Question 1
30
By its first question, the referring court asks, in essence, whether Article 1(3) of Directive 2002/58,
read in the light of Article 4(2) TEU, is to be interpreted as meaning that national legislation enabling a
State authority to require providers of electronic communications services to forward traffic data and
location data to the security and intelligence agencies for the purpose of safeguarding national security
falls within the scope of that directive.
31
In that regard, Privacy International argues, in essence, that, having regard to the guidance derived
from the case-law of the Court of Justice as regards the scope of Directive 2002/58, both the
acquisition of data by the security and intelligence agencies from those providers under section 94 of
the 1984 Act and the use of that data by those agencies fall within the scope of that directive, whether
that data is acquired by means of a transmission carried out in real-time or subsequently. In particular,
it argues that the fact that the objective of protecting national security is explicitly listed in
Article 15(1) of that directive does not mean that the directive does not apply to such situations, and
that assessment is not affected by Article 4(2) TEU.
32
By contrast, the United Kingdom, Czech and Estonian Governments, Ireland, and the French, Cypriot,
Hungarian, Polish and Swedish Governments contend, in essence, that Directive 2002/58 does not
apply to the national legislation at issue in the main proceedings, as the purpose of that legislation is to
safeguard national security. They argue that the activities of the security and intelligence agencies are
essential State functions relating to the maintenance of law and order and the safeguarding of national
security and territorial integrity, and, accordingly, are the sole responsibility of the Member States, as
attested to by, in particular, the third sentence of Article 4(2) TEU.
33
According to those governments, Directive 2002/58 cannot therefore be interpreted as meaning that
national measures concerning the safeguarding of national security fall within its scope. Article 1(3) of
that directive defines the scope of that directive and excludes from that scope, as was previously
provided in the first indent of Article 3(2) of Directive 95/46, activities concerning public security,
defence, and State security. Those provisions reflect the allocation of competences laid down in
Article 4(2) TEU and would be deprived of any practical effect if it were necessary for measures in the
field of national security to meet the requirements of Directive 2002/58. Furthermore, the case-law of
the Court derived from the judgment of 30 May 2006, Parliament v Council and Commission
(C‑317/04 and C‑318/04, EU:C:2006:346), concerning the first indent of Article 3(2) of Directive
95/46 can be transposed to Article 1(3) of Directive 2002/58.
34
In that regard, it should be stated that, under Article 1(1) thereof, Directive 2002/58 provides, inter
alia, for the harmonisation of the national provisions required to ensure an equivalent level of
protection of fundamental rights and freedoms, and in particular the right to privacy and
confidentiality, with respect to the processing of personal data in the electronic communications sector.
35
Article 1(3) of that directive excludes from its scope ‘activities of the State’ in specified fields,
including activities in areas of criminal law and in the areas of public security, defence and State
security, including the economic well-being of the State when the activities relate to State security
matters. The activities thus mentioned by way of example are, in any event, activities of the State or of
State authorities and are unrelated to fields in which individuals are active (judgment of 2 October
2018, Ministerio Fiscal, C‑207/16, EU:C:2018:788, paragraph 32 and the case-law cited).
36
In addition, Article 3 of Directive 2002/58 states that the directive is to apply to the processing of
personal data in connection with the provision of publicly available electronic communications
services in public communications networks in the European Union, including public communications
networks supporting data collection and identification devices (‘electronic communications services’).
Consequently, that directive must be regarded as regulating the activities of the providers of such
services (judgment of 2 October 2018, Ministerio Fiscal, C‑207/16, EU:C:2018:788, paragraph 33 and
the case-law cited).
37
In that context, Article 15(1) of Directive 2002/58 states that Member States may adopt, subject to the
conditions laid down, ‘legislative measures to restrict the scope of the rights and obligations provided