Privacy International v Secretary of State

EUR-Lex - 62017CJ0623 - EN - EUR-Lex × Skip to main content Log in My EUR-Lex My EUR-Lex Sign in Register My recent searches (0) English English Select your language Official EU languages: bg български es Español cs Čeština da Dansk de Deutsch et Eesti keel el Ελληνικά en English fr Français ga Gaeilge hr Hrvatski it Italiano lv Latviešu valoda lt Lietuvių kalba hu Magyar mt Malti nl Nederlands pl Polski pt Português ro Română sk Slovenčina sl Slovenščina fi Suomi sv Svenska EUR-Lex Access to European Union law <a href="https://eur-lex.europa.eu/content/help/eurlex-content/experimental-features.html" target="_blank">More about the experimental features corner</a> Experimental features × Choose the experimental features you want to try Do you want to help improving EUR-Lex ? This is a list of experimental features that you can enable. These features are still under development; they are not fully tested, and might reduce EUR-Lex stability. Don't forget to give your feedback! Warning! Experimental feature conflicts detected. Replacement of CELEX identifiers by short titles - experimental feature. It replaces clickable CELEX identifiers of treaties and case-law by short titles. Visualisation of document relationships. It displays a dynamic graph with relations between the act and related documents. It is currently only available for legal acts. Deep linking. It enables links to other legal acts referred to within the documents. It is currently only available for documents smaller than 900 KB. Apply EUR-Lex Access to European Union law This document is an excerpt from the EUR-Lex website You are here EUROPA EUR-Lex home EUR-Lex - 62017CJ0623 - EN Help Print Menu EU law Treaties Treaties currently in force Founding Treaties Accession Treaties Other treaties and protocols Chronological overview Legal acts Consolidated texts International agreements Preparatory documents EFTA documents Lawmaking procedures Summaries of EU legislation Browse by EU institutions European Parliament European Council Council of the European Union European Commission Court of Justice of the European Union European Central Bank European Court of Auditors European Economic and Social Committee European Committee of the Regions Browse by EuroVoc EU case-law Case-law Reports of cases Directory of case-law Official Journal Access to the Official Journal Official Journal L series daily view Official Journal C series daily view Browse the Official Journal Legally binding printed editions Special edition National law and case-law National transposition National case-law JURE case-law Information Themes in focus EUR-Lex developments Statistics ELI register What is ELI ELI background Why implement ELI Countries implementing ELI Testimonials Implementing ELI Glossary EU budget online Quick search Use quotation marks to search for an "exact phrase". Append an asterisk ( * ) to a search term to find variations of it (transp * , 32019R * ). Use a question mark ( ? ) instead of a single character in your search term to find variations of it (ca ? e finds case, cane, care). Search tips Need more search options? Use the Advanced search Document 62017CJ0623 Help Print Text Document information Abstract Case file Permanent link Download notice Save to My items Create an email alert Create an RSS alert ​ Judgment of the Court (Grand Chamber) of 6 October 2020.#Privacy International v Secretary of State for Foreign and Commonwealth Affairs and Others.#Request for a preliminary ruling from the Investigatory Powers Tribunal - London.#Reference for a preliminary ruling – Processing of personal data in the electronic communications sector – Providers of electronic communications services – General and indiscriminate transmission of traffic data and location data – Safeguarding of national security – Directive 2002/58/EC – Scope – Article 1(3) and Article 3 – Confidentiality of electronic communications – Protection – Article 5 and Article 15(1) – Charter of Fundamental Rights of the European Union – Articles 7, 8 and 11 and Article 52(1) – Article 4(2) TEU.#Case C-623/17. Judgment of the Court (Grand Chamber) of 6 October 2020. Privacy International v Secretary of State for Foreign and Commonwealth Affairs and Others. Request for a preliminary ruling from the Investigatory Powers Tribunal - London. Reference for a preliminary ruling – Processing of personal data in the electronic communications sector – Providers of electronic communications services – General and indiscriminate transmission of traffic data and location data – Safeguarding of national security – Directive 2002/58/EC – Scope – Article 1(3) and Article 3 – Confidentiality of electronic communications – Protection – Article 5 and Article 15(1) – Charter of Fundamental Rights of the European Union – Articles 7, 8 and 11 and Article 52(1) – Article 4(2) TEU. Case C-623/17. Judgment of the Court (Grand Chamber) of 6 October 2020. Privacy International v Secretary of State for Foreign and Commonwealth Affairs and Others. Request for a preliminary ruling from the Investigatory Powers Tribunal - London. Reference for a preliminary ruling – Processing of personal data in the electronic communications sector – Providers of electronic communications services – General and indiscriminate transmission of traffic data and location data – Safeguarding of national security – Directive 2002/58/EC – Scope – Article 1(3) and Article 3 – Confidentiality of electronic communications – Protection – Article 5 and Article 15(1) – Charter of Fundamental Rights of the European Union – Articles 7, 8 and 11 and Article 52(1) – Article 4(2) TEU. Case C-623/17. Court reports – general ECLI identifier: ECLI:EU:C:2020:790 Expand all Collapse all Languages and formats available Language of the case Language BG ES CS DA DE ET EL EN FR GA HR IT LV LT HU MT NL PL PT RO SK SL FI SV HTML EN Toggle Dropdown BG ES CS DA DE ET EL EN FR GA HR IT LV LT HU MT NL PL PT RO SK SL FI