read together with Article 3 of that directive, must be
interpreted as meaning that such legislative measures fall
within the scope of that directive.
75. The scope of that directive extends, in particular, to a
legislative measure, such as that at issue in the main
proceedings, that requires such providers to retain traffic and
location data, since to do so necessarily involves the
processing, by those providers, of personal data.
76. The scope of that directive also extends to a legislative
measure relating, as in the main proceedings, to the access of
the national authorities to the data retained by the providers of
electronic communications services.
77. The protection of the confidentiality of electronic
communications and related traffic data, guaranteed in
Article 5(1) of Directive 2002/58, applies to the measures taken
by all persons other than users, whether private persons or
bodies or State bodies. As confirmed in recital 21 of that
directive, the aim of the directive is to prevent unauthorised
access to communications, including ‘any data related to such
communications’, in order to protect the confidentiality of
electronic communications.
78. In those circumstances, a legislative measure whereby a
Member State, on the basis of Article 15(1) of Directive
2002/58, requires providers of electronic communications
services, for the purposes set out in that provision, to grant
national authorities, on the conditions laid down in such a
measure, access to the data retained by those providers,
concerns the processing of personal data by those providers,
and that processing falls within the scope of that directive.
79. Further, since data is retained only for the purpose, when
necessary, of making that data accessible to the competent
national authorities, national legislation that imposes the
retention of data necessarily entails, in principle, the existence
of provisions relating to access by the competent national
authorities to the data retained by the providers of electronic
communications services.
80. That interpretation is confirmed by Article 15(1b) of
Directive 2002/58, which provides that providers are to
establish internal procedures for responding to requests for
access to users’ personal data, based on provisions of national
law adopted pursuant to Article 15(1) of that directive.
81. It follows from the foregoing that national legislation, such
as that at issue in the main proceedings in Cases C-203/15
and C-698/15, falls within the scope of Directive 2002/58.”
Page 23