Internet Environment and the Combating of Crimes Committed Through Such Publications—incitement to suicide, sexual abuse of children, obscenity, facilitation of drug use and provision of place and opportunity for gambling—is the most concrete example of the reflection of criminal law’s reflex to protect public order in the cyber sphere. Furthermore, the processes of obtaining evidence, search and seizure in the electronic environment are conducted under the provisions of the Code of Criminal Procedure (Ceza Muhakemesi Kanunu, CMK) No. 5271, and the “E-Tespit” procedures performed by notaries play a vital role in preserving the chain of evidence.
The commercial law and intellectual property law dimension forms the legal foundation of the digital economy. The operation of e-commerce platforms, domain name disputes, electronic contracts and acts of unfair competition carried out in the digital environment are areas where information technology law is closely intertwined with commercial law. For example, a company’s use of a competitor’s registered trademark as a “keyword” (AdWords) in search engines to direct consumers to its own site constitutes unfair competition and infringement of trademark rights within the scope of the Turkish Commercial Code. The determination of competent courts in such disputes and the evaluation of access-blocking requests fall within the shared expertise of commercial and information technology law. Likewise, the unauthorised copying, distribution and sharing of works in the digital environment is assessed within the framework of Law No. 5846 on Intellectual and Artistic Works (Fikir ve Sanat Eserleri Kanunu, FSEK), and the legal responsibilities of hosting and access providers in preventing copyright infringement are regulated by “notice and takedown” (uyar-kaldır) mechanisms.
In the context of private law (civil law and law of obligations), the link is established mainly through tort liability and the protection of personality rights. A false news item, defamatory comment or photograph published without consent in the internet environment bears the character of a tort within the scope of the Turkish Civil Code No. 4721 and the Turkish Code of Obligations No. 6098. According to the case law of the Court of Cassation (Yargıtay), personality rights are legal entitlements acquired by the individual at birth, encompassing their physical and moral integrity, name, professional career and reputation. Where these rights are violated in cyberspace, Sulh Ceza Hâkimlikleri (criminal courts of peace) come into play under Article 9 of Law No. 5651, extending the protective shield of private law into the digital environment through decisions on removal of content or blocking of access.
Follow industry developments from Genesis Hukuk and receive priority information on industry analyses from expert attorneys in the education sector.
In Türkiye there is no single “Information Technology Law” (umbrella law / codification) that regulates the fields of information technology, the internet, electronic communications and cybersecurity in a comprehensive manner and brings all legal disputes under one roof. Instead, there is a highly fragmented and dispersed legislative structure consisting of norms adopted reactively (in response to circumstances) or partly proactively in connection with emerging specific technological needs, crises or sectoral developments, and scattered across different legislative instruments.
The most important factor underlying this fragmented structure is the asymmetry between the exponential (compound) pace of technological evolution and the traditional, slow and bureaucratic nature of legislative bodies. In the classical understanding of law, statutes are codified in the form of casuistic (case-based) or abstract norms as a result of long years of experience, doctrinal debate and social consensus. Yet information technologies (artificial intelligence, blockchain, the internet of things, cloud computing, big data) develop and mutate so rapidly that preparing a vast “Information Technology Code” covering all these areas carries the risk that some of its provisions will become obsolete and inoperative before the law is even published in the Official Gazette (Resmî Gazete). Faced with this inescapable reality, the Turkish legislator has been compelled to forego creating a monolithic (single-piece) law and to adopt a “modular,” “flexible” and “open to development” regulatory strategy.
As a reflection of this strategic choice (or necessity), the relevant legal provisions are spread across different laws as follows: The boundaries of internet broadcasting, the responsibilities of internet actors (content, hosting, access and collective use providers) and the mechanisms for combating cybercrime are framed by Law No. 5651 on the Regulation of Publications Made in the Internet Environment and the Combating of Crimes Committed Through Such Publications, which entered into force in 2007 and has been revised repeatedly over the years. However, the physical infrastructure on which the internet operates, cable and wireless networks, frequency allocations and the rules of competition between telecommunications operators have been assigned to a completely different statute—Law No. 5809 on Electronic Communications.
The social dimension of the system—that is, state subsidisation of disadvantaged regions’ access to the internet and technology and the prevention of the digital divide—is regulated by Law No. 5369 on Universal Service. The validity and security of legal transactions conducted over the internet are secured by Law No. 5070 on Electronic Signature, while the confidentiality of data constantly processed, transmitted and stored across this entire digital ecosystem has been turned into a distinct regulatory domain by Law No. 6698 on the Protection of Personal Data (Kişisel Verilerin Korunması Kanunu, KVKK).
