delivered on 19 December 2019 (1)

Case C‑311/18

Facebook Ireland Limited,

Maximillian Schrems,

interveners:

The United States of America,

Electronic Privacy Information Centre,

BSA Business Software Alliance, Inc.,

Digitaleurope

(request for a preliminary ruling from the High Court, Ireland)

(Reference for a preliminary ruling — Protection of natural persons with regard to the processing of personal data — Regulation (EU) 2016/679 — Article 2(2) — Scope — Transfer of personal data for commercial purposes to the United States of America — Processing by the United States of America’s public authorities for national security purposes of the data transferred — Article 45 — Assessment of the adequacy of the level of protection ensured in a third country — Article 46 — Appropriate safeguards offered by the controller — Standard protection clauses — Article 58(2) — Powers of the national supervisory authorities — Decision 2010/87/EU — Validity — Decision (EU) 2016/1250 — ‘EU-U.S. Privacy Shield — Validity — Articles 7, 8 and 47 of the Charter of Fundamental Rights of the European Union)

Table of contents

II. Legal framework

III. The main proceedings, the questions for a preliminary ruling and the procedure before the Court

(a) Explanations concerning the content of the examination of the validity of an adequacy decision

(1) The terms of the comparison permitting an assessment of the ‘essential equivalence’ of the level of protection

(2) The need to ensure an adequate level of protection while the data are in transit

(3) The taking into consideration of the findings of fact made by the Commission and the referring court concerning United States law

(4) The scope of the ‘essential equivalence’ standard

(b) The validity of the ‘privacy shield’ decision by reference to the rights to respect for private life and to the protection of personal data

(1) The existence of interferences

(2) The requirement that the interferences be ‘provided for by law’

(3) No compromising of the essence of the fundamental rights

(4) The pursuit of a legitimate objective

(5) The necessity and the proportionality of the interferences

(c) The validity of the ‘privacy shield’ decision by reference to the exercise of the right to an effective remedy

(1) The effectiveness of the judicial remedies provided for by United States law

(2) The impact of the Ombudsperson Mechanism on the level of protection of the right to an effective remedy

1.In the absence of common personal data protection safeguards at global level, cross-border flows of such data entail a risk of a breach in continuity of the level of protection guaranteed in the European Union. Desirous of facilitating those flows while limiting that risk, the EU legislature has established three mechanisms whereby personal data may be transferred from the European Union to a third State.

2.In the first place, such a transfer may take place on the basis of a decision whereby the European Commission finds that the third State in question ensures an ‘adequate level of protection’ of the data transferred to it. (2) In the second place, in the absence of such a decision, the transfer is authorised when it is accompanied by ‘appropriate safeguards’. (3) Those safeguards may take the form of a contract between the exporter and the importer of the data containing standard protection clauses adopted by the Commission. The GDPR makes provision, in the third place, for certain derogations, based in particular on the consent of the data subject, that allow the data to be transferred to a third country even in the absence of an adequacy decision or appropriate safeguards. (4)

3.The request for a preliminary ruling submitted by the High Court, Ireland (‘the High Court’) relates to the second of those mechanisms. It concerns, more specifically, the validity of Decision 2010/87/EU, (5) whereby the Commission established standard contractual clauses for certain categories of transfers, in the light of Articles 7, 8 and 47 of the Charter of Fundamental Rights of the European Union (‘the Charter’).

4.The request was submitted in proceedings brought by the Data Protection Commissioner, Ireland (‘the DPC’) against Facebook Ireland Ltd and Mr Maximillian Schrems in respect of a complaint lodged by Mr Schrems before the DPC concerning the transfer of personal data relating to him by Facebook Ireland to Facebook, Inc., its parent company, established in the United States of America (‘the United States’). The DPC takes the view that the assessment of that complaint is conditional on the validity of Decision 2010/87. In that regard, it requested that the referring court seek clarification from the Court of Justice on that point.

5.Let me state at the outset that examination of the questions for a preliminary ruling has in my view disclosed nothing to affect the validity of Decision 2010/87.