SV PDF EN Toggle Dropdown BG ES CS DA DE ET EL EN FR GA HR IT LV LT HU MT NL PL PT RO SK SL FI SV Document published in the digital reports of cases. They have official status. Multilingual display Language 1 English (en) Bulgarian (bg) Spanish (es) Czech (cs) Danish (da) German (de) Estonian (et) Greek (el) English (en) French (fr) Croatian (hr) Italian (it) Latvian (lv) Lithuanian (lt) Hungarian (hu) Maltese (mt) Dutch (nl) Polish (pl) Portuguese (pt) Romanian (ro) Slovak (sk) Slovenian (sl) Finnish (fi) Swedish (sv) Language 2 Please choose Bulgarian (bg) Spanish (es) Czech (cs) Danish (da) German (de) Estonian (et) Greek (el) English (en) French (fr) Croatian (hr) Italian (it) Latvian (lv) Lithuanian (lt) Hungarian (hu) Maltese (mt) Dutch (nl) Polish (pl) Portuguese (pt) Romanian (ro) Slovak (sk) Slovenian (sl) Finnish (fi) Swedish (sv) Language 3 Please choose Bulgarian (bg) Spanish (es) Czech (cs) Danish (da) German (de) Estonian (et) Greek (el) English (en) French (fr) Croatian (hr) Italian (it) Latvian (lv) Lithuanian (lt) Hungarian (hu) Maltese (mt) Dutch (nl) Polish (pl) Portuguese (pt) Romanian (ro) Slovak (sk) Slovenian (sl) Finnish (fi) Swedish (sv) Display Text JUDGMENT OF THE COURT (Grand Chamber) 6 October 2020 ( *1 ) (Reference for a preliminary ruling – Processing of personal data in the electronic communications sector – Providers of electronic communications services – General and indiscriminate transmission of traffic data and location data – Safeguarding of national security – Directive 2002/58/EC – Scope – Article 1(3) and Article 3 – Confidentiality of electronic communications – Protection – Article 5 and Article 15(1) – Charter of Fundamental Rights of the European Union – Articles 7, 8 and 11 and Article 52(1) – Article 4(2) TEU) In Case C‑623/17, REQUEST for a preliminary ruling under Article 267 TFEU from the Investigatory Powers Tribunal (United Kingdom), made by decision of 18 October 2017, received at the Court on 31 October 2017, in the proceedings Privacy International v Secretary of State for Foreign and Commonwealth Affairs, Secretary of State for the Home Department, Government Communications Headquarters, Security Service, Secret Intelligence Service, THE COURT (Grand Chamber), composed of K. Lenaerts, President, R. Silva de Lapuerta, Vice-President, J.-C. Bonichot, A. Arabadjiev, A. Prechal, M. Safjan, P.G. Xuereb and L.S. Rossi, Presidents of Chambers, J. Malenovský, L. Bay Larsen, T. von Danwitz (Rapporteur), C. Toader, K. Jürimäe, C. Lycourgos and N. Piçarra, Judges, Advocate General: M. Campos Sánchez-Bordona, Registrar: C. Strömholm, Administrator, having regard to the written procedure and further to the hearing on 9 and 10 September 2019, after considering the observations submitted on behalf of: – Privacy International, by B. Jaffey QC and T. de la Mare QC, by D. Cashman, Solicitor, and by H. Roy, avocat, – the United Kingdom Government, by Z. Lavery, D. Guðmundsdóttir and S. Brandon, acting as Agents, by G. Facenna QC and D. Beard QC, and by C. Knight and R. Palmer, Barristers, – the Belgian Government, by P. Cottin and J.-C. Halleux, acting as Agents, and by J. Vanpraet, advocaat, and E. de Lophem, avocat, – the Czech Government, by M. Smolek, J. Vláčil and O. Serdula, acting as Agents, – the German Government, initially by M. Hellmann, R. Kanitz, D. Klebs and T. Henze, and subsequently by J. Möller, M. Hellmann, R. Kanitz and D. Klebs, acting as Agents, – the Estonian Government, by A. Kalbus, acting as Agent, – Ireland, by M. Browne, G. Hodge and A. Joyce, acting as Agents, and by D. Fennelly, Barrister, – the Spanish Government, initially by L. Aguilera Ruiz and M.J. García-Valdecasas Dorrego, and subsequently by L. Aguilera Ruiz, acting as Agents, – the French Government, initially by E. de Moustier, E. Armoët, A.-L. Desjonquères, F. Alabrune, D. Colas and D. Dubois, and subsequently by E. de Moustier, E. Armoët, A.-L. Desjonquères, F. Alabrune and D. Dubois, acting as Agents, – the Cypriot Government, by E. Symeonidou and E. Neofytou, acting as Agents, – the Latvian Government, initially by V. Soņeca and I. Kucina, and subsequently by V. Soņeca, acting as Agents, – the Hungarian Government, initially by G. Koós, M.Z. Fehér, G. Tornyai and Z. Wagner, and subsequently by G. Koós and M.Z. Fehér, acting as Agents, – the Netherlands Government, by C.S. Schillemans and M.K. Bulterman, acting as Agents, – the Polish Government, by B. Majczyna, J. Sawicka and M. Pawlicka, acting as Agents, – the Portuguese Government, by L. Inez Fernandes, M. Figueiredo and F. Aragão Homem, acting as Agents, – the Swedish Government, initially by A. Falk, H. Shev, C. Meyer-Seitz, L. Zettergren and A. Alriksson, and subsequently by H. Shev, C. Meyer-Seitz, L. Zettergren and A. Alriksson, acting as Agents, – the Norwegian Government, by T.B. Leming, M. Emberland and J. Vangsnes, acting as Agents, – the European Commission, initially by H. Kranenborg, M. Wasmeier, D. Nardi and P. Costa de Oliveira, and subsequently by H. Kranenborg, M. Wasmeier, and D. Nardi, acting as Agents, – the European Data Protection Supervisor, by T. Zerdick and A. Buchta, acting as Agents, after hearing the Opinion of the Advocate General at the sitting on 15 January 2020, gives the following Judgment 1 This request for a preliminary ruling concerns the interpretation of Article 1(3) and Article 15(1) of Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) ( OJ 2002 L 201, p. 37 ), as amended by Directive 2009/136/EC of the European Parliament and of the Council of 25 November 2009 ( OJ 2009 L 337, p. 11 ) (‘Directive 2002/58’), read in the light of Article 4(2) TEU and Articles 7 and 8 and Article 52(1) of the Charter of Fundamental Rights of the European Union (‘the Charter’). 