Cyprus Recording Laws: All-Party Consent, Penalties, and GDPR (2026)

Cyprus Recording Laws: All-Party Consent, Penalties, and GDPR (2026)

Cyprus requires the consent of every party to a private conversation before it can be lawfully recorded. This all-party consent rule flows from the Constitution of the Republic of Cyprus, Criminal Code Cap. 154 Section 138, the Protection of the Confidentiality of Private Communication Law 92(I)/1996, and EU data protection law as transposed by Law 125(I)/2018. Violations are criminal offenses, and secretly obtained recordings are constitutionally inadmissible in court.

Information last verified on 2026-05-15. This article has not yet been reviewed by a licensed lawyer. Statutes cited reflect their in-force versions as of 2026-05-15.

Jurisdiction scope: This article addresses the recording and privacy laws of the Republic of Cyprus, including EU regulations directly applicable in Cyprus. It does not address the laws of the Turkish Republic of Northern Cyprus (TRNC), which are covered separately below. For a global overview, see world recording laws.

---

Quick Answer: Is Cyprus All-Party or One-Party Consent?

Cyprus is an all-party consent jurisdiction for the recording of private communications. Every person whose voice or communication is captured must consent before the recording begins. This rule applies to the person holding the phone or microphone just as much as to a third-party interceptor. Being a participant in a conversation does not create any right to record it without telling the others.

The rule covers telephone calls (landline, mobile, VoIP), in-person oral conversations, video calls, electronic messaging intercepted in transit, and any other form of private communication. It applies equally to individuals, businesses, journalists, and public officials acting in a private capacity.

Three separate legal regimes reinforce this baseline simultaneously: the criminal statute Law 92(I)/1996 (the core interception law); Criminal Code Cap. 154 Section 138 (the older provision on violating correspondence); and GDPR as transposed by Law 125(I)/2018 (data protection overlay). The Constitution of the Republic of Cyprus, through Articles 15 and 17, elevates the protection to fundamental-rights status. Because of Article 35's duty to protect rights, Cyprus courts have no discretion to admit evidence obtained in violation of those articles, unlike in English common law jurisdictions where judges can exercise admissibility discretion.

---

Criminal Code Cap. 154 Section 138: The Colonial-Era Foundation

The Criminal Code of Cyprus, Cap. 154, dates from 1959 and is rooted in the colonial common law tradition the island inherited from British administration. Section 138 prohibits the wilful violation of the secrecy of correspondence or other communications. The provision covers the interception, opening, or disclosure of letters, telegrams, telephone communications, and any other form of private communication without lawful authority.

Although Section 138 predates modern telecommunications and electronic communications, it established the foundational principle that correspondence and communications belong to the sender and recipient, not to third parties or to any person with the technical means to intercept them. The section has not been repealed; it remains operative alongside the more specific Law 92(I)/1996 that was enacted to address modern telecommunications interception with greater procedural detail.

Cap. 154 as a whole covers Cyprus's major criminal offenses including homicide, assault, fraud, and sexual offenses. The 2023 amendments to Cap. 154 updated several sections for consistency with EU framework obligations. Section 138 sits within the offenses against personal liberty and privacy cluster of the Code.

Prosecution under Section 138 is possible as an alternative or complement to charges under Law 92(I)/1996 where the facts support both. Legal practitioners in Cyprus have noted that the older provision is more likely to be cited in civil constitutional proceedings than in standalone criminal prosecutions, which tend to rely on the more specific 1996 law.

Source note: The full text of Cap. 154 is available at cylaw.org (Greek). The English translation is available at the SBA Administration legislation portal.

---

Protection of Privacy of Private Communication Law 92(I)/1996

Law 92(I)/1996, formally titled the Protection of the Confidentiality of Private Communication (Interception of Conversations and Access to Recorded Content of Private Communication) Law, is the principal statute governing recording and surveillance in Cyprus. The law was amended in 2020 to address evolving telecommunications technology and was further scrutinised during the 2022 Pegasus spyware parliamentary inquiry.

General Prohibition

Articles 3 and 16 of Law 92(I)/1996 establish an absolute prohibition on the interception of private communications. The content of any unlawfully intercepted communication cannot be used in any criminal or civil proceeding. This prohibition is not qualified by the purpose of the interception or the identity of the interceptor.

