Czechia

Three intelligence agencies reformed from StB dissolution, with lustration laws still in force, NSA pursuing a Third Party SIGINT relationship, and all traffic transiting through DE-CIX where the BND conducts cable interception

Overview

EU Member State: Czechia is subject to the GDPR, the Law Enforcement Directive, and the ePrivacy Directive. For the EU framework, see the EU Framework page.

Czechia’s privacy landscape is shaped by its post-communist transformation and deep institutional memory of StB secret police surveillance. The 1991 lustration law barred former StB collaborators from public office — among the most sweeping decommunisation measures in Central Europe. Three intelligence services (BIS, ÚZSI, VZ) were created after StB dissolution, deliberately preventing concentration of intelligence power. Despite formal constraints, the 2013 Nagyová/Nečas scandal revealed military intelligence was used to surveil the PM’s wife. NSA documents describe pursuit of a Third Party SIGINT relationship with Czech intelligence. GRU Unit 29155 was identified as responsible for the 2014 Vrbětice ammunition depot explosions.[1][2]

Privacy Framework

The ÚOOÚ (Úřad pro ochranu osobních údajů) enforces the GDPR and Act No. 110/2019 Sb. (Personal Data Processing Act, which sets the age of digital consent at 15). Notably, the ÚOOÚ issued a record GDPR fine against Avast Software (April 2024) for selling user browsing data via its subsidiary Jumpshot. The Cybersecurity Act (Act No. 264/2025 Sb.) transposing NIS2 entered into force in 2025, covering approximately 6,000 entities. A separate Critical Infrastructure Resilience Act (CER transposition) became effective August 2025.[3]

Surveillance and Intelligence

Three Intelligence Services

  • BIS (domestic security): Reports to PM, no executive powers (cannot detain/arrest), surveillance requires High Court chairman authorisation.
  • ÚZSI (foreign civilian): Under Ministry of Interior, HUMINT and SIGINT abroad.
  • VZ (military): Under Ministry of Defence, integrating intelligence and counterintelligence (IMINT, HUMINT, SIGINT, OSINT).

Oversight: Chamber of Deputies Standing Commission, five-member Independent Oversight Body (since 2018), and judicial warrant requirements.[4]

Nagyová/Nečas Scandal (2013)

Military intelligence head Jana Nagyová ordered VZ to surveil the PM’s wife using state intelligence resources for personal purposes. PM Nečas resigned June 17, 2013. Nagyová was convicted of abuse of power and ordering unlawful surveillance — confirming that misuse of intelligence tools for personal purposes is criminal under Czech law.[5]

NSA Cooperation

A 2005 NSA SIDtoday document describes the first formal visit to ÚZSI, praising Czech SIGINT professionals as “relatively advanced in FORNSAT collection” with “very good analytic effort against Russian and Ukrainian HF networks” and recommending a Third Party SIGINT relationship. Czechia is listed among countries with Defense Telephone Links to the US. Classified as an NSA Tier B partner.[2]

Vrbětice GRU Explosions (2014)

GRU Unit 29155 agents (the same unit behind the Salisbury nerve agent attack) were identified as responsible for the 2014 Vrbětice ammunition depot explosions. The Czech government expelled 18 Russian diplomats in April 2021.[6]

Internet Infrastructure and Transit Exposure

NIX.CZ (Neutral Internet Exchange): 200+ networks, routes two-thirds of Czech domestic traffic, expanded to Bratislava, Vienna, and Frankfurt. Peering.cz across 10 data centres. DE-CIX Prague provides international peering. As a landlocked country, all international traffic transits through Germany (DE-CIX Frankfurt, BND cable interception since 2009) and Austria, exposing Czech traffic to interception outside Czech judicial jurisdiction.[7]

Data Retention

Six-month mandatory retention of traffic and location data (Section 97(3) Electronic Communications Act). Access by police, BIS, VZ, and Czech National Bank. Constitutional Court struck down portions in 2011 as disproportionate; amended provisions adopted 2012. In 2024–2025, the Supreme Court ruled the framework violates EU law, finding it “heads towards preventive retention of virtually all users at all times.” Retention provisions remain in force pending legislative reform.[8]

International Data Sharing Agreements

Mutual Legal Assistance

  • EU Member States (26 countries): EU MLA Convention 2000, Schengen Convention, EIO, Prüm.
  • Council of Europe (50 signatory states): European Convention on MLA 1959 + Protocols.
  • US-Czech MLAT: Signed February 4, 1998, in force May 7, 2000. Supplemented by the EU-US MLAT Enhancement (2010).

Czechia also maintains bilateral MLA agreements with countries from the former Czechoslovak treaty network.[9]

Intelligence Cooperation

NATO member since March 1999 (first post-Cold War expansion with Poland and Hungary). Club de Berne and Counter-Terrorism Group member. Visegrad Group (V4) intelligence cooperation with Poland, Hungary, and Slovakia. NSA Tier B partner.[10]

EU and Multilateral Frameworks

SIS II: Real-time query and alerts. EU-US Umbrella Agreement. SWIFT/TFTP. PNR. Europol/Eurojust. Interpol I-24/7. Egmont Group (Czech FAU). Cross-border police cooperation with Germany.

The Privacy Backdoor Effect

Despite GDPR enforcement and post-StB oversight reforms, alternative access exists:

  • NSA Tier B: Third Party SIGINT relationship pursued; Czech persons targetable by NSA
  • DE-CIX transit: Landlocked; all international traffic through German/Austrian surveillance infrastructure
  • EU Framework: Czech data in SIS II, Prüm, EIO accessible to 27 EU states and through Europol to US FBI
  • MLAT (1998): US requests through bilateral treaty
  • Vrbětice precedent: GRU operations on Czech soil demonstrated foreign intelligence willingness to operate physically within Czech jurisdiction
  • SWIFT/PNR: Financial and travel data subject to US access

Recent Developments

Supreme Court: Data Retention Violates EU Law (2024–2025): Ruled blanket retention “heads towards preventive retention of virtually all users.” Provisions remain in force pending reform.[8]

NIS2 Cybersecurity Act (2025): Act No. 264/2025 Sb. transposing NIS2, covering ~6,000 entities including critical infrastructure.[3]

CER Critical Infrastructure Act (August 2025): Separate transposition of the CER Directive for physical resilience of critical entities.[3]

Avast Record GDPR Fine (April 2024): ÚOOÚ fined Avast Software for selling user browsing data via subsidiary Jumpshot.[3]

Sources

[1] Wikipedia: StB – Secret police dissolved February 1990, lustration law October 1991
[2] The Intercept: SIDtoday “Czech Mates” – NSA visit to ÚZSI, Third Party SIGINT recommendation
[3] GDPRhub: ÚOOÚ (Czech Republic) – Avast fine, NIS2/CER transposition, Act 110/2019
[4] BIS: Official Website – Domestic security, no executive powers, High Court authorisation
[5] Wikipedia: 2013 Czech Political Crisis – Nagyová convicted, PM Nečas resignation
[6] Wikipedia: Vrbětice Explosions – GRU Unit 29155, 18 Russian diplomats expelled
[7] NIX.CZ – 200+ networks, two-thirds of Czech traffic, expanded to Frankfurt/Vienna
[8] EDRi: Czech Supreme Court Data Retention Ruling – Violates EU law, reform pending
[9] US DOJ: MLATs (April 2022) – US-Czech MLAT signed February 4, 1998, in force May 7, 2000
[10] Wikipedia: Visegrad Group – V4 intelligence cooperation, NATO since 1999