[2025] UKUT 319 (AAC)

The Court of Justice of the European Union (“CJEU”) has considered the meaning of the phrase “in the course of an activity which falls outside the scope of Union law” in Article 2(2)(a) GDPR and the like phrase (“in the course of an activity which falls outside the scope of Community law”) in Article 3(2) of the earlier 95 Directive, on several occasions. We summarise its decisions at this juncture and will return to consider their significance when we explain our construction of Article 2(2)(a) GDPR under ‘Analysis’ below.

In B v Latvijas Republikas Saeima (Case C-439/19) (“Latvijas”), B received penalty points on their driving licence. The Road Safety Directorate of Latvia (“CSDD”) entered those penalty points in the national register of vehicles and their drivers. This information was accessible to the public. According to B, it had been disclosed, for re-use purposes, to a number of economic operators.

B lodged a constitutional complaint with the Latvian Constitutional Court to examine whether Article 14(2) of the Law on road traffic was consistent with the fundamental right to respect for private life laid down in Article 96 of the Latvian Constitution.

In the main proceedings, the Latvian Parliament confirmed that under Article 14(2) of the Law on road traffic, any person may obtain information relating to penalty points imposed on another person, either by enquiring directly at the CSDD or by using services provided by commercial re-users. Furthermore, that provision was justified by the right of access to information, laid down by the Latvian Constitution. The Latvian Parliament explained that, in practice, disclosing the information in the national register requires a person to provide the national identification number (a unique identifier) of the driver in question.

The questions referred to the CJEU included whether Article 10 of the GDPR must be interpreted as applying to the processing of personal data relating to penalty points imposed on drivers for road traffic offences, consisting in the public disclosure of data. The CJEU said it should first be determined whether the information constituted personal data, and the disclosure constituted processing that came under the material scope of the GDPR as defined in Article 2. The CJEU decided the information was personal data within the meaning of Article 4(1) and it decided disclosure by the CSDD to third parties constituted processing within the meaning of Article 4(2).

The CJEU decided that disclosure of that information fell within the very broad definition in Article 2(1) of the GDPR’s material scope and was not excluded from the material scope of the GDPR by Article 2(2)(a) or (d). At [62] of its judgment, the CJEU decided that the exception in Article 2(2)(a) must, like the other exceptions laid down in Article 2(2), be interpreted strictly. It decided that Article 2(2)(a) and (b) of the GDPR represented partly a continuation of the first indent of Article 3(2) of the 95 Directive.

The CJEU concluded at [64] that Article 2(2)(a) and (b) of the GDPR therefore could not be interpreted in broader terms than the exception resulting from the first indent of Article 3(2) of the 95 Directive. As we have set out at [58] above, that provision excluded from the Directive’s scope, personal data processing taking place in the course “of an activity which falls outside the scope of Community law, such as those provided for by Titles V and VI of the EU Treaty and in any case…processing operations concerning public security, defence, State security.”

At [65], the CJEU observed that only the processing of personal data in the course of an activity of the State / State authorities expressly listed in Article 3(2) of the 95 Directive or in the course of an activity which could be classified in the same category was excluded from the scope of that directive. The CJEU said at [66] that it followed from this that Article 2(2)(a) of the GDPR, read in the light of recital 16, must be regarded as being designed only to exclude from the scope of that regulation the processing of personal data carried out by State authorities in the scope of an activity intended to safeguard national security or of an activity that can be classified in the same category, with the result that the mere fact that an activity is one characteristic of the State or of a public authority, is not sufficient for that exception to apply to it automatically.

The CJEU decided that, while activities safeguarding national security are intended to protect essential State functions and the fundamental interests of society, activities relating to road safety do not pursue such an objective and cannot be classified in the category of activities having the aim of safeguarding national security, which are envisaged in Article 2(2)(a) of the GDPR ([67] to [68] of the decision). The exception to material scope given in Article 2(2)(a) therefore did not apply to them.