Private communication is broadly defined to encompass telephone calls (landline and mobile), in-person oral conversations held in private settings, electronic messaging and email, video conferencing, and any other medium through which individuals communicate with an expectation that only the intended parties will receive the content.

Lawful Interception: Narrow Exceptions Only

The law permits interception only under strictly controlled judicial-oversight conditions. Under Article 6, the Attorney General may apply to a designated court for an ex parte interception order. The application must rest on a recommendation from either the Chief of Police, the Deputy Chief of Police, or the Chief of the Cyprus Intelligence Service.

A court order can authorise interception only for investigations into serious specified offenses. The list covers murder and attempted murder, human trafficking, drug trafficking, corruption, terrorism, and espionage. The order must specify the targets, scope, and duration of the surveillance. In genuine emergencies, interception may begin before a court order is formally issued, but a judicial ruling must follow within 24 hours.

The 2020 Amendments and Their Shortcomings

The 2020 amendments to Law 92(I)/1996 sought to update technical requirements for telecommunications providers and clarify the procedural chain between law enforcement and the courts. However, the amendments were criticised for failing to impose effective obligations on service providers to build and maintain the necessary technical infrastructure. A parliamentary review found that major telecommunications companies operating in Cyprus lacked the systems needed to execute lawful interceptions reliably.

This gap contributed directly to the February 2026 reform bill discussed below.

Penalties Under Law 92(I)/1996

Illegal interception, monitoring, or access to private communications is a criminal offense under Law 92(I)/1996. The current penalty framework includes imprisonment and criminal fines, with the specific maximums set at the time of the original enactment and the 2020 amendments. The 2026 draft reform bill proposes increasing the maximum custodial sentence for unlawful surveillance to 10 years imprisonment, reflecting the severity with which Cyprus treats violations of communications privacy.

---

Constitutional Protection: Articles 15 and 17

The Constitution of the Republic of Cyprus provides the highest-level protection for communications privacy. Two articles form the constitutional bedrock of recording law.

Article 15 guarantees every person the right to respect for private and family life. This right covers all dimensions of personal privacy, including conversations held in private settings, medical and legal consultations, and other inherently confidential exchanges. Article 15 mirrors Article 8 of the European Convention on Human Rights, and Cyprus courts frequently interpret both in tandem.

Article 17 establishes that every person has the right to respect for, and to the secrecy of, their correspondence and communications made through means not prohibited by law.

"Every person has the right to respect for, and to the secrecy of, his correspondence and other communication." -- Constitution of the Republic of Cyprus, Article 17(1)

Article 17(2) permits interference with this right only in accordance with the law, and only to the extent necessary in the interests of the security of the Republic, the constitutional order, public safety, public order, public health, public morals, or the protection of the rights and liberties guaranteed by the Constitution.

This language is significant for two reasons. First, it requires both a legal basis and a demonstrated necessity for one of the enumerated purposes. A person who simply wants to record a conversation for personal reasons, however benign, cannot invoke any of these grounds. Second, the enumeration is exhaustive. No ground outside this list can justify interference with communications secrecy.

Article 35 imposes a duty on all state authorities, including courts, to secure the efficient application of constitutional rights. This provision is the engine of the absolute exclusionary rule that Cyprus courts apply to secretly recorded evidence.

---

Police v. Georghiades (1983) 2 CLR 33: The Binding Precedent

The Supreme Court of Cyprus decision in Police v. Georghiades (1983) 2 CLR 33, decided November 16, 1982 and reported February 21, 1983, is the foundational case on recording law in Cyprus. Its principles remain binding on all courts and have never been overruled.

Facts

Andreas Georghiades, a psychologist, examined a patient named Eracleous at the request of lawyers involved in civil proceedings. Without the knowledge of Georghiades or his patient, other lawyers in those proceedings installed a hidden electronic transmitter in the examination room. An advocate listened to and transcribed the private conversation.

When Georghiades later gave evidence in the civil proceedings, he was charged with perjury. The prosecution sought to introduce the secretly recorded conversation to contradict his testimony.

The Court's Ruling

The Supreme Court unanimously held the secretly recorded evidence inadmissible. The Court found that overhearing and recording the consultation violated both Article 15 and Article 17 of the Constitution, as well as Articles 34 and 35 governing the protection and efficient application of constitutional rights.

