Greece

Overview

EU Member State (since January 1981), NATO (since February 1952). For the EU framework, see the EU Framework page.

Greece’s Constitution enshrines data protection (Article 9A) and absolute communications secrecy (Article 19), mandating independent authorities for each. The HDPA (Hellenic Data Protection Authority, constitutional status) enforces GDPR via Law 4624/2019. The EYP (National Intelligence Service) was placed under the Prime Minister’s direct control in July 2019. Three years later, Greece became the epicentre of the Predator/Intellexa spyware scandal — targeting opposition leader Androulakis and journalist Koukakis — which led to Law 5002/2022 (first EU spyware ban), US sanctions on Intellexa, and landmark criminal convictions in February 2026. The 2004–05 Vodafone wiretapping affair remains one of the most technically sophisticated surveillance operations ever documented. Greece ranked 89th in the 2025 Press Freedom Index — last among EU member states.^[1][2][3]

Surveillance and Intelligence

EYP: National Intelligence Service

The Ethniki Ypiresia Pliroforion (EYP) operates under the Prime Minister’s authority (direct control since July 2019). Surveillance requires judicial authorisation under Law 2225/1994: for national security, authorisation from a Supreme Court-designated prosecutor; for criminal investigations, from a judicial council. No time limit applies to national security surveillance, and “national security” is not defined in the law. The ADAE (Hellenic Authority for Communication Security and Privacy, established by Law 3115/2003) monitors compliance with communications secrecy. ADAE’s 2024 report revealed 8,262 national security wiretaps (23% increase from 2023), and that EYP had failed to inform ADAE about hundreds of interception orders.^[4][5]

The Predator/Intellexa Scandal

In 2022, it emerged that EYP had placed lawful wiretaps on opposition PASOK leader Nikos Androulakis (also an MEP) and journalist Thanasis Koukakis, and that both had also been infected with Predator spyware marketed by the Intellexa consortium (founded by former Israeli intelligence officer Tal Dilian). The EYP head and PM’s chief of staff resigned. Law 5002/2022 banned private spyware (minimum 2-year sentence) — Greece became the first EU state to criminalise spyware transactions — though critics note it legitimises government procurement under presidential decree. The US Commerce Department added Intellexa to the Entity List (July 2023); the US Treasury sanctioned Dilian personally (March 2024). The December 2025 “Intellexa Leaks” revealed Intellexa maintained remote access to government customers’ surveillance systems.^[2][6][7]

Predator Trial: Landmark Convictions (February 2026)

The criminal trial at the Athens Criminal Court (opened April 10, 2025) concluded on February 26, 2026 with guilty verdicts against all four defendants: Tal Dilian, Sara Aleksandra Fayssal Hamou, Felix Bitzios, and Giannis Lavranos. Aggregate sentence: 126 years and 8 months, suspended pending appeal. This is the first criminal conviction in any EU member state against spyware developers. Amnesty International called it “rare accountability in the abuse of surveillance technology.”^[8][9]

Council of State Unconstitutionality Ruling (April 2024)

Greece’s highest administrative court declared unconstitutional a March 2021 amendment that had barred ADAE from informing citizens about past state surveillance — finding violations of the Greek Constitution, EU Charter, and ECHR. This restored individuals’ ability to learn whether they were surveilled.^[10]

The Vodafone Greece Wiretapping Affair (2004–05)

Over 100 mobile phones on the Vodafone Greece network were illegally tapped, including PM Kostas Karamanlis, the Mayor of Athens, and senior military and ministry officials. The operation used 6,500 lines of rogue code in Ericsson AXE telephone switches. Vodafone’s Network Planning Manager Kostas Tsalikidis was found dead the day before Vodafone was to brief authorities. In 2015, Greek investigators linked the wiretapping to the US Embassy in Athens and issued an arrest warrant for a former NSA operative.^[11]

