CURIA - Documents
34 of 58
http://curia.europa.eu/juris/document/document_print.jsf?docid=2320...
although it is for the Member States to define their essential security interests and to adopt
appropriate measures to ensure their internal and external security, the mere fact that a national
measure has been taken for the purpose of protecting national security cannot render EU law
inapplicable and exempt the Member States from their obligation to comply with that law (see, to
that effect, judgments of 4 June 2013, ZZ, C‑300/11, EU:C:2013:363, paragraph 38; of 20 March
2018, Commission v Austria (State printing office), C‑187/16, EU:C:2018:194, paragraphs 75 and
76; and of 2 April 2020, Commission v Poland, Hungary and Czech Republic (Temporary
mechanism for the relocation of applicants for international protection), C‑715/17, C‑718/17 and
C‑719/17, EU:C:2020:257, paragraphs 143 and 170).
100
It is true that, in the judgment of 30 May 2006, Parliament v Council and Commission (C‑317/04
and C‑318/04, EU:C:2006:346, paragraphs 56 to 59), the Court held that the transfer of personal
data by airlines to the public authorities of a third country for the purpose of preventing and
combating terrorism and other serious crimes did not, pursuant to the first indent of Article 3(2) of
Directive 95/46, fall within the scope of that directive, because that transfer fell within a framework
established by the public authorities relating to public security.
101
However, having regard to the considerations set out in paragraphs 93, 95 and 96 of the present
judgment, that case-law cannot be transposed to the interpretation of Article 1(3) of Directive
2002/58. Indeed, as the Advocate General noted, in essence, in points 70 to 72 of his Opinion in
Joined Cases La Quadrature du Net and Others (C‑511/18 and C‑512/18, EU:C:2020:6), the first
indent of Article 3(2) of Directive 95/46, to which that case-law relates, excluded, in a general way,
from the scope of that directive ‘processing operations concerning public security, defence, [and]
State security’, without drawing any distinction according to who was carrying out the data
processing operation concerned. By contrast, in the context of interpreting Article 1(3) of Directive
2002/58, it is necessary to draw such a distinction. As is apparent from paragraphs 94 to 97 of the
present judgment, all operations processing personal data carried out by providers of electronic
communications services fall within the scope of that directive, including processing operations
resulting from obligations imposed on those providers by the public authorities, although those
processing operations could, where appropriate, on the contrary, fall within the scope of the
exception laid down in the first indent of Article 3(2) of Directive 95/46, given the broader wording
of that provision, which covers all processing operations concerning public security, defence, or
State security, regardless of the person carrying out those operations.
102
Furthermore, it should be noted that Directive 95/46, which was at issue in the case that gave rise
to the judgment of 30 May 2006, Parliament v Council and Commission (C‑317/04 and C‑318/04,
EU:C:2006:346), has been, pursuant to Article 94(1) of Regulation 2016/679, repealed and replaced
by that regulation with effect from 25 May 2018. Although that regulation states, in Article 2(2)(d)
thereof, that it does not apply to processing operations carried out ‘by competent authorities’ for the
purposes of, inter alia, the prevention and detection of criminal offences, including the safeguarding
against and the prevention of threats to public security, it is apparent from Article 23(1)(d) and (h)
of that regulation that the processing of personal data carried out by individuals for those same
purposes falls within the scope of that regulation. It follows that the above interpretation of
Article 1(3), Article 3 and Article 15(1) of Directive 2002/58 is consistent with the definition of the
scope of Regulation 2016/679, which is supplemented and specified by that directive.
103
By contrast, where the Member States directly implement measures that derogate from the rule that
electronic communications are to be confidential, without imposing processing obligations on
providers of electronic communications services, the protection of the data of the persons concerned
is covered not by Directive 2002/58, but by national law only, subject to the application of Directive
(EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of
natural persons with regard to the processing of personal data by competent authorities for the
purposes of the prevention, investigation, detection or prosecution of criminal offences or the
execution of criminal penalties, and on the free movement of such data, and repealing Council
Framework Decision 2008/977/JHA (OJ 2016 L 119, p. 89), with the result that the measures in
2/15/2021, 4:58 PM