The Court made four holdings that continue to shape recording law in Cyprus:

No judicial discretion. English common law allows judges to exercise discretion in deciding whether to admit illegally obtained evidence. The Cyprus Supreme Court rejected this approach in its entirety. Articles 34 and 35 impose a mandatory duty on courts to exclude evidence obtained in violation of constitutional rights. There is no balancing exercise, no weighing of competing interests, and no exception for particularly probative evidence.

Broad interpretation of Article 17. The right to communications secrecy covers all forms of communication, including oral conversations in private settings. It is not limited to written correspondence or telephone calls.

Private parties are bound. The Court held that constitutional rights operate against violations by anyone, not only state actors. A private citizen who secretly records another person's conversation violates constitutional rights to the same degree as a government agent doing the same thing.

Medical consultations are inherently private. The Court specifically noted that the confidential nature of a medical consultation is self-evident and falls squarely within the constitutional protection for private life and communications.

---

Processing of Personal Data Law 125(I)/2018 and the OCPDP

Cyprus implemented the GDPR through Law 125(I)/2018, which entered into force on July 31, 2018. The law designates the Office of the Commissioner for Personal Data Protection (OCPDP) as the national supervisory authority for data protection in Cyprus. The current Commissioner is Irene Loizidou Nicolaidou.

Voice Recordings as Personal Data

Under GDPR Article 4 and Law 125(I)/2018, a voice recording constitutes personal data when it can identify a person, whether through voice, name, phone number, or other information present in or associated with the recording. Any individual or organisation that collects, stores, processes, or shares voice recordings is a data controller subject to the full range of GDPR obligations.

The OCPDP's Position on Audio Recording

The OCPDP has taken the position that recording audio is highly invasive and intrusive and is generally prohibited. Individuals have a reasonable expectation that their conversations will not be recorded and will remain confidential. Audio recording is treated as more invasive than video recording alone because it captures the specific content of private expression.

This position was applied in enforcement in June 2025, when the OCPDP fined the Social Welfare Deputy Ministry 5,000 euros after an on-site inspection revealed that three of the ministry's 19 CCTV cameras were recording audio illegally. The OCPDP found that the ministry had not conducted a Data Protection Impact Assessment (DPIA) before installing the system and had not carried out the necessary checks to verify whether audio recording was active. The fine was issued under GDPR and Law 125(I)/2018.

Legal Bases for Processing Voice Recordings

Before recording a voice conversation and retaining the file, a data controller must identify a valid legal basis under GDPR Article 6. In Cyprus, the practically relevant bases are:

• Consent (Article 6(1)(a)): Freely given, specific, informed, and unambiguous. Consent is the most straightforward basis for most private and business recording, but it requires active, affirmative agreement before the recording starts. Pre-ticked boxes, continued call participation after a vague notice, or consent bundled with terms of service do not satisfy the standard.
• Legal obligation (Article 6(1)(c)): Applies where a specific law requires recording, for example the regulatory requirement for certain financial services firms to record client communications. The scope of the obligation must be precisely identified.
• Legitimate interests (Article 6(1)(f)): In principle available, but the OCPDP's position on the invasive nature of audio recording makes it very difficult to demonstrate that the controller's interests override the data subject's privacy rights without a documented and robust balancing test.

Enforcement Track Record

Since GDPR entered into force in Cyprus, the OCPDP has received over 2,500 complaints and imposed more than 1.7 million euros in administrative fines through 2025. Notable enforcement actions include the Housing Finance Corporation fine for GDPR breaches. The maximum administrative penalty available is 20 million euros or 4% of worldwide annual turnover, whichever is higher. Criminal penalties under Law 125(I)/2018 include up to 5 years imprisonment and fines of 10,000 to 50,000 euros for specified criminal offenses.

---

EU GDPR and AI Act Overlay

As an EU member state, Cyprus is subject to the GDPR directly (not through transposition) and to the EU Artificial Intelligence Act (AI Act), which entered into force on August 1, 2024.

GDPR in Cyprus

The GDPR applies uniformly across all EU member states. In Cyprus, Law 125(I)/2018 exercises the national derogations the GDPR permits, including setting the age of consent for data processing at 14 years (Article 8 derogation). All GDPR principles (lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality, and accountability) apply to recording activities.