2 The request has been made in proceedings between Privacy International and the Secretary of State for Foreign and Commonwealth Affairs (United Kingdom), the Secretary of State for the Home Department (United Kingdom), Government Communications Headquarters (United Kingdom) (‘GCHQ’), the Security Service (United Kingdom) (‘MI5’) and the Secret Intelligence Service (United Kingdom) (‘MI6’) concerning the legality of legislation authorising the acquisition and use of bulk communications data by the security and intelligence agencies. Legal context European Union law Directive 95/46 3 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data ( OJ 1995 L 281, p. 31 ), was repealed, with effect from 25 May 2018, by Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC ( OJ 2016 L 119, p. 1 ). Article 3 of that directive, entitled ‘Scope’, was worded as follows: ‘1. This Directive shall apply to the processing of personal data wholly or partly by automatic means, and to the processing otherwise than by automatic means of personal data which form part of a filing system or are intended to form part of a filing system. 2. This Directive shall not apply to the processing of personal data: – in the course of an activity which falls outside the scope of Community law, such as those provided for by Titles V and VI [TEU] and in any case to processing operations concerning public security, defence, State security (including the economic well-being of the State when the processing operation relates to State security matters) and the activities of the State in areas of criminal law, – by a natural person in the course of a purely personal or household activity.’ Directive 2002/58 4 Recitals 2, 6, 7, 11, 22, 26 and 30 of Directive 2002/58 state: ‘(2) This Directive seeks to respect the fundamental rights and observes the principles recognised in particular by [the Charter]. In particular, this Directive seeks to ensure full respect for the rights set out in Articles 7 and 8 of [the Charter]. … (6) The Internet is overturning traditional market structures by providing a common, global infrastructure for the delivery of a wide range of electronic communications services. Publicly available electronic communications services over the Internet open new possibilities for users but also new risks for their personal data and privacy. (7) In the case of public communications networks, specific legal, regulatory and technical provisions should be made in order to protect fundamental rights and freedoms of natural persons and legitimate interests of legal persons, in particular with regard to the increasing capacity for automated storage and processing of data relating to subscribers and users. … (11) Like [Directive 95/46], this Directive does not address issues of protection of fundamental rights and freedoms related to activities which are not governed by [EU] law. Therefore it does not alter the existing balance between the individual’s right to privacy and the possibility for Member States to take the measures referred to in Article 15(1) of this Directive, necessary for the protection of public security, defence, State security (including the economic well-being of the State when the activities relate to State security matters) and the enforcement of criminal law. Consequently, this Directive does not affect the ability of Member States to carry out lawful interception of electronic communications, or take other measures, if necessary for any of these purposes and in accordance with the European Convention for the Protection of Human Rights and Fundamental Freedoms, [signed in Rome on 4 November 1950], as interpreted by the rulings of the European Court of Human Rights. Such measures must be appropriate, strictly proportionate to the intended purpose and necessary within a democratic society and should be subject to adequate safeguards in accordance with the European Convention for the Protection of Human Rights and Fundamental Freedoms. … (22) The prohibition of storage of communications and the related traffic data by persons other than the users or without their consent is not intended to prohibit any automatic, intermediate and transient storage of this information in so far as this takes place for the sole purpose of carrying out the transmission in the electronic communications network and provided that the information is not stored for any period longer than is necessary for the transmission and for traffic management purposes, and that during the period of storage the confidentiality remains guaranteed. Where this is necessary for making more efficient the onward transmission of any publicly accessible information to other recipients of the service upon their request, this Directive should not prevent such information from being further stored, provided that this information would in any case be accessible to the public without restriction and that any data referring to the individual subscribers or users requesting such information are erased. … (26) The data relating to subscribers processed within electronic communications networks to establish connections and to transmit information contain information on the private life of natural persons and concern the right to respect for their correspondence or concern the legitimate interests of legal persons. Such data may only be stored to the extent that is necessary for the provision of the service for the purpose of billing and for interconnection payments, and for a limited time. Any further processing of such data … may only be allowed if the subscriber has agreed to this on the basis of accurate and full information given by the provider of the publicly available electronic communications services about the types of further processing it intends to perform and about the subscriber’s right not to give or to withdraw his/her consent to such processing. Traffic data used for marketing communications services … should also be erased or made anonymous …. … (30) Systems for the provision of electronic communications networks and services should be designed to limit the amount of personal data necessary to a strict minimum. …’ 5 Article 1 of Directive 2002/58, entitled ‘Scope and aim’, provides: ‘1. This Directive provides for the harmonisation of the national provisions required to ensure an equivalent level of protection of fundamental rights and freedoms, and in particular the right to privacy and confidentiality, with respect to the processing of personal data in the electronic communication sector and to ensure the free movement of such data and of electronic communication equipment and services in [the European Union]. 