Module 8 · Surveillance framework - Article 23, content vs metadata
Surveillance is observation of individuals - covert or overt, real-time or stored. Article 23 lets EU/Member State law restrict data-subject rights, but only if it respects the essence of fundamental rights and is a necessary and proportionate measure in a democratic society. State surveillance must respect Charter Article 7 (private life) and Article 8 (data protection); the Law Enforcement Directive governs law-enforcement processing. In ePrivacy terms, content (the message itself) is distinguished from metadata (data about data).
Surveillance is observation of individuals, whether covert or overt, in real time or from stored records. Article 23 allows EU/Member State law to restrict data-subject rights, but the restriction must respect the essence of fundamental rights and be a necessary and proportionate measure in a democratic society (see EDPB Guidelines 10/2020 on Article 23 restrictions).
Public/state surveillance for national security or law enforcement must respect Charter Article 7 (respect for private life) and Article 8 (protection of personal data). The Law Enforcement Directive governs law-enforcement processing (lawful, fair, necessary, proportionate), while private surveillance must comply with the GDPR.
| Category | Examples |
|---|---|
| Content | The conversation itself - email body and subject, attachments, the spoken words. |
| Metadata - traffic data | Calling/called numbers, time and duration of a call. |
| Metadata - location data | Latitude/longitude, cell location. |
| Metadata - subscriber data | Account holder details tied to the service. |
The content / metadata distinction drives which ePrivacy rules apply - metadata is not 'harmless', it is still regulated communications data.