Privacy Law Directory

A comprehensive guide to privacy legislation, surveillance laws, and intelligence alliances worldwide

About This Directory

This is a living directory, kept up to date as new laws pass. Last updated Feb 2026. If you find any incorrect information, please contact updates@codamail.com. It covers 38 country jurisdictions across the United States, the European Union, and international partners. Each page examines not just data protection legislation but also surveillance laws, intelligence agencies, data broker contracts, Internet exchange point taps, surveillance company contracts, mutual legal assistance treaties (MLATs), data sharing agreements, data retention laws, encryption laws, child protection laws, oversight boards, and enforcement actions, because understanding privacy requires understanding the full picture.

The directory is organized around the intelligence alliance framework that shapes modern signals intelligence cooperation: the Five Eyes (the core anglophone alliance), the Nine Eyes (adding four European partners), the Fourteen Eyes (SIGINT Seniors Europe), and SSPAC (SIGINT Seniors of the Pacific). These alliances determine how intercepted communications and personal data flow between governments, making them directly relevant to any assessment of a jurisdiction’s privacy posture.

A recurring finding across every jurisdiction in this directory is that privacy laws primarily protect a country’s own citizens and residents. Nearly every nation examined here maintains legal exemptions that permit its intelligence agencies to collect, intercept, and retain foreign communications with fewer restrictions than apply to domestic targets. These foreign traffic exemptions, combined with intelligence-sharing alliances that allow partner nations to collect on each other’s populations and share the results back, create a global system in which domestic privacy protections can be structurally bypassed.

Remember, if you don't live there, you are foreign traffic. This means that you are not protected under their privacy laws, but instead fall under their surveillance laws and MLATs.

Beyond government surveillance, commercial data collection operates largely outside the scope of these laws. Data brokers aggregate personal information from public records, commercial transactions, app SDKs, advertising exchanges, and social media into profiles that can be purchased by governments, private investigators, and corporations without the judicial oversight required for law enforcement surveillance. Internet exchange points are monitored in multiple choke points (places most traffic passes through). Commercial surveillance contractors sell endpoint exploitation tools, spyware, and analytics platforms directly to government agencies. The result is that the privacy protections documented in this directory, while significant, represent only one layer of a more complex reality.

This journey began with The Myth of Jurisdictional Privacy, which led to Your Phone is a Military Target. Then came the need to detail the data brokers in the Data Broker Directory (over 1700 across 17 categories), and finally to put it all together into this page, the Privacy Law Directory.

United States

Federal

United States Federal Privacy & Surveillance Laws – Patchwork of sector-specific federal privacy laws (Privacy Act, HIPAA, GLBA, FCRA, COPPA) with no comprehensive framework. Section 702 authorizes warrantless collection of foreign communications — expires April 20, 2026; DNI Gabbard testified she supports a warrant requirement. EO 12333 governs overseas bulk collection with minimal restrictions. DOGE accessing data across federal agencies under “Eliminating Information Silos” executive order; 14+ Privacy Act lawsuits filed. Cable-tapping programs: FAIRVIEW (AT&T, $188.9M), STORMBREW (Verizon, $46M), Room 641A fiber splitters. US-Israel SIGINT MOU (March 2009): NSA shares raw unminimized signals intelligence with ISNU, explicitly including US person data — “not intended to create legally enforceable rights.” Surveillance vendor contracts include Palantir ($970.5M 2025 + $1B DHS BPA Feb 2026, not competed), Clearview AI (tactical targeting CBP Feb 2026, 60B images), Mobile Fortify facial recognition app (1.2B photos, 100K+ uses, deployed without required Privacy Impact Assessment), Paragon/Graphite spyware (ICE contract reactivated Sep 2025 after AE Industrial Partners acquisition), Cellebrite ($48.6M ICE), Cognyte ($20M+ NSA).

States

California (CCPA/CPRA) – First comprehensive US state privacy law with the nation’s first dedicated privacy enforcement agency (CPPA). DELETE Act/DROP platform enables data broker deletion requests. Private right of action limited to data breaches; state law does not restrict federal surveillance programs.

US State Privacy Laws Overview – 20 states with comprehensive privacy laws as of February 2026. The dominant Virginia model provides no private right of action and broad business exemptions; only 11 states require universal opt-out mechanisms. Sector-specific laws fill gaps: Illinois BIPA (biometric consent, $1,000–$5,000 per violation), Washington My Health My Data Act, Texas CUBI.

Five Eyes Alliance

The Five Eyes is the core anglophone signals intelligence alliance under the UKUSA Agreement, originally signed between the United States and United Kingdom in 1946 and extended to Canada, Australia, and New Zealand. Member nations share raw signals intelligence and, critically, can collect intelligence on each other’s citizens and share it back, a structure that critics argue functions as a mechanism to circumvent domestic legal restrictions on surveilling one’s own population.

United Kingdom – UK GDPR, Data Protection Act 2018, and the Investigatory Powers Act 2016. The IPA authorizes bulk interception, bulk equipment interference, and 12-month mandatory data retention. GCHQ Tempora program collects from 200+ fiber-optic cables (21M GB/day). IPA 2024 amendment requires tech companies to notify before deploying new encryption; Apple withdrew Advanced Data Protection from the UK. CLOUD Act bilateral with the US (20,000+ requests). Five Eyes intelligence sharing. Palantir: MOD £240.6M direct-award (Dec 2025, no competitive tender), NHS £330M. Live facial recognition: Met deployed 231 times in 2025 (4.2M people scanned); permanent cameras in Croydon; High Court judicial review Jan 2026 (Articles 8/10/11 ECHR). Clearview AI Upper Tribunal: ICO jurisdiction upheld Oct 2025, appealing to Court of Appeal.