Moreover, with cyberspace having become a matter of national security, Law No. 7545 on Cybersecurity was enacted in the 2025/2026 period; the protection of critical infrastructure, cyber resilience and substantial administrative sanctions are regulated separately by this new law.
The main advantage of this fragmented structure is that it allows a radical change needed in a particular area (e.g. only in cybersecurity or only in personal data) to be made easily in the relevant law without affecting other areas. Yet the drawbacks are also quite clear: for actors in the sector (e.g. a technology company or a university’s distance education centre), the compliance process becomes extremely complex. When a data breach occurs, the company must simultaneously contend with compensation claims by victims in private law, fines imposed by KVKK in administrative law, investigation launched by the Chief Public Prosecutor’s Office (Cumhuriyet Savcılığı) in criminal law, and multi-million fines imposed by the Cybersecurity Presidency (Siber Güvenlik Başkanlığı, SGB) under Law No. 7545 in the field of cyber regulation. This increases the potential for conflict in the hierarchy of norms and makes specialised legal advice inevitable.
Türkiye’s vast and ever-expanding digital ecosystem is governed by a multi-tiered regulatory architecture operating across a broad spectrum—from macro planning to micro supervision, from infrastructure construction to content intervention. The main building blocks of this architecture are the Ministry of Transport and Infrastructure, the Information Technologies and Communication Authority (Bilgi Teknolojileri ve İletişim Kurumu, BTK) and the newly established Cybersecurity Presidency (Siber Güvenlik Başkanlığı, SGB).
The Ministry of Transport and Infrastructure is the supreme executive and planning body for Türkiye’s policies on information technology, communications and cyberspace. The Ministry’s role is not day-to-day operational intervention but to design the country’s digital future, set strategic objectives and ensure coordination between the public and private sectors.
Under Article 474 of Presidential Decree No. 1, the Ministry’s remit is very broad. The Ministry is tasked with conducting work to determine national policy, strategy and targets in communications, intelligent transport systems, and postal operations and services. The planning, establishment and operation of electronic communications networks and systems in line with commercial, economic and social needs and technical development constitute the Ministry’s core vision.
The Ministry is also responsible for ensuring that the sector operates in an equitable, swift, secure and sustainable environment of free competition and for monitoring the implementation of universal service policies (within the framework of Law No. 5369). The processing in management centres of vast data (big data) obtained in the context of intelligent transport systems, the planning of national exercises to strengthen the cybersecurity shield, and the encouragement of production of strategic cyber intervention tools by domestic and national means form the backbone of the Ministry’s strategic plans for 2024–2028.
BTK is the most effective sectoral authority with administrative and financial autonomy, established to ensure effective competition in the electronic communications sector, protect consumer rights, conduct frequency planning and directly supervise the implementation of information technology legislation in the field. The macro strategies drawn by the Ministry are regulated and implemented by BTK at the micro level through secondary legislation (regulations, circulars, board decisions).
One of BTK’s most critical powers is the comprehensive supervisory mechanisms it conducts over information technology companies and authorised operators through the Directorate of Sectoral Supervision. Under the “Regulation on the Supervisory Activities of the Information Technologies and Communication Authority,” BTK supervises companies in three dimensions:
İzleme (Monitoring) consists in assessing operators’ compliance with legislation by inspection in the Authority’s archives, electronic data processing centres or on site where necessary; in cases not involving serious violations, the operator is given up to 30 days to submit a defence and an administrative sanction or fine may be applied directly without the need to open an examination or investigation. İnceleme (Examination) is in-depth supervision initiated by the Board Chair on his/her own motion, upon notification or complaint; identified non-compliances are communicated to the operator by “examination query” and 30 days’ written defence is requested. Soruşturma (Investigation) is a supervision mechanism initiated directly by decision of the Telecommunications Board in cases of more serious violations and conducted in great detail; “investigation query” and defence procedures (including oral defence where necessary) are carried out, and the Board may suspend or restrict the company’s activities for up to 6 months to prevent harm that is difficult to remedy.
During these inspections, BTK inspectors are granted extraordinary powers. Inspectors may enter companies’ management premises and buildings, inspect electronic communications infrastructure, equipment and software on site, take copies of documents or obtain samples of electronic data against a record. Furthermore, by virtue of the “remote supervision” power added to the regulation as a requirement of the modern age, inspectors have the right to remotely access the operator’s virtual networks by technical means and supervise systems in real time. Companies are obliged to keep the infrastructure necessary for such remote access available.