2. The provisions of this Directive particularise and complement [Directive 95/46] for the purposes mentioned in paragraph 1. Moreover, they provide for protection of the legitimate interests of subscribers who are legal persons. 3. This Directive shall not apply to activities which fall outside the scope of [the TFEU], such as those covered by Titles V and VI of the Treaty on European Union, and in any case to activities concerning public security, defence, State security (including the economic well-being of the State when the activities relate to State security matters) and the activities of the State in areas of criminal law.’ 6 According to Article 2 of that directive, entitled ‘Definitions’: ‘Save as otherwise provided, the definitions in [Directive 95/46] and in Directive 2002/21/EC of the European Parliament and of the Council of 7 March 2002 on a common regulatory framework for electronic communications networks and services (Framework Directive) [( OJ 2002 L 108, p. 33 )] shall apply. The following definitions shall also apply: (a) “user” means any natural person using a publicly available electronic communications service, for private or business purposes, without necessarily having subscribed to this service; (b) “traffic data” means any data processed for the purpose of the conveyance of a communication on an electronic communications network or for the billing thereof; (c) “location data” means any data processed in an electronic communications network or by an electronic communications service, indicating the geographic position of the terminal equipment of a user of a publicly available electronic communications service; (d) “communication” means any information exchanged or conveyed between a finite number of parties by means of a publicly available electronic communications service. This does not include any information conveyed as part of a broadcasting service to the public over an electronic communications network except to the extent that the information can be related to the identifiable subscriber or user receiving the information; …’ 7 Article 3 of that directive, entitled ‘Services concerned’, provides: ‘This Directive shall apply to the processing of personal data in connection with the provision of publicly available electronic communications services in public communications networks in [the European Union], including public communications networks supporting data collection and identification devices.’ 8 Under Article 5 of Directive 2002/58, entitled ‘Confidentiality of the communications’: ‘1. Member States shall ensure the confidentiality of communications and the related traffic data by means of a public communications network and publicly available electronic communications services, through national legislation. In particular, they shall prohibit listening, tapping, storage or other kinds of interception or surveillance of communications and the related traffic data by persons other than users, without the consent of the users concerned, except when legally authorised to do so in accordance with Article 15(1). This paragraph shall not prevent technical storage which is necessary for the conveyance of a communication without prejudice to the principle of confidentiality. … 3. Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with [Directive 95/46], inter alia, about the purposes of the processing. This shall not prevent any technical storage or access for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service.’ 9 Article 6 of Directive 2002/58, entitled ‘Traffic data’, provides: ‘1. Traffic data relating to subscribers and users processed and stored by the provider of a public communications network or publicly available electronic communications service must be erased or made anonymous when it is no longer needed for the purpose of the transmission of a communication without prejudice to paragraphs 2, 3 and 5 of this Article and Article 15(1). 2. Traffic data necessary for the purposes of subscriber billing and interconnection payments may be processed. Such processing is permissible only up to the end of the period during which the bill may lawfully be challenged or payment pursued. 3. For the purpose of marketing electronic communications services or for the provision of value added services, the provider of a publicly available electronic communications service may process the data referred to in paragraph 1 to the extent and for the duration necessary for such services or marketing, if the subscriber or user to whom the data relate has given his or her prior consent. Users or subscribers shall be given the possibility to withdraw their consent for the processing of traffic data at any time. … 5. Processing of traffic data, in accordance with paragraphs 1, 2, 3 and 4, must be restricted to persons acting under the authority of providers of the public communications networks and publicly available electronic communications services handling billing or traffic management, customer enquiries, fraud detection, marketing electronic communications services or providing a value added service, and must be restricted to what is necessary for the purposes of such activities.’ 