Latvia

EU Framework Note: Latvia has been a member of the European Union since May 1, 2004. The GDPR (Regulation 2016/679) applies directly. Latvia’s national implementation is the Personal Data Processing Law (2018). Latvia is also bound by the EU Law Enforcement Directive (2016/680), the ePrivacy Directive (2002/58/EC), and the NIS2 Directive (2022/2555), which Latvia transposed via the National Cyber Security Law effective September 1, 2024. Latvia joined NATO on March 29, 2004 and the Schengen Area on December 21, 2007.

Overview

Latvia’s data protection regime is governed by the GDPR and its national implementation, the Personal Data Processing Law (2018), enforced by the Datu valsts inspekcija (DVI). The DVI has issued the largest GDPR fine in Baltic history — EUR 1.2 million against telecom provider Tet in 2022 for disclosing unverified personal data to debt recovery services. Latvia’s Electronic Communications Law (2022) imposes an 18-month mandatory retention period for telecommunications metadata — one of the longest in the EU — and was returned by the President to Parliament over concerns about compatibility with CJEU data retention jurisprudence before being adopted with the period intact.^[1][7]

Latvia maintains three statutory intelligence and security services authorized under the Law on State Security Institutions (1994): the SAB (Constitution Protection Bureau, civilian intelligence and counterintelligence), the VDD (State Security Service, counterintelligence and internal security), and the MIDD (Defence Intelligence and Security Service, military intelligence and SIGINT). All three are subject to parliamentary oversight through the National Security Commission of the Saeima, and Latvia participates in NATO and EU intelligence-sharing structures including the Club de Berne and EU INTCEN.^[8]

Data Protection Authority: DVI

The Datu valsts inspekcija (DVI) — Data State Inspectorate — is Latvia’s independent supervisory authority established in 2001 and designated under GDPR Article 51. The DVI is based in Riga and handles complaints, conducts investigations, issues binding orders, and imposes administrative fines. In 2022, the DVI received 708 complaints, initiated 865 reviews and inspections, and imposed monetary penalties in 12 cases.^[2]

Notable Decisions

The DVI participates in the annual Baltic DPA meetings alongside its Estonian (AKI) and Lithuanian (VDAI) counterparts, and hosted the 32nd European Spring Conference of Data Protection Authorities in Riga in May 2024.^[2]

Key Legislation

Personal Data Processing Law (2018)

Latvia’s primary GDPR implementation law, adopted by the Saeima (Parliament) and effective July 5, 2018. The law sets the age of digital consent at 13 years, provides exemptions for journalistic and artistic expression, restricts data subject access rights for national security and criminal proceedings, and establishes criminal penalties of up to five years’ imprisonment for unlawful data processing.^[6]

Electronic Communications Law (2022)

Transposing the European Electronic Communications Code (EECC), the new law entered into force on July 27, 2022 after the President sent it back to Parliament over concerns that Sections 99–101 — governing data retention and transfer to supervisory authorities — were incompatible with EU law and CJEU case law on the right to privacy. The revised law retained an 18-month mandatory data retention period.^[7]

Law on State Security Institutions (1994)

The foundational legal framework for Latvia’s intelligence and security services. Adopted in 1994, it defines the legal status, goals, tasks, obligations, and oversight mechanisms for the SAB, VDD, and MIDD. The law authorizes intelligence, counterintelligence, and operational activities while requiring compliance with general human rights principles.^[8]

National Security Law

Prescribes the national security system, the competence of its subjects, and the coordination and oversight of security activities. The National Security Council, chaired by the President, provides strategic oversight of intelligence and security matters.^[9]

National Cyber Security Law (2024)

Transposing the NIS2 Directive, adopted on June 20, 2024 and effective September 1, 2024. The law brings an estimated 6,000–8,000 organizations into cybersecurity compliance scope. Entities must register with CERT.LV by April 1, 2025, appoint cybersecurity managers by October 1, 2025, and submit self-assessment reports by the same date.^[10]

Surveillance and Intelligence

Intelligence Services

Latvia operates three distinct security and intelligence services. The Satversmes aizsardzibas birojs (SAB) — Constitution Protection Bureau — is the civilian intelligence service supervised by the Cabinet of Ministers, formed in 1995 under the Law on the Constitution Protection Bureau. The SAB conducts intelligence, counterintelligence, and protection of state secrets, and houses the National Security Authority (NSA) established in 2003 as a prerequisite for NATO and EU accession. The SAB also manages EU and NATO classified information protection.^[11]

The Valsts drosibas dienests (VDD) — State Security Service — is the civilian counterintelligence and internal security service. The VDD gathers intelligence from multiple sources, conducts analysis, and informs senior officials of national security risks.^[12]

