Turkey's recent history is rife with human rights-stifling legislation and practices. The Internet Law, its amendments, and the recent decision of Turkey’s regulator (BTK) further cemented that trend. The Internet Law and amendments require large platforms to appoint a local representative, localize their data, and speed up the removal of content on-demand from the government. Turkey has also adopted a data protection law; however, it has failed to protect fundamental rights in practice. For instance, Turkey implemented emergency surveillance decrees, after the 2016 coup, that granted the Turkish government unrestricted access to communications data without a court order—a carte blanche for government spying. Platforms should stand with their users and uphold international human rights law and standards that protect privacy and free expression. We fear that platforms instead might knuckle under pressure from the Turkish government.
All these legal changes are happening in the midst of Turkey's rule of law and democracy deficit, and lack of independence in the judiciary. Turkey has dismissed and forced the removal of more than 30 Turkish judges and prosecutors, which the European Commission explained has led to self-censorship in the judiciary, further undermining its independence and impartiality. The government has also jailed political opponents, which the European Court of Human Rights has recognized, beyond any reasonable doubt, that the extensions of detention of a political opposition leader had pursued the predominant ulterior purpose of stifling pluralism and limiting freedom of political debate, a core component of a democratic society.
Forced Appointment of Turkish Representatives or Face Hefty Fines
In Turkey, foreign companies with a large social media presence in Turkey are required to appoint a local representative by November 2nd--30 days after BTK sent them a first warning. The law requires this of companies with “daily access” of one million; but it is unclear how “daily access” is measured. This representative must be a duly incorporated company under Turkish law or a Turkish citizen. But the appointment of a legal representative is a complex decision that can make companies vulnerable to domestic legal actions, including potential arrest and criminal charges. Appointing a local representative requires difficult line-drawing choices that are hard to get right when legally mandated.
Prior to this requirement, the Turkish government sent takedown content or access-blocking demands to platforms' headquarters in the EU or the U.S. Some local representatives may now respond to such government demands, and can potentially be subject to retaliation for non-compliance with a disproportionate order.
Facebook has communicated to the Turkish Government that they won’t comply with the law. Twitter, Google, and TikTok have not made any official statement about their intentions on appointing Turkish representatives, though the deadline expired on November 2nd. To date, only the Russian social media company, VKontakte appointed a local representative in Turkey. The Turkish regulator BTK announced on November 4th that they imposed a first-time fine of TRY 10 million (more than 1 million USD) on social network providers who have not appointed local representatives, including Facebook, Instagram, Twitter, Periscope, YouTube and TikTok.
The law creates draconian fines for those companies that do not appoint a representative and second-time fines of TRY 30 million (more than 3.5 million USD). If the provider still chooses not to comply, the BTK will prohibit Turkish taxpayers from placing ads on the provider’s platform and making payments to them. Even worse, if the provider still chooses not to appoint a representative, the BTK can apply to the Peace Criminal Court to throttle (slow down) the provider’s bandwidth by 50%. If the provider hasn’t still appointed a representative, BTK can apply for a further bandwidth reduction; this time the judge can decide to throttle the provider’s bandwidth anywhere between 50%-90%. Throttling can make sites practically inaccessible within Turkey, fortifying Turkey’s censorship machine and silencing speech--a very disproportionate measure that practically censors users’ ability to access online content within Turkey.
Forced Data Localization
The amendments to the Internet Law and BTK decision also force tech giants to take “all necessary measures” to keep within Turkey the data of people based in Turkey. These data localization obligations raise significant concerns about user privacy, free speech, and information security. Forcing platforms to localize the data can run afoul of the users' expectation and freedom to sign up to a service hosted outside Turkey--a reason they may have taken into account when choosing such service.
Once the data is stored in the country, the company has less ability to control the exploitation of vulnerabilities and unauthorized access. If companies keep users’ data within Turkey, that nation will have an easier time accessing the data. This forces companies to comply with government demands in a country with a poor human rights record. Here, too, some local representatives may over-comply with government demands out of fear of reprisal.
Overall, this measure seeks to strengthen the Turkish government's ability to control content published in social media and make it easier for it to obtain users’ data, which will expose their associations and locations.
Wide-ranging Privacy Rules, with No Balancing For Free Expression
The new amendments create a number of powerful new tools for those who wish to remove personal information off the Internet: to de-link search engine entries, order hosts to delete information, and to block foreign hosts that refuse to comply. While dealing with the consequences to privacy of an open Internet is a matter that every country is now struggling with, Turkey’s provisions are overbroad, and fail to balance the equally important right of Internet users to send and share information.
De-indexing Contested Search Results for Violation of Personal Rights
The new amendments to the Internet law and BTK decisions would require providers (via its local representative) to de-index from their search results users’ names from the internet address of a publication that violates users’ personal rights upon a court order--a similar provision to that of the 2014 European Right to be Forgotten. The EU standard, however, asks whether an individual’s privacy rights outweigh the public’s interest in having continued access to the data. No matter how carefully a de-indexation provision is drafted, conflicting principles of due process and free expression inevitably render it a complex and contested task. The problem is exacerbated due to Turkey’s lack of independence of the judiciary. Turkey is also infamous for its internet censorship machine, and its government’s obscuring of facts from Turkish online historical records including denunciations of government corruption. (Check several examples of news censored based on “personal rights.” ).