6.Furthermore, the referring court has highlighted certain doubts relating, in essence, to the adequacy of the level of protection guaranteed by the United States with regard to the interferences by the United States intelligence authorities with the exercise of the fundamental rights of the individuals whose data are transferred to the United States. Those doubts indirectly called into question the assessments made by the Commission in that respect in the Implementing Decision (EU) 2016/1250. (6) Although the resolution of the dispute in the main proceedings does not require the Court to settle that issue, and although I therefore suggest that it refrain from doing so, I shall set out, in the alternative, the reasons that lead me to question the validity of that decision.

7.My analysis as a whole will be guided by the desire to strike a balance between, on the one hand, the need to show a ‘reasonable degree of pragmatism in order to allow interaction with other parts of the world’, (7) and, on the other hand, the need to assert the fundamental values recognised in the legal orders of the Union and its Member States, and in particular in the Charter.

II. Legal framework

8.Article 3(2) of Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data (8) provided:

‘This Directive shall not apply to the processing of personal data:

– in the course of an activity which falls outside the scope of Community law, such as those provided for by Titles V and VI of the Treaty on European Union and in any case to processing operations concerning public security, defence, State security (including the economic well-being of the State when the processing operation relates to State security matters) and the activities of the State in areas of criminal law,

…’

‘Member States may adopt legislative measures to restrict the scope of the obligations and rights provided for in Articles 6(1), 10, 11(1), 12 and 21 when such a restriction constitutes a necessary measure to safeguard:

(a) national security;

(b) defence;

(c) public security;

(d) the prevention, investigation, detection and prosecution of criminal offences, or of breaches of ethics for regulated professions;

(e) an important economic or financial interest of a Member State or of the [Union], including monetary, budgetary and taxation matters;

(f) a monitoring, inspection or regulatory function connected, even occasionally, with the exercise of official authority in cases referred to in (c), (d) and (e);

(g) the protection of the data subject or of the rights and freedoms of others.’

‘1. The Member States shall provide that the transfer to a third country of personal data which are undergoing processing or are intended for processing after transfer may take place only if, without prejudice to compliance with the national provisions adopted pursuant to the other provisions of this Directive, the third country in question ensures an adequate level of protection.

…

Member States shall take the necessary measures to comply with the Commission’s decision.’

‘2. Without prejudice to paragraph 1, a Member State may authorise a transfer or a set of transfers of personal data to a third country which does not ensure an adequate level of protection within the meaning of Article 25(2), where the controller adduces adequate safeguards with respect to the protection of the privacy and fundamental rights and freedoms of individuals and as regards the exercise of the corresponding rights; such safeguards may in particular result from appropriate contractual clauses.

…

Article 28(3) of Directive 95/46 was worded as follows:

‘Each authority shall in particular be endowed with:

…

–effective powers of intervention, such as, for example, that of delivering opinions before processing operations are carried out, in accordance with Article 20, and ensuring appropriate publication of such opinions, of ordering the blocking, erasure or destruction of data, of imposing a temporary or definitive ban on processing, of warning or admonishing the controller, or that of referring the matter to national parliaments or other political institutions,

…’

Pursuant to Article 94(1), the GDPR repealed Directive 95/46 with effect from 25 May 2018, the date from which that regulation applies, in accordance with Article 99(2) thereof.

Article 2(2) of that regulation provides:

‘This Regulation does not apply to the processing of personal data:

(a) in the course of an activity which falls outside the scope of Union law;

(b) by the Member States when carrying out activities which fall within the scope of Chapter 2 of Title V of the [EU Treaty];

…

(d) by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.’

Article 4(2) of that regulation defines ‘processing’ as ‘any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction’.

Article 23 of the GDPR provides:

‘1. Union or Member State law to which the data controller or processor is subject may restrict by way of a legislative measure the scope of the obligations and rights provided for in Articles 12 to 22 and Article 34, as well as Article 5 in so far as its provisions correspond to the rights and obligations provided for in Articles 12 to 22, when such a restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard:

(a) national security;

(b) defence;

(c) public security;

(d) the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security;

(e) other important objectives of general public interest of the Union or of a Member State, in particular an important economic or financial interest of the Union or of a Member State …

…

(a) the purposes of the processing or categories of processing;

(b) the categories of personal data;

(c) the scope of the restrictions introduced;

(d) the safeguards to prevent abuse or unlawful access or transfer;

(e) the specification of the controller or categories of controllers;

(f) the storage periods and the applicable safeguards taking into account the nature, scope and purposes of the processing or categories of processing;

(g) the risks of the rights and freedoms of data subjects; and

(h) the right of data subjects to be informed about the restriction, unless that may be prejudicial to the purpose of the restriction.’

