63

However, the rights enshrined in Articles 7, 8 and 11 of the Charter are not absolute rights, but must be
considered in relation to their function in society (see, to that effect, judgment of 16 July 2020,
Facebook Ireland and Schrems, C‑311/18, EU:C:2020:559, paragraph 172 and the case-law cited).

64

Indeed, as can be seen from Article 52(1) of the Charter, that provision allows limitations to be placed
on the exercise of those rights, provided that those limitations are provided for by law, that they respect
the essence of those rights and that, in compliance with the principle of proportionality, they are
necessary and genuinely meet objectives of general interest recognised by the Union or the need to
protect the rights and freedoms of others.

65

It should be added that the requirement that any limitation on the exercise of fundamental rights must
be provided for by law implies that the legal basis which permits the interference with those rights
must itself define the scope of the limitation on the exercise of the right concerned (judgment of
16 July 2020, Facebook Ireland and Schrems, C‑311/18, EU:C:2020:559, paragraph 175 and the case-law cited).

66

Concerning observance of the principle of proportionality, the first sentence of Article 15(1) of
Directive 2002/58 provides that the Member States may adopt a measure derogating from the principle
that communications and the related traffic data are to be confidential where such a measure is
‘necessary, appropriate and proportionate … within a democratic society’, in view of the objectives set
out in that provision. Recital 11 of that directive specifies that a measure of that nature must be
‘strictly’ proportionate to the intended purpose.

67

In that regard, it should be borne in mind that the protection of the fundamental right to privacy
requires, according to the settled case-law of the Court, that derogations from and limitations on the
protection of personal data must apply only in so far as is strictly necessary. In addition, an objective of
general interest may not be pursued without having regard to the fact that it must be reconciled with the
fundamental rights affected by the measure, by properly balancing the objective of general interest
against the rights at issue (see, to that effect, judgments of 16 December 2008, Satakunnan
Markkinapörssi and Satamedia, C‑73/07, EU:C:2008:727, paragraph 56; of 9 November 2010, Volker
und Markus Schecke and Eifert, C‑92/09 and C‑93/09, EU:C:2010:662, paragraphs 76, 77 and 86; and
of 8 April 2014, Digital Rights Ireland and Others, C‑293/12 and C‑594/12, EU:C:2014:238,
paragraph 52; Opinion 1/15 (EU-Canada PNR Agreement) of 26 July 2017, EU:C:2017:592,
paragraph 140).

68

In order to satisfy the requirement of proportionality, the legislation must lay down clear and precise
rules governing the scope and application of the measure in question and imposing minimum
safeguards, so that the persons whose personal data is affected have sufficient guarantees that data will
be effectively protected against the risk of abuse. That legislation must be legally binding under
domestic law and, in particular, must indicate in what circumstances and under which conditions a
measure providing for the processing of such data may be adopted, thereby ensuring that the
interference is limited to what is strictly necessary. The need for such safeguards is all the greater
where personal data is subjected to automated processing, in particular where there is a significant risk
of unlawful access to that data. Those considerations apply especially where the protection of the
particular category of personal data that is sensitive data is at stake (see, to that effect, judgments of
8 April 2014, Digital Rights Ireland and Others, C‑293/12 and C‑594/12, EU:C:2014:238,
paragraphs 54 and 55, and of 21 December 2016, Tele2, C‑203/15 and C‑698/15, EU:C:2016:970,
paragraph 117; Opinion 1/15 (EU-Canada PNR Agreement) of 26 July 2017, EU:C:2017:592,
paragraph 141).

69

As regards the question whether national legislation, such as that at issue in the main proceedings,
meets the requirements of Article 15(1) of Directive 2002/58, read in the light of Articles 7, 8 and 11
and Article 52(1) of the Charter, it should be noted that the transmission of traffic data and location
data to persons other than users, such as security and intelligence agencies, derogates from the
principle of confidentiality. Where that operation is carried out, as in the present case, in a general and
indiscriminate way, it has the effect of making the exception to the obligation of principle to ensure the
confidentiality of data the rule, whereas the system established by Directive 2002/58 requires that that
exception remain an exception.
