- within Privacy, Strategy and Criminal Law topic(s)
- in European Union
The Cyprus Cabinet has approved a draft bill allowing law enforcement and intelligence services to intercept telephone communications under specified circumstances, with the aim of strengthening criminal investigations and tackle organised crime. Now awaiting parliamentary approval, the proposal has raised significant questions regarding the balance between national security and individual privacy, as well as its implications for constitutional and EU law.
Why a New Law?
Phone tapping and electronic surveillance in Cyprus are currently governed by the Protection of the Privacy of Private Communication (Interception of Conversations and Access to Recorded Content of Private Communication) Law (N. 92(I)/1996), as amended in 2020.
While this framework was intended to provide safeguards and clear procedures, in practice it has proven insufficient as it has faced practical challenges, including technical limitations, ambiguous legal definitions, and procedural gaps, complicating lawful interceptions and exposing authorities to potential legal challenges.
The Cabinet-approved draft law of 13 February 2026 seeks to address these issues by introducing clearer rules, stronger judicial oversight, and stricter obligations for telecom providers.
It also broadens the constitutionally defined list of serious offences permitting communications interception and allows the Attorney General, in exceptional cases, to authorise such interception without judicial approval on national security grounds.
These proposed changes raise important questions regarding their compatibility with the constitutional safeguards governing the secrecy of communications in Cyprus.
Constitutional Considerations
The Cyprus Constitution guarantees the secrecy of communications under Article 17, allowing interference only in narrowly defined circumstances, such as with a court order at the request of the Attorney General of Cyprus for national security or specific serious offenses like murder, trafficking, drug offenses, or corruption.
Article 17(2) specifies that interception requires judicial authorisation and must be necessary for the security of the Republic or the prevention, investigation or prosecution of the serious criminal offences set out in the constitution.
If the proposed bill seeks to expand or clarify the list of crimes subject to interception, such as terrorism, espionage, organised cybercrime, or other forms of organised crime, it may necessitate either constitutional clarification or amendment to ensure legality.
The Supreme Court case Police v. Georghiades (1983) also underscores the constitutional limits on interception, holding that evidence obtained via secret recordings without proper authorization violates Articles 15 (right to private life) and 17 (right to confidentiality of correspondence) of the Constitution and is inadmissible in court.
From a Cypriot criminal law perspective, the practical implications of the new bill lie primarily in the admissibility and evidential integrity of intercepted communications. Under established principles of Cyprus criminal procedure, unlawfully obtained evidence and particularly evidence obtained in breach of constitutional rights faces a serious risk of exclusion.
The current uncertainty surrounding interception procedures has repeatedly exposed prosecutions to defence challenges, not on the merits of the case but on procedural and constitutional grounds. A clearer statutory framework, if tightly aligned with Article 17 of the Constitution, could enhance legal certainty by defining precise thresholds for authorization, standardising warrant content, and clarifying the role of investigators, prosecutors, and service providers in the interception chain. In this sense, the bill is as much a criminal procedure reform as it is a security measure.
At the same time, the bill's implementation will require careful calibration within the broader architecture of Cypriot criminal justice, particularly regarding prosecutorial discretion and judicial control. Interception orders are likely to become a focal point of pre-trial litigation, with defence counsel scrutinising necessity, proportionality, and scope at every stage. Cypriot Courts will therefore play a pivotal role not merely as authorising bodies, but as constitutional gatekeepers tasked with preventing routine or speculative surveillance.
If interception powers expand beyond traditionally enumerated serious offences, courts may be called upon to develop stricter jurisprudential standards for justification, duration, and renewal of warrants. Ultimately, the success of the bill in Cyprus criminal law will depend less on its breadth and more on how rigorously judges enforce its safeguards in everyday criminal proceedings.
The new amendment to the bill introduces two major changes: it broadens the list of serious offences for which the Attorney General can request the lifting of telecommunications secrecy, and it allows phone tapping without judicial approval in exceptional cases. Under this provision, the Attorney General could directly authorise intelligence or police agencies to monitor communications for state security reasons. This change would be enshrined in a proposed constitutional amendment, specifying that such interference is permissible with the Attorney General's written approval when necessary to protect the Republic's security and sovereignty.
European Law Implications
Any interception of communications must comply with European standards, notably Article 8 of the European Convention on Human Rights, which requires that interference with private communications be lawful, necessary, and proportionate in a democratic society. Such interference may be justified, for example, on grounds of national security, public safety, economic well-being, or the prevention of crime.
Article 2(2)(d) of the GDPR excludes personal data processing by competent authorities for the prevention, investigation, and prosecution of criminal offences. Such processing falls under Directive (EU) 2016/680, which establishes principles of lawfulness, necessity, proportionality, data minimisation, and data subject rights, as transposed in Cyprus through Law 44(I)/2019.
Landmark CJEU cases emphasise strict limits on personal data processing. In Valsts ieņēmumu dienests (C-175/20), the Court confirmed that the GDPR applied, as tax authorities are not competent authorities under Directive 2016/680. Data collection is allowed only to the extent that it is strictly necessary for a specific purpose, and any further use requires a clear legal basis under the GDPR.
In VS v Inspektor (C-180/21), the Court held data collected for criminal investigations cannot be repurposed for other objectives without legal authorisation, and such processing must be necessary and proportionate under Directive 2016/680.
Cyprus has transposed the ePrivacy Directive (Directive 2002/58/EC) through the Regulation of Electronic Communications and Postal Services Law of 2004 (Law 112(I)/2004). Under Article 99 of the Cypriot law, communications and related traffic data may not be intercepted without the consent of the users, except in cases provided by law and authorised by the Court. In line with Article 15(1) of the ePrivacy Directive, such restrictions are permitted where necessary, appropriate, and proportionate to safeguard national security, defence, public security, or to prevent, investigate, detect, and prosecute criminal offences or unauthorised use of electronic communications. Member States may also adopt data retention measures for a limited period where such measures are justified on these grounds.
All such measures must comply with the general principles of the Charter of Fundamental Rights of the European Union and the European Convention on Human Rights. The new bill should aim to implement these obligations by establishing clear procedural safeguards and restricting the scope and duration of interceptions.
Balancing Security and Privacy
While the draft bill seeks to address operational gaps in the existing framework, privacy protection, safeguarding of fundamental rights and constitutional conformity remain of pivotal importance. Key safeguards should include mandatory judicial authorisation, clearly defined limits on the scope, purpose, and duration of interceptions, strict rules governing access to, storage, and destruction of data, as well as obligations for telecom providers to ensure technical compliance and traceability.
Nevertheless, privacy advocates caution that broadening interception powers, even with judicial oversight, risks eroding fundamental rights. European law requires any restriction on privacy to be necessary, proportionate, and transparent. The proposed bill highlights the ongoing tension between national security and the right to privacy, particularly where judicial oversight may be bypassed in exceptional circumstances. Two companion bills are being prepared to support the implementation of the new framework, incorporating safeguards to mitigate potential limitations on judicial oversight, with all three expected to be considered together once the legislative package is finalised.
Ultimately, whether the new framework can achieve operational effectiveness without compromising fundamental rights will depend on the precise scope of crimes covered, the robustness of judicial oversight and the strict implementation of safeguards in practice.
The proposed legislation represents a significant development in Cyprus surveillance law. While the bill aims to modernise interception procedures and address operational challenges, it also raises important constitutional and European law questions.
As the bill moves to Parliament, the key challenge will be ensuring that any expansion of interception powers is accompanied by robust safeguards, effective judicial oversight, and strict compliance with European privacy standards.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
