Latvia

Overview

EU Member State (since May 2004), NATO (since March 2004), Schengen (since December 2007). For the EU framework, see the EU Framework page.

Latvia is a front-line NATO state on Russia’s border with a 25% ethnic Russian population and a record 20+ espionage detentions since 2023. Three intelligence services (SAB, VDD, MIDD) reformed from KGB structures after 1991 independence. 18-month mandatory data retention — one of the longest in the EU (the President returned the law to Parliament over CJEU compatibility concerns before it was adopted with the period intact). Pegasus infections confirmed against Latvia-based Russian opposition journalists at Meduza (Citizen Lab/Access Now 2023). Kremlin hybrid warfare includes disinformation and “single-use agents” for sabotage.^[1][2]

Privacy Framework

The DVI (Datu valsts inspekcija) enforces the GDPR and Personal Data Processing Law (2018). Largest Baltic GDPR fine: EUR 1.2 million against Tet (2022) for disclosing unverified personal data to debt recovery services. The National Cyber Security Law (2024) transposes NIS2 (effective September 1, 2024). Law on State Security Institutions (1994) governs intelligence services.^[3]

Surveillance and Intelligence

Three intelligence services under the Law on State Security Institutions (1994): SAB (Constitution Protection Bureau): civilian intelligence and counterintelligence. VDD (State Security Service): counterintelligence and internal security. MIDD (Defence Intelligence and Security Service): military intelligence and SIGINT. All reformed from KGB structures after 1991. Parliamentary oversight via the National Security Commission of the Saeima.^[4]

Pegasus Targeting of Meduza Journalists

Citizen Lab and Access Now confirmed Pegasus infections against Latvia-based Russian opposition journalists at Meduza (2023). The independent Russian news outlet relocated to Riga after being designated a “foreign agent” and “undesirable organisation” in Russia. The targeting demonstrates that journalists in Latvia face spyware threats from both Russian intelligence and potentially from allied intelligence services with Pegasus access.^[2]

Espionage and Hybrid Warfare

20+ espionage detentions since 2023, including former military personnel and government officials recruited by Russian intelligence. Kremlin hybrid warfare includes disinformation campaigns targeting the Russian-speaking population and “single-use agents” for sabotage operations. January 2025 submarine cable damage incident in the Baltic Sea underscored infrastructure vulnerability.^[1]

Internet Infrastructure and Transit Exposure

LIX (Latvian Internet Exchange) provides domestic peering. Latvia’s international connectivity relies on terrestrial fibre links to Lithuania, Estonia, and Sweden. Submarine cable vulnerability demonstrated by the January 2025 Baltic Sea cable damage incident.^[5]

FRA cable-tapping exposure: A significant proportion of Latvian international traffic routes through Sweden, where the FRA Law authorises bulk interception of cross-border cable traffic. The ECtHR found Sweden’s FRA regime violated Article 8 ECHR in Centrum för Rättvisa (2021), but reforms remain pending. Latvian traffic transiting Swedish cables is subject to FRA collection under Type 2 warrants (ministerial only, no judicial approval for non-Swedish persons).^[6]

Data Retention

The Electronic Communications Law (2022) imposes 18-month mandatory retention of telecommunications metadata — one of the longest in the EU. The President returned the law to Parliament over CJEU compatibility concerns, but it was adopted with the 18-month period intact. Access requires judicial authorisation.^[7]

International Data Sharing Agreements

Mutual Legal Assistance

EU Member States (26 countries): EU MLA Convention 2000, Schengen, EIO, Prüm. Council of Europe (50 signatory states): European Convention on MLA 1959 + Protocols. US-Latvia MLAT: Signed June 13, 1997, supplementary protocol December 7, 2005. Trilateral MLA agreement with Estonia and Lithuania (signed Tallinn, November 11, 1992). Bilateral MLA with Russia (civil, family, and criminal matters) and Poland.^[8]

Intelligence and Defense Cooperation

NATO (since March 2004). NB8 (Nordic-Baltic Eight) intelligence cooperation. Club de Berne and Counter-Terrorism Group. Baltic trilateral intelligence cooperation with Estonia and Lithuania. US-Latvia DCA (2017) defense cooperation agreement. US-Latvia Classified Information Agreement (December 2024). SIS II, Europol, Eurojust. EU-US Umbrella Agreement, SWIFT/TFTP, PNR. Interpol I-24/7. Egmont Group.^[9]

The Privacy Backdoor Effect

• FRA transit exposure: Latvian traffic through Swedish cables subject to bulk FRA interception
• 18-month retention: One of EU’s longest, with CJEU compatibility unresolved
• EU Framework: Latvian data in SIS II, Prüm, EIO accessible to 27 EU states
• MLATs: US, Estonia, Lithuania, Russia, Poland bilateral treaties
• Pegasus: Latvia-based journalists confirmed targets
• 25% Russian population: Creates unique intelligence targeting dynamics for both Russian and Western services

Recent Developments

Pegasus Infections at Meduza (2023): Citizen Lab/Access Now confirmed targeting of Latvia-based Russian opposition journalists.^[2]

20+ Espionage Detentions (Since 2023): Record number of detentions for Russian intelligence recruitment.^[1]

Baltic Cable Damage (January 2025): Submarine cable incident underscoring infrastructure vulnerability to hybrid warfare.^[5]

US-Latvia Classified Information Agreement (December 2024): Deepened bilateral intelligence-sharing framework.^[9]

Sources