Key GDPR obligations for any entity recording in Cyprus include: providing a lawful basis (Art. 6); providing a clear privacy notice before or at the point of recording (Art. 13-14); honouring data subject access, erasure, and portability requests (Art. 15-20); and conducting a DPIA for high-risk processing activities (Art. 35).

ePrivacy Directive and Law 112(I)/2004

Cyprus transposed EU Directive 2002/58/EC (the ePrivacy Directive) through Part 14 of the Electronic Communications and Postal Services Law 112(I)/2004. This layer of law governs confidentiality of electronic communications content and traffic data, cookies and device-storage consent, and restrictions on unsolicited electronic direct marketing. Where the ePrivacy Directive and GDPR overlap on communications data, the more specific ePrivacy rules take precedence. Enforcement of Part 14 sits with the Office of the Commissioner for Electronic Communications and Postal Regulation, distinct from the OCPDP, though the OCPDP retains jurisdiction over personal data processed within those communications.

EU AI Act: Biometric Surveillance Prohibition

The EU AI Act prohibits several categories of AI systems as unacceptable-risk applications. The prohibitions took effect on February 2, 2025. Among the prohibited practices directly relevant to recording law is the use of real-time remote biometric identification systems in publicly accessible spaces for law enforcement purposes. This means that deploying AI-powered facial recognition to identify individuals from live video feeds in public is banned throughout the EU, including Cyprus, subject to very narrow exceptions for missing children, imminent terrorist threats, and specified serious criminal investigations with prior judicial or independent body authorisation.

Additional prohibited practices include AI systems that use subliminal techniques to manipulate behaviour, that exploit vulnerabilities of specific groups, and that enable social scoring by public authorities.

AI Act Implementation Timeline in Cyprus

The timeline for Cyprus specifically is:

• February 2, 2025: Unacceptable-risk AI prohibitions in force, including real-time biometric surveillance ban.
• August 2, 2025: Cyprus must designate national competent authorities for AI Act oversight. The Deputy Ministry of Research, Innovation, and Digital Policy is expected to lead implementation.
• August 2, 2026: Obligations for general-purpose AI models and high-risk AI systems (covering employment, education, and essential services) take full effect.
• December 2, 2027: Obligations for AI systems in biometrics, critical infrastructure, and migration/border control take full effect.

Businesses using AI-powered transcription, voice identification, sentiment analysis, or automated call monitoring in Cyprus must map their systems against the AI Act risk tiers and ensure compliance by the applicable deadline.

---

Penalties

The penalties framework in Cyprus for recording violations draws from multiple statutory regimes simultaneously.

---

Civil Liability for Unlawful Recording

Beyond criminal prosecution, a person whose communications are recorded without consent has civil remedies in Cyprus.

Actions may be brought directly under Articles 15 and 17 of the Constitution against both public authorities and private parties. The Supreme Court confirmed in Georghiades that constitutional rights operate horizontally, meaning they apply to violations by private individuals, not only the state. Where a constitutional breach is proved, courts may award general damages (non-pecuniary, compensatory) regardless of whether any specific tort was separately established. No additional negligence or intent element is required beyond the constitutional violation itself.

Civil claims based on the general tort of breach of privacy under Cyprus common law are also available, and the limitation period for such claims is six years from the date of the breach. Claims founded on negligence carry a three-year limitation period.

GDPR-based civil claims are additionally available under GDPR Article 82, which grants data subjects the right to compensation from a controller or processor for material or non-material damage caused by a GDPR infringement. The OCPDP's administrative enforcement does not preclude a separate civil compensation claim.

---

Recording Phone Calls

Recording any telephone call in Cyprus requires the prior consent of every party on the call. This rule applies equally to landline calls, mobile calls, VoIP calls (Viber, WhatsApp, Zoom, Microsoft Teams, Skype), and multi-party conference calls.

For conference calls, every participant must consent. A single non-consenting party renders the recording unlawful, regardless of how many other parties have agreed.

There is no self-consent exemption. A call participant who records without informing and obtaining consent from the other parties commits the same offense as a third-party interceptor. Cyprus law treats participant recording and outside interception with equal seriousness.

Business call recording. Businesses operating in Cyprus that record customer service, financial advisory, or other professional calls must comply with both Law 92(I)/1996 and the GDPR. The standard practice of playing a pre-recorded message stating that a call may be monitored satisfies the transparency requirement only if: (1) the message specifically states who is recording, why, how long the recording is retained, and who will access it; (2) the caller is given a genuine opportunity to refuse and continue on an unrecorded line; and (3) the caller's continued participation after a clear and specific notice constitutes freely given consent. Ambiguous or bundled notices do not meet the GDPR standard.

