Deepfake Videos and Their Legal Consequences in Turkish Law

Deepfake Videos and Their Legal Consequences in Turkish Law. Deepfake technology is a rapidly spreading artificial intelligence application. Method creates fake content by manipulating existing images and sounds. This fake content has brought about a significant threat of digital fraud. This is because deepfakes process individuals’ biometric data without their consent. Turkish law lacks a specific deepfake regulation. Therefore, existing laws must be applied through interpretation. This article analyzes the legal implications of deepfakes. The scope includes criminal law, the Personal Data Protection Law (KVKK), and the risks of digital fraud. Our aim is to clearly outline the relevant legal responsibilities.

I. THE DEFINITION OF AI-BASED FORGERY AND THE LEGAL FRAMEWORK

1.1. Definition, Mechanism of Creation, and Development of Deepfake Technology

Deepfake technology, derived from the combination of the words “deep learning” and “fake,” refers to visual, auditory, or video content that realistically imitates or manipulates a person’s face, movements, or voice using artificial intelligence (AI) techniques. This content carries the potential to falsely appear authentic or true to a person by resembling existing individuals, objects, or events.

One of the most significant reasons for the rapid spread of this technology is that a relatively small number of photos, videos, or audio recordings are sufficient to produce highly realistic content. Face and voice data of individuals are used as the primary input for preparing Deepfake content. The most common sources for this data are typically social media and similar digital platforms. The accessibility and convincing nature of this technology necessitate the rapid adaptation of legal regulations.

1.2. Deepfake’s Position within the Concept of Digital Forgery and the Lack of Specific Regulation in Turkish Law

The Turkish legal system lacks a direct and specific legal regulation that independently addresses Deepfake technology as an act. This regulatory gap means that legal evaluations and sanctions related to Deepfake must rely on the analogical application and interpretation of existing general norms, such as the Turkish Penal Code (TCK), the Law on the Protection of Personal Data (KVKK), and the Turkish Code of Obligations (TBK).

The nature of the offense changes, and different crime types may emerge depending on the purpose of Deepfake content use. The absence of a direct provision regulating Deepfake has largely shifted the burden of punishing modern digital forgery acts and providing legal protection to judicial precedents. This situation symbolizes a legal adaptation need arising from the inability of legislation to keep pace with technological advancements, leading the Supreme Court of Appeals’ decisions in this area to assume a secondary legislative power in legal practice. This dynamic diminishes legal predictability and places significant responsibility on judicial authorities’ precedents.

1.3. Comparative Legal Analysis: The European Union’s Artificial Intelligence Act and Transparency Obligation

The European Union (EU) enacted the Artificial Intelligence Act (AI Act), its most comprehensive regulation regarding artificial intelligence, on August 1, 2024. The EU regulation defines Deepfake content as “artificially generated or manipulated image, audio, or video content that resembles existing persons, objects, places, entities, or events and falsely appears to a person to be authentic or true.”

While the AI Act does not generally prohibit the use of Deepfake, it imposes a transparency obligation on system users, requiring them to label or explain that the content has been manipulated. This obligation is restricted specifically in situations involving the exercise of freedom of expression and the freedom of science and art; similarly, uses legally authorized for the purpose of detecting, preventing, investigating, or prosecuting criminal offenses are also outside the scope of this obligation.

Furthermore, the Digital Services Act (DSA), which entered into force in November 2022, aims to limit the spread of illegal content on online platforms. If Deepfake use is contrary to the law, intermediary service providers are subject to administrative fines of up to 6% of their global turnover generated in the previous financial year.

From a comparative perspective, the EU’s AI Act establishes a proactive prevention mechanism by mandating labeling or transparency as soon as Deepfake content is created. Turkish Law, however, focuses on addressing Deepfake only with criminal and administrative sanctions after a crime has been committed. The absence of a regulatory framework that mandates the transparent labeling of Deepfake content that does not constitute a crime but poses a potential danger (e.g., content produced for humor or political satire) is considered a limiting factor in Turkey’s capacity to prevent future disinformation crises.

II. DEEPFAKE AND TURKISH CRIMINAL LAW: EXAMINING CRIME TYPES INDIVIDUALLY

Deepfake is not a distinct crime type under the TCK but is a powerful and deceptive tool used in the commission of various offenses.

2.1. Crimes Against Honor and Dignity: TCK Art. 125 (Defamation Crime)

If audio or visual content, created using Deepfake technology and falsely attributed to non-existent persons, is produced and disseminated in a way that damages the victim’s honor, dignity, or respectability, the act is evaluated as Defamation Crime under TCK Art. 125. The Supreme Court’s precedent decisions directly recognize Deepfake manipulation as an element of the defamation crime.