Canada – CSE (Communications Security Establishment) intercepts foreign communications with minimal restrictions — targeting limitations do not prevent incidental Canadian communications collection, filtered post-acquisition. The Levitation program monitored 10–15 million file-sharing uploads/downloads daily (IP addresses, file metadata, user activity). CSE accesses NSA XKeyscore: intercepted emails, web activity, and social media bulk collection. Transatlantic cables land on both Canadian coasts; under the UKUSA Agreement, Canada is responsible for northern latitudes and Russian communications, with Canadian cable infrastructure providing NSA reciprocal access. Five Eyes founding member. No mandatory data retention. CLOUD Act bilateral under negotiation. PIPEDA governs private-sector data under an ombudsman model with no federal fining power; Consumer Privacy Protection Act (Bill C-27) pending.

Australia – Privacy Act 1988 (13 APPs) with the TOLA Act requiring encryption backdoors through Technical Capability Notices. 2-year mandatory metadata retention with 300,000+ access requests annually; Section 280 allows 80+ entities to access metadata beyond the 21 authorized agencies. Pine Gap: NSA-operated satellite interception station. Five Eyes intelligence sharing. Surveillance contracts: Palantir AUD $100M+, Cellebrite AUD $17M.

New Zealand – GCSB (Government Communications Security Bureau) conducts cable interception and SIGINT across the Pacific; Waihopai satellite station decommissioned 2022 but cable access continues. TICSA (Telecommunications Interception Capability and Security Act 2013) requires all network operators to maintain built-in interception capability. Pacific island nations’ communications transit New Zealand-controlled infrastructure — Southern Cross Cable carries US–NZ–Australia traffic — making GCSB a collection platform for a far broader geographic footprint than NZ’s population suggests. Five Eyes founding member; GCSB accesses NSA XKeyscore. No mandatory data retention. Privacy Act 2020; Privacy Amendment Act 2025 adds IPP 3A (indirect collection notification, effective May 2026). Biometric Processing Privacy Code in force November 3, 2025 — first biometric-specific rules in Asia-Pacific. GCSB opened NZD $326M sovereign data centre (2025). OPC complaints: 1,598 cases in 2024–2025 (21% increase); no civil fine powers yet.

Nine Eyes Alliance

The Nine Eyes extends the Five Eyes by four European nations (Denmark, France, the Netherlands, and Norway) who share signals intelligence as “third party” partners under the UKUSA framework. Unlike Five Eyes members, third-party partners are not automatically exempt from being targeted by NSA collection.

Denmark – Operation Dunhammer (public revelation May 2021): FE (Danish Defence Intelligence Service) built a data center at Sandagergård (Amager island, Copenhagen) with NSA assistance; NSA deployed XKeyscore there and used Danish cable access 2012–2014 to surveil European leaders — German Chancellor Angela Merkel, Foreign Minister Steinmeier, opposition leader Peer Steinbrück, and senior Swedish, Norwegian, Dutch, and French officials, as well as Denmark’s own Foreign Ministry, Finance Ministry, and a Danish weapons manufacturer. FE held its own internal report (2015) for five years; FE Director Lars Findsen arrested December 2021, charges dropped November 2023. Maximator founding member (1976): the secret five-nation cryptanalysis pact (Denmark, Sweden, Germany, Netherlands, France) targeting third-country encryption. Nine Eyes SIGINT member. Data retention reformed 2022 to a targeted dual-track model. 2025: social media banned for under-15s (MitID age verification); Danish EU Council Presidency dropped mandatory Chat Control scanning. Datatilsynet 2026 focus: cookie consent dark patterns and asymmetric consent designs.

France – CNIL enforces data protection. Intelligence Act 2015 authorizes algorithmic “black boxes” for bulk metadata analysis; SILT Law 2017 made emergency surveillance powers permanent; Narcotrafficking Law 2025 (Law 2025-532): Constitutional Council struck down Article 15 (black box extension to organized crime) and AVS extension before promulgation; encryption backdoor rejected by parliament. Marseille is Europe’s largest submarine cable hub (17 systems including SEA-ME-WE 3/4/5/6, 2Africa); DGSE conducts bulk cable interception under Article L.854-1 with no CNCTR prior opinion required. France-IX: ~500 members, largest IXP in France. Orange Marine: 7 cable ships, ~50 maintenance operations per year. Generalized data retention validated by the Council of State; intelligence can retain metadata up to 6 years. Maximator alliance member — DGSE contributes cryptanalytic capabilities to the five-nation encryption-breaking pact. Nine Eyes SIGINT sharing.

Netherlands – AIVD/MIVD began reducing US intelligence sharing in October 2025, citing concerns over US policy reliability — a notable break from decades of close transatlantic SIGINT cooperation. Odido (third-largest Dutch telecom) suffered a breach in February 2026 exposing 6.2 million customer records. Espionage law expanded May 2025 to criminalize undisclosed foreign government relationships. AP fined Experian EUR 2.7M (October 2025) for unlawful data brokering. Wiv 2017 authorizes bulk interception of cable traffic; Temporary Cyber Operations Act (2024) expanded JSCU cable access. AMS-IX is one of the world’s largest IXPs (900+ connected networks, 14 Tbps peak); submarine cables land at Beverwijk, Katwijk, and Zandvoort. Nine Eyes SIGINT member; Maximator alliance member (Dutch SIGINT in the five-nation cryptanalysis pact). Data retention law struck down 2015, not replaced.