In providing its reasoning at [67], the CJEU expressed agreement with the Advocate General’s view set out at [57] and [58] of his Opinion that the activities having the aim of safeguarding national security envisaged in Article 2(2)(a) encompass, in particular, those intended to protect essential State functions and the fundamental interests of society. In this part of his Opinion, the Advocate General reasoned that the EU legislature had specified elsewhere (but in the context of data protection) that national security is to be understood as “State security”. He also observed that Article 2(2)(a) GDPR should be seen against the background of Article 4(2) TEU, which provides that the EU is to respect Member States’ “essential State functions” and in that respect specifies, by way of example, that national security remains the sole responsibility of each Member State. In this context, the Advocate General opined that Article 2(2)(a) of the GDPR does nothing more than reiterate this constitutional requirement of what must be guaranteed for a State to function.

At [65] of its decision in Latvijas, the CJEU referred to the earlier CJEU decision in Lindqvist(C-101/01) [2004] QB 1014 (“Lindqvist”). At [43] of Lindqvist, the CJEU emphasised that the activities mentioned by way of example in the first indent of Article 3(2) of the 95 Directive were activities of the state or state authorities and unrelated to the fields of activities of individuals. At [44] of Lindqvist, the CJEU explained that the activities mentioned as examples in the first indent of Article 3(2) of the 95 Directive are intended to define the scope of the exception provided, with the result that the exception in question only applies to the activities which are expressly listed there, or which can be classified in the same category (ejusdem generis).

In Data Protection Commissioner v Facebook Ireland Ltd and Maximillian Schrems (United States of America and others intervening) (Case C-311/18) [2021] 1 WLR 751 (“Schrems II”), the data subject was an Austrian national who had used a social networking site. He lodged a complaint with the Irish Data Protection Commissioner regarding the processing of his personal data under the GDPR. Mr Schrems complained that the personal data he provided to the Irish subsidiary of the group operating the site was transferred to the United States parent company for processing in the United States. At that point, the parent company was legally required to make the personal data available to certain domestic state defence and security authorities. Mr Schrems argued this was incompatible with Articles 7, 8 and 47 of the Charter of Fundamental Rights of the EU and that the USA offered insufficient protection of the data, contrary to Articles 2, 45 and 46 of the GDPR.

Mr Schrems sought to require the Data Protection Commissioner to suspend or prohibit future transfers of his personal data. The Commissioner brought an action to the High Court so that it could refer questions to the CJEU for a ruling. The first question raised by the referring court was whether Article 2(1) and 2(2)(a), (b) and (d) of the GDPR, read in conjunction with Article 4(2) TEU, must be interpreted as meaning the Regulation applied to the transfer of personal data by an economic operator established in a member state to another economic operator established in a third country, in circumstances where, at the time of transfer (or thereafter) the data was liable to be processed by the third country authorities for the purposes of public security, defence and state security.

At [102] of his Opinion, the Advocate General expressed the view that Article 2(2) of the GDPR makes clear that it does not apply to, among others, the processing of personal data in the course of an activity which falls outside the scope of EU law or by the competent authorities for the purposes of protecting public security. The Advocate General explained that in his view these provisions reflect the fact that Article 4(2) of TEU recognises competence in matters of the protection of national security is reserved to Member States.

The Advocate General considered that the data transfers referred to in Mr Schrems’ complaint were not excluded from the scope of the GDPR by Article 2(2)(a) and that they therefore came within the scope of EU law ([103] of his Opinion). He explained at [104] that the question the CJEU was being asked to determine did not concern the applicability of EU law to any subsequent processing by the US authorities for national security purposes of the data transferred to the USA, which would be excluded from the scope ratione territoriae of the GDPR. In other words, the Advocate General considered that subsequent processing by the US authorities would be outside GDPR regulation by application of the provisions in Article 3 on territorial scope, rather than outside material scope by virtue of Article 2(2)(a) (in this regard, also see footnote 11 to his Opinion).

At [110] of his Opinion, the Advocate General concluded that EU law applied to a transfer of personal data from a member state to a third country where that transfer forms part of a commercial activity, it being immaterial that the transferred data might undergo, on the part of the third country public authorities, processing intended to protect that third country’s national security.

