Portugal

Overview

EU Member State (since 1986), NATO founding member (1949). For the EU framework, see the EU Framework page.

Portugal’s privacy framework is rooted in Article 35 of the Constitution (“Use of Information Technology”), guaranteeing data protection rights since the 1976 post-revolution constitution — a direct response to the PIDE/DGS secret police surveillance under the Salazar-Caetano dictatorship (1933–1974). The CNPD (Comissão Nacional de Proteção de Dados) enforces the GDPR via Lei 58/2019. The SIRP coordinates two intelligence agencies (SIS domestic, SIED foreign) under parliamentary oversight. NSA Tier B partner. Portugal’s Atlantic coastline — particularly Sines and Carcavelos — is a critical submarine cable junction connecting Europe to Africa, South America, and beyond. Lajes Field in the Azores is a jointly operated Portuguese-US Air Force installation with signals intelligence implications.^[1][2]

Surveillance and Intelligence

Historical Context: PIDE/DGS

Portugal’s intelligence framework exists in the shadow of the PIDE (1945–1969) and its successor DGS (1969–1974), the secret police of the Salazar-Caetano dictatorship. Using ~1,000 agents and 20,000 informants, the PIDE conducted pervasive surveillance, censorship, and political repression. The DGS was dissolved following the Carnation Revolution of April 25, 1974, though many records were destroyed. This history directly shaped Article 35 and the strict legal constraints on successor intelligence services.^[3]

SIRP Intelligence System

The Sistema de Informações da República Portuguesa (SIRP), established by Law No. 30/1984 (most recently amended by Law No. 50/2014), coordinates two agencies:

SIS (Serviço de Informações de Segurança) — domestic security intelligence, responsible for internal security, counter-terrorism, counter-espionage.

SIED (Serviço de Informações Estratégicas de Defesa) — foreign/strategic intelligence. Originally SIEDM (with military component), restructured 2004.

SIS and SIED officers may access subscriber and equipment location data for national security, and traffic data for preventing espionage and terrorism. The CFSIRP (parliamentary oversight council) monitors intelligence activities with authority to inspect data centres and conduct unannounced visits. A separate Data Oversight Commission monitors each agency’s data processing.^[4][5]

Internet Infrastructure and Submarine Cables

Atlantic Submarine Cable Hub

Portugal’s Atlantic coastline makes it one of Europe’s most strategically important cable landing zones. Landing stations at Carcavelos, Sesimbra, and Seixal host systems connecting Europe with Africa, the Middle East, and Asia:

EllaLink — direct Europe-South America cable linking Sines (Portugal) to Fortaleza (Brazil), bypassing North American routing. Operational since 2021.

2Africa — the world’s largest submarine cable (45,000+ km, 33 countries), landed at Carcavelos March 2024.

Equiano — Google’s cable connecting Sesimbra to South Africa (May 2022). Plus WACS, SAT-3/WASC, ACE, MainOne, SEA-ME-WE-3, and EIG.

Sines: Emerging Atlantic Hub

Sines is being developed as a major Atlantic connectivity hub through aicep Global Parques, EllaLink, and Start Campus (hyperscale data centre). The Olisipo domestic cable connects Sines to Lisbon; the Nuvem cable is planned to link Portugal to the United States; the Medusa cable will connect to North Africa via the Mediterranean.^[6][7]

GigaPIX

GigaPIX (founded 1995) is Portugal’s primary IXP, operated by FCT|FCCN across three Lisbon data centres and one in Porto, with ~60 ASNs connected.^[8]

Data Retention

Portugal’s data retention framework has been struck down three times by the Constitutional Court. Lei 32/2008 (1-year blanket retention) was declared unconstitutional on April 19, 2022 (Acórdão 268/2022) for indiscriminate retention. Parliament’s first replacement was struck down in December 2023 (Acórdão 800/2023) for the same deficiency. A third attempt, Lei 18/2024 (February 2024), regulates metadata access specifically for criminal investigations. Whether this survives constitutional scrutiny remains open.^[9][10]

International Data Sharing Agreements

Mutual Legal Assistance

EU Member States (26 countries): EU MLA Convention 2000, Schengen, EIO, Prüm. Council of Europe (50 signatory states): European Convention on MLA 1959 + Protocols. US-Portugal: Bilateral agreement signed July 14, 2005 (Rice and Freitas do Amaral), but per DOJ records Portugal operates under the EU-US MLA instrument only (in force February 1, 2010). CPLP: Cooperation among police directors and military authorities with nine lusophone nations (Portugal, Brazil, Angola, Mozambique, Cabo Verde, Guinea-Bissau, São Tomé and Príncipe, Timor-Leste, Equatorial Guinea) across four continents.^[11][12]

Intelligence Cooperation

NSA Tier B (“Focused Cooperation”) — bilateral SIGINT partner; Portuguese persons targetable. Lajes Field (Terceira Island, Azores): jointly operated Portuguese-US Air Force installation, positioned midway between North America and Europe; served Cold War maritime patrol and Operation Nickel Grass (1973); carries signals intelligence implications for mid-Atlantic cable communications. NATO founding member (1949): participates in Alliance intelligence-sharing structures including the NATO Intelligence Fusion Centre. Club de Berne and Counter-Terrorism Group (CTG). SIS II, Europol, Eurojust. EU-US Umbrella Agreement, SWIFT/TFTP, PNR. Interpol I-24/7. Egmont Group.^[13][14][15]

The Privacy Backdoor Effect

• NSA Tier B / Lajes Field: Bilateral SIGINT cooperation; Lajes Field serves as US signals intelligence and maritime patrol hub with implications for mid-Atlantic cable surveillance
• Atlantic Cable Hub Exposure: Carcavelos, Sesimbra, and Sines host cables connecting three continents; allied intelligence can access traffic at UK or US cable segments on the same systems
• Club de Berne / EU INTCEN: SIS intelligence shared with 31 European services outside GDPR
• NATO Founding Member: Intelligence shared within NATO frameworks not subject to GDPR at receiving-state level
• EU Framework: Portuguese data in SIS II, Prüm, EIO accessible to 27 EU states; through Europol, to US FBI
• CPLP: Security cooperation with lusophone nations across four continents

Recent Developments

NIS2 Transposition (December 2025): Decree-Law 125/2025, entry into force April 3, 2026. CNCS leads oversight.^[16]

2Africa Cable Landing (March 2024): World’s largest submarine cable landed at Carcavelos, solidifying Portugal’s position as a critical Atlantic hub.^[7]

Metadata Law Reform — Third Attempt (February 2024): Lei 18/2024 after Constitutional Court invalidated both Lei 32/2008 (April 2022) and the first replacement (December 2023).^[10]

Sources