10 Article 9 of that directive, entitled ‘Location data other than traffic data’, provides, in paragraph 1 thereof: ‘Where location data other than traffic data, relating to users or subscribers of public communications networks or publicly available electronic communications services, can be processed, such data may only be processed when they are made anonymous, or with the consent of the users or subscribers to the extent and for the duration necessary for the provision of a value added service. The service provider must inform the users or subscribers, prior to obtaining their consent, of the type of location data other than traffic data which will be processed, of the purposes and duration of the processing and whether the data will be transmitted to a third party for the purpose of providing the value added service. …’ 11 Article 15 of that directive, entitled ‘Application of certain provisions of [Directive 95/46]’, states, in paragraph 1 thereof: ‘Member States may adopt legislative measures to restrict the scope of the rights and obligations provided for in Article 5, Article 6, Article 8(1), (2), (3) and (4), and Article 9 of this Directive when such restriction constitutes a necessary, appropriate and proportionate measure within a democratic society to safeguard national security (i.e. State security), defence, public security, and the prevention, investigation, detection and prosecution of criminal offences or of unauthorised use of the electronic communication system, as referred to in Article 13(1) of [Directive 95/46]. To this end, Member States may, inter alia, adopt legislative measures providing for the retention of data for a limited period justified on the grounds laid down in this paragraph. All the measures referred to in this paragraph shall be in accordance with the general principles of [EU] law, including those referred to in Article 6(1) and (2) of the Treaty on European Union.’ Regulation 2016/679 12 Article 2 of Regulation 2016/679 provides: ‘1. This Regulation applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system. 2. This Regulation does not apply to the processing of personal data: (a) in the course of an activity which falls outside the scope of Union law; (b) by the Member States when carrying out activities which fall within the scope of Chapter 2 of Title V of the TEU; … (d) by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security. …’ 13 Article 4 of that regulation provides: ‘For the purposes of this Regulation: … (2) “processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction; …’ 14 Under Article 23(1) of that regulation: ‘Union or Member State law to which the data controller or processor is subject may restrict by way of a legislative measure the scope of the obligations and rights provided for in Articles 12 to 22 and Article 34, as well as Article 5 in so far as its provisions correspond to the rights and obligations provided for in Articles 12 to 22, when such a restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard: (a) national security; (b) defence; (c) public security; (d) the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security; (e) other important objectives of general public interest of the Union or of a Member State, in particular an important economic or financial interest of the Union or of a Member State, including monetary, budgetary and taxation matters, public health and social security; (f) the protection of judicial independence and judicial proceedings; (g) the prevention, investigation, detection and prosecution of breaches of ethics for regulated professions; (h) a monitoring, inspection or regulatory function connected, even occasionally, to the exercise of official authority in the cases referred to in points (a) to (e) and (g); (i) the protection of the data subject or the rights and freedoms of others; (j) the enforcement of civil law claims.’ 15 Under Article 94(2) of Regulation 2016/679: ‘References to the repealed Directive shall be construed as references to this Regulation. References to the Working Party on the Protection of Individuals with regard to the Processing of Personal Data established by Article 29 of [Directive 95/46] shall be construed as references to the European Data Protection Board established by this Regulation.’ United Kingdom law 16 Section 94 of the Telecommunications Act 1984, in the version applicable to the facts in the main proceedings (‘the 1984 Act’), entitled ‘Directions in the interests of national security etc.’, provides: ‘(1) The Secretary of State may, after consultation with a person to whom this section applies, give to that person such directions of a general character as appear to the Secretary of State to be necessary in the interests of national security or relations with the government of a country or territory outside the United Kingdom. (2) If it appears to the Secretary of State to be necessary to do so in the interests of national security or relations with the government of a country or territory outside the United Kingdom, he may, after consultation with a person to whom this section applies, give to that person a direction requiring him (according to the circumstances of the case) to do, or not to do, a particular thing specified in the direction. (2A) The Secretary of State shall not give a direction under subsection (1) or (2) unless he believes that the conduct required by the direction is proportionate to what is sought to be achieved by that conduct. (3) A person to whom this section applies shall give effect to any direction given to him by the Secretary of State under this section notwithstanding any other duty imposed on him by or under Part 1 or Chapter 1 of Part 2 of the Communications Act 2003 and, in the case of a direction to a provider of a public electronic communications network, notwithstanding that it relates to him in a capacity other than as the provider of such a network. (4) The Secretary of State shall lay before each House of Parliament a copy of every direction given under this section unless he is of [the] opinion that disclosure of the direction is against the interests of national security or relations with the government of a country or territory outside the United Kingdom, or the commercial interests of any person. (5) A person shall not disclose, or be required by virtue of any enactment or otherwise to disclose, anything done by virtue of this section if the Secretary of State has notified him that the Secretary of State is of the opinion that disclosure of that thing is against the interests of national security or relations with the government of a country or territory outside the United Kingdom, or the commercial interests of some other person. … (8) This section applies to [the Office of Communications (OFCOM)] and to providers of public electronic communications networks.’ 