Norway – Intelligence Service Act 2020 authorizes bulk collection of cross-border cable traffic; E-tjenesten operates Arctic SIGINT facilities; metadata retained 18 months, raw data up to 15 years. Nine Eyes SIGINT sharing. Salt Typhoon (Chinese state hackers) compromised Norwegian network infrastructure — first Nordic disclosure, February 6, 2026. Grindr NOK 65 million GDPR fine upheld by Borgarting Court of Appeal (October 2025): landmark ruling on unlawful sharing of HIV status and sexual orientation with ad-tech partners. Datatilsynet 2026: audit of all 357 municipalities for GDPR compliance; Telenor fined NOK 4 million for DPO independence failures (March 2025). Social media ban for children under 15 proposed with BankID age verification. Digital Security Act (October 2025) establishes NIS1 obligations. Telecom data retention legislated but not yet in force. Datatilsynet enforces GDPR via the EEA.

Fourteen Eyes Alliance (SIGINT Seniors Europe)

SIGINT Seniors Europe, commonly known as the Fourteen Eyes, adds five more nations to the Nine Eyes framework: Germany, Belgium, Italy, Sweden, and Spain. The alliance was formed in 1982 during the Cold War and expanded after September 2001 to include counterterrorism cooperation.

Germany – BND Act authorizes bulk cable tapping at DE-CIX Frankfurt (world’s largest internet exchange, 17+ Tbps); BND Act 2025 reform (cabinet approved Dec 16, 2025) adds offensive cyber, up to 30% DE-CIX traffic monitoring, covert CNE of Google/Meta/X, facial recognition, and covert apartment entry. BVerfG struck down source telecom surveillance for minor offences and remote search authorization (June 24, 2025). Maximator alliance member — primary focus is breaking third-country encryption systems. BKA purchased NSO Pegasus. Palantir Gotham deployed in 4 states; national rollout push by Interior Minister Dobrindt. Dobrindt’s plan to use Clearview AI for biometric web scraping conflicts with EU AI Act Art. 5 prohibition (Feb 2025). BfV designated entire AfD as confirmed extremist (May 2025; court-suspended Feb 2026). BfDI fined Vodafone EUR 45M (June 2025). Data retention suspended; 3-month IP retention legislation pending. Fourteen Eyes SIGINT sharing.

Belgium – VSSE (Sûreté de l’État, established 1830 — the world’s oldest continuously operating intelligence service) and ADIV/SGRS (military intelligence) operate under the BIM Law 2010, which authorizes five exceptional intelligence methods: targeted communications interception, electronic data and metadata inspection, physical surveillance, computer network exploitation (CNE), and covert recording. Data retention: the Constitutional Court upheld retention by designating the entire national territory a geographic risk zone — currently before the CJEU as a preliminary reference. Belgium is a confirmed NSO Group Pegasus customer. SWIFT headquarters in La Hulpe: US Treasury issues subpoenas under the Terrorist Finance Tracking Program, capturing global interbank financial messaging. Belgium hosts NATO headquarters, SHAPE military command, and core EU institutions — among the highest-density intelligence targets per square kilometer in Europe; NSA documents confirm NSA targets Belgium despite Fourteen Eyes SIGINT-sharing partnership. APD/GBA 2026–2028 strategic plan shifts enforcement from reactive complaints to proactive inspection, prioritizing health data, adtech, data brokers, and children’s data, under a hiring freeze through 2029.

Italy – Italy authorizes more lawful interceptions than any other EU country, rooted in decades of Mafia and domestic terrorism campaigns. Captatore informatico: Italy is one of the few EU countries to formally legislate judicial-authorized state Trojan spyware enabling microphone capture, remote data access, and GPS tracking. Paragon Graphite spyware deployed against 100+ journalists and civil society worldwide, including Italian journalists Francesco Cancellato and Ciro Pellegrino (Citizen Lab, 2025); Paragon terminated Italy’s contract after confirming violations. Data retention: 24 months telephony / 12 months internet, extended to 72 months (6 years) for serious crimes — the longest in the EU. Sicily submarine cable hub: SEA-ME-WE 3/4, AAE-1, I-ME-WE, Blue-Raman land at Palermo/Catania — one of the world’s most strategically significant landing points for Europe-Asia-Middle East traffic. AISE/AISI/DIS intelligence services. Fourteen Eyes SIGINT sharing. Garante enforces the Privacy Code and GDPR. US-Italy MLAT (1982); EU law enforcement sharing via SIS II, EIO, Prüm, Europol. SWIFT/TFTP and PNR data flows to US.

Sweden – FRA Law authorizes bulk interception of all cross-border cable traffic; the ECtHR Grand Chamber found it violated the ECHR in Centrum för Rättvisa v. Sweden (2021), but reforms remain pending. 2025 saw record 12,276 breach notifications to IMY (89% increase), with large-scale darknet leaks affecting children; total caseload rose 56%. Expanded video surveillance, biometric, and real-time facial recognition powers enacted 2025; proposed encryption backdoor law postponed after 237-organization joint letter. 1-year data retention with no prior judicial authorization. Maximator alliance member — FRA contributes to the five-nation cryptanalysis pact. Fourteen Eyes sharing. Seventy years of secret SIGINT behind a public posture of neutrality.

