Cybercrimes in Turkish Criminal Law and European Convention on Cybercrime

Information technologies and the Internet, which entered our lives rapidly towards the end of the last century and continue to develop at the same pace, find a place for themselves in every aspect of daily life today. Although the informatics world has made human life extremely easy with innovations, our personal data have also been transferred to the cyber environment as a result of this situation. The fact that the information systems contain such a large data pool and the ability to hide identity have paved the way for the increase of actions that will cause illegal results. As a result of the increase in these actions, the concept of "cybercrime" has come into our lives and the necessity to make regulations in this field with both domestic laws and international conventions has emerged in order to protect the victims of these crimes. At this point, we consider it necessary to examine cybercrimes, firstly within the scope of the Turkish Penal Code No.5237 ("Law") and then the European Cybercrime Convention ("Agreement") dated 1 July 2004.

The Concept of Cybercrime in Turkish Law

The fact that information technologies are still developing is the main reason why a generally accepted definition has not been made in terms of "cybercrime". Considering these developments, the concepts in the field of cybercrimes have been defined in general terms and have been left open to be adapted to changes that may occur in the future. To make a general definition, cybercrimes, also known as computer crimes, are crimes committed by targeting the security of an information system (e.g., communication devices such as smartphones, computers and tablets), the data contained in it, or the people using these systems, and also by using an information system. In order to qualify a crime as a cybercrime, it must have been committed through an information system, therefore these crimes are specific to information systems and the Internet.

As mentioned above, as a result of the widespread use of the Internet, there has been a great increase in cybercrimes, and the commitment of these crimes has become easier and the way they are committed is diversified. According to a study conducted in 2015, cybercrimes have become a more profitable type of crime for their perpetrators than money laundering and drug trade, and the rate of these crimes has increased by 34% in the last 1 year. In line with these figures, the loss to be incurred in this context is expected to exceed 6 million dollars until the end of 2021. [1]

In the light of these developments, the necessity of making inclusive new legal arrangements by states has emerged. However, while making these arrangements, it should be taken into account, that the Internet is such a platform where freedom of expression is used most comprehensively due to its nature. Therefore, when it comes to crimes specific to the Internet, it would be appropriate to make libertarian legal arrangements rather than an oppressive and censorship approach. [2]

The first regulation in Turkish law in terms of cybercrimes was realized with the addition of the 11th chapter titled "Offenses in the Field of Informatics" to the Turkish Penal Code No. 765 dated March 1, 1926. (The amendment in question was made with the Law No. 3756 Art. 20, dated June 6, 1991.). It can be seen that the Turkish Penal Code No. 765 regulated cybercrimes only as a separate type of crime and did not bring any innovations in terms of the classic types of crime being committed through information systems. In the Turkish Penal Code No. 5237, which entered into force on June 1, 2005, a mixed system was adopted, unlike the old penal code. In accordance with this system adopted, both special provisions have been introduced for “offenses in the field of informatics” and new acts have been added to some of the provisions regulating classic types of crime. Thus, a distinction has been made in the Law, as "crimes against information systems"and "crimes committed through information systems".[3]

Cybercrimes are classified under two different headings in the doctrine as in the Law. At this point, we would like to mention the decision of the Supreme Court Assembly of Criminal Chambers, which handles the said dual distinction in an explanatory manner. According to the decision of the Supreme Court Assembly of Criminal Chambers, dated 17 November 2009 and with merits no. 2009/193, cybercrimes are divided into two as “direct cybercrimes (real information crimes)” and “indirect cybercrimes (crimes related to information)”.

Crimes defined as direct cybercrimes are regulated under the title of "Offenses in the field of informatics" in the Book 2, Part 3, Chapter 10 of the Law. These crimes can be classified as follows.

  • Entering the information system
  • Monitoring the information system
  • Blocking and disrupting the information system
  • Disposing or destroying data
  • Placing new data in the information system or changing the location of existing data
  • Misuse of debit or credit cards
  • Using fake debit cards or fake credit cards
  • Using prohibited devices and programs

Unlawful and unauthorized access to an information system (e.g., social media accounts) constitutes a cybercrime. This crime can also be committed by illegally monitoring the data flow in information systems with other tools without actually entering the system. Just like this action, actions such as making changes that prevent the entry of the main user of the system or preventing the system from working are also within the scope of cybercrime.

In addition, there has been a noticeable increase in crimes committed in this way as the habit of cash payment is decreasing and the demand for credit and debit cards has increased. In this context, seizing someone else's bank and credit cards, using them without the consent of the cardholder and obtaining a benefit in this direction will also constitute a cybercrime. Likewise, obtaining benefits by creating a fake credit card by using someone else's bank accounts is also a cybercrime committed through the misuse of credit cards.