17 Section 21(4) and (6) of the Regulation of Investigatory Powers Act 2000 (‘the RIPA’) provides: ‘(4) … “communications data” means any of the following— (a) any traffic data comprised in or attached to a communication (whether by the sender or otherwise) for the purposes of any postal service or telecommunication system by means of which it is being or may be transmitted; (b) any information which includes none of the contents of a communication (apart from any information falling within paragraph (a)) and is about the use made by any person— (i) of any postal service or telecommunications service; or (ii) in connection with the provision to or use by any person of any telecommunications service, of any part of a telecommunication system; (c) any information not falling within paragraph (a) or (b) that is held or obtained, in relation to persons to whom he provides the service, by a person providing a postal service or telecommunications service. … (6) … “traffic data”, in relation to any communication, means— (a) any data identifying, or purporting to identify, any person, apparatus or location to or from which the communication is or may be transmitted, (b) any data identifying or selecting, or purporting to identify or select, apparatus through which, or by means of which, the communication is or may be transmitted, (c) any data comprising signals for the actuation of apparatus used for the purposes of a telecommunication system for effecting (in whole or in part) the transmission of any communication, and (d) any data identifying the data or other data as data comprised in or attached to a particular communication. …’ 18 Sections 65 to 69 of the RIPA lay down the rules on the functioning and jurisdiction of the Investigatory Powers Tribunal (United Kingdom). Under section 65 of the RIPA, a complaint may be made to the Investigatory Powers Tribunal if there is reason to believe that data has been acquired inappropriately. The dispute in the main proceedings and the questions referred for a preliminary ruling 19 At the beginning of 2015, the existence of practices for the acquisition and use of bulk communications data by the various security and intelligence agencies of the United Kingdom, namely GCHQ, MI5 and MI6, was made public, including in a report by the Intelligence and Security Committee of Parliament (United Kingdom). On 5 June 2015, Privacy International, a non-governmental organisation, brought an action before the Investigatory Powers Tribunal (United Kingdom) against the Secretary of State for Foreign and Commonwealth Affairs, the Secretary of State for the Home Department and those security and intelligence agencies, challenging the lawfulness of those practices. 20 The referring court examined the lawfulness of those practices in the light, first of all, of national law and the provisions of the European Convention for the Protection of Human Rights and Fundamental Freedoms, signed in Rome on 4 November 1950 (‘the ECHR’), and, subsequently, of EU law. In a judgment of 17 October 2016, that court held that the defendants in the main proceedings had acknowledged that those agencies acquired and used, in their activities, sets of bulk personal data, such as biographical data or travel data, financial or commercial information, communications data liable to include sensitive data covered by professional secrecy, or journalistic material. That data, obtained by various, possibly secret, means, would be analysed by cross-checking and by automated processing and could be disclosed to other persons and authorities and shared with foreign partners. In that context, the security and intelligence agencies would also use bulk communications data, acquired from providers of public electronic communications networks under, inter alia, directions issued by a Secretary of State on the basis of section 94 of the 1984 Act. GCHQ and MI5 have been doing this since 2001 and 2005 respectively. 21 The referring court found that those measures for the acquisition and use of data were consistent with national law and, since 2015, subject to issues that remained under consideration concerning the proportionality of those measures and the transfer of data to third parties, with Article 8 ECHR. In that regard, it stated that evidence had been submitted to it concerning the applicable safeguards, in particular as regards the procedures for accessing and disclosing data outside the security and intelligence agencies, the arrangements for retaining data, and independent oversight arrangements. 22 As regards the lawfulness of the acquisition and use measures at issue in the main proceedings in the light of EU law, the referring court examined, in a judgment of 8 September 2017, whether those measures fell within the scope of EU law and, if so, whether they were compatible with EU law. That court found, as regards bulk communications data, that the providers of electronic communications networks were required, under section 94 of the 1984 Act, should a Secretary of State issue directions to that effect, to provide the security and intelligence agencies with data collected in the course of their economic activity falling within the scope of EU law. However, that was not the case for the acquisition of other data obtained by those agencies without the use of such binding powers. On the basis of that finding, the referring court considered it necessary to refer questions to the Court in order to determine whether a regime such as that resulting from section 94 of the 1984 Act falls within the scope of EU law and, if so, whether and in what way the requirements laid down by the case-law resulting from the judgment of 21 December 2016, Tele2 Sverige and Watson and Others ( C‑203/15 and C‑698/15 , EU:C:2016:970 ; ‘ Tele2 ’) apply to that regime. 