Spain – Catalangate (April 2022, Citizen Lab): 65+ individuals infected with NSO Group Pegasus and Candiru spyware 2017–2020 — European Parliament members, Catalan Parliament members, presidents and former presidents of the Generalitat de Catalunya, journalists, lawyers, civil society activists, and family members. Prime Minister Sánchez and Defense Minister Robles were also targeted; CNI Director Paz Esteban López fired. November 2024: joint investigation identified three NSO Group executives. September 2025: Barcelona court launched criminal prosecution of Pegasus developers — the first worldwide. January 2026: Audiencia Nacional shelved the inquiry into Sánchez’s infection, citing five ignored Israeli judicial assistance requests. Aena fined €10 million (November 2025) for deploying biometric facial recognition boarding at airports without a valid DPIA; programme suspended at eight airports including Madrid-Barajas and Barcelona-El Prat. Spain supports mandatory Chat Control mass scanning. 12-month mandatory data retention (unreformed after CJEU invalidated the EU directive). CNI intelligence. Fourteen Eyes SIGINT sharing. AEPD enforces GDPR and the LOPDGDD.

European Union Framework

All EU member states in this directory (Ireland, France, Germany, Denmark, the Netherlands, Belgium, Italy, Sweden, Spain, Estonia, Austria, Poland, Greece, Finland, Hungary, Czechia, Portugal, Luxembourg, Latvia, and Lithuania) are subject to the General Data Protection Regulation (GDPR), the ePrivacy Directive, the Law Enforcement Directive, and other EU-level data protection instruments. The EU framework page provides the foundation for understanding each member state’s national implementing legislation.

European Union Framework – GDPR provides the baseline, but Article 2(2) exempts national security — an exemption every member state uses. Digital Omnibus Package (November 2025) proposes weakening GDPR: narrowing the definition of personal data, creating AI training legitimate interest, extending breach notification to 96 hours; EDPB raised “significant concerns;” NIS2 reasoned opinions issued to 19 member states for non-transposition (May 2025). Chat Control proposal would mandate scanning of encrypted messages (voluntary scanning expires April 2026); ProtectEU strategy (April 2025) adds parallel lawful-access roadmap for encrypted communications. Schrems I and II invalidated successive transatlantic data transfer frameworks; CJEU ruled companies may directly challenge EDPB binding decisions (February 10, 2026). Data Retention Directive struck down, but member states maintain national retention laws. AI Act permits real-time biometric surveillance with law enforcement exemptions.

Asia-Pacific Partners (SSPAC)

SIGINT Seniors of the Pacific (SSPAC) is the Asia-Pacific counterpart to SIGINT Seniors Europe. Founded by the Five Eyes nations alongside South Korea, Singapore, and Thailand, SSPAC was later joined by France (2013) and India (2008). Members share counterterrorism intelligence through the CRUSHED ICE secure network. Like Nine Eyes third-party partners, SSPAC members are not automatically exempt from being targeted by NSA collection.

Singapore – OCHA directives (2025–2026): First-ever directive (September 2025) ordered Meta to implement facial recognition on Facebook against government-impersonation scam ads; second directive (February 2026) expanded scope; Apple and Google directive (November 2025) ordered gov.sg spoofing filters — SGD 456M in scam losses in H1 2025. Internal Security Act (1960): executive detention without trial; ISD intercepts communications without judicial authorization. Lamppost-as-a-Platform: 110,000 lamp posts with facial recognition cameras; 90,000+ CCTV cameras. NSA–SID cable tapping via SingTel (Snowden). 30+ submarine cable systems — primary Asia transit hub. TraceTogether COVID privacy promise broken January 2021. Operation CYBER GUARDIAN: China-linked UNC3886 targeted all four major telecoms (disclosed February 2026). PDPA Amendment (Act 19/2025) extended data protection to statutory bodies. SSPAC founding member. PDPC enforces PDPA.

Japan – The secret Directorate for Signals Intelligence (DFS): ~1,700 personnel across at least six surveillance facilities, around-the-clock interception with no independent oversight body — most Japanese government officials remain unaware of DFS operations. DFS received NSA XKeyscore (April 2013); Japan financed over $500 million in NSA operations on Japanese soil. CIRO being upgraded to a National Intelligence Bureau by mid-2026. Active Cyber Defense Act (May 2025) authorizes neutralizing attacker infrastructure abroad. Initially declined SSPAC membership; participates in Five Eyes Plus since January 2020. No mandatory data retention. No independent intelligence oversight. PPC enforces the APPI; EU mutual adequacy since January 2019 (first Asia-Pacific country). US–Japan MLAT.

South Korea – NIS (National Intelligence Service, successor to the KCIA) exercises surveillance at a per-capita wiretapping rate 9.5 times the US and subscriber data disclosures 60 times the US. December 2024 constitutional crisis: President Yoon declared martial law, dispatched armed troops to the National Assembly and National Election Commission, and directed NIS to arrest political opponents — impeached within hours, convicted of insurrection, sentenced to life imprisonment (February 2026). AI CCTV expansion: Seoul deploying 10,000 AI surveillance cameras for parks/trails with Dejaview AI crime-prediction system; intelligent CCTVs at 33% of Seoul’s cameras, targeting 57% by end 2025. SSPAC founding member; participates in Five Eyes Plus focused on North Korean and Chinese intelligence. PIPC enforces PIPA (EU adequacy December 2021); penalties up to 10% of total revenue; February 2026 PIPA amendment expands penalty triggers, catalyzed by the Coupang breach (33.7 million accounts).

India – NATGRID processing 45,000 data requests/month, linked to the National Population Register (119 crore residents) since December 2025; PM Modi ordered scale-up at November 2025 DGP conference. Rule 23 of the DPDP Rules 2025 enables warrantless government data collection from any Data Fiduciary with no judicial oversight. Aadhaar (1 billion+ biometric registrants) expanded to private sector e-commerce/travel/healthcare (January 2025). Supreme Court (April 2025) refused to release Pegasus technical committee report, bench asked “What is wrong if a country is using spyware against terrorists?” J&K VPN ban (December 2025–February 2026): 800–1,000 questioned; RSF called it an “information black hole.” Three mass surveillance programs (CMS, NATGRID, NETRA) operate with no independent oversight. SSPAC member since 2008; RAW highest-volume SSPAC reporter after the US. Constitutional challenge to DPDPA referred to larger SC bench (March 2026).

