Article 2d "This Regulation does not apply to the processing of personal data: [...] by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security." exempts data collection by gov't for security purposes.
Article 6.1c "Processing shall be lawful only if and to the extent that at least one of the following applies: [...] c) processing is necessary for compliance with a legal obligation to which the controller is subject;" exempts data collection by private parties if ordered by gov't, e.g. if they require communications operators to track subscriber identities or something else, then GDPR consent requirements don't apply.
So I'd say that it's materially true that "Data collection for security and intelligence purposes by governments is exempt from GDPR rules", as long as governments are doing this data collection according to whatever other laws they have passed and not in violation of them (which sometimes has been the case, though, with executive branch doing what legislative branch has forbidden them).
Article 6.1c "Processing shall be lawful only if and to the extent that at least one of the following applies: [...] c) processing is necessary for compliance with a legal obligation to which the controller is subject;" exempts data collection by private parties if ordered by gov't, e.g. if they require communications operators to track subscriber identities or something else, then GDPR consent requirements don't apply.
So I'd say that it's materially true that "Data collection for security and intelligence purposes by governments is exempt from GDPR rules", as long as governments are doing this data collection according to whatever other laws they have passed and not in violation of them (which sometimes has been the case, though, with executive branch doing what legislative branch has forbidden them).