Article 44 of that regulation, entitled ‘General principle for transfers’, states:

‘Any transfer of personal data which are undergoing processing or are intended for processing after transfer to a third country or to an international organisation shall take place only if, subject to the other provisions of this Regulation, the conditions laid down in this Chapter are complied with by the controller and processor, including for onward transfers of personal data from the third country or an international organisation to another third country or to another international organisation. All provisions in this Chapter shall be applied in order to ensure that the level of protection of natural persons guaranteed by this Regulation is not undermined.’

In accordance with Article 45 of that regulation, entitled ‘Transfers on the basis of an adequacy decision’:

‘1. A transfer of personal data to a third country or an international organisation may take place where the Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organisation in question ensures an adequate level of protection. Such a transfer shall not require any specific authorisation.

(a) the rule of law, respect for human rights and fundamental freedoms, relevant legislation, both general and sectoral, including concerning public security, defence, national security and criminal law and the access of public authorities to personal data, as well as the implementation of such legislation, data protection rules, professional rules and security measures, including rules for the onward transfer of personal data to another third country or international organisation which are complied with in that country or international organisation, case-law, as well as effective and enforceable data subject rights and effective administrative and judicial redress for the data subjects whose personal data are being transferred;

(b) the existence and effective functioning of one or more independent supervisory authorities in the third country or to which an international organisation is subject, with responsibility for ensuring and enforcing compliance with the data protection rules, including adequate enforcement powers, for assisting and advising the data subjects in exercising their rights and for cooperation with the supervisory authorities of the Member States; and

(c) the international commitments the third country or international organisation concerned has entered into, or other obligations arising from legally binding conventions or instruments as well as from its participation in multilateral or regional systems, in particular in relation to the protection of personal data.

…

Article 46 of that regulation, entitled ‘Transfers subject to appropriate safeguards’, is worded as follows:

‘1. In the absence of a decision pursuant to Article 45(3), a controller or processor may transfer personal data to a third country or an international organisation only if the controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available.

…

standard data protection clauses adopted by the Commission in accordance with the examination procedure referred to in Article 93(2);

…

In the words of Article 58(2), (4) and (5) of the GDPR:

‘2. Each supervisory authority shall have all of the following corrective powers:

to issue warnings to a controller or processor that intended processing operations are likely to infringe provisions of this Regulation;

to issue reprimands to a controller or a processor where processing operations have infringed provisions of this Regulation;

to order the controller or the processor to comply with the data subject’s requests to exercise his or her rights pursuant to this Regulation;

to order the controller or processor to bring processing operations into compliance with the provisions of this Regulation, where appropriate, in a specified manner and within a specified period;

to order the controller to communicate a personal data breach to the data subject;

to impose a temporary or definitive limitation including a ban on processing;

…

to impose an administrative fine pursuant to Article 83, in addition to, or instead of measures referred to in this paragraph, depending on the circumstances of each individual case;

to order the suspension of data flows to a recipient in a third country or to an international organisation.

…

21.

Article 26(4) of Directive 95/46 gave rise to the adoption by the Commission of three decisions in which it found that the standard contractual clauses set out therein afford sufficient safeguards in the light of the protection of the private life and freedoms and the fundamental rights of persons, and also with regard to the exercise of the corresponding rights (‘the SCC decisions’). (9)

Those decisions include Decision 2010/87, Article 1 of which provides that ‘the standard contractual clauses set out in the Annex are considered as offering adequate safeguards with respect to the protection of the privacy and fundamental rights and freedoms of individuals and as regards the exercise of the corresponding rights as required by Article 26(2) of [Directive 95/46]’.