Thailand – Computer Crime Act enables broad content blocking and ISP data retention (90 days, extendable to 2 years by ministerial order). Section 112 lèse-majesté: 284+ individuals charged since 2020; 50-year sentence for 27 Facebook posts (January 2025); 168+ cases triggered by public reports — functioning as an institutionalized digital speech surveillance trigger. National Intelligence Act 2019 grants NIA data access “by any means, including electronic, scientific, or telecommunication devices” without judicial approval. Post-2014 coup surveillance infrastructure: mandatory SIM registration, internet traffic sniffing device acquired September 2015, Single Gateway proposal to funnel all traffic through one state-controlled access point (scrapped after public opposition but underlying capabilities retained). Pegasus deployed against 35+ pro-democracy activists (Citizen Lab 2022); civil court dismissed NSO lawsuit (November 2024). SSPAC founding member; Cobra Gold annual exercises include dedicated SIGINT training. PDPC enforcement escalating: THB 21.5M+ in fines across 8 orders (2025) — government agencies fined alongside private companies; five-year PDPA review triggered. BCR certification rules for intra-group cross-border transfers issued September 2025. PDPC enforces the PDPA. US-Thailand MLAT (1986).

Third-Party Partners and Transit States

The jurisdictions below are not formal members of the numbered Eyes alliances or SSPAC, but each participates in intelligence data sharing, has its traffic transit through partner nations’ cable-tapping infrastructure, or maintains its own foreign surveillance capabilities with few restrictions on non-citizen targeting. The recurring pattern across this directory applies here as well: privacy laws protect domestic populations while foreign traffic faces minimal legal barriers to interception. Because foreign communications constitute the majority of data flowing through any nation’s internet exchange points and submarine cables, the foreign traffic exemption is not a marginal exception — it is the default condition for most data in transit.

Austria – Constitutionally neutral since 1955, yet an NSA Tier B partner participating in the CROSSHAIR direction-finding network. HNA operates the Koenigswarte SIGINT listening station. DSN (successor to the BVT, which was raided by police in 2018 and subsequently failed a Club de Berne security audit that found even moderately talented hackers could penetrate the shared European intelligence network “Poseidon”) received Bundestrojaner state spyware authority in July 2025 despite the Constitutional Court striking down an identical law in 2019. Landlocked: all internet traffic transits through DE-CIX Frankfurt where the BND conducts cable interception, then through Swiss exchange points where NDB conducts cable reconnaissance. Home of noyb (Max Schrems), whose Schrems I and II CJEU litigation invalidated successive EU-US data transfer frameworks. DSB enforcement capacity cut from July 2025: ~20 intern positions eliminated, ex officio investigations require “sufficiently concrete suspicion,” phone access restricted — while the DSB gains Freedom of Information Act oversight and AI regulation responsibilities. US-Austria MLAT (1995). EU law enforcement sharing via SIS II, EIO, Prüm, Europol.

Israel – Unit 8200 (SIGINT, part of Aman) provides 80% of all Israeli intelligence — described by RUSI as “on a par with the NSA in everything except scale.” Shin Bet’s “The Tool” (HaMachshir): bulk metadata collection on every mobile phone user since ~2002, no judicial oversight. NSA–ISNU SIGINT MOU (March 2009): raw unminimized SIGINT sharing including US person data. Shin Bet Director Ronen Bar fired by cabinet (March 2025), Supreme Court ruled dismissal “unlawful” (May 21, 2025) — first-ever such ruling. Home country of the global commercial surveillance industry: NSO Group (Pegasus jury award $167.25M reduced to ~$4M + permanent injunction; Trump confirmed not removing from Entity List May 2025; Apple dropped its NSO lawsuit), Paragon (Italy contract terminated June 9, 2025 after Italy refused to investigate journalist targeting; ICE contract reinstated Aug 30, 2025 via AE Industrial/REDLattice reclassification), Cellebrite, Cognyte, Candiru — all exports regulated by DECA as weapons. Occupation surveillance: Blue Wolf/Red Wolf/Wolf Pack facial recognition; Lavender AI targeting (37,000 targets, ~20-second approval); Alchemist (tactical field alerts) and Fire Factory (threat categorization). Camera hacking law extended December 24–25, 2025 with wartime condition removed. PPA Amendment 13 (August 2025): 5% turnover fines, security agencies exempted. EU adequacy (2011, reaffirmed 2024) under civil society challenge. US–Israel MLAT (1999).

Ireland – DPC is the GDPR lead supervisor for Meta, Google, Apple, Microsoft, TikTok, and LinkedIn — making Ireland the regulatory chokepoint for EU personal data flows — but €4.04B in fines ordered against only €20M collected illustrates the gap between nominal protection and enforcement reality. Intellexa Limited — holding company for the Predator spyware consortium, functionally equivalent to NSO Group — is registered in Dublin; Ireland imposed no domestic export controls or sanctions despite the US Commerce Department’s Entity List designation (March 2024). Proposed National Cyber Security Bill 2024 would authorize bulk communications metadata collection with 18-month retention beyond EU NIS2 requirements. ECHELON member despite nominal military neutrality; hyperscale data centers (Meta Clonee, Google, Microsoft, AWS) subject to US CLOUD Act access without Irish judicial authorization; Irish traffic transits UK cable infrastructure where GCHQ Tempora operates. Graham Dwyer CJEU ruling (C-140/20, 2022) struck down blanket data retention; 2022 Amendment Act restructured retention into three tiers (national security, targeted serious crime, quick freeze) with designated judge oversight.