At [81] of its decision, the CJEU made clear that the rule in Article 4(2) TEU, according to which, within the EU, national security remains the sole responsibility of each member state, concerns Member States of the EU only. The CJEU explained the rule in Article 4(2) was therefore irrelevant in the present case for the purpose of interpreting Article 2(1) and 2(2)(a), (b) and (d) of the GDPR.

At [84] the CJEU observed that in considering whether the operation in question was excluded from the scope of the GDPR under Article 2(2), it should be noted that Article 2 lays down exceptions to the scope of the Regulation “which must be interpreted strictly”.

At [86] the CJEU confirmed that the possibility that personal data transferred between two economic operators (Facebook Ireland and Facebook Inc) for commercial purposes might undergo, at the time of transfer, or thereafter, processing for the purposes of public security, defence, and state security by the authorities of that third country, could not remove that transfer from the scope of the GDPR.

The CJEU drew support from Article 45(2) of the GDPR which expressly requires the EU Commission, when assessing the adequacy of the protection provided by a third country, to take account, among other things, of “relevant legislation, both general and sectoral, including concerning public security, defence, national security and criminal law, and the access of public authorities to personal data, as well as the implementation of such legislation”. At [87] of its decision, the CJEU explained this makes patent that no processing by a third country of personal data for the purposes of public security, defence and state security excludes the transfer in issue from the application of GDPR.

At [88] of its decision, the CJEU concluded that such a transfer cannot fall outside the scope of the GDPR on the ground that the data in issue is liable to be processed by the authorities of the third country for the purposes of public security, defence, and state security.

In Österreichische Datenschutzbehörde v WK (Case C-33/22) [2024] 4 WLR 42 (“WK”), WK complained that his personal data (his name) was published on the Austrian Parliament’s website as a result of a committee of inquiry investigating the country’s police state-protection agency. At [37] of its decision, the CJEU again confirmed that the exception to processing falling within material scope of the GDPR, provided for in Article 2(2), must be interpreted strictly (per Latvijas at [62]).

At [41], the CJEU agreed with [84] of the Advocate General’s Opinion that the exception to the scope of the GDPR provided for in Article 2(2)(a) refers only to categories of activities which, by their nature, fall outside the scope of Union law. It does not refer to categories of persons, depending on whether they are private or public in nature, or, where the controller is a public authority, to the fact that its tasks and duties fall directly and exclusively within the scope of a given public power, unless that power is connected with an activity which, in any event, falls outside the scope of Union law.

The CJEU answered the first question referred, in terms that the first sentence of Article 16(2) of TFEU and Article 2(2)(a) of the GDPR must be interpreted as meaning that an activity cannot be regarded as outside the scope of Union law (and therefore outside the scope of GDPR) for the sole reason that it is carried out by a committee of inquiry set up by a Member State’s parliament to exercise its power of scrutiny over the executive ([43] of the judgment).

The CJEU emphasised the strict interpretation required of Article 2(2)(a) of GDPR and that this was designed solely to exclude from scope personal data processing carried out by state authorities in the course of an activity intended to safeguard national security or of an activity that can be classified in the same category (at [45]). At [46], the CJEU indicated that activities with the aim of safeguarding national security are those intended to protect essential state functions and the fundamental interests of society. At [47], the CJEU explained such activities remain the sole responsibility of the Member States, in accordance with Article 4(2) of TEU.

Applying that approach, at [50], the CJEU explained that while it is for the Member States, in accordance with Article 4(2) of TEU, to define their essential security interests and to take appropriate measures to ensure internal and external security, the mere fact a national measure has been taken for the purpose of protecting national security cannot render EU law inapplicable and exempt the Member States from having to comply with EU law. At [51], the CJEU referred back to its analysis at [41] and emphasised that the fact that a controller is a public authority whose main activity is to ensure national security, cannot be sufficient to exclude that controller’s personal data processing from the GDPR when it is in the course of other activities it carries out.