The Militaras izlukosanas un drosibas dienests (MIDD) — Defence Intelligence and Security Service — operates under the Ministry of Defence. The MIDD is Latvia’s national SIGINT agency, conducting signals intelligence collection and protection. Originally the Military Counterintelligence Service, it was reorganized into the MIDD in April 2004 with expanded intelligence and security functions.^[13]

Internet Infrastructure and Transit Exposure

Internet Exchange Points

The Latvian Internet Exchange (LIX) is the primary neutral internet exchange point in Riga, facilitating direct interconnection between ISPs, content delivery networks, and network operators. Latvia also operates the GLV-IX (Government of Latvia Internet Exchange), run by the state-owned Latvijas Valsts radio un televizijas centrs (LVRTC) as a not-for-profit platform for government and local internet traffic exchange.^[14]

Submarine Cables and Baltic Connectivity

Latvia’s primary international data link is the LVRTC submarine optical fiber cable running from Ventspils to Gotland (Sweden), which provides the fastest connection to Scandinavia and Northern Europe. Latvia also maintains cross-border terrestrial fiber connections to Estonia, Lithuania, and Russia. The LVRTC cable is critical not only for Latvia but for the digital security of the broader Baltic Sea region.^[15]

January 2025 Cable Incident

On January 26, 2025, the LVRTC submarine cable between Ventspils and Gotland was damaged at depths of more than 50 metres. Latvian Prime Minister Evika Silina stated the damage was “most likely external” and “significant.” Swedish prosecutors launched a sabotage investigation and detained the Malta-flagged bulk carrier Vezhen, which was navigating between Gotland and Latvia when the damage occurred. LVRTC rerouted data through redundant terrestrial paths. Swedish prosecutors ultimately closed the investigation in 2025, concluding the damage resulted from a combination of harsh weather, mechanical defects, and operational shortcomings rather than intentional sabotage — though the incident underscored Baltic submarine cable vulnerability amid a series of similar incidents in the region.^[16][17]

FRA Cable-Tapping Exposure

Because the LVRTC submarine cable terminates at Gotland, Sweden, it falls within the collection jurisdiction of the Swedish Försvarets radioanstalt (FRA) under Sweden’s Signals Intelligence Act (FRA Law, 2008). The FRA Law authorizes the FRA to intercept cable-bound electronic communications crossing Sweden’s borders, subject to prior authorization from Sweden’s Foreign Intelligence Court. Latvian data transiting the Ventspils–Gotland cable is therefore subject to potential collection under Swedish law. Sweden’s strategic position on Baltic Sea cables — described by the New York Review of Books as making Sweden the “kings of cyberwar” — gives the FRA access to east-west communications carrying Russian and Baltic state traffic to Western Europe. The European Court of Human Rights ruled Sweden’s bulk interception regime in violation of Article 8 ECHR in Centrum för rättvisa v. Sweden (2021). See the Sweden country page for full documentation of the FRA Law and its oversight framework.^[27][28]

Data Retention

Latvia maintains an 18-month mandatory data retention period for telecommunications metadata — one of the longest in the European Union. The obligation applies to network operators providing number-dependent services and internet access services, requiring them to retain personal data and provide it to supervisory authorities upon request. When the 2022 Electronic Communications Law was drafted, President Egils Levits sent it back to the Saeima, warning that Sections 99–101 on data retention and transfer to authorities carried risks to the right to privacy and were potentially incompatible with EU law and CJEU case law, including the landmark Digital Rights Ireland (2014) and Tele2/Watson (2016) rulings. The revised law was nonetheless adopted with the retention period intact.^[7]

International Data Sharing Agreements

Nordic-Baltic Eight (NB8)

Latvia is a member of the Nordic-Baltic Eight (NB8), the regional cooperation format bringing together the five Nordic states (Denmark, Finland, Iceland, Norway, Sweden) and three Baltic states (Estonia, Latvia, Lithuania). Latvia held the NB8 coordination role in 2023. The NB8 covers security cooperation, cybersecurity, and hybrid threat resilience, with Latvia participating in joint digital resilience initiatives.^[18]

Club de Berne and Counter-Terrorism Group

As an EU member state, Latvia participates in the Club de Berne, the intelligence-sharing forum of EU domestic security services plus Norway and Switzerland. Latvia also participates in the Counter-Terrorism Group (CTG), the operational counterterrorism network. The SAB maintains cooperation with EU INTCEN (the EU Intelligence and Situation Centre), ensuring Latvian intelligence informs EU-level decision-making on security matters.^[19]

NATO (2004)