Content Removal and Blocking for Violation of Personal Rights
The Internet Law and BTK decision already compel content providers (via their local representative) to take down online content (post, photos, and other comments) that the user claims violates their personal rights. If the providers can not be reached, then the hosting provider must comply with such requests. This provision would encourage social media platforms like Facebook and Twitter, in their haste to avoid hefty fines, TRY 5 million (more than 500,000 USD), to remove perfectly legal expression. It also deputizes platforms to police speech at the behest of the government.
Users can also directly ask the Peace Criminal Court to order the Union of Access Providers to remove content or block access within 24 hours. According to the new amendments, the Union of Access Providers (an association that reunites all access providers in the country) will notify hosting, access, and content providers (via the local representatives) to comply with the court order in four hours, and in Turkish.
This quick turnaround would encourage providers to remove legal speech to avoid steep fines. Turkey lacks an independent judiciary and refuses to respect due process standards creates a fertile ground for meritless court orders. This can lead to the removal of speech that silenced voices that deserve to be heard, including those denouncing government corruption or other misconduct.
Companies should push back against orders that are inconsistent with the permissible limitation test under international human rights law. In addition to legal pressure and hefty fines, the UN Special Rapporteur on Free Expression expressed concern that Internet Service Providers have also “faced extralegal intimidation in certain jurisdictions, such as threats to the safety of their employees and infrastructure in the event of non-compliance.”
Access Blocking for Violation of the Right to Private Life
Under the Internet Law and BTK decision, any person based in Turkey can ask BTK to block access to an online publication that the user claims has violated the users’ right to private life. The BTK can decide to order the Union of Access Providers to comply within four hours or social network providers may face hefty fines of TRY 5 million (more than 500,000 USD). Like before, this speedy response would encourage platforms, in their haste to avoid steep fines, to block legal expression.
Further, the individual must also submit their request to the Peace Criminal Court within 24 hours. The judge will decide within 48-hour deadline, otherwise the access blocking ends automatically. In case of emergency, BTK can carry out the access blocking directly upon the BTK’s Chairman order and submit it to the Peace Criminal Court. The judge can review the request retroactively within 48 hours.
Content Removal and Blocking under International Human Rights Standards
Article 19 of the International Covenant on Civil and Political Rights allows states to limit freedom of expression under select circumstances, provided they comply with a three-step test: be prescribed by law; have legitimate aim; and be necessary and proportionate. Limitations must also be interpreted and applied narrowly. Permissible limitations, as explained by the UN Human Rights Committee, are generally content-specific; generic bans are incompatible with the permissible limitation test.
Further, prohibiting a site or a dissemination system from publishing material that may be critical of the government or the political social system espoused by the government is also inconsistent with the three-step test. Nor can it be invoked as a justification for “the muzzling of any advocacy of multi-party democracy, democratic tenets and human rights. Nor, under any circumstance, can an attack on a person, because of the exercise of their freedom of expression, including such forms of attack as arbitrary arrest, torture, threats to life and killing.” The UN Special Rapporteur on Freedom of Expression has gone further recommending States to only seek to restrict content upon a court order issued by an independent and impartial judicial authority, with due process and full compliance with the legality, necessity, proportionality, and legitimacy principles.
When it comes to blocking, the Council of Europe has recommended that public authorities should not, through general blocking measures, deny access by the public to information on the Internet, regardless of frontiers. The four special mandates on freedom of expression explained that:
“Mandatory blocking of entire websites, IP addresses, ports, network protocols or types of uses (such as social networking) is an extreme measure – analogous to banning a newspaper or broadcaster – which can only be justified in accordance with international standards, for example where necessary to protect children against sexual abuse.”
Blocking of websites is always an inherently disproportionate measure under international human rights law. It leads to over-blocking, false positives, false negatives, causes a serious interference with the Internet’s infrastructure, reduces internet traffic speed, and does not solve the root cause problem.
Press Freedom Crisis in Turkey and Podcasts as Alternative Channels
Amidst the state capture of media, the Internet plays a pivotal role. As we’ve said, journalists, academics, and writers who criticize the government risk criminal prosecution and harassment. Turkish citizens increasingly experience social and economic problems, too; the Turkish lira has hit record lows against the U.S. dollar. Amidst this atmosphere, Turkish citizens find it hard to obtain newsworthy information in a neutral, objective manner, or to voice their concerns.
Podcasts have become a safe haven for communication of ideas in Turkey. However, a recent regulation threatens this last bastion of freedom. In August 2019, the government required platforms that offer radio, television, or on-demand publication services over the internet to obtain a license to continue operating in Turkey. Spotify was recently compelled to obtain the license, to avoid access blocking within Turkey. Netflix, upon obtaining the license, faced systematic censorship on its platform. Academics predict the licensing requirement will pave the way for censoring on Spotify as well.