Iceland – Not a Five Eyes, Nine Eyes, or Fourteen Eyes member, but participates as a Tier B third-party contributor on computer network exploitation with Five Eyes nations. Iceland’s submarine cables (DANICE, CANTAT-3, Greenland Connect) transit through Denmark and the UK — both with documented cable-tapping programs — meaning Icelandic traffic is subject to interception before it reaches its destination. First formal defense and security policy (November 2025): deploys unmanned surveillance submarine to monitor submarine cables and ports, acknowledging North Atlantic geography as primary vulnerability. IMMI framework protects whistleblowers and journalists. A police surveillance powers bill proposes expanded warrantless surveillance of organized crime suspects without independent judicial authorization. Persónuvernd fined Primary Health Care of the Capital Area ISK 5M for unlawful integration exposing 450,000 medical records (2025). 6-month mandatory data retention. Persónuvernd enforces GDPR via the EEA; criminal penalties up to 3 years.

Poland – First EU criminal prosecution of intelligence chiefs over Pegasus (February 25, 2026): former ABW head and SKW head charged, each facing up to 3 years. Former Justice Minister Ziobro faces up to 25 years; fled to Hungary (January 2026), EAW issued. Pegasus: 578 individuals targeted by three agencies using PLN 25M diverted from the Justice Fund. ECHR: three Article 8 violations in Pietrzak and Others v. Poland (May 2024). Five intelligence agencies; 99% wiretap approval rate; ~2 million annual metadata requests without judicial authorization. UODO: PLN 27.1M (Poczta Polska), PLN 18.4M (ING Bank), PLN 16.9M (McDonald’s) — three of the largest GDPR fines in 2025. CIA black site at Stare Kiejkuty confirmed by ECHR (2014). NSA Tier B partner. 12-month data retention. Palantir LoI signed October 2025. NATO/EU member.

Switzerland – Crypto AG/Operation Rubicon (exposed February 11, 2020): the CIA and West German BND secretly owned Switzerland’s premier encryption firm 1970–2018, selling deliberately weakened encryption to 120+ governments (Iran, India, Pakistan, Latin American nations) — enabling CIA/BND to read their encrypted communications for decades. Swiss SND knew since 1993 and subsequently collaborated; GPDel investigation (November 2020) found Swiss authorities “share responsibility.” NDB conducts cable reconnaissance (Kabelaufklärung) on cross-border fiber-optic traffic; Federal Administrative Court ruling (December 2, 2025) found this incompatible with the Federal Constitution and ECHR — interception continues under a five-year transitional period until 2030. Club de Berne founding member (1969): all 27 EU member states + Norway + Switzerland, counter-terrorism intelligence sharing. Participates in focused cooperation on computer network exploitation with Five Eyes nations. Swiss traffic transits DE-CIX Frankfurt (BND cable interception). BÜPF: 6-month mandatory metadata retention; proposed VÜPF expansion would extend this to VPNs and encrypted messaging (Parliament paused process December 2025). FDPIC enforces the revised nFADP.

Brazil – Parallel ABIN scandal (2019–2021, exposed 2024): ABIN Director Alexandre Ramagem conducted illegal mass surveillance of 60,000+ targets using Cognyte First Mile spyware — STF justices, opposition politicians, journalists, environmental agency officials. Operation Last Mile (2023 Federal Police); Ramagem convicted September 11, 2025, sentenced to 16 years. Nine Brazilian state security departments separately purchased Cognyte totaling R$65.7 million. 2013 NSA disclosures (Snowden): NSA intercepted President Rousseff’s personal communications and hacked Petrobras — directly motivating the EllaLink cable (2021, direct Portugal–Brazil, 100 Tbps) to bypass NSA upstream collection at US transit nodes. Brazil is a major submarine cable hub: 14 landing stations at Fortaleza, Rio, Santos, and Salvador, targeted by NSA FAIRVIEW and STORMBREW. Facial recognition: 90%+ of FRT arrests target Black Brazilians (CESeC study). Mandatory data retention: 1 year connection logs, 6 months application logs, 5 years subscriber data. EU mutual adequacy (January 26, 2026 — first Latin American country). ANPD enforces the LGPD.

Czechia – Three intelligence agencies (BIS, ÚZSI, VZ) reformed after StB dissolution, with lustration laws still in force. GRU Unit 29155 agents — the same unit behind the Salisbury nerve agent attack — identified as responsible for the 2014 Vrbětice ammunition depot explosions; Czech government expelled 18 Russian diplomats in April 2021. NSA Tier B partner; SIDtoday document “Czech Mates” describes NSA pursuit of Third Party SIGINT relationship. NIX.CZ routes two-thirds of Czech internet traffic; landlocked, with transit exposure through DE-CIX Frankfurt where BND conducts cable interception. Supreme Court ruled blanket data retention violates EU law (2024–2025). NIS2 Cybersecurity Act (effective Nov 2025) and CER Critical Infrastructure Act (effective Aug 2025) both enacted. Visegrad Group (V4) intelligence cooperation. NATO member since 1999; EU member since 2004. US-Czech MLAT (2000).