23 In that regard, in its request for a preliminary ruling, the referring court states that, pursuant to section 94 of the 1984 Act, the Secretary of State may give providers of electronic communications services such general or specific directions as appear to him to be necessary in the interests of national security or relations with a foreign government. Referring to the definitions set out in section 21(4) and (6) of the RIPA, that court states that the data concerned includes traffic data and service use information, within the meaning of that provision, with only the content of communications being excluded. Such data and information make it possible, in particular, to know the ‘who, where, when and how’ of a communication. That data is transmitted to the security and intelligence agencies and retained by them for the purposes of their activities. 24 According to the referring court, the regime at issue in the main proceedings differs from that resulting from the Data Retention and Investigatory Powers Act 2014, at issue in the case which gave rise to the judgment of 21 December 2016, Tele2 ( C‑203/15 and C‑698/15 , EU:C:2016:970 ), since the latter regime provided for the retention of data by providers of electronic communications services and the making available of that data not only to security and intelligence agencies, in the interests of national security, but also to other public authorities, depending on their needs. Furthermore, that judgment concerned a criminal investigation, not national security. 25 The referring court adds that the databases compiled by the security and intelligence agencies are subject to bulk, unspecific, automated processing, with the aim of discovering unknown threats. To that end, the referring court states that the sets of metadata thus compiled should be as comprehensive as possible, so as to have a ‘haystack’ in order to find the ‘needle’ hidden therein. As regards the usefulness of bulk data acquisition by those agencies and the techniques for consulting that data, that court refers in particular to the findings of the report drawn up on 19 August 2016 by David Anderson QC, then United Kingdom Independent Reviewer of Terrorism Legislation, who relied, when drawing up that report, on a review conducted by a team of intelligence specialists and on the testimony of security and intelligence agency officers. 26 The referring court also states that, according to Privacy International, the regime at issue in the main proceedings is unlawful in the light of EU law, while the defendants in the main proceedings consider that the obligation to transfer data provided for by that regime, access to that data and its use do not fall within the competences of the European Union, in accordance, in particular, with Article 4(2) TEU, according to which national security remains the sole responsibility of each Member State. 27 In that regard, the Investigatory Powers Tribunal considers, on the basis of the judgment of 30 May 2006, Parliament v Council and Commission ( C‑317/04 and C‑318/04 , EU:C:2006:346 , paragraphs 56 to 59 ), concerning the transfer of passenger name record data for the purpose of protecting public security, that the activities of commercial undertakings in processing and transferring data for the purpose of protecting national security do not appear to fall within the scope of EU law. For the referring court, it is necessary to examine not whether the activity in question constitutes data processing, but only whether, in substance and effect, the purpose of such activity is to advance an essential State function, within the meaning of Article 4(2) TEU, through a framework established by the public authorities that relates to public security. 28 Should the measures at issue in the main proceedings nevertheless fall within the scope of EU law, the referring court considers that the requirements set out in paragraphs 119 to 125 of the judgment of 21 December 2016, Tele2 ( C‑203/15 and C‑698/15 , EU:C:2016:970 ) appear inappropriate in the context of national security and would undermine the ability of the security and intelligence agencies to tackle some threats to national security. 29 In those circumstances, the Investigatory Powers Tribunal decided to stay the proceedings and to refer the following questions to the Court of Justice for a preliminary ruling: ‘In circumstances where: (a) the [security and intelligence agencies’] capabilities to use [bulk communications data] supplied to them are essential to the protection of the national security of the United Kingdom, including in the fields of counter-terrorism, counter-espionage and counter-nuclear proliferation; (b) a fundamental feature of the [security and intelligence agencies’] use of [bulk communications data] is to discover previously unknown threats to national security by means of non-targeted bulk techniques which are reliant upon the aggregation of [those data] in one place. Its principal utility lies in swift target identification and development, as well as providing a basis for action in the face of imminent threat; (c) the provider of an electronic communications network is not thereafter required to retain [the bulk communications data] (beyond the period of their ordinary business requirements), which [are] retained by the State (the [security and intelligence agencies]) alone; (d) the national court has found (subject to certain reserved issues) that the safeguards surrounding the use of [bulk communications data] by the [security and intelligence agencies] are consistent with the requirements