Poland

First EU criminal prosecution of intelligence chiefs over Pegasus, CIA black site confirmed by the ECHR, NSA Tier B partner, and five intelligence agencies with warrantless metadata access

Overview

EU Member State: Poland is subject to the GDPR, the Law Enforcement Directive, and the ePrivacy Directive. For the EU framework, see the EU Framework page.

The Pegasus spyware scandal revealed 578 individuals targeted by three agencies using PLN 25 million diverted from the Justice Fund. In February 2026, the first EU criminal prosecution of intelligence chiefs over Pegasus was launched. The ECHR found three Article 8 violations in Poland’s surveillance regime (Pietrzak, May 2024). Poland hosted a CIA secret detention facility at Stare Kiejkuty (ECHR confirmed 2014). Five intelligence agencies exercise surveillance with ~99% wiretap approval rate and ~2 million annual metadata requests without judicial authorisation. Poland is an NSA Tier B partner.[1][2][3]

Privacy Framework

The UODO enforces the GDPR. Major fines: Poczta Polska PLN 27.1M (30 million citizens’ data for postal election), ING Bank PLN 18.4M (identity document scanning), McDonald’s PLN 16.9M (failed risk analysis). The Personal Data Protection Act (2018) supplements the GDPR. The Electronic Communications Law (November 2024) expanded scope to email, messaging, and video conferencing. Police Act (1990) and Anti-Terrorism Act (2016) provide surveillance authorities. Chat Control: Poland opposes mandatory scanning of encrypted communications.[4][5]

Surveillance and Intelligence

Five Intelligence Agencies

ABW (domestic intelligence), AW (foreign intelligence/SIGINT), CBA (anti-corruption), SKW (military counterintelligence/SIGINT), SWW (military intelligence/SIGINT). All five have operational control (wiretapping) powers and access telecommunications metadata without judicial authorisation. All five were created after the communist-era services were dissolved. Wiretap approval rate approximately 99%.[6]

Pegasus Spyware Scandal (2017–2022)

CBA purchased Pegasus with PLN 25 million from the Justice Fund. Three agencies (CBA, ABW, SKW) targeted 578 individuals: 6 in 2017 escalating to 162 in 2021. Citizen Lab identified first targets in December 2021: opposition politician Krzysztof Brejza (hacked 33 times during campaign), lawyer Roman Giertych, and prosecutor Ewa Wrzosek. Senate investigation found “gross violations of constitutional standards.” Former Justice Minister Ziobro arrested (January 2025, 26 charges), fled to Hungary (January 2026), EAW sought (February 2026).[7]

On February 25, 2026, the National Prosecutors’ Office charged former ABW head and SKW head with criminal offences for deploying Pegasus without required IT security accreditation — the first criminal prosecution of intelligence chiefs over Pegasus in any EU member state. Each faces up to three years imprisonment.[8]

ECHR: Pietrzak and Others v. Poland (May 2024)

Three Article 8 ECHR violations: (1) wiretapping regime lacked adequate safeguards; (2) metadata access regime exceeded what is “necessary in a democratic society”; (3) Anti-Terrorism Act secret surveillance lacked independent review. The Constitutional Tribunal’s 2014 ruling requiring independent surveillance oversight has been broadly ignored; 2016 amendments instead expanded powers.[2][9]

Palantir Defense Partnership

MoD signed MOU (December 2024) and Letter of Intent (October 2025) with Palantir covering battlefield management, logistics, AI, and cybersecurity across the Polish Armed Forces. Poland’s NATO-leading ~5% GDP defence spending drives aggressive US defence tech partnerships. Because Palantir is subject to the CLOUD Act, Polish Armed Forces operational data is accessible to US authorities without Polish consent.[10]

