Portugal

Portugal has been a member of the European Union since 1986. The GDPR (Regulation 2016/679) applies directly. Portugal’s national implementing legislation is Lei 58/2019 of August 8, which supplements the GDPR with domestic provisions on public sector processing, consent age, and administrative fines. Portugal is also bound by the EU ePrivacy Directive (implemented via Lei 41/2004), the Law Enforcement Directive, and participates in EU data-sharing systems including SIS II, Prüm, Europol, and the European Investigation Order framework.

Overview

Portugal’s privacy framework is rooted in one of the most explicit constitutional data protection provisions in Europe. Article 35 of the Constitution — titled “Use of Information Technology” (Utilização da Informática) — has guaranteed citizens the right to access, correct, and control their personal data since the 1976 post-revolution constitution, predating the GDPR by four decades. This provision was a direct response to the surveillance apparatus of the PIDE/DGS secret police, which maintained extensive dossiers on Portuguese citizens throughout the Salazar-Caetano dictatorship (1933–1974). The Comissão Nacional de Proteção de Dados (CNPD) enforces data protection law, and has issued some of the EU’s most notable GDPR enforcement actions, including a €4.3 million fine against the national statistics institute.^[1][2]

On the intelligence side, Portugal’s Sistema de Informações da República Portuguesa (SIRP) coordinates two agencies — the SIS for domestic security and the SIED for strategic defense — under parliamentary oversight by the CFSIRP. As a NATO founding member (1949) and NSA Tier B partner, Portugal participates in transatlantic intelligence sharing. Its Atlantic coastline — particularly the emerging hub at Sines and the established landing stations at Carcavelos and Sesimbra — serves as a critical junction for submarine cables connecting Europe to Africa, South America, and beyond, making Portugal’s infrastructure strategically significant for global communications.^[3][4]

Data Protection Authority: CNPD

The Comissão Nacional de Proteção de Dados (CNPD) is Portugal’s independent supervisory authority established under Lei 43/2004 in accordance with GDPR Article 51. The CNPD is based in Lisbon and handles complaints, conducts investigations, issues binding orders, and imposes administrative fines. Its budget was €2.98 million in 2023. Under Portuguese law, 60% of GDPR fines go to the state treasury and 40% to the CNPD itself. In 2023, the CNPD issued 90 fines totaling €559,950.^[1][5]

Notable Enforcement Actions

Key Legislation

Constitution of the Portuguese Republic — Article 35

Article 35 (“Utilização da Informática”) establishes a constitutional right to data protection. Citizens have the right to access computerized data concerning them, to request correction, and to know the purpose for which data is collected. The article prohibits third-party access to personal data files and cross-border data transfers except as provided by law, and bans the processing of data relating to philosophical or political beliefs, party or trade union affiliation, religious faith, or private life. Originally enacted in the 1976 Constitution following the Carnation Revolution, it was one of the earliest constitutional data protection provisions in the world.^[2]

Lei 58/2019 — GDPR Implementation

Law No. 58/2019 of August 8 ensures the implementation of the GDPR in the Portuguese legal order. It replaced the prior Lei 67/1998 and provides supplementary national provisions on public sector data processing, sets the age of consent for information society services at 13, regulates employer-employee data processing, and establishes the administrative fine framework. Portugal was one of the last EU member states to adopt GDPR implementing legislation, prompting a European Parliament inquiry in 2019.^[8]

Lei 41/2004 — Electronic Communications Privacy

Law No. 41/2004 of August 18 transposed the EU ePrivacy Directive (2002/58/EC) into Portuguese law. It regulates the processing of personal data in electronic communications, including traffic and location data retention, cookie consent requirements, and restrictions on unsolicited marketing communications.^[9]

Lei Orgânica do SIRP — Intelligence Framework Law

The organic law governing the SIRP intelligence system, most recently amended by Law No. 50/2014, provides the legal basis for the operations of SIS and SIED. It defines the scope and limits of intelligence collection, establishes oversight mechanisms through the CFSIRP, and regulates access to telecommunications metadata for intelligence purposes. SIS and SIED officers may access subscriber and equipment location data for national security purposes, and traffic data for the specific purpose of preventing espionage and terrorism.^[10]

Surveillance and Intelligence

Historical Context: PIDE/DGS

Portugal’s current intelligence framework exists in the shadow of the PIDE (Polícia Internacional e de Defesa do Estado, 1945–1969) and its successor the DGS (Direcção-Geral de Segurança, 1969–1974), the secret police of the Salazar-Caetano dictatorship. Using a wide network of informants, the PIDE infiltrated agents into underground movements and encouraged citizens to denounce suspects, conducting pervasive surveillance, censorship, and political repression. The DGS was dissolved following the Carnation Revolution of April 25, 1974, though many records were destroyed during the transition. This history directly shaped Portugal’s constitutional privacy protections and the strict legal constraints placed on its successor intelligence services.^[11]

SIRP Intelligence System

The Sistema de Informações da República Portuguesa (SIRP) is the coordinating structure for Portuguese intelligence, established by Law No. 30/1984. It oversees two agencies:^[3]

Serviço de Informações de Segurança (SIS) — the domestic security intelligence service, responsible for producing intelligence to safeguard internal security and prevent sabotage, terrorism, espionage, and acts threatening the constitutional order.