of the ECHR; and (e) the national court has found that the imposition of the requirements specified in [paragraphs 119 to 125 of the judgment of 21 December 2016, Tele2 ( C‑203/15 and C‑698/15 , EU:C:2016:970 )], if applicable, would frustrate the measures taken to safeguard national security by the [security and intelligence agencies], and thereby put the national security of the United Kingdom at risk; (1) Having regard to Article 4 TEU and Article 1(3) of [Directive 2002/58], does a requirement in a direction by a Secretary of State to a provider of an electronic communications network that it must provide bulk communications data to the [security and intelligence agencies] of a Member State fall within the scope of Union law and of [Directive 2002/58]? (2) If the answer to Question (1) is “yes”, do any of the [requirements applicable to retained communications data, set out in paragraphs 119 to 125 of the judgment of 21 December 2016, Tele2 ( C‑203/15 and C‑698/15 , EU:C:2016:970 )] or any other requirements in addition to those imposed by the ECHR, apply to such a direction by a Secretary of State? And, if so, how and to what extent do those requirements apply, taking into account the essential necessity of the [security and intelligence agencies] to use bulk acquisition and automated processing techniques to protect national security and the extent to which such capabilities, if otherwise compliant with the ECHR, may be critically impeded by the imposition of such requirements?’ Consideration of the questions referred Question 1 30 By its first question, the referring court asks, in essence, whether Article 1(3) of Directive 2002/58, read in the light of Article 4(2) TEU, is to be interpreted as meaning that national legislation enabling a State authority to require providers of electronic communications services to forward traffic data and location data to the security and intelligence agencies for the purpose of safeguarding national security falls within the scope of that directive. 31 In that regard, Privacy International argues, in essence, that, having regard to the guidance derived from the case-law of the Court of Justice as regards the scope of Directive 2002/58, both the acquisition of data by the security and intelligence agencies from those providers under section 94 of the 1984 Act and the use of that data by those agencies fall within the scope of that directive, whether that data is acquired by means of a transmission carried out in real-time or subsequently. In particular, it argues that the fact that the objective of protecting national security is explicitly listed in Article 15(1) of that directive does not mean that the directive does not apply to such situations, and that assessment is not affected by Article 4(2) TEU. 32 By contrast, the United Kingdom, Czech and Estonian Governments, Ireland, and the French, Cypriot, Hungarian, Polish and Swedish Governments contend, in essence, that Directive 2002/58 does not apply to the national legislation at issue in the main proceedings, as the purpose of that legislation is to safeguard national security. They argue that the activities of the security and intelligence agencies are essential State functions relating to the maintenance of law and order and the safeguarding of national security and territorial integrity, and, accordingly, are the sole responsibility of the Member States, as attested to by, in particular, the third sentence of Article 4(2) TEU. 33 According to those governments, Directive 2002/58 cannot therefore be interpreted as meaning that national measures concerning the safeguarding of national security fall within its scope. Article 1(3) of that directive defines the scope of that directive and excludes from that scope, as was previously provided in the first indent of Article 3(2) of Directive 95/46, activities concerning public security, defence, and State security. Those provisions reflect the allocation of competences laid down in Article 4(2) TEU and would be deprived of any practical effect if it were necessary for measures in the field of national security to meet the requirements of Directive 2002/58. Furthermore, the case-law of the Court derived from the judgment of 30 May 2006, Parliament v Council and Commission ( C‑317/04 and C‑318/04 , EU:C:2006:346 ), concerning the first indent of Article 3(2) of Directive 95/46 can be transposed to Article 1(3) of Directive 2002/58. 34 In that regard, it should be stated that, under Article 1(1) thereof, Directive 2002/58 provides, inter alia, for the harmonisation of the national provisions required to ensure an equivalent level of protection of fundamental rights and freedoms, and in particular the right to privacy and confidentiality, with respect to the processing of personal data in the electronic communications sector. 35 Article 1(3) of that directive excludes from its scope ‘activities of the State’ in specified fields, including activities in areas of criminal law and in the areas of public security, defence and State security, including the economic well-being of the State when the activities relate to State security matters. The activities thus mentioned by way of example are, in any event, activities of the State or of State authorities and are unrelated to fields in which individuals are active (judgment of 2 October 2018, Ministerio Fiscal, C‑207/16 , EU:C:2018:788 , paragraph 32 and the case-law cited). 36 In addition, Article 3 of Directive 2002/58 states that the directive is to apply to the processing of personal data in connection with the provision of publicly available electronic communications services in public communications networks in the European Union, including public communications networks supporting data collection and identification devices (‘electronic communications services’). Consequently, that directive must be regarded as regulating the activities of the providers of such services (judgment of 2 October 2018, Minister