BTK’s other major power stems from its authority under Law No. 5651 in respect of intervention in internet content, blocking and filtering. The BTK President may issue a decision to block access directly on his/her own motion where there is sufficient suspicion that offences listed in Article 8 (e.g. obscenity, abuse of children) have been committed and the content or hosting provider is located abroad (or where delay is prejudicial although located domestically). In addition, blocking decisions issued by courts on the ground of violation of personality rights or privacy are transmitted directly to BTK; through the technical infrastructure within the Authority and the Access Providers Association (Erişim Sağlayıcıları Birliği, ESB), the Authority ensures that these decisions are immediately (within 4 hours at latest) implemented by internet service providers.
The establishment of the Cybersecurity Presidency (Siber Güvenlik Başkanlığı, SGB) with the entry into force of Law No. 7545 on Cybersecurity in the 2025/2026 period represents a revolutionary change in Türkiye’s regulatory architecture. The National Cyber Incident Response Centre (Ulusal Siber Olaylara Müdahale Merkezi, USOM), which previously operated under BTK and the Ministry with more limited powers, has been fully transferred to SGB with all its technical and administrative capacity.
SGB is the supreme competent authority that governs cyberspace not as an area of commercial service but from the perspective of national security, survival and border defence. Among SGB’s tasks are setting cybersecurity policy and standards for public institutions and private sector organisations, testing the cyber resilience of critical infrastructure, and conducting certification (testing and approval) processes for cybersecurity software and hardware. In particular, the requirement to obtain SGB approval for the export of domestic cybersecurity products is evidence that these technologies are viewed as strategic weapons/tools.
SGB’s supervisory and sanctioning power is very heavy. It is authorised to impose substantial administrative monetary fines ranging from 1,000,000 TL to 10,000,000 TL (increased by revaluation rates) on institutions that fail to comply with cybersecurity standards, do not report data breaches or do not take the infrastructure measures determined by the Presidency.
Three principal laws that form the backbone of information technology law aim to regulate different layers of the internet (content, infrastructure, accessibility).
Law No. 5651 “On the Regulation of Publications Made in the Internet Environment and the Combating of Crimes Committed Through Such Publications,” adopted in 2007, is the foundational text that defines internet actors, sets out liability regimes and determines the procedures for combating crimes committed over the internet. The Law classifies actors into four main categories:
İçerik Sağlayıcı (Content Provider): A natural or legal person that produces, modifies and provides any kind of information, data, text or image offered to users in the internet environment. The Law does not impose strict (objective) liability on content providers; however, the content provider is directly liable for any content it produces and makes available on the internet. As a rule it is not liable for third-party content to which it provides a link, but liability arises if the manner of presentation shows that it endorses that content.
Yer Sağlayıcı (Hosting Provider): Enterprises that host and hold on their servers information produced by content providers (e.g. data centres, social media platforms, video hosting sites). For hosting providers the Law adopts the principle of “no duty to investigate.” That is, the hosting provider is not obliged to proactively check whether the content it hosts is unlawful. However, under the “notice and takedown” (uyar-kaldır) mechanism, when it is notified by a court or competent authority of unlawful content it must remove the content from publication to the extent of its technical capability. Otherwise it may face heavy monetary fines (10,000 TL – 100,000 TL). It also has an obligation to retain traffic data for six months.
Erişim Sağlayıcı (Access Provider): Telecommunications operators (İSS) that enable users to access the internet network. Their responsibilities are to implement promptly in technical terms the access-blocking decisions (on an IP, domain name or URL basis) transmitted by the court or BTK, and to retain user traffic data (log records) for the period specified by the law.
Toplu Kullanım Sağlayıcı (Collective Use Provider): Natural or legal persons that offer the possibility of internet access in a certain place (internet cafés, hotels, university campuses). These actors too must record traffic on their internal networks and block access to sites containing elements of crime by means of filtering software.
The crime-combating mechanism of Law No. 5651 rests essentially on Article 8 and Article 9.
Article 8 represents the state’s direct reflex against catalogue offences that deeply affect public health and morals (abuse of children, prostitution, incitement to drug use). Where there is sufficient suspicion, access to the entire site may be blocked by administrative or judicial decision.
Article 9 serves the protection of personality rights. When legal persons under private law or citizens claim that their personality rights have been harmed by a publication on the internet, they apply to the Sulh Ceza Hâkimliği. The judge conducts a balancing test between freedom of expression and the right to personality. If the judge will issue a blocking decision, the prohibition on censorship requires that as a rule only the URL of the relevant publication be blocked. However, if the violation is so systematic that it cannot be overcome by URL blocking, the judge also has the power to block access to the entire domain name, with reasons stated. Failure to comply with these decisions is subject to heavy sanctions including criminal monetary fines from 500 to 3,000 day-fines.