Serviço de Informações Estratégicas de Defesa (SIED) — the strategic defense intelligence service (foreign intelligence), responsible for producing intelligence contributing to national independence, national interests, and external security. Originally the SIEDM (with a military component), it was restructured in 2004 and lost its military designation.

Parliamentary Oversight

The Conselho de Fiscalização do SIRP (CFSIRP) provides parliamentary oversight. Its members are elected by the Portuguese Parliament and have authority to monitor intelligence activities, inspect data centers operated by SIS and SIED, oversee telecommunications metadata access procedures, and conduct announced or unannounced inspection visits. A separate Data Oversight Commission monitors the data processing activities of each intelligence service and reports irregularities to the CFSIRP.^[12]

Internet Infrastructure and Submarine Cables

GigaPIX (Gigabit Portuguese Internet eXchange)

GigaPIX is Portugal’s primary internet exchange point, a not-for-profit IXP managed and operated by FCT|FCCN. Established in 1995 (originally as “Pix”), it operates across three data centers in Lisbon and one in Porto, with approximately 60 ASNs connected. GigaPIX provides neutral peering infrastructure that keeps domestic traffic local and reduces dependence on international transit links.^[13]

Atlantic Submarine Cable Hub

Portugal’s Atlantic coastline makes it one of Europe’s most strategically important submarine cable landing zones. The greater Lisbon region — with landing stations at Carcavelos, Sesimbra, and Seixal — hosts landings for numerous submarine cable systems connecting Europe with Africa, the Middle East, and Asia. Key cables include:^[14][15]

EllaLink — a direct Europe-South America cable linking Sines (Portugal) to Fortaleza (Brazil), providing low-latency connectivity bypassing North American routing. Operational since 2021.

2Africa — the world’s largest submarine cable system (45,000+ km connecting 33 countries), landed at Carcavelos in March 2024 with Vodafone as the Portuguese landing party.

Equiano — Google’s cable connecting Portugal (Sesimbra) to South Africa, with branches to West African nations. Landed in May 2022.

WACS (West Africa Cable System), SAT-3/WASC, ACE, MainOne, SEA-ME-WE-3, and EIG (Europe India Gateway) also land in the Lisbon area.

Sines: Emerging Atlantic Hub

The port city of Sines is being developed as a major new Atlantic connectivity hub through a partnership between aicep Global Parques, EllaLink, and Start Campus (a hyperscale data center developer). EllaLink’s Sines landing station serves as the anchor, with the Olisipo domestic cable connecting Sines to Lisbon and the Nuvem cable planned to link Portugal to the United States. The Medusa cable connecting to North Africa via the Mediterranean is also set to land at Carcavelos.^[16]

Data Retention

Portugal’s data retention framework has undergone significant constitutional upheaval. Lei 32/2008 transposed the EU Data Retention Directive, requiring telecommunications providers to retain all traffic metadata for one year. On April 19, 2022, the Constitutional Court (Acórdão 268/2022) declared Articles 4, 6, and 9 of Lei 32/2008 unconstitutional, finding that blanket, indiscriminate metadata retention violated fundamental rights. The ruling followed a 2019 challenge by the Ombudsperson.^[18]

Parliament’s first attempt at replacement legislation was struck down by the Constitutional Court in December 2023 (Acórdão 800/2023) for the same deficiency — general and indiscriminate retention. A second reformed law, Lei 18/2024 of February 5, was enacted in early 2024, regulating access to metadata in the context of criminal investigations. Whether this third attempt will survive constitutional scrutiny remains an open question.^[19]

International Data Sharing Agreements

NATO Founding Member

Portugal was a founding member of NATO on April 4, 1949. As a NATO member, Portugal participates in Alliance intelligence-sharing structures, including the NATO Intelligence Fusion Centre and integrated military intelligence frameworks. Portugal’s strategic Atlantic position — including the Azores archipelago — has given it outsized importance in NATO maritime and transatlantic security.^[20]

NSA Tier B Cooperation

According to documents disclosed by Edward Snowden, Portugal is classified as an NSA Tier B partner under “Focused Cooperation.” As a Third Party partner, Portugal participates in bilateral SIGINT cooperation but can itself be targeted by NSA collection — unlike Five Eyes (Second Party) members who are nominally exempt from mutual surveillance.^[4]

Lajes Field, Azores

Lajes Field on Terceira Island in the Azores is a jointly operated Portuguese Air Force and United States Air Force installation. Positioned midway between North America and Europe, it has served as a critical transatlantic logistics, refueling, and maritime patrol hub since World War II. During the Cold War, Lajes supported maritime patrol aircraft tracking Soviet submarines and served as a key stopover during Operation Nickel Grass (1973). The base’s strategic location in the mid-Atlantic carries intelligence implications for signals collection and maritime domain awareness.^[21]