Identity Infrastructure as Surveillance

Greece’s Kids Wallet app (launched October 2025) serves as the age verification system for a social media ban for children under 15. The app combines biometric face recognition with official identity documents for real-time age verification. Greece is one of the first EU member states to adopt the European Commission’s age verification blueprint, alongside Denmark, France, Italy, and Spain. For users aged 15–18, strict access restrictions apply rather than a full ban. 80% of Greeks support restricting social media for under-15s, though 57% believe teenagers will circumvent the rules.^[12]

Internet Infrastructure and Submarine Cables

Crete: Mediterranean Cable Hub

Greece’s position at the crossroads of Europe, the Middle East, and Africa makes Crete a strategically significant cable hub with six cable landing points. Key systems include: AAE-1 (25,000 km Hong Kong-France, landing at Chania); BlueMed (Sparkle/Google, landed Chania May 2024, 25+ Tbps per fibre pair); MedNautilus (5,729 km ring: Italy-Crete-Athens-Istanbul-Tel Aviv-Haifa-Cyprus); IEX (India-Europe-Xpress, Heraklion, operational 2025); ARTEMIS (Grid Telecom domestic cable connecting Crete to Attica, gateway for Eastern Mediterranean cables). Souda Bay (Crete) hosts a US Naval Support Activity — one of the largest deep-water ports in the Mediterranean.^[13][14]

GR-IX

GR-IX (operated by GRNET, state-owned) has two sites: Athens (67 peers, 4.4 Tbps switching capacity) and Thessaloniki.^[15]

Data Retention

12-month retention of traffic and location data under Law 3917/2011, stored within Greek territory. The law remains in force without reform despite the CJEU’s invalidation of the underlying EU directive in Digital Rights Ireland (2014) and subsequent rulings narrowing blanket retention.^[16]

International Data Sharing Agreements

Mutual Legal Assistance

EU Member States (26 countries): EU MLA Convention 2000, Schengen (since 2000), EIO, Prüm. Council of Europe (50 signatory states): European Convention on MLA 1959 + Protocols. US-Greece MLAT: Signed May 26, 1999, in force November 20, 2001. EU-US supplementary instrument in force February 1, 2010.^[17]

Defense and Intelligence Cooperation

NATO (since February 1952, same enlargement round as Turkey). US-Greece MDCA (Mutual Defense Cooperation Agreement, signed 1990, updated 2019 and 2021): expanded US access to Greek bases including Larissa, Stefanovikeio, Alexandroupolis, and infrastructure at Souda Bay. US-Greece GSOMIA (1986): classified military information sharing. Club de Berne and Counter-Terrorism Group (CTG). SIS II, Europol, Eurojust. EU-US Umbrella Agreement, SWIFT/TFTP, PNR. Interpol I-24/7. Egmont Group.^[18][19]

The Privacy Backdoor Effect

• Predator Extraterritoriality: Zero-click surveillance tools target individuals irrespective of nationality or location, entirely outside GDPR
• Mediterranean Cable Hub: Foreign communications transiting Crete cable landing stations accessible by EYP under Law 2225/1994 without GDPR protection for foreign nationals
• Souda Bay / MDCA: US Naval Support Activity on Crete with expanded base access since 2021
• EYP Oversight Gaps: No time limit on national security surveillance; ADAE reports EYP fails to notify about hundreds of wiretaps
• EU Framework: Greek data in SIS II, Prüm, EIO accessible to 27 EU states; through Europol, to US FBI
• Kids Wallet: Biometric face recognition + identity documents for age verification creates government identity infrastructure for online access

Recent Developments

Predator Convictions (February 2026): All four defendants convicted — first EU criminal convictions for commercial spyware. 126 years aggregate sentence, suspended pending appeal.^[8]

Intellexa Leaks (December 2025): Revealed Intellexa maintained remote access to government customers’ surveillance systems, continued operations despite US sanctions.^[7]

ADAE Wiretap Surge (2024): 8,262 national security wiretaps, 23% increase, with EYP failing to notify ADAE about hundreds of orders.^[5]

Council of State Ruling (April 2024): Struck down 2021 amendment barring ADAE from notifying surveillance targets.^[10]

Kids Wallet Age Verification (October 2025): Biometric + ID-based social media access verification for under-15s.^[12]

Sources