Pursuant to Article 3 of that decision:

‘For the purposes of this Decision the following definitions shall apply:

…

(c)“data exporter” means the controller who transfers the personal data;

(d)“data importer” means the processor established in a third country who agrees to receive from the data exporter personal data intended for processing on the data exporter’s behalf after the transfer in accordance with his instructions and the terms of this Decision and who is not subject to a third country’s system ensuring adequate protection within the meaning of Article 25(1) of [Directive 95/46];

…

(f)“applicable data protection law” means the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data applicable to a data controller in the Member State in which the data exporter is established;

…’

In its initial version Article 4 of that decision provided, in paragraph 1:

‘Without prejudice to their powers to take action to ensure compliance with national provisions adopted pursuant to Chapters II, III, V and VI of [Directive 95/46], the competent authorities in the Member States may exercise their existing powers to prohibit or suspend data flows to third countries in order to protect individuals with regard to the processing of their personal data in cases where:

(a)it is established that the law to which the data importer or a sub-processor is subject imposes upon him requirements to derogate from the applicable data protection law which go beyond the restrictions necessary in a democratic society as provided for in Article 13 of [Directive 95/46] where those requirements are likely to have a substantial adverse effect on the guarantees provided by the applicable data protection law and the standard contractual clauses;

(b)a competent authority has established that the data importer or a sub-processor has not respected the standard contractual clauses in the Annex; or

(c)there is a substantial likelihood that the standard contractual clauses in the Annex are not being or will not be complied with and the continuing transfer would create an imminent risk of grave harm to the data subjects.’

In its current version, as resulting from the amendment of Decision 2010/87 by Implementing Decision (EU) 2016/2297, (10) Article 4 of Decision 2010/87 states that ‘whenever the competent authorities in Member States exercise their powers pursuant to Article 28(3) of [Directive 95/46] leading to the suspension or definitive ban of data flows to third countries in order to protect individuals with regard to the processing of their personal data, the Member State concerned shall, without delay, inform the Commission which will forward the information to the other Member States’.

The annex to Decision 2010/87 contains a number of standard contractual clauses. In particular, Clause 3 in that annex, entitled ‘Third-party beneficiary clause’, provides:

‘1. The data subject can enforce against the data exporter this Clause, Clause 4(b) to (i), Clause 5(a) to (e), and (g) to (j), Clause 6(1) and (2), Clause 7, Clause 8(2), and Clauses 9 to 12 as third-party beneficiary.

…’

Clause 4 in that annex, entitled ‘Obligations of the data exporter’, provides:

‘The data exporter agrees and warrants:

(a)that the processing, including the transfer itself, of the personal data has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law (and, where applicable, has been notified to the relevant authorities of the Member State where the data exporter is established) and does not violate the relevant provisions of that State;

(b)that it has instructed and throughout the duration of the personal data-processing services will instruct the data importer to process the personal data transferred only on the data exporter’s behalf and in accordance with the applicable data protection law and the Clauses;

(c)that the data importer will provide sufficient guarantees in respect of the technical and organisational security measures specified in Appendix 2 to this contract;

(d)that after assessment of the requirements of the applicable data protection law, the security measures are appropriate to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation;

(e)that it will ensure compliance with the security measures;

(f)that, if the transfer involves special categories of data, the data subject has been informed or will be informed before, or as soon as possible after, the transfer that its data could be transmitted to a third country not providing adequate protection within the meaning of [Directive 95/46];

(g)to forward any notification received from the data importer or any sub-processor pursuant to Clause 5(b) and Clause 8(3) to the data protection supervisory authority if the data exporter decides to continue the transfer or to lift the suspension;

(h)to make available to the data subjects upon request a copy of the Clauses, with the exception of Appendix 2, and a summary description of the security measures, as well as a copy of any contract for sub-processing services which has to be made in accordance with the Clauses, unless the Clauses or the contract contain commercial information, in which case it may remove such commercial information;

(i)that, in the event of sub-processing, the processing activity is carried out in accordance with Clause 11 by a sub-processor providing at least the same level of protection for the personal data and the rights of data subject as the data importer under the Clauses; and

(j)that it will ensure compliance with Clause 4(a) to (i).’