Financial services firms may have regulatory obligations to record certain client communications under MiFID II and related instruments. Even in those cases, the firm must identify a valid GDPR Article 6 legal basis (typically Article 6(1)(c) legal obligation) and notify callers accordingly.

---

Recording In-Person Conversations

In-person oral conversations in Cyprus receive strong protection under the Constitution, Cap. 154 Section 138, and Law 92(I)/1996. The critical legal question is whether the participants had a reasonable expectation that their conversation would remain private.

Conversations in private homes, closed offices, medical and legal consultation rooms, vehicles, and any other setting where the speakers expect confidentiality are fully protected. Recording such conversations without consent is a criminal offense and produces inadmissible evidence.

Covert recording devices of any kind, including hidden microphones, audio bugs, smartphone apps running in the background, and voice-activated recorders concealed in a room, all fall within the prohibition. The method of concealment does not change the legal analysis. The key is whether consent was obtained from everyone whose voice was captured.

Public settings are treated differently. In genuinely public spaces where there is no reasonable expectation of privacy, ambient sound is generally not "private communication" for purposes of Law 92(I)/1996. However, the GDPR data minimisation and purpose limitation principles continue to apply once identifiable voices are recorded, and care must be taken not to capture private conversations that happen to occur in a public setting.

---

Recording the Police

Cyprus parliament approved a body-worn camera law in March 2026, authorising police officers to use body cameras and to install recording equipment in patrol vehicles. All recordings must be stored in encrypted format for up to six months, or longer if required for judicial proceedings. Unauthorised access to police body-camera recordings carries a penalty of up to three years imprisonment.

From the civilian side, there is no express statutory provision that prohibits members of the public from recording police officers in their official capacity in public spaces. Recording a police officer carrying out a public function in a public place does not inherently violate Law 92(I)/1996 because there is generally no expectation of privacy in the exercise of official powers in a public setting.

However, several constraints apply even in public:

• GDPR and data minimisation. Even a lawful video recording creates personal data obligations once identifiable individuals are captured. Storing and distributing footage is subject to GDPR principles.
• Obstruction. Filming while physically interfering with a police operation may give rise to obstruction charges under Cap. 154 independently of the recording itself.
• Audio of private communications. If the recording captures a private conversation between a suspect and a police officer held out of public earshot, the all-party consent requirement under Law 92(I)/1996 may still apply to that private exchange even if the surrounding scene is public.

In February 2024, parliament debated legislation to make recording of police interrogations and investigations mandatory, aimed at enhancing transparency. As of May 2026, that proposal remained under review.

---

Workplace Surveillance and Employee Monitoring

Cyprus imposes strict limits on workplace surveillance through OCPDP guidance and GDPR enforcement.

Employee Consent Is Not a Valid Basis

The OCPDP has held that employee consent to workplace monitoring is invalid due to the inherent power imbalance in the employment relationship. Employees cannot freely refuse or withdraw consent from an employer without real risk of employment consequences. This means an employer cannot rely on consent as the GDPR Article 6 legal basis for workplace surveillance of any kind, including CCTV, audio monitoring, or computer activity logging.

CCTV: Permitted and Prohibited Zones

Video surveillance in the workplace is permitted only where justified by specific operational needs, and even then only in specific locations:

Permitted: Building entrances and exits; elevator exterior doors (not interiors); parking areas and perimeters; areas where safes, cash, or high-value inventory are stored.

Prohibited: Employee offices; conference rooms; corridors; break rooms and kitchens; restrooms and changing areas; dining areas; waiting rooms.

Audio Recording at Work Is Prohibited

The OCPDP has stated explicitly that recording both image and sound in the workplace is excessive relative to any legitimate operational purpose. Workplace audio recording is prohibited as a general rule. Employers cannot install microphones to capture employee conversations. Employees cannot secretly record meetings with supervisors or colleagues. The June 2025 fine against the Social Welfare Deputy Ministry for CCTV audio recording confirms that even inadvertent audio capture by a surveillance system is an enforcement-level violation.

