international protection), C‑715/17, C‑718/17 and C‑719/17, EU:C:2020:257, paragraphs 143 and
170).
45
It is true that, in the judgment of 30 May 2006, Parliament v Council and Commission (C‑317/04 and
C‑318/04, EU:C:2006:346, paragraphs 56 to 59), the Court held that the transfer of personal data by
airlines to the public authorities of a third country for the purpose of preventing and combating
terrorism and other serious crimes did not, pursuant to the first indent of Article 3(2) of Directive
95/46, fall within the scope of that directive, because such a transfer fell within a framework
established by the public authorities relating to public security.
46
However, having regard to the findings set out in paragraphs 36, 38 and 39 above, that case-law
cannot be transposed to the interpretation of Article 1(3) of Directive 2002/58. Indeed, as the Advocate
General noted, in essence, in points 70 to 72 of his Opinion in Joined Cases La Quadrature du Net and
Others (C‑511/18 and C‑512/18, EU:C:2020:6), the first indent of Article 3(2) of Directive 95/46, to
which that case-law relates, excluded, in a general way, from the scope of that directive ‘processing
operations concerning public security, defence, [and] State security’, without drawing any distinction
according to who was carrying out the data processing operation concerned. By contrast, in the context
of interpreting Article 1(3) of Directive 2002/58, it is necessary to draw such a distinction. As is
apparent from paragraphs 37 to 39 and 42 above, all operations processing personal data carried out by
providers of electronic communications services fall within the scope of that directive, including
processing operations resulting from obligations imposed on those providers by the public authorities,
whereas those processing operations could, where appropriate, on the contrary, fall within the scope of
the exception laid down in the first indent of Article 3(2) of Directive 95/46, given the broader wording
of that provision, which covers all processing operations concerning public security, defence, or State
security, regardless of the person carrying out those operations.
47
Furthermore, it should be noted that Directive 95/46, which was at issue in the case that gave rise to
the judgment of 30 May 2006, Parliament v Council and Commission (C‑317/04 and C‑318/04,
EU:C:2006:346), has been, pursuant to Article 94(1) of Regulation 2016/679, repealed and replaced by
that regulation with effect from 25 May 2018. Although that regulation states, in Article 2(2)(d)
thereof, that it does not apply to processing operations carried out ‘by competent authorities’ for the
purposes of, inter alia, the prevention and detection of criminal offences, including the safeguarding
against and the prevention of threats to public security, it is apparent from Article 23(1)(d) and (h) of
that regulation that the processing of personal data carried out by individuals for those same purposes
falls within the scope of that regulation. It follows that the above interpretation of Article 1(3),
Article 3 and Article 15(1) of Directive 2002/58 is consistent with the definition of the scope of
Regulation 2016/679, which is supplemented and specified by that directive.
48
By contrast, where the Member States directly implement measures that derogate from the rule that
electronic communications are to be confidential, without imposing processing obligations on
providers of electronic communications services, the protection of the data of the persons concerned is
not covered by Directive 2002/58, but by national law only, subject to the application of Directive (EU)
2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural
persons with regard to the processing of personal data by competent authorities for the purposes of the
prevention, investigation, detection or prosecution of criminal offences or the execution of criminal
penalties, and on the free movement of such data, and repealing Council Framework Decision
2008/977/JHA (OJ 2016 L 119, p. 89), with the result that the measures in question must comply with,
inter alia, national constitutional law and the requirements of the ECHR.
49
Having regard to the foregoing considerations, the answer to the first question is that Article 1(3),
Article 3 and Article 15(1) of Directive 2002/58, read in the light of Article 4(2) TEU, must be
interpreted as meaning that national legislation enabling a State authority to require providers of
electronic communications services to forward traffic data and location data to the security and
intelligence agencies for the purpose of safeguarding national security falls within the scope of that
directive.
Question 2