2.2. Crimes Against the Privacy of Private Life: TCK Art. 134 (Violation of Privacy of Private Life)

When content created with Deepfake is unlawfully disclosed, falsely representing it as pertaining to an individual’s private life, TCK Art. 134/1 and 134/2 provisions come into play. This crime applies when the content directly enters the private sphere and the person’s privacy is violated through the disclosure of these images or sounds.

2.3. Crimes of Unlawful Processing of Personal Data: TCK Art. 136

The production of Deepfake content involves the processing, dissemination, or unlawful acquisition of personal data of a biometric nature (such as face and voice) without the person’s consent. This act is a fundamental crime type that directly violates TCK Art. 136 and has been confirmed by the Supreme Court to be linked to Deepfake. Furthermore, if the act of data collection occurred with the aim of obtaining Deepfake material, TCK Art. 135 (Recording of Personal Data) may also be considered due to preparatory acts.

2.4. Crimes Against Public Morality: TCK Art. 226 (Obscenity)

One of the most common and victimizing uses of Deepfake is the creation and publication of obscene videos where real persons are falsely depicted as being present. The public presentation of such content is evaluated as the Crime of Obscenity under TCK Art. 226.

2.5. Deepfake and Economic Crimes: Fraud (TCK Art. 157) and Forgery Crimes (TCK Art. 204, 207)

When Deepfake is used to deceive a person and gain an unfair advantage, it can constitute the “deceptive conduct” element of the Fraud crime under TCK Art. 157. For instance, actions involving the imitation of a senior executive’s voice or image to request a financial transfer fall under this scope.

Deepfake is characterized as a tool used in the commission of various crimes rather than a distinct crime type under the TCK. This instrumental nature increases the likelihood of the perpetrator being tried under aggravated forms of TCK offenses (e.g., Aggravated Fraud by Use of Information Systems under TCK Art. 158), depending on the purpose of the act (economic gain, sexual exploitation, political pressure, etc.).

Regarding document forgery crimes (TCK Art. 204 Official Document Forgery and TCK Art. 207 Private Document Forgery), the crime requires the forged document to possess “capability to deceive” (iğfal kabiliyeti). While high-quality Deepfake content may possess this capability, the main issue for forgery crimes is whether Deepfake content legally qualifies as a “document.” A simple Deepfake video may not be considered an official document on its own. However, if this Deepfake content is incorporated into a digital document with a forged signature or approval used in an official application or legal transaction, it may be evaluated under TCK Art. 204.

Potential Crime Types and Jurisprudence of Deepfake Actions under the Turkish Penal Code

Deepfake Action	Relevant TCK Article	Judicial Context and Rationale for Crime	Anticipated Sanction (Imprisonment)
Manipulating a person’s voice/image data to damage their honor	TCK Art. 125 (Defamation) and TCK Art. 136 (Data Dissemination)	The Real Concurrence adopted by the Supreme Court. Precedent confirms Deepfake constitutes both crimes.	Punished separately. Art. 125: 3 months to 2 years; Art. 136: 2 years to 4 years.
Creating and publishing images falsely suggesting they are related to private life	TCK Art. 134/2 (Violation and Disclosure of Private Life)	Content entering the sphere of privacy and unlawful disclosure.	2 years to 5 years of imprisonment.
Production and dissemination of obscene content	TCK Art. 226 (Obscenity)	Public presentation of Deepfake content falsely depicting real persons.	2 years to 5 years of imprisonment.
Using deceptive content for financial gain	TCK Art. 157 (Fraud)	The element of deceptive conduct is achieved through Deepfake, resulting in the victim’s loss.	1 year to 5 years of imprisonment and judicial fine.

III. CRIMINAL LIABILITY AND CONCURRENCE IN LIGHT OF SUPREME COURT DECISIONS

3.1. Analysis of the Supreme Court Precedent: 8th Criminal Chamber Decision

The decision of the 8th Criminal Chamber of the Supreme Court of Appeals, numbered 2022/7890 E. and 2023/2345 K., is considered a “milestone” in legal evaluations regarding Deepfake technology. The core finding of this decision is that manipulating a person’s image or voice unrealistically using Deepfake technology can constitute the crimes of TCK 125 (Defamation) and TCK 136 (Unlawful Use of Personal Data).

