Kingdom) (‘MI6’) concerning the legality of legislation authorising the acquisition and use of bulk
communications data by the security and intelligence agencies.
Legal context
European Union law
Directive 95/46
3
Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the
protection of individuals with regard to the processing of personal data and on the free movement of
such data (OJ 1995 L 281, p. 31), was repealed, with effect from 25 May 2018, by Regulation (EU)
2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural
persons with regard to the processing of personal data and on the free movement of such data, and
repealing Directive 95/46/EC (OJ 2016 L 119, p. 1). Article 3 of that directive, entitled ‘Scope’, was
worded as follows:
‘1.
This Directive shall apply to the processing of personal data wholly or partly by automatic
means, and to the processing otherwise than by automatic means of personal data which form part of a
filing system or are intended to form part of a filing system.
2.
This Directive shall not apply to the processing of personal data:
–
in the course of an activity which falls outside the scope of Community law, such as those
provided for by Titles V and VI [TEU] and in any case to processing operations concerning
public security, defence, State security (including the economic well-being of the State when the
processing operation relates to State security matters) and the activities of the State in areas of
criminal law,
–
by a natural person in the course of a purely personal or household activity.’
Directive 2002/58
4
Recitals 2, 6, 7, 11, 22, 26 and 30 of Directive 2002/58 state:
‘(2)
This Directive seeks to respect the fundamental rights and observes the principles recognised in
particular by [the Charter]. In particular, this Directive seeks to ensure full respect for the rights
set out in Articles 7 and 8 of [the Charter].
…
(6)
The Internet is overturning traditional market structures by providing a common, global
infrastructure for the delivery of a wide range of electronic communications services. Publicly
available electronic communications services over the Internet open new possibilities for users
but also new risks for their personal data and privacy.
(7)
In the case of public communications networks, specific legal, regulatory and technical
provisions should be made in order to protect fundamental rights and freedoms of natural persons
and legitimate interests of legal persons, in particular with regard to the increasing capacity for
automated storage and processing of data relating to subscribers and users.
…
(11)
Like [Directive 95/46], this Directive does not address issues of protection of fundamental
rights and freedoms related to activities which are not governed by [EU] law. Therefore it does
not alter the existing balance between the individual’s right to privacy and the possibility for
Member States to take the measures referred to in Article 15(1) of this Directive, necessary for
the protection of public security, defence, State security (including the economic well-being of
the State when the activities relate to State security matters) and the enforcement of criminal law.