Estonia – KAPO (counterintelligence/counterterrorism) and VLA (foreign intelligence, SIGINT focused on Russian military communications) operate under GDPR Article 2(2) with a different legal regime for foreign targets. Pegasus spyware: $30M procurement in 2018; Israeli authorities blocked use on Russian targets; FinSpy suspected deployment. State-linked Cybernetica (successor to Soviet Institute of Cybernetics) operates X-Road and i-Voting and also deploys surveillance systems globally across 100+ locations. NATO CCDCOE established in Tallinn (2008) following the 2007 Russian cyberattacks — the first major state-level cyberattack in history. Estonia’s entire internet traffic transits through Denmark, Sweden, Germany, and the UK — all four with documented cable-tapping programs (FE/XKeyscore, FRA Law bulk interception, BND/DE-CIX, GCHQ/Tempora) — subject to allied interception at every transit point. Baltic Sea cables under active attack: Russian oil tanker Eagle S severed Estlink 2 and multiple telecom cables (December 25, 2024). AKI enforces GDPR; largest-ever fine: EUR 3M against Allium UPI (Apotheka pharmacy loyalty program breach, 750,000+ individuals), September 2025. The world’s most digitally advanced society (X-Road, i-Voting, KSI Blockchain) is also the most digitally exposed.

Hungary – Sovereignty Protection Office (SPO): Hungary’s Constitutional Court upheld the Act (November 2024), CJEU referral announced under accelerated procedure; new draft NGO targeting law proposed May 2025. Pegasus spyware deployed against investigative journalists (Direkt36), opposition politicians, lawyers, and the Bar Association president; NAIH classified findings until 2050; Pegasus targets now pursuing ECHR applications. Five security services (NBSZ, AH, IH, KNBSZ, TEK) with TEK’s “virtually unlimited” surveillance powers and ministerial (not judicial) authorization; ECHR condemned regime in Szabó and Vissy (2016) — still not remedied. EU Rule of Law Report 2025 (July 8) documents ongoing judicial independence failures. NSA CROSSHAIR partner. 1-year metadata retention. Blocked EU Chat Control as Council president (2024). NATO/EU member; Article 7 TEU proceedings ongoing.

Finland – Intelligence Acts 2019 authorize cross-border cable traffic interception by Supo and the FDIA — legislation that required a constitutional amendment passed by two-thirds supermajority across two parliamentary terms, demonstrating how even strong constitutional privacy protections are amended when national security demands arise. NATO member since April 4, 2023 (31st member, doubled the alliance’s Russian border). US Defense Cooperation Agreement grants access to 15 Finnish military bases (entered force September 2024). NSA Tier B partner. C-Lion1 submarine cable severed twice in five weeks (November and December 2024); Eagle S tanker damaged five undersea cables (December 25, 2024) — hybrid warfare targeting the infrastructure that carries interceptable traffic. Eagle S captain and officers charged with aggravated criminal mischief (2025); NATO Baltic Sentry launched January 2025 in response. NIS2 Cybersecurity Act April 2025 expanded scope from 1,100 to 5,500 entities. S-Pankki fined EUR 1.8M (September 2025) for banking app security flaw. FICIX (founded 1993). NORDEFCO. X-Road/NIIS data exchange with Estonia. State authorities exempt from GDPR administrative fines.

Latvia – Front-line NATO state on Russia’s border with 25% ethnic Russian population and a record 20+ espionage detentions since 2023. Three intelligence services (SAB, VDD, MIDD) reformed from KGB structures after 1991 independence. 18-month mandatory data retention — one of the longest in the EU. Pegasus infections confirmed against Latvia-based Russian opposition journalists at Meduza (Citizen Lab/Access Now 2023). Kremlin hybrid warfare includes disinformation campaigns and “single-use agents” for sabotage operations. January 2025 submarine cable damage incident. LIX (Latvian Internet Exchange). NB8 (Nordic-Baltic Eight) intelligence cooperation. US-Latvia DCA (2017). NATO member since 2004; EU member since 2004.

Lithuania – Controls one side of the Suwalki Gap — the 65 km corridor between Russia’s Kaliningrad exclave and Belarus that NATO considers its most vulnerable point. VSD (civilian intelligence) and AOTD (military intelligence, origins 1918) face persistent Russian, Chinese, and Belarusian espionage threats. Pegasus infections confirmed: Belarusian activist targeted while in Vilnius (Access Now/Citizen Lab 2024). Belarus weaponized migration in 2021, directing thousands of migrants to the Lithuanian border as hybrid warfare. BCS East-West Interlink submarine cable (Lithuania-Sweden) severed November 17, 2024 by Chinese vessel Yi Peng 3. Hosts NATO ENSEC COE (Energy Security Centre of Excellence) in Vilnius. Intelligence Law expanded February 2026. NB8 cooperation. 6-month data retention (internet) / 12-month (telephony). NATO member since 2004; EU member since 2004. US-Lithuania MLAT (1998).

Luxembourg – Host of EU Court of Justice, European Investment Bank, Eurostat, and core EU institutions — a structural data flow hub where SRE (sole intelligence agency, formed 1960 under NATO obligation) sits at the centre of European governance data. SREL scandal: a 2013 parliamentary inquiry revealed the former SRE director secretly recorded Prime Minister Juncker in 2007, exposing illegal surveillance and systematic oversight failures — collapsing the Juncker government after 18 years and triggering a comprehensive 2016 intelligence reform law. The Bommeléeër affair (1984–1986): ~20 infrastructure bombings linked intelligence operatives to NATO Stay-Behind (Gladio) networks; trial concluded without convictions. Landlocked transit state: all traffic passes through Germany (DE-CIX Frankfurt, BND bulk cable interception), Belgium, and France. LU-CIX internet exchange; LuxConnect fiber network (1,900 km, 12 international breakouts). 6-month data retention. Club de Berne founding member (1969). CNPD issued the largest GDPR fine in history: EUR 746 million against Amazon (July 2021, upheld March 2025). NATO founding member (1949); EU founding member (1957). US-Luxembourg MLAT (1997).

