The factor "State activities concerning national security" means that data protection laws typically do not apply to personal data processing activities carried out by state authorities for purposes related to national security, defense, public safety, and law enforcement. This exclusion is designed to allow government agencies to perform critical security and intelligence functions without being constrained by certain data protection requirements.

Key points from different jurisdictions:

European Union (GDPR)

GDPR Recital 16 states: "This Regulation does not apply to issues of protection of fundamental rights and freedoms or the free flow of personal data related to activities which fall outside the scope of Union law, such as activities concerning national security."

Key points:

• National security activities are explicitly excluded from GDPR's scope
• The exclusion extends to Member States' activities related to the EU's common foreign and security policy

Kazakhstan (Law on personal data and its protection)

Article 3(4) provides: "Collection, processing and protection of personal data in the course of intelligence, counterintelligence, operational-search activities, as well as the implementation of security measures to ensure the safety of protected persons and objects within the limits established by the laws of the Republic of Kazakhstan."

Key points:

• Excludes intelligence and counterintelligence activities
• Covers operational-search activities
• Includes security measures for protected persons and objects

Brazil (LGPD)

Article 4 states: "This Law does not apply to the processing of personal data that: III – is done exclusively for purposes of: a) public safety; b) national defense; c) state security; or d) activities of investigation and prosecution of criminal offenses;"

Key points:

• Broad exclusion covering public safety, national defense, and state security
• Extends to criminal investigation and prosecution activities

Uzbekistan (LRU-547)

Article 3(2)(4) provides: "This Law does not apply to relations arising from: processing of personal data obtained in the course of operational-search, intelligence and counter-intelligence activities, combating crime, law enforcement, as well as in the framework of counteracting the legalization of proceeds of crime."

Key points:

• Excludes operational-search, intelligence, and counter-intelligence activities
• Covers law enforcement and crime prevention, including anti-money laundering efforts

Thailand (PDPA)

Section 4(1)(2) states: "This Act shall not apply to: (2) operations of public authorities having the duties to maintain state security, including financial security of the state or public safety, including the duties with respect to the prevention and suppression of money laundering, forensic science or cybersecurity;"

Key points:

• Broad exclusion for state security operations, including financial security
• Covers public safety, anti-money laundering, forensic science, and cybersecurity activities