Laws restricting what the government and private entities can do with data almost invariably (e.g. the GDPR) just have a blanket exception for security services.
Very long term we might trend away from that, just as eventually countries which had outlawed capital punishment "except in times of war" realised they had no intention of doing it in a war either so many of them began removing that caveat. But today this is the case with every such restriction I've seen, it either says in the law itself that it doesn't apply to security services or there's a superseding law that says the security services needn't obey the data protection rules.
Very long term we might trend away from that, just as eventually countries which had outlawed capital punishment "except in times of war" realised they had no intention of doing it in a war either so many of them began removing that caveat. But today this is the case with every such restriction I've seen, it either says in the law itself that it doesn't apply to security services or there's a superseding law that says the security services needn't obey the data protection rules.