Internet Infrastructure

EPIX (Poland’s largest IXP, 3.5+ Tbps, 850+ users, Warsaw/Katowice/Poznan). PLIX/Equinix Warsaw (241 ISP members, 460+ ports). Despite ~500 km of Baltic coastline, connectivity relies primarily on terrestrial fibre to Germany, Czech Republic, and Lithuania. Poland is effectively landlocked for submarine cables: international traffic transits through neighbouring countries, including Germany (DE-CIX/BND cable interception).[11]

Data Retention

12-month mandatory retention of telecommunications metadata (reduced from 24 months in January 2013). Nine entities authorised to access retained data (Police, Border Guard, Military Police, ABW, SKW, CBA, Customs, fiscal authorities, prosecutors/courts). Intelligence agencies access metadata without judicial authorisation and without independent oversight. The Constitutional Tribunal’s 2014 ruling that this access violated privacy rights has not been effectively implemented.[12]

International Data Sharing Agreements

EU and NATO Framework

NATO member since March 1999; EU member since May 2004. Participates in SIS II, EIO, Prüm Convention, and Europol/Eurojust. Council of Europe Convention on MLA 1959 and its Protocols.[13]

NSA Tier B Cooperation

Classified as Tier B under “Focused Cooperation” on computer network exploitation. Not a Five/Nine/Fourteen Eyes member. Polish persons can be targeted by NSA collection under US foreign surveillance authorities.[3]

CIA Black Site: Stare Kiejkuty

The ECHR found “beyond reasonable doubt” that Poland hosted a CIA secret detention facility at Stare Kiejkuty military base (2002–2003). Al Nashiri and Abu Zubaydah rulings (July 24, 2014) found Poland violated Articles 3, 5, 6, 8, and 13 ECHR. EUR 100,000 damages each. Former President Kwasniewski admitted agreeing to host the site.[14]

US-Poland MLAT

Signed July 10, 1996, in force September 17, 1999.[15]

The Privacy Backdoor Effect

Despite UODO enforcement and constitutional protections, extensive alternative access exists:

  • NSA Tier B: Bilateral SIGINT partnership outside GDPR frameworks; Polish persons targetable by NSA
  • CIA precedent: Stare Kiejkuty established US intelligence operations on Polish soil outside Polish oversight
  • Five agencies: ABW, AW, CBA, SKW, SWW operate under Police Act and Anti-Terrorism Act, exempt from data protection supervision
  • EU Framework: Polish data in SIS II, Prüm, EIO accessible to 27 EU states and through Europol to US FBI
  • Palantir CLOUD Act: Polish Armed Forces data on US-controlled platform accessible without Polish consent
  • SWIFT/PNR: Financial and travel data subject to US access

Sources

[1] UODO: About the Office – Enforcement statistics, Poczta Polska/ING/McDonald’s fines
[2] HUDOC: Pietrzak and Others v. Poland (May 2024) – Three Article 8 violations
[4] ICLG: Data Protection – Poland – Personal Data Protection Act 2018, Electronic Communications Law
[5] EDRi: Chat Control – Poland opposes mandatory scanning
[6] Library of Congress: Intelligence Activities – Poland – Five agencies, warrantless metadata access, 99% wiretap approval
[7] Citizen Lab: Polish Pegasus Targets (December 2021) – Brejza (33 hacks), Giertych, Wrzosek, 578 total targets
[9] Constitutional Tribunal: K 23/11 (July 2014) – Surveillance ruling broadly ignored
[10] Defence24: Palantir Poland LoI (October 2025) – MoD partnership, CLOUD Act exposure
[11] EPIX – 3.5+ Tbps, 850+ users, Poland’s largest IXP
[12] Open Net: Poland Data Retention – 12-month retention, nine entities, warrantless access
[13] Wikipedia: Poland in the EU – NATO 1999, EU 2004, SIS II, EIO, Prüm
[14] Wikipedia: CIA Black Sites – Poland – Stare Kiejkuty, ECHR Al Nashiri and Abu Zubaydah rulings
[15] US DOJ: MLATs (April 2022) – US-Poland MLAT signed July 1996, in force September 1999