Club de Berne and Counter-Terrorism Group

Portugal is a member of the Club de Berne, the intelligence-sharing forum of EU member states’ domestic security services plus Norway and Switzerland, and participates in the Counter-Terrorism Group (CTG), its post-9/11 operational counterterrorism offshoot. The CTG facilitates voluntary intelligence exchange and provides terrorism threat assessments to EU policymakers.^[22]

US-Portugal MLAT

The US-Portugal bilateral agreements on Extradition and Mutual Legal Assistance in Criminal Matters were signed on July 14, 2005, supplementing the broader EU-US MLAT framework. These agreements provide for mutual assistance in criminal investigations including taking testimony, executing searches, and transferring evidence.^[23]

CPLP (Community of Portuguese Language Countries)

Portugal is a founding member of the CPLP (Comunidade dos Países de Língua Portuguesa), established in 1996. The CPLP encompasses nine member states: Portugal, Brazil, Angola, Mozambique, Cabo Verde, Guinea-Bissau, São Tomé and Príncipe, Timor-Leste, and Equatorial Guinea. While primarily a diplomatic and cultural organization, the CPLP facilitates cooperation among police directors and military authorities across four continents, providing channels for security cooperation with lusophone nations in South America, Africa, and Southeast Asia.^[24]

EU Law Enforcement Cooperation

Portugal participates in the Schengen Information System (SIS II), the European Investigation Order (EIO) framework, the Prüm Convention for automated DNA/fingerprint/vehicle data exchange, and Europol/Eurojust cooperation.

The Privacy Backdoor Effect

Despite Portugal’s constitutionally-rooted privacy protections (Article 35, post-PIDE tradition) and CNPD GDPR enforcement, intelligence sharing frameworks and Portugal’s Atlantic cable hub position create collection pathways outside data protection law — and foreign communications transiting Portuguese cable infrastructure are subject to collection without GDPR protection:

• NSA Tier B / Lajes Field: As an NSA Tier B partner, Portugal participates in bilateral SIGINT cooperation; Lajes Field (Azores) serves as a US signals intelligence and maritime patrol hub with direct implications for cable communications surveillance across the mid-Atlantic.
• Atlantic Cable Hub Exposure: Portugal’s Carcavelos, Sesimbra, and Sines landing stations host cables connecting three continents; allied intelligence services can access traffic transiting Portuguese infrastructure through collection authorities at UK or US cable segments on the same systems.
• Club de Berne / EU INTCEN: SIS intelligence shared with EU INTCEN and 31 European services flows outside GDPR.
• NATO Founding Member: Portugal participates in NATO intelligence-sharing structures; intelligence about Portuguese persons shared within NATO frameworks is not subject to GDPR at the receiving-state level.
• EU Framework Sharing: Portuguese person data in SIS II, Prüm, or EIO channels is accessible to 27 EU member states and, through Europol, to US FBI.
• SWIFT/PNR Dragnet: International financial transactions and international air travel data subject to US access.

For Portuguese persons, the CNPD enforces GDPR against data controllers subject to Portuguese jurisdiction, and Article 35 of the Constitution provides strong domestic privacy protections — but SIS and SIED operate under the SIRP organic law (amended 2014), which authorizes access to subscriber data and traffic data for national security purposes outside data protection oversight. Foreign nationals whose communications transit Portugal’s Atlantic cable landing stations or GigaPIX are not protected by Portuguese data protection law — GDPR Article 2(2) explicitly excludes member state national security processing from its scope.

Recent Developments

NIS2 Transposition (December 2025)

Portugal transposed the NIS2 Directive via Decree-Law No. 125/2025, published December 4, 2025, with entry into force on April 3, 2026. The National Cybersecurity Centre (CNCS) leads oversight. Essential entities face fines up to €10 million or 2% of global turnover; important entities up to €7 million or 1.4%. The transposition was delayed by political instability in 2024–2025.^[25]

2Africa Cable Landing (March 2024)

The world’s largest submarine cable system, 2Africa, landed at Carcavelos in March 2024, further solidifying Portugal’s position as a critical Atlantic connectivity hub connecting 33 countries across three continents.^[15]

Metadata Law Reform (February 2024)

Lei 18/2024 enacted a third attempt at data retention reform following the Constitutional Court’s invalidation of both Lei 32/2008 (April 2022) and the first replacement bill (December 2023). The new law regulates metadata access specifically in the context of criminal investigations.^[19]

INE Census Fine (December 2022)

The CNPD issued a €4.3 million fine against the National Statistics Institute for GDPR violations during the 2021 Census, including processing special category data without lawful basis and inadequate transparency obligations — the largest fine in Portuguese GDPR enforcement history.^[7]

Constitutional Court Strikes Down Data Retention (April 2022)

Acórdão 268/2022 declared blanket metadata retention under Lei 32/2008 unconstitutional, following the CJEU’s Digital Rights Ireland and Tele2 Sverige jurisprudence. Portugal became one of several EU member states to invalidate national data retention frameworks post-2014.^[18]

Sources