but for public security purposes. The decision was not in relation to the data
but the processing. This is made clear, and indeed was adopted, by the Grand
Chamber in paragraph 88 of Ireland v European Parliament [2009] 2
CMLR 37 (the “latter decision” referred to is Parliament v Council):
“88. The latter decision concerned the transfer of passenger
data from the reservation systems of air carriers situated in the
territory of the Member States to the United States Department
of Homeland Security, Bureau of Customs and Border
Protection. The Court held that that the subject matter of that
decision was data-processing which was not necessary for a
supply of services by the air carriers, but which was regarded
as necessary for safeguarding public security and for lawenforcement purposes. At [57] to [59] of the judgment in
Parliament v Council, the Court held that such data
processing was covered by art.3(2) of Directive 95/46,
according to which that Directive does not apply, in particular,
to the processing of personal data relating to public security
and the activities of the state in areas of criminal law. The
Court accordingly concluded that Decision 2004/535 did not
fall within the scope of Directive 95/46.
...
91. Unlike Decision 2004/496 which concerned a transfer of
personal data within a framework instituted by the public
authorities in order to ensure public security, Directive
2006/24 covers the activities of service providers in the internal
market and does not contain any rules governing the activities
of public authorities for law-enforcement purposes.”
34.
Accordingly, Parliament v Council is of direct significance. Notwithstanding
that the processing and transfer of data addressed in that case was effected by
commercial undertakings, whose activities were subject to the DPD, the Grand
Chamber held that the processing of such data was in the course of an activity
which fell outside the scope of Community law, as provided for by Article
3(2). As appears in paragraph 20(i) above, the Court held, at paragraph 57,
that the processing was different in nature from an activity which fell within
the scope of Community law and, at paragraph 58, that the transfer of data fell
Page 34