Malaysia – Special Branch (Cawangan Khas) — colonial-era domestic intelligence embedded in the Royal Malaysia Police with no public legal framework and no independent oversight body — and MEIO (foreign intelligence, no governing public statute, no parliamentary oversight, MI6-guided origins, 2018 CIA solicitation scandal) conduct surveillance across government, opposition, and civil society. PDPA 2010 explicitly exempts all federal and state government processing. SOSMA 2012 authorizes 28-day detention without court order and warrantless communications interception for security offences. MCMC orders ISP blocks of news outlets and platforms without judicial review; Section 233 CMA criminalizes “improper use” of communications (August 2025 Court of Appeal struck down “offensive” and “annoy” provisions; government appealing). Strait of Malacca submarine cable chokepoint: 26+ cable systems including SEA-ME-WE 3/4/5/6 land at Mersing, Cherating, and Kota Kinabalu — one of three primary global cable corridors, with no GDPR-equivalent protection for transiting traffic. FPDA (Five Power Defence Arrangements) with Singapore, UK, Australia, and New Zealand creates a formal intelligence-sharing bridge to three Five Eyes members. No EU adequacy decision.

Portugal – Atlantic submarine cable hub at Carcavelos/Sesimbra/Sines: EllaLink (first direct Europe-South America cable), 2Africa (world’s largest submarine cable, landed March 2024), Equiano (Google, West Africa), WACS, SAT-3, and SEA-ME-WE-3. Sines emerging as a major hub with Olisipo, Nuvem, and Medusa cables. NSA Tier B partner. Lajes Field (Azores): joint US-Portuguese air base used for transatlantic signals collection and maritime patrol since WWII. SIS (domestic intelligence) and SIED (foreign intelligence). Article 35 of the 1976 constitution — written in direct response to PIDE/DGS secret police surveillance under Salazar — created one of Europe’s earliest constitutional data protection rights; the Constitutional Court has nonetheless struck down data retention laws three times (2022, 2023, 2024), with Lei 18/2024 as the fourth attempt. Club de Berne member; CPLP lusophone intelligence cooperation across four continents. NATO founding member (1949); EU member since 1986. US-Portugal MLAT (2005).

Greece – EYP (National Intelligence Service) placed under direct Prime Minister control in 2019. Predator/Intellexa scandal: opposition leader Androulakis (MEP) and journalist Koukakis targeted with commercial spyware; Intellexa Entity-Listed (July 2023) and Treasury-sanctioned (March 2024); trial opened April 2025; landmark convictions February 26, 2026 — all four defendants guilty, 126-year aggregate sentence (suspended pending appeal) — first EU criminal convictions for commercial spyware use. 2004–05 Vodafone wiretapping affair: 100+ government phones tapped via 6,500 lines of rogue code in Ericsson switches — never resolved. Law 5002/2022 bans spyware with a 2-year minimum sentence but includes a government procurement exception. ADAE recorded 8,262 wiretaps in 2024 (23% increase); Council of State ruled aspects of the surveillance framework unconstitutional (April 2024). Crete serves as a Mediterranean submarine cable hub (AAE-1, BlueMed, MedNautilus, ARTEMIS). 12-month mandatory data retention. NATO member since 1952. US-Greece MDCA (1990, updated 2019/2021). US-Greece MLAT (1999). EU law enforcement sharing via SIS II, EIO, Prüm, Europol.

Liechtenstein – DSS (Datenschutzstelle) enforces GDPR via EEA membership. No intelligence service, no military (abolished 1868). Liechtenstein is effectively borrowing Switzerland’s internet connection: complete telecommunications dependency means all traffic is subject to Swiss BÜPF interception and NDB cable reconnaissance, then transits onward through German and Austrian exchange points where BND and HNA conduct their own interception — three layers of foreign intelligence collection on a single data packet before it reaches its destination. The 2008 LGT Bank scandal: a former employee sold 1,400 account holder records to the German BND for EUR 4.2M, triggering investigations in the US, UK, Australia, France, and Italy — the princely family’s own bank as an international intelligence collection target. The Prince retains veto power over all legislation.

Turkey – MİT received expanded powers in 2014 to collect communications data without a court order; can demand data from banks, companies, and public bodies with imprisonment for non-compliance. Post-2016 coup crackdown: 113,000+ arrests, with the encrypted app ByLock used as sole evidence for tens of thousands of convictions; ECtHR ruled in Yalçınkaya v. Türkiye (September 2023) that ByLock convictions violated Articles 6, 7, and 11. NSA “oldest partner in Asia” and simultaneously a leading surveillance target: provided Turkey hourly PKK location data while infiltrating its leaders’ computers through the Turkish Surge Project Plan (2006). 311,000+ websites blocked in 2024; 27 VPN services blocked; 2025 social media throttling (42-hour and 21-hour nationwide incidents). Freedom House 31/100 (“Not Free”). DE-CIX Istanbul (only IXP bridging Europe and Asia); KAFOS/SEA-ME-WE 5 submarine cables. 1–2 year mandatory data retention. KVKK 2026 fines raised 25.49%; new breach announcement publication rules (Decision No. 2025/2451). NATO member since 1952; EU candidate since 1999 (frozen since 2018). US-Turkey MLAT (1981, one of the first three US MLATs).

Directory Information

This directory covers 41 pages across 38 country jurisdictions, including dedicated coverage of US federal and state privacy laws, the EU framework, and international partners, as of February 2026. It is maintained by CodaMail as a public resource for understanding the global privacy and surveillance landscape. Pages are updated as new legislation, enforcement actions, and intelligence disclosures warrant revision.