This precedent is critically important as it demonstrates that Deepfake perpetrators cannot escape criminal liability within the framework of existing fundamental criminal law norms. Due to the absence of a direct provision regulating Deepfake in the TCK, the Supreme Court’s approach of applying existing provisions with flexible interpretation to punish the technological offense demonstrates the elasticity of the current law and judicial creativity. This decision not only provides a powerful legal basis for Deepfake victims but also serves as a typical example of how legislative gaps in the field of cybercrimes are filled by the high judiciary. Furthermore, it acts as a guiding principle for lower courts, contributing to the development of “consistent practice” in similar cases.

3.2. Commission of Multiple Crimes with a Single Act: The Principle of Real Concurrence

The Supreme Court’s approach to the Deepfake act indicates that the action gives rise to multiple independent crimes with a single movement, meaning it applies the Real Concurrence principle in the TCK. The production and dissemination of Deepfake content inevitably lead to two separate legal outcomes: First, the violation of the person’s honor and dignity (Art. 125), and second, the unlawful processing and dissemination of the person’s biometric data used to achieve this violation (Art. 136).

This assessment shows that Deepfake use will almost always create Real Concurrence; therefore, the perpetrator is held responsible not only for a simple “defamation” act but also for an act considered a mandatory “data breach.” This situation significantly increases the sentence the perpetrator will receive and strengthens the legal standing of the victims.

Since the dissemination of Deepfake content usually occurs over the internet, it must also be viewed from the perspective of information systems crimes. This potentially makes the perpetrator liable not only for TCK 125 and 136 but also for secondary offenses such as unlawful entry into information systems (TCK Art. 243) (if a system was breached to obtain the Deepfake material). Therefore, when investigating Deepfake crimes, the source and method of data acquisition should be examined separately under the TCK, in addition to the resultof the action.

IV. DEEPFAKE AND THE LAW ON THE PROTECTION OF PERSONAL DATA (KVKK)

4.1. Evaluation of Deepfake Technology as a Personal Data Breach

The Deepfake Information Note prepared by the Personal Data Protection Authority (KVKK) defines this technology as a serious threat to personal data. Deepfake takes a person’s real data, such as voice and image, and mixes them to create a new, manipulated personal data content that is contrary to reality, and this fake content is used for deceptive purposes because it contains real personal data.

Most Deepfake content is produced from data obtained from social media and made publicly available by the user. However, the core value protected by the KVKK in the context of Deepfake is not the physical confidentiality of the data but its integrity and suitability for the purpose of processing. Deepfake is the most severe form of unlawful processing that compromises the integrity and reliability of the data. Therefore, even if the user has willingly made the data public, the unlawful manipulation of the data and the creation of deceptive content exceed the scope of consent, constituting a data breach.

4.2. The Concept of Biometric Data and Deepfake: Sensitivity of Face and Voice Data

Face and voice data used in Deepfake creation are categorized as biometric data, which fall under the category of “special categories of personal data” within the scope of Law No. 6698. The unlawful processing of such sensitive data is subject to stricter obligations and heavier criminal sanctions under the KVKK.

KVKK notes that face and voice data, the primary input source for Deepfake production, are frequently obtained through social media, and emphasizes that individuals should exercise sensitivity when sharing such visuals. The unlawful processing of this data constitutes a crime under TCK Art. 136 and concurrently entails administrative sanctions.

4.3. Data Controllers’ Obligations and Administrative Fines

Deepfake attacks indicate that data controllers (social media platforms, service providers) have violated their obligation under KVKK Art. 12 to take technical and administrative measures regarding data security. The leakage or unauthorized access to data that facilitates the creation of Deepfake material triggers the data controller’s liability.

Social network providers or hosting providers face a dual risk because they are responsible both for the dissemination of Deepfake content (Law No. 5651) and for the protection of the data used to create that content (KVKK). The consequences of KVKK violations are high administrative fines.

Administrative Fines under the KVKK for Deepfake-Related Violations (Current Ranges)

KVKK Obligation Violation	Example Deepfake Context	Administrative Fine Lower/Upper Limit
Failure to fulfill the obligation to inform (KVKK Art. 10)	Lack of transparency regarding the purposes for which user data (face/voice), including Deepfake creation, will be processed.	47,303 TL – 946,308 TL
Failure to fulfill obligations regarding data security (KVKK Art. 12)	Failure to take necessary technical measures against the leakage of or unauthorized access to data that allows Deepfake creation.	141,934 TL – 9,463,213 TL
Failure to execute Board decisions	Non-compliance with the Board’s decision to delete Deepfake-related data.	236,557 TL – 9,463,213 TL

V. LEGAL AND ADMINISTRATIVE REMEDIES FOR VICTIMS

5.1. Legal Measures: Removal of Content and Blocking Access in the Internet Environment (Law No. 5651)

Deepfake victims, citing the violation of their personal rights, can apply to the Criminal Judgeships of Peace under Law No. 5651 on the Regulation of Publications Made in the Internet Environment and the Fight Against Crimes Committed Through These Publications, requesting the removal of the content or the blocking of access to it.