Tech Platforms Must Respect Human Rights
Social media companies must respect international human rights law, even when it conflicts with local laws. The UN Special Rapporteur on free expression has called upon companies to recognize human rights law as the authoritative global standard for freedom of expression on their platforms, not domestic laws. We agree. Human rights law “gives companies the tools to articulate and develop policies and processes that respect democratic norms and counter authoritarian demands.” Likewise, the UN Guiding Principles on Business and Human Rights provides that companies must respect human rights and avoid contributing to human rights violations. Companies must also “seek to prevent or mitigate adverse human rights impacts that are directly linked to their operations ..., even if they have not contributed to those impacts.”
“First, it carefully examines the domestic law cited to assess its specific requirements and application to the particular data access or removal requested. If the law is ambiguous, Google may interpret it in a narrow manner to avoid or restrict the government’s request. Next, its practice is to apply domestic law only to content and data within the scope of the issuing jurisdiction.”
GNI also explains that Google reaches out to the relevant government entity to seek clarification on how the content is violating local laws when the removal request is unclear. This may include, for example, where the content is precisely located (specific URLs) and which portion of the content allegedly infringes the law. The GNI report also explains how Google assesses risks to users in individual jurisdictions when determining where data should be physically collected and retained:
“The company may vary the nature of data collected or processed in specific jurisdictions based on these risks. The company also uses encryption, and limits on internal access, to mitigate risks to data that is collected and stored.”
Google’s Transparency report for Turkey explains that Google assesses such government demands under its community rules. Google has reported that they refused to take down content including speech by Kurdish minorities and Gezi Parki protestors as well as corruption claims involving public officials and politicians. On the other hand, Google complied with requests when the content concerned national security interests or violated Google community rules. It remains to be seen if or to what extent Google will comply with the Social Media Law.
Turkey Data Protection Adequacy Standards After the Schrems Rulings
While, after a 35-year legislative process, Turkey adopted a data protection law that mirrors the previous EU Data Protection Directive, Turkey has not yet obtained an adequate level of data protection equivalent to the European Union. The adequacy standard allows the transfer of personal data from the EU to Turkey (and vice versa) without any further safeguard being necessary. Turkish Data Protection Authority recently published a public announcement stating they are preparing for negotiations with the European Commission for an adequacy decision.
However, the European Commission has already recommended Turkey to ensure that the Turkish data protection authority can act independently and that the activities of law enforcement agencies fall within the scope of the law. In the Court of Justice of the European Union judgement related to international transfers, namely Schrems II, the court directed the EU Commission which elements must be taken into account when assessing if the third-country legal framework provides an adequate level of protection:
“the rule of law, respect for human rights and fundamental freedoms, relevant legislation, both general and sectoral, including concerning public security, defence, national security and criminal law and the access of public authorities to personal data, as well as the implementation of such legislation…, case-law, as well as effective and enforceable data subject rights and effective administrative and judicial redress for the data subjects whose personal data are being transferred;”
The Court of Justice of the European Union judgment in Schrems I. v. Data Protection Commissioner, also made clear that legal frameworks that grant public authorities access to data on a generalized basis compromise "the essence of the fundamental right to private life," as guaranteed by Article 7 of the EU Charter of Fundamental Rights. In other words, any law that compromises the “essence to right private life” cannot ever be proportionate nor necessary.
Turkey has also adopted more than thirty decrees during its two-year state of emergency, extended seven times. Following the 2016 coup attempt in Turkey, the Executive Branch adopted these decrees without parliamentary approval or oversight. The decrees resulted in permanent legislative and structural changes and mass dismissal of public servants, falling short of EU human rights standards. One decree grants many unspecified institutions unfettered access to communications data without a court order. The surveillance decree was designed to be used against coup plotters and so-called “terrorist organizations.” Such unfettered power violates the rule of law and the Principle of Legality, necessity and proportionality under international human rights law. The decree also compels companies to comply with BTK requests. Failure to do so leads to hefty fines, and the possibility that the BTK will take over an ISP’s premises.
EFF has not done a full assessment of Turkish surveillance laws and practice, however, we’ve learned from Citizen Lab that Turkey’s largest ISP, Türk Telekom, (of which the Turkish government owns 30%) had used deep packet inspection to redirect hundreds of users in Turkey to nation-state spyware when those users attempted to download certain apps. Citizen Lab also found that DPIs were being used to block political, journalistic, and human rights content. Another leaked document revealed that Türk Telekom uses deep packet inspection (DPI) tools to spy on users and extract not only “usernames and passwords from unencrypted traffic, but also their IP addresses, what sites they’d visited and when.” These are just a tip of the iceberg of the real level of privacy and data protection in Turkey.
Turkey's poor human rights records should be a wake-up call for platforms to stand with their users and uphold international human rights law. Companies should not remove content that is inconsistent with the permissible limitation test. Blocking measures, in our opinion, are always inconsistent with the necessary and proportionate principles. Companies should legally challenge such blocking orders. They should also fight back strategically under any pressure from the Turkish government.