At this point, it should be noted that the victim's consent is a reason for compliance with the law in terms of these crimes, and if the crime of entering an information system is committed in terms of systems that can be used for a fee, the penalty will be reduced. On the contrary, the commitment of cybercrimes over the information systems of a credit institution, bank or public institution or organization is one of the situations that increase the penalty.

Pursuant to Article 244, Paragraph 4 of the Law, if the defendant, who commits these crimes provides him with unfair benefit, he will be received imprisonment and imposed a punitive fine at the same time. A detail to be considered in the provision of law regulating this issue is the phrase; "if the act does not constitute another crime". If the act in question constitutes another crime, the provisions regarding that crime will be applied.

According to the decisions of the Penal Department no. 8 of the Supreme Court, the legal benefit mentioned here may be a financial benefit with economic value or a moral benefit. For example, the moral benefit provided by a student by entering the e-school system (an online platform where the status of student at school can be followed) and raising his/her grade is also the legal subject of this crime.

At this point, the heading "Indirect Cybercrimes" in the Supreme Court Assembly of Criminal Chamber Decision should be examined. What is mentioned here is the commitment of classic types of crime regulated in the Law “by using information systems”. Using an information system as a tool while committing these crimes will constitute the major form of this crime. The legislator has regulated this provision as a collateral norm by using the phrase "if the act does not constitute another crime" in the Article we mentioned above. This means that if an unfair benefit has been obtained through information systems, it should be examined whether another crime (e.g., theft, fraud, etc.) has occurred, and if this action does not constitute one of the classic types of crime, then the Article 244/4 of the Law must be applied.

This distinction made in the decision of the Supreme Court Assembly of Criminal Chamber and the Law will become more understandable with the examination of some Supreme Court decisions. [4]

  • The defendant's use of the Internet password after leaving the workplace, which is given to him due to his duty while working at the intervening company, even though he is not entitled to use it, and entering the company's IT system is a direct cybercrime and must be punished according to Article 243 and the following provisions of the Law. (Penal Dep. no. 11 of the Supreme Court, 19.03.2012, merits no. 2009/22385, decision no. 2012/3683)
  • Entering the operating system (Windows, Linux etc.) of the victim's personal computer without his/her consent constitutes the crime of “entering the information system” regulated in Article 243 of the Law. (Penal Dep. no. 8 of the Supreme Court, 11.10.2017, merits no. 2016/12839, decision no. 2017/11114)
  • The defendant unlawfully seized the password of the victim's employer's Facebook account and talked to the victim as if he were his employer, told the victim to buy a 700 TL top-up card, made him send the necessary passwords for this to him, and used the credit by loading it on his own line. This act is a fraud offense committed by using the information system as a tool and must be punished according to the fraud provisions. (Penal Dep. no. 8 of the Supreme Court, 24.12.2012, merits no. 2012/21826, decision no. 2012/39370)
  • The defendant's unlawful access to the e-school platform, reducing the number of his absent days and increasing his course grades is “the change of information system data” and should be punished within the scope of Article 244 of the Law. (Penal Dep. no. 8 of the Supreme Court, 08.01.2014, merits no. 2014/33044, decision no. 2014/236)
  • The defendant's unlawful access to the bank account of the intervening party, transferring the money in the bank to the account he opened on his behalf, and withdrawing this money partly from his own account on other dates constitutes a "crime of theft by using the information system", and must be punished in accordance with Article 142/2-e of the Law. (Penal Dep. no. 6 of the Supreme Court, 27.05.2014, merits no. 2012/7246, decision no. 2014/10715)
  • The defendant's act of unlawfully entering the information system belonging to someone else and requesting money from the victim with the threat of publishing the photo he downloaded here, constitutes the crimes of both blackmail, violation of privacy, and unauthorized access to the information system. The court must be given consecutive sentence and the defendant must be punished separately for each crime. (Penal Dep. no. 4 of the Supreme Court, 18.03.2015, merits no. 2014/2222, decision no. 2015/24755)

The last point to be mentioned in terms of the Law under the title of cybercrimes is the penalties to be imposed on legal entities. With the Turkish Penal Code No. 5237, for the first time in our criminal law, a sanction has been issued against legal entities. Pursuant to the law, specific security measures will be applied to the legal entities who have benefited unfairly through the crime committed by the defendant.

The fact that such a sanction provision against legal entities is included in the Turkish Criminal Law is an indication that the legislator has taken a concrete step in terms of "corporate liability" stipulated in the European Cybercrime Convention.

Cybercrimes in the Scope of the European Cybercrime Convention

Today, the fact that almost everyone has Internet access from all over the world and the possibility of accessing even an informatics system with a single click, made it necessary to make international legal regulations in terms of cybercrimes. Since cybercrimes can be committed in many countries at the same time by their nature, they are difficult to investigate and difficult to follow the evidence, so international cooperation is essential in combating these crimes.

