As long as the national
data retention obligations do not concern the content
of the electronic communications and as long as they provide for safeguards that «effectively protect
personal data» retained by service providers «against the risk
of abuse and against any
unlawful access and
use of that
data» (§ 159), this requirement does not seem to create particular problems in the cases submitted to the CJEU.
In this regard, there seems to be general agreement that the
use of unauthorised
personal data is
unlawful in most domestic legal systems and under international law (it is at the very least a breach
of the human right to privacy).