If Law No. 5651 is the “soul and content” of the internet, Law No. 5809 is the “body and infrastructure” of the internet. This law, which entered into force in 2008, is the foundational regulation that ensures the liberalisation of Türkiye’s electronic communications market, the establishment of competition and the encouragement of investment.
The first article of the Law aims at the establishment of effective competition in the sector, the observance of consumer rights and the efficient use of resources. Because building information technology infrastructure requires substantial capital, it is inevitable that the first (incumbent) operators to enter the market will gain monopoly power. Law No. 5809 emphasises in its fourth article the principle of “Equality and Non-Discrimination” and establishes mechanisms to ensure that operators share their infrastructure with other operators (right-of-way agreements, facility co-location), so as to break this monopolisation. Agreements between the operator and the right-of-way provider (e.g. a municipality or another company) are concluded freely but are subject to BTK approval and notification. In this way, waste of resources in processes such as laying fibre-optic cable and installing base stations is prevented and the path is opened for technological development.
In a digitalising world, access to the internet has ceased to be a luxury and has become a fundamental human right. Yet market mechanisms by nature aim at profitability; this leads telecommunications companies to direct investment to densely populated cities, while rural and rugged geography is left without the internet (digital divide).
Law No. 5369 on Universal Service was enacted in 2005 precisely to remedy this market failure through state intervention. The purpose of the Law is to ensure that communications services whose provision by commercial operators involves financial difficulty are delivered at a predetermined minimum quality and at a reasonable price affordable to all in every corner of Türkiye through operators designated as universal service obligors. Through the Universal Service Fund, to which a certain proportion of revenues is transferred, the Law finances the installation of base stations or laying of fibre lines to villages and mountainous areas. Thanks to this law, access to information technology services is sought to be made available to all citizens regardless of regional or economic class distinction. This infrastructure equality is the sole physical condition for the success of distance education (UZEM) systems, detailed below, especially in periods of pandemic and emergency.
Today, Distance Education Application and Research Centres (UZEM) operating within universities and large educational institutions have long transcended the status of merely an “academic unit.” These structures, to which hundreds of thousands of students connect in real time and where data is produced, stored and shared on a vast scale, are from the perspective of information technology law full-fledged “information technology organisations.” For this reason, UZEM management sits at the very heart of a complex legal matrix composed of Law No. 5651, the Law on Intellectual and Artistic Works (Fikir ve Sanat Eserleri Kanunu, FSEK), the Law on the Protection of Personal Data (Kişisel Verilerin Korunması Kanunu, KVKK) and Law No. 7545 on Cybersecurity, alongside the legislation of the Council of Higher Education (Yükseköğretim Kurulu, YÖK).
Although a university or institution may technically have the capacity of “Yer Sağlayıcı” (hosting provider) by virtue of hosting its own servers, by reason of its core activity a UZEM’s legal identity is “İçerik Sağlayıcı” (content provider). Under Articles 2 and 4 of Law No. 5651, a content provider is a natural or legal person that produces, modifies and provides any kind of information, lecture videos, assignments, exam questions or presentations offered to users (students) in the internet environment.
The content provider capacity imposes on UZEM management direct liability for all content it makes available. This liability invalidates the “I did not know” defence where content uploaded to the platform is unlawful (e.g. copyright infringement or defamation).
The legal obligations that UZEM management must comply with under the parameters of information technology law and the sanctions in case of breach are as follows. Imprint/information obligation (Law No. 5651, Art. 3) requires that on the main page of the UZEM website and of the Learning Management System (LMS), under the “İletişim” (Contact) heading accessible directly to users, the institution’s name, address, authorised personnel and contact e-mail be present in an up-to-date and correct form; in case of deficiency, the BTK Presidency imposes an administrative monetary fine of between 2,000 TL and 50,000 TL (increased by revaluation rates) on the legal person to which the UZEM belongs (or on those responsible). Intellectual property (copyright) and content control (FSEK No. 5846 and Law No. 5651, Art. 4) protect as works the books, articles or images in PDF format uploaded by teaching staff, and UZEM as direct content provider must prevent the uploading of works copied without authorisation; upon application by right holders, “notice and takedown” procedures apply, and if content is not removed, access blocking or content removal decisions may be issued through compensation claims and the Sulh Ceza Hâkimliği, with additional administrative fines of 10,000–100,000 TL for non-compliance. Liability for providing links (Law No. 5651, Art. 4/2): a link by the instructor to an external source does not as a rule make UZEM liable, but if the manner of presentation shows endorsement of the content, liability arises under the general provisions and tort liability, compensation and court-based access-blocking sanctions may apply. Cybersecurity and infrastructure resilience (Law No. 7545 on Cybersecurity) require that UZEM servers storing critical data (TC Kimlik no, grades, biometric data in proctored exams) be tested against external cyber attacks and secured with certified domestic products; in data breaches due to security vulnerability, SGB may impose administrative monetary fines of between 1,000,000 TL and 10,000,000 TL. Traffic data (log) retention (Law No. 5651 where the Yer Sağlayıcı function is performed) obliges UZEM, when it hosts its own servers, to retain students’ IP addresses, connection times and traffic data in the format specified in the regulation; failure to retain traffic data for the period provided (6 months to 2 years) results in administrative monetary fine and legal liability upon inspection.