The European Cybercrime Convention is the first international treaty on crimes committed via the Internet and other computer networks. This Convention, which was opened for signature in Budapest on 23 November 2001 and entered into force on 1 July 2004, provides the contracting parties with the general framework of the substantive criminal law provisions and procedural law provisions necessary to combat cybercrimes, and it enables states to coordinate quickly in terms of investigations and prosecutions outside their borders. Turkey signed the Convention on 10 November 2010 and put into force on September 29, 2014 has thus become one of the contracting parties.[5]

The Convention essentially has the purpose of preventing difficulties in combating cybercrimes, ensuring uniformity among states' legislation and achieving international judicial cooperation. In the Contract consisting of three parts, the first part regulates the definitions, the second part regulates the measures to be taken at the national level, and the third part regulates the measures to be taken at the international level.

The most important of the measures to be taken at the international level is “mutual legal assistance”. In accordance with the 23rd article of the Convention, legal assistance should be provided in the widest possible way for the contracting countries and should comply with the procedures stipulated by the Convention. At this point, another important detail that should be mentioned is that mutual legal assistance should be provided not only in terms of cybercrimes but also in terms of classic type crimes, whose evidence is in electronic environment.

The crimes committed through information systems are defined in the section of the Convention that regulates the measures to be taken at national level. As we have mentioned before, these definitions are made in a flexible way that can be interpreted in line with the new technological developments that may occur in the future, rather than in a clear way. Consequently, the types of crimes defined in the contract can be listed as follows.

  • Crimes against the confidentiality, integrity and availability of computer, data or systems,
  • Forgery and fraud crimes committed by computer,
  • Content-related crimes,
  • Infringement of intellectual property rights and their distribution at international level.

Contracting parties are obliged to regulate these acts defined as crimes in the Convention as crimes in their own domestic law. Turkey also has made these arrangements in its domestic law as a contracting party. "Crimes against the confidentiality, integrity and accessibility of computer, data or systems" regulated in the first, are regulated in the Law in accordance with this Convention. The missing provisions in the Law at the time the contract entered into force in our country have been largely completed by the lawmaker with the amendments made by Law No. 6698 dated 24.03.2016.

"Violation of intellectual property rights and their distribution at international level", which is the last category in the Convention, has been regulated in accordance with the Convention in the Law on Intellectual and Artistic Works No. 5846. This Convention also obliges contracting parties, to establish a 24/7 accessible liaison office. In Turkey, “General Directorate of Security Affairs, Department of Combating Cybercrimes” is determined as the liaison office.


Some of the features that make the investigation and prosecution phases of cybercrimes most difficult are the ability to hide the identity of the defendant and the globality of the Internet. At this point, in order to overcome the judicial authority problems that may arise with the determination of the place where the crime was committed, it is essential that the fight against these crimes be global. If the fight against these crimes is not global, the criminals will benefit from the concept of “forum shopping” and identify the countries, that stipulate the least punishment in their domestic law or the countries, which have not accepted the international legal assistance provisions to continue their illegal actions in these countries. This Convention, which was made to prevent this situation, is one of the most important instruments in the fight against cybercrimes, despite its criticized aspects. "In order to prevent cybercriminals from finding safe harbors to shelter, developing or underdeveloped countries should be persuaded to join this struggle."[6]


[1] “Avrupa Siber Suçlar Sözleşmesi ve Türkiye’nin Dahil Olma Süreci”, Cahit Aliusta, Recep Benzer, Uluslararası Bilgi Güvenliği Mühendisliği Dergisi, Cilt:4, No:2, S:35-42, 2018.

[2] “Türk Ceza Hukuku’nda Bilişim Suçları”, Umut EKER. (TBB Dergisi, Sayı 62, 2006)

[3] [3] “2004 Türk Ceza Kanunu’nun Bilişim Suçları Bakımından Değerlendirilmesi”, Olgun DEĞİRMENCİ. (TBB Dergisi, Sayı 58, 2005)

[4] “Yargıtay Kararları Işığında Doğrudan Bilişim Suçları”, Nevzat Özsoy, Yaşar Hukuk Dergisi C.1 S.2 Temmuz 2019.

[5] “Avrupa Siber Suçlar Sözleşmesi ve Türkiye’nin Dahil Olma Süreci”, Cahit Aliusta, Recep Benzer, Uluslararası Bilgi Güvenliği Mühendisliği Dergisi, Cilt:4, No:2, S:35-42, 2018.

[6] “Avrupa Konseyi Siber Suç Sözleşmesi Işığında Siber Suçlarla Mücadelede Uluslararası İşbirliği”, Murat ÖNOK.