50

By its second question, the referring court seeks, in essence, to ascertain whether Article 15(1) of
Directive 2002/58, read in the light of Article 4(2) TEU and Articles 7, 8 and 11 and Article 52(1) of
the Charter, is to be interpreted as precluding national legislation enabling a State authority to require
providers of electronic communications services to carry out the general and indiscriminate
transmission of traffic data and location data to the security and intelligence agencies for the purpose of
safeguarding national security.

51

As a preliminary point, it should be borne in mind that, according to the information set out in the
request for a preliminary ruling, section 94 of the 1984 Act permits the Secretary of State to require
providers of electronic communications services, by way of directions, if he considers it necessary in
the interests of national security or relations with a foreign government, to forward bulk
communications data to the security and intelligence agencies. That data includes traffic data and
location data, as well as information relating to the services used, pursuant to section 21(4) and (6) of
the RIPA. That provision covers, inter alia, the data necessary to (i) identify the source and destination
of a communication, (ii) determine the date, time, length and type of communication, (iii) identify the
hardware used, and (iv) locate the terminal equipment and the communications. That data includes,
inter alia, the name and address of the user, the telephone number of the person making the call and the
number called by that person, the IP addresses of the source and addressee of the communication and
the addresses of the websites visited.

52

Such a disclosure of data by transmission concerns all users of means of electronic communication,
without its being specified whether that transmission must take place in real-time or subsequently.
Once transmitted, that data is, according to the information set out in the request for a preliminary
ruling, retained by the security and intelligence agencies and remains available to those agencies for
the purposes of their activities, as with the other databases maintained by those agencies. In particular,
the data thus acquired, which is subject to bulk automated processing and analysis, may be
cross-checked with other databases containing different categories of bulk personal data or be disclosed
outside those agencies and to third countries. Lastly, those operations do not require prior authorisation
from a court or independent administrative authority and do not involve notifying the persons
concerned in any way.

53

As is apparent from, inter alia, recitals 6 and 7 thereof, the purpose of Directive 2002/58 is to protect
users of electronic communications services from risks for their personal data and privacy resulting
from new technologies and, in particular, from the increasing capacity for automated storage and
processing of data. In particular, that directive seeks, as is stated in recital 2 thereof, to ensure that the
rights set out in Articles 7 and 8 of the Charter are fully respected. In that regard, it is apparent from
the Explanatory Memorandum of the Proposal for a Directive of the European Parliament and of the
Council concerning the processing of personal data and the protection of privacy in the electronic
communications sector (COM (2000) 385 final), which gave rise to Directive 2002/58, that the EU
legislature sought to ‘ensure that a high level of protection of personal data and privacy will continue
to be guaranteed for all electronic communications services regardless of the technology used’.

54

To that end, Article 5(1) of Directive 2002/58 provides that ‘Member States shall ensure the
confidentiality of communications and the related traffic data by means of a public communications
network and publicly available electronic communications services, through national legislation’. That
provision also emphasises that, ‘in particular, [Member States] shall prohibit listening, tapping, storage
or other kinds of interception or surveillance of communications and the related traffic data by persons
other than users, without the consent of the users concerned, except when legally authorised to do so in
accordance with Article 15(1)’, and specifies that ‘this paragraph shall not prevent technical storage
which is necessary for the conveyance of a communication without prejudice to the principle of
confidentiality.’

55

Thus, Article 5(1) of that directive enshrines the principle of confidentiality of both electronic
communications and the related traffic data and requires, inter alia, that, in principle, persons other than
users be prohibited from storing, without those users’ consent, those communications and that data.
Having regard to the general nature of its wording, that provision necessarily covers any operation
enabling third parties to become aware of communications and data relating thereto for purposes other
than the conveyance of a communication.