Blocking access, which is an exceptional preventive measure restricting fundamental rights and freedoms, must be applied in accordance with the principle of proportionality. The Judge must evaluate whether a milder sanction, such as content removal, would be sufficient. The precedents of the Constitutional Court and the European Court of Human Rights require the access blocking measure to balance the protection of private life with freedom of expression. If the Deepfake content was produced for humor or political satire (areas also restricted in the EU AI Act), the scope of legal measures may narrow. Therefore, the decision of the Criminal Judge of Peace should only include the part necessary to remedy the victimization (e.g., URL-based removal); otherwise, the principle of proportionality would be violated, potentially leading to accusations of censorship.

5.2. Responsibilities of Internet Actors

Under Law No. 5651, the Content Provider, who produces, modifies, and presents the Deepfake content, has primary legal responsibility. The Hosting Provider provides or operates the systems that host the services and content; upon learning of unlawful content, an obligation to remove or block it arises. Failure to comply with this obligation may result in an administrative fine. The Access Provider is responsible for implementing access blocks determined by legal decisions.

5.3. Compensation Law: Non-Pecuniary Damages and Tort Liability (TBK Art. 49)

The production and dissemination of Deepfake content constitute an unlawful and culpable act (tort) that damages the victim’s personal rights, thereby establishing material and non-pecuniary compensation liability under Article 49 of the Turkish Code of Obligations (TBK). TBK Art. 49 states that a person who causes damage to another through a culpable and unlawful act is obliged to compensate for that damage.

Non-pecuniary damages can be claimed to alleviate the pain, sorrow, and suffering caused to the person’s mental, psychological, or emotional integrity due to Deepfake. However, identifying the source and perpetrator of Deepfake content is quite difficult due to the anonymization and distribution capabilities of the technology used. Therefore, for victims to succeed in compensation lawsuits, it is crucial that they request the swift determination of digital evidence, such as server information and IP records where the content was published, within the framework of the Code of Civil Procedure (HMK).

VI. CONCLUSION, FINDINGS, AND LEGISLATIVE RECOMMENDATIONS

6.1. Core Findings and Summary of Legal Assessment

Although Turkish Law lacks a direct, specific regulation for Deepfake technology, it prevents perpetrators from escaping criminal liability by applying existing criminal norms such as TCK Art. 125 (Defamation), Art. 134 (Violation of Private Life), and Art. 136 (Dissemination of Personal Data). The most important factor empowering legal practice in this area is the Supreme Court’s precedent, which accepts Deepfake as an act constituting both honor violation and unlawful use of biometric data simultaneously (Real Concurrence).

Since Deepfake involves the manipulation of personal data (especially biometric data), it poses a risk of heavy administrative fines for Data Controllers under the KVKK. Legal protection for victims is provided through access blocking under Law No. 5651 and non-pecuniary damage lawsuits based on TBK Art. 49.

6.2. Legislative Recommendations for Legal Development

In the face of the rapidly increasing danger posed by Deepfake, legal mechanisms based solely on punishment are insufficient; regulations mandating preventive and technological verification systems must be implemented urgently.

• Specific Deepfake Regulation: A special provision should be added to the TCK, defining the act of producing and disseminating AI-supported fake content as a distinct crime type or including it as an aggravated form of existing forgery and cybercrimes.
• Mandating a Transparency Mechanism: As in the EU AI Act, a clear labeling obligation (transparency obligation) should be introduced, indicating that Deepfake content has been manipulated before it is published for commercial or public purposes.
• Strengthening the Definition of Biometric Data: The KVKK and relevant secondary legislation should detail the nature of face and voice data used in Deepfake creation as biometric data, and their processing conditions should be regulated in a way that strengthens protection against AI manipulation.

6.3. Concluding Assessment: The Law’s Adaptation to Technological Speed

The greatest challenge for Turkish Law is to establish a strong and predictable legal defense line against these new forms of digital forgery while preserving the existing legal foundations. Considering the deceptive capability and dissemination speed of Deepfake, relying solely on criminal sanctions will be insufficient to prevent large-scale social, political, and economic disinformation crises that may arise in the future. The adaptation of the law to technological speed can only be achieved through the urgent integration of special regulations, transparency obligations, and strengthened data protection measures.

---

Our Latest Articles