DPIA Requirement

A Data Protection Impact Assessment (DPIA) under GDPR Article 35 is mandatory before implementing any new surveillance system that presents high risks to individual rights and freedoms. A workplace CCTV system covering common areas will typically require a DPIA. Any system that monitors employee communications or behaviour systematically will require one.

Transparency Obligations

Warning signs must be prominently displayed wherever surveillance is in operation. Signs must identify the data controller, state the purpose and legal basis of the recording, and enable employees and visitors to understand their rights. Signs that simply say "CCTV in operation" without the required information do not meet the OCPDP standard.

---

Voyeurism and Secret Filming

Cyprus amended the Criminal Code Cap. 154 in 2019 to criminalise upskirting and other forms of covert intimate filming. The amendment followed parallel legislation in the United Kingdom and reflects the broader EU trend toward criminalising image-based sexual abuse.

The offense covers operating equipment beneath another person's clothing with the intent of observing their genitals, buttocks, or underwear in circumstances where they would not otherwise be visible, and doing so without consent. Recording such images without consent is separately criminalised. Both forms of the offense apply whether the purpose is sexual gratification, humiliation, or distress.

More generally, placing recording devices in private spaces such as bathrooms, changing rooms, hotel rooms, or bedrooms without consent is a serious criminal offense under both the voyeurism provisions of Cap. 154 and the general interception prohibition in Law 92(I)/1996. There is no journalistic privilege or other public interest defense that applies to this category of covert filming.

---

Deepfakes and AI-Generated Content

Cyprus enacted legislation targeting non-consensual deepfakes on March 12, 2026. Parliament passed the law that day, amending the Copyright and Related Rights Law to create a new category of protection for personal characteristics and performer interpretations.

The law prohibits the public distribution of content that mimics a person's physical features or a performer's interpretation or performance without that person's explicit consent. Violations are criminal offenses. Affected persons may also file civil lawsuits for compensation and seek injunctions to stop further distribution. The protection extends fifty years after the person's or artist's death.

The legislation was developed in response to growing use of AI tools to create sexualised or degrading synthetic content targeting individuals. Cypriot legal commentary had characterised non-consensual intimate deepfakes as a form of cyber rape because of their serious and lasting impact on victims' dignity and safety.

Separately, the EU AI Act requires transparency and watermarking for AI-generated content presented to human users. These obligations have applied in Cyprus since February 2025. The AI Act also prohibits AI systems that use subliminal or manipulative techniques to influence individuals.

---

The 2026 Surveillance Reform Bill

In February 2026, the Cyprus Cabinet approved a draft bill to overhaul the telecommunications interception framework.

Expanded Crime Coverage

The reform bill expands the list of offenses for which interception may be authorised to include terrorism, espionage, organised cybercrime, child sexual exploitation, money laundering, and participation in a criminal organisation.

Attorney General Authorisation Without a Court Order

In the most controversial provision, the bill would permit the Attorney General to authorise interception directly, without prior judicial approval, in exceptional circumstances linked to state security. This represents the first time in Cyprus's legal history that surveillance could proceed without any court order. Critics, including the parliamentary AKEL party, have argued that this provision risks creating the legal architecture of a surveillance state and undermines Article 17 of the Constitution.

Because the bill modifies the conditions under which Article 17 communications secrecy may be overridden, a constitutional amendment is required. The bill needs at least 38 parliamentary votes to pass.

Bill Did Not Pass Before Dissolution

The bill did not receive a plenary vote before the April 23, 2026, dissolution of parliament. On April 2, 2026, parliament's House legal committee agreed the constitutional amendment would remain under discussion and would not go to a vote with the outgoing parliament. Disagreements persisted over whether to require a court warrant before any interception, with the largest party (Disy) indicating it would insist on that safeguard in any revised version.

Cyprus held parliamentary elections on May 24, 2026. The bill's fate rests with the newly elected parliament. As of May 2026, no vote has taken place.

Stricter Penalties and New Oversight

The bill proposes a maximum penalty of 10 years imprisonment for unlawful surveillance, a substantial increase from the current penalty structure. It also creates a three-member supervisory committee to monitor compliance and requires telecommunications providers (Cyta, Cablenet, Epic, Primetel) to maintain traceable records of every interception request and to provide immediate technical access upon warrant issuance.

