Abstract
The article deals with the material scope of EU data protection rules. The relevant case law of the CJEU shows that the material scope of EU secondary law in this area must be understood much more broadly than it might seem at the first sight.
This is because, in order to ensure the maximum level of protection, the CJEU interprets the restrictions on the scope of these legislative acts as "exceptions to the rule", without due regard to their legal basis and the principle of conferral. The author points out the problematic aspects of this approach and demonstrates - on the recent CJEU data retention jurisprudence - that the EU data protection rules are now likely to affect the area of national security, traditionally the domain of the Member States.