Explore the legal guide on copyright, licensing, and IP infringement for educators and institutions creating online course materials.
To see how the legal compliance requirements of a UZEM in Türkiye work in practice, the regulations and directives of the Distance Education Research and Application Centre of Akdeniz University (AKUZEM) may be taken as reference. AKUZEM legislation shows how the centre is integrated with YÖK standards and information technology laws.
First, under YÖK’s “Procedures and Principles on Distance Education,” a UZEM may deliver at most 30% of the courses in face-to-face programmes by distance. For each course hour in the curriculum in these courses, at least 20 minutes of synchronous (live) teaching is a legal requirement. The vast volume of traffic data processed on the Learning Management Systems (LMS) used in this process must be stored securely in accordance with hosting provider obligations (log records).
Second is the dimension of protection of personal data and exam security. The AKUZEM Regulation on Graduate Education (Article 23/5) provides the legal basis for thesis defences and proficiency exams to be conducted in the electronic environment using a video conference (teleconference) system. Yet the use of this method is not only an administrative convenience that reduces the travel costs of jury members from other cities; it also means the transmission over electronic networks of participants’ image, voice and appearance data (personal data). For this reason, UZEM management is obliged to obtain consent from participants before the exam in respect of KVKK information notices and to ensure that video recordings of the exam are retained only for legitimate purposes. Otherwise, in the event of unauthorised leakage or disclosure of these recordings, the provisions of TCK on the recording of personal data and their unlawful transfer/obtainment (TCK Arts. 135, 136) and the substantial administrative monetary fines of the new Law No. 7545 on Cybersecurity for data breaches will come into play.
Lastly, the wording in the AKUZEM directives clearly emphasised to teaching staff—“Course materials must be uploaded to the Learning Management System (ÖYS). Compliance with the Law on Intellectual and Artistic Works and the Law on the Protection of Personal Data is mandatory”—shows that the centre is aware of its content provider capacity and has built a right of recourse mechanism (directing liability to the instructor who committed the violation) through an institutional arrangement.
It is important for UZEM managers to adopt a proactive approach within this matrix of obligations. Rather than treating legal compliance as an “additional check” to be addressed after the technical infrastructure is built, creating from the design stage of the system an architecture that incorporates legal requirements—the approach known as “compliance by design”—both reduces inspection risk and lowers the cost of future revisions. In this field there are law firms that publish guides in Turkish on distance education law, the legal status of digital content producers and KVKK compliance in educational institutions; the publications of Genesis Hukuk, based in Antalya—Türk Hukukunda Uzaktan Eğitim ile İlgili Hukuki Çerçeve (Legal Framework for Distance Education in Turkish Law) and Uzaktan Eğitimde Dijital İçerik Üreticilerinin Hukuki Statüsü (Legal Status of Digital Content Producers in Distance Education)—are of a guiding nature on this subject.
In conclusion, a UZEM management in Türkiye must provide a fully transparent, accountable and secure infrastructure in law in the virtual campus in which it operates. Organising copyright and KVKK awareness training for teaching staff, establishing a “notice and takedown” transmission panel on the web interface to handle complaints, and bringing server infrastructure into line with new cybersecurity regulations (SGB standards) are primary legal duties that UZEM managers cannot avoid. Ensuring the integrity of this digital data and its sharing within legal bounds, as much as the quality of educational activities, has become a core responsibility of modern educational institutions.
Learn about KVKK compliance for special categories of personal data in Turkish schools, managing risks and implementing robust security strategies.
For legal advice on information technology law, UZEM compliance and KVKK, you can contact Genesis Hukuk.