The Pegasus Spyware Context

The reform bill comes against the backdrop of Cyprus's prominent role in the European spyware industry. A November 2022 European Parliament PEGA committee report identified Cyprus as an important export hub for surveillance technologies, including NSO Group's Pegasus spyware. NSO Group confirmed that Cyprus had granted export licences for Pegasus technology. The Cyprus government denied direct links to Pegasus deployments inside the EU but faced sustained scrutiny over the lax application of export controls and close ties between politicians, security agencies, and the surveillance industry. The parliamentary inquiry opened in November 2022 did not result in prosecutions. The 2026 reform bill must be evaluated in this context, as it could expand executive surveillance capacity at a time when Cyprus's oversight record has already drawn EU-level concern.

---

Northern Cyprus: TRNC Legal Framework

The northern part of Cyprus has been under the administration of the Turkish Republic of Northern Cyprus (TRNC) since 1974. The TRNC is internationally recognised only by Turkey and is not a member of the EU. Republic of Cyprus law, the GDPR, and the EU AI Act do not apply in TRNC-administered territory.

Legal Basis in the TRNC

The TRNC operates its own legal system, which draws from Turkish law and Turkish legal traditions rather than from the Republic of Cyprus's British-derived common law. Criminal law in the TRNC is governed by the TRNC Criminal Code (Ceza Yasasi) and the Criminal Procedure Law (Ceza Muhakemeleri Usulü Yasasi).

Because Turkey adopted comprehensive surveillance and communications privacy rules through its own Penal Code (which criminalises unlawful interception with penalties up to five years imprisonment under Article 133) and the Electronic Communications Law No. 5809, the TRNC framework follows analogous principles, but specific TRNC provisions and their enforcement status must be verified through TRNC legal sources, which are not indexed in the same databases as Republic of Cyprus or EU law.

Practical Implications for Travellers and Businesses

A person crossing from the Republic of Cyprus into the TRNC crosses into a separate legal jurisdiction. Recordings made in the TRNC are not governed by Law 92(I)/1996, the Constitution of the Republic of Cyprus, or the GDPR. Whether a recording is lawful depends on TRNC law. The Republic of Cyprus does not recognise the legal authority of TRNC courts or legislation. Cross-border evidence gathered in the TRNC faces admissibility challenges in Republic of Cyprus courts on multiple grounds.

For practical guidance on laws in TRNC territory, consultation with a lawyer practising in the TRNC is essential.

---

Cross-Border Recording and International Considerations

Recording While in Cyprus

A person physically located in Cyprus who records a conversation is subject to Cyprus and EU law regardless of where the other parties to the conversation are located. The location of the recorder, not the location of the other parties, determines which recording consent law applies to the act of interception.

Recording Across Borders

When a call takes place between Cyprus and another country, the more restrictive jurisdiction's law typically applies from the perspective of the party in that jurisdiction. A call between someone in Cyprus (all-party consent required) and someone in the United Kingdom (one-party consent sufficient) is subject to Cyprus's all-party consent standard for the Cyprus-side participant. Recording without the UK party's consent would violate Law 92(I)/1996.

Cross-Border Data Transfers

Where recordings made in Cyprus are stored or processed on servers outside the EU/EEA, GDPR Chapter V governs the transfer. Transfers to countries without an EU adequacy decision (such as the United States outside Privacy Shield's successor framework, or most non-EU countries) require either Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCRs), or explicit data subject consent to the specific transfer after being informed of the risks. A recording made with all-party consent in Cyprus may still require additional safeguards before it can be lawfully transferred to a non-EU cloud provider.

---

Frequently Asked Questions

Disclaimer

This article presents general legal information about the law of the Republic of Cyprus as it relates to recording and surveillance. It does not constitute legal advice and does not establish a lawyer-client relationship. The information was last verified on 2026-05-15 and reflects statutes and official guidance as of that date. Laws change: statutory amendments, new OCPDP decisions, and pending parliamentary bills discussed here may have different outcomes after publication.

Readers who have specific questions about whether a particular recording is lawful, whether they face liability for a past recording, or how to structure a business compliance program should consult a lawyer qualified and licensed to practise in the Republic of Cyprus. For TRNC matters, a separate consultation with a lawyer practising in that jurisdiction is necessary.

About the Author

[PLACEHOLDER -- author roster pending. Information compiled and verified by the RecordingLaw.com research team on 2026-05-15.]

---

Last updated: 2026-05-15. Statutes cited reflect their in-force versions as of 2026-05-15.