Latvia joined NATO on March 29, 2004. Latvia has access to NATO intelligence-sharing structures and participates in allied SIGINT cooperation through the MIDD. The December 2024 US-Latvia agreement on protection of classified information further deepened bilateral intelligence sharing.^[20]

US-Latvia Defense Cooperation Agreement

The US-Latvia Defense Cooperation Agreement (DCA) was signed in Riga on January 12, 2017 and entered into force on April 5, 2017. In 2019, the US and Baltic states signed bilateral 5-year Security Cooperation Roadmaps. On December 12, 2024, the SAB signed an agreement with the United States on protection of classified information.^[21][22]

US-Latvia MLAT

The United States and Latvia maintain a Mutual Legal Assistance Treaty in criminal matters, originally concluded in the late 1990s and subsequently amended under the EU-US MLAT framework agreement. The treaty provides for mutual assistance including taking testimony, executing searches, and transferring evidence.^[23]

EU Law Enforcement Cooperation

Latvia participates in the Schengen Information System (SIS II), the European Investigation Order (EIO) framework, the Prüm Convention for automated DNA/fingerprint/vehicle data exchange, and Europol/Eurojust cooperation.^[24]

The Privacy Backdoor Effect

Despite DVI GDPR enforcement and Latvia’s EU membership, intelligence sharing frameworks and cable infrastructure create collection pathways that operate entirely outside data protection law — and foreign communications transiting Latvian networks are subject to collection by Latvian intelligence services without GDPR protection:

• Swedish FRA Cable Access: As documented above, the Ventspils–Gotland submarine cable terminates in Sweden, where the FRA can intercept cable-bound communications under the FRA Law (2008). Latvian data on this cable is subject to Swedish collection outside Latvian or GDPR jurisdiction.
• Club de Berne / EU INTCEN: SAB intelligence is shared with EU INTCEN and 31 European services outside any GDPR framework.
• NB8 Security Cooperation: Intelligence and security assessments are shared with Denmark, Estonia, Finland, Iceland, Lithuania, Norway, and Sweden through NB8 frameworks outside GDPR.
• US-Latvia Intelligence Agreements: The Defense Cooperation Agreement (2017) and the December 2024 classified information protection agreement enable bilateral intelligence sharing outside GDPR compatibility requirements.
• EU Framework Sharing: Latvian person data in SIS II, Prüm, or EIO channels is accessible to 27 EU member states and, through Europol, to US FBI.
• SWIFT/PNR Dragnet: International financial transactions and air travel data subject to US access.

For Latvian persons, data protected by the Personal Data Processing Law (2018) and GDPR applies to controllers subject to Latvian jurisdiction; the SAB, VDD, and MIDD operate under the Law on State Security Institutions (1994), explicitly separate from data protection law. Foreign nationals whose communications pass through LIX, GLV-IX, or Latvian fiber networks are subject to MIDD SIGINT collection authorities without data protection protections — GDPR Article 2(2) excludes national security processing from its scope.

Recent Developments

Pegasus Spyware Infections of Latvia-Based Journalists (2023)

In February 2023, Citizen Lab and Access Now confirmed that the iPhone of Galina Timchenko, co-founder of the Latvia-based Russian exile news publication Meduza, had been infected with NSO Group’s Pegasus spyware. Three additional Russian expatriate journalists with Latvian phone numbers subsequently received Apple notifications about state-sponsored attacks on their devices. Latvia is among 45 countries where suspected Pegasus infections have been identified.^[25]

Submarine Cable Damage (January 2025)

The LVRTC Ventspils–Gotland submarine cable was damaged on January 26, 2025. Sweden detained the Malta-flagged Vezhen and launched a sabotage investigation. The investigation was later closed with an accidental finding, but the incident heightened Baltic cable security concerns and prompted review of redundancy provisions.^[16]

Tet EUR 1.2M GDPR Fine (2022)

The DVI issued a EUR 1.2 million fine against telecom provider Tet — the largest GDPR fine in Baltic history — for disclosing unverified personal data, including a minor’s data, to debt recovery services. The fine, reduced from an initial EUR 3.2 million, remained under appeal as of late 2022.^[3]

NIS2 Transposition (September 2024)

Latvia’s National Cyber Security Law entered into force on September 1, 2024, bringing an estimated 6,000–8,000 organizations under cybersecurity requirements. Despite being an early transposer, the European Commission issued a reasoned opinion to Latvia in May 2025 regarding incomplete transposition notification.^[10]

US-Latvia Classified Information Agreement (December 2024)

On December 12, 2024, the SAB signed an agreement with the United States on protection of classified information, deepening bilateral intelligence cooperation.^[22]

Sources