Clause 5 in the same annex, entitled ‘Obligations of the data importer (1)’, states:

‘The data importer agrees and warrants:

(a)to process the personal data only on behalf of the data exporter and in compliance with its instructions and the Clauses; if it cannot provide such compliance for whatever reasons, it agrees to inform promptly the data exporter of its inability to comply, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;

(b)that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Clauses, it will promptly notify the change to the data exporter as soon as it is aware, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;

(c)that it has implemented the technical and organisational security measures specified in Appendix 2 before processing the personal data transferred;

(d)that it will promptly notify the data exporter about:

(i)any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation;

(ii)any accidental or unauthorised access; and

(iii)any request received directly from the data subjects without responding to that request, unless it has been otherwise authorised to do so;

(e)to deal promptly and properly with all inquiries from the data exporter relating to its processing of the personal data subject to the transfer and to abide by the advice of the supervisory authority with regard to the processing of the data transferred;

(f)at the request of the data exporter to submit its data-processing facilities for audit of the processing activities covered by the Clauses which shall be carried out by the data exporter or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality, selected by the data exporter, where applicable, in agreement with the supervisory authority;

…’

According to footnote 1, to which the title of Clause 5 in the annex to Decision 2010/87 refers:

‘Mandatory requirements of the national legislation applicable to the data importer which do not go beyond what is necessary in a democratic society on the basis of one of the interests listed in Article 13(1) of Directive [95/46], that is, if they constitute a necessary measure to safeguard national security, defence, public security, the prevention, investigation, detection and prosecution of criminal offences or of breaches of ethics for the regulated professions, an important economic or financial interest of the State or the protection of the data subject or the rights and freedoms of others, are not in contradiction with the standard contractual clauses. Some examples of such mandatory requirements which do not go beyond what is necessary in a democratic society are, inter alia, internationally recognised sanctions, tax-reporting requirements or anti-money-laundering reporting requirements.’

Clause 6 in that annex, entitled ‘Liability’, is worded as follows:

‘1. The parties agree that any data subject, who has suffered damage as a result of any breach of the obligations referred to in Clause 3 or in Clause 11 by any party or sub-processor is entitled to receive compensation from the data exporter for the damage suffered.

…’

Clause 7 in that annex, entitled ‘Mediation and jurisdiction’, provides:

‘1. The data importer agrees that if the data subject invokes against it third-party beneficiary rights and/or claims compensation for damages under the Clauses, the data importer will accept the decision of the data subject:

(a)to refer the dispute to mediation, by an independent person or, where applicable, by the supervisory authority;

(b)to refer to dispute to the courts in the Member State in which the data exporter is established.

Clause 9 in that annex, entitled ‘Governing law’, provides that the standard contractual clauses are to be governed by the law of the Member State in which the data exporter is established.

33.Article 25(6) of Directive 95/46 served as the basis for the adoption by the Commission of two successive decisions whereby it found that the United States ensured an adequate level of protection of the personal data transferred to undertakings established in the United States which declared that they adhered, by means of a self-certification procedure, to the principles set out in those decisions.

34.Initially, the Commission adopted Decision 2000/520/EC on the adequacy of the protection provided by the safe harbour privacy principles and related frequently asked questions issued by the US Department of Commerce. (11) In the judgment of 6 October 2015, Schrems, (12) the Court declared that decision invalid.

35.Following that judgment, the Commission then adopted the ‘privacy shield’ decision.

36.Article 1 of that decision provides:

‘1. For the purposes of Article 25(2) of [Directive 95/46], the United States ensures an adequate level of protection for personal data transferred from the Union to organisations in the United States under the EU-U.S. Privacy Shield.

37.Annex III A to that decision, entitled ‘EU-U.S. Privacy Shield Ombudsperson mechanism regarding signals intelligence’, attached to a letter from Mr John Kerry, the then United States Secretary of State, dated 7 July 2016, contains a memorandum describing a new mediation procedure before a ‘Senior Coordinator for International Information Technology Diplomacy’ (‘the Ombudsperson’) designated by the Secretary of State.

38.In the words of that memorandum, that procedure was put in place in order ‘to facilitate the processing of requests relating to national security access to data transmitted from the [Union] to the United States pursuant to the Privacy Shield, standard contractual clauses (SCCs), binding corporate rules (BCSs), “Derogations” or “Possible Future Derogations”, through established avenues under applicable United States laws and policy, and the response to those requests’.

