Türkiye’s Personal Data Protection Act

1. Overview

In order to control the processing of personal data and safeguard people’s privacy, the Personal Data Protection Law of Turkey (Law No. 6698) was created in 2016. It applies to modified media where a personal identification is present, even though it doesn’t expressly address deepfakes.

2. Scope of the Law

The law protects people from the manipulation, distribution, or unauthorized acquisition, including deepfakes such as voice, tampered images, or video. The law targets both these materials when they involve personal data. The law can indirectly address non-consensual deepfake pornography, harm, or reputation identity theft. Only legal purposes, artistic, or journalistic purposes, unless exploitative, are excluded.

3. Key Provisions

• Forbidden Actions: Article 12 mandates data controllers to “adopt all necessary technical and organisational measures to ensure the personal data are not made available in an unwarranted manner to unauthorized persons.”
• Processing with no legal basis or consent is a breach under Article 6(1):” It is forbidden to process special categories of personal data unless the data subject gives their explicit consent.”
• Consent Requirements: Article 5(1) mandates: Personal data shall not be processed without the explicit consent of the data subject,” unless an exemption applies.
• Platform Obligations: Article 15 allows the Persona Data Protection Board to adjudicate complaints and order erasure or anonymization of illegally processed data. Platforms are bound to comply with such orders.

4. Fines and Enforcement

Violations can be subject to financial penalties of up to TRY 50,000 – TRY 1,000,000. In some cases, criminal liability can be imposed under the Turkish Penal Code. It will typically be enforced by the Personal Data Protection Authority (KVKK).

5. Prominent precedents or case law

There are no public deepfake-specific precedents,yet KVKK has issued fines and verdicts for unauthorized biometric information as well as doctored personal images.

6. Global standards comparison

KVKK has a similar structure to the EU’s GDPR, but lacks regulations specifically for deepfakes. Its jurisdiction is broader than U.S. legislation but not as focused on future AI threats as the EU AI Act.

7. Practical Implications

Creators must secure explicit consent prior to publishing manipulated media, making a person appear to do or say something, before resorting to legal action under the Data Protection Act. Victims of deepfakes, which may involve the misappropriation of their personal data, can report the issues through platforms with a mechanism for dealing with them and, in turn, result in content takedown.

8. Future Outlook

Regulatory discussion in Turkey is eyeing AI-specific legislation to control deepfakes and algorithmic transparency. Clarification may be in the works to establish roles for developers and sites.