III. The main proceedings, the questions for a preliminary ruling and the procedure before the Court

39.Mr Schrems, an Austrian national residing in Austria, is a user of the social network Facebook. All users of that social network residing in the territory of the European Union are required, when signing up, to enter into a contract with Facebook Ireland, a subsidiary of Facebook Inc., which is established in the United States. Those users’ personal data are transferred, in whole or in part, to servers belonging to Facebook Inc. situated in the territory of the United States, where they are processed.

40.On 25 June 2013, Mr Schrems filed a complaint with the DPC whereby he requested her, in essence, to prohibit Facebook Ireland from transferring the personal data relating to him to the United States. He claimed that the law and practices in force in the United States did not ensure adequate protection of the personal data retained in its territory against intrusions resulting from the surveillance activities practised by the public authorities. Mr Schrems referred in that regard to the revelations made by Mr Edward Snowden concerning the activities of the United States intelligence services, in particular those of the National Security Agency (NSA).

41.That complaint was rejected on the ground, in particular, that any question relating to the adequacy of the protection afforded in the United States had to be settled in accordance with the ‘safe harbour’ decision. In that decision, the Commission had found that the United States offered an adequate level of protection for personal data transferred to undertakings in its territory that adhered to the principles set out in that decision.

42.Mr Schrems brought an action against the decision rejecting his complaint before the High Court, which considered that, although Mr Schrems had not formally contested the validity of the ‘safe harbour’ decision, his complaint impugned, in reality, the legality of the regime established by that decision. In those circumstances, the High Court referred a number of questions to the Court, seeking, in essence, to ascertain whether the authorities of the Member States responsible for data protection (the ‘supervisory authorities’), when dealing with a complaint concerning the protection of the rights and freedoms of a person in regard to the processing of personal data relating to him which have been transferred to a third State, are bound by the findings as to the adequacy of the level of protection afforded by that third State made by the Commission pursuant to Article 25(6) of Directive 95/46, when the complainant disputes those findings.

43.After holding, in paragraphs 51 and 52 of the judgment in Schrems, that an adequacy decision is binding on the supervisory authorities until such time as it is declared invalid, the Court stated the following in paragraphs 63 and 65 of that judgment:

‘63. … where a person whose personal data has been or could be transferred to a third country which has been the subject of a Commission decision pursuant to Article 25(6) of Directive 95/46 lodges with a national supervisory authority a claim concerning the protection of his rights and freedoms in regard to the processing of that data and contests, in bringing the claim …, the compatibility of that decision with the protection of the privacy and of the fundamental rights and freedoms of individuals, it is incumbent upon the national supervisory authority to examine the claim with all due diligence.

…

65. In the … situation … where the national supervisory authority considers that the objections advanced by [that person] are well founded, that authority must, in accordance with the third indent of the first subparagraph of Article 28(3) of Directive 95/46, read in the light in particular of Article 8(3) of the Charter, be able to engage in legal proceedings. It is incumbent upon the national legislature to provide for legal remedies enabling the national supervisory authority concerned to put forward the objections which it considers well founded before the national courts in order for them, if they share its doubts as to the validity of the Commission decision, to make a reference for a preliminary ruling for the purpose of examination of the decision’s validity.’

44.The Court also examined in that judgment the validity of the ‘safe harbour’ decision by reference to the requirements arising under Directive 95/46, read in the light of the Charter. After doing so, it declared that decision invalid. (13)

45.Following the judgment in Schrems, the referring court annulled the decision whereby the DPC had rejected Mr Schrems’ complaint and referred that decision back to the DPC for assessment. The DPC opened an investigation and requested Mr Schrems to reformulate his complaint having regard to the declaration that the ‘safe harbour’ decision was invalid.

46.To that end, Mr Schrems asked Facebook Ireland to identify the legal bases for the transfer of personal data of users of the Facebook social network from the European Union to the United States. Facebook Ireland, without identifying all the legal bases on which it relies, referred to a data transfer processing agreement between it and Facebook Inc., which had been applicable since 20 November 2015, and relied on Decision 2010/87.

47.In his reformulated complaint, Mr Schrems claims, first, that the clauses in that agreement are not consistent with the standard contractual clauses in the annex to Decision 2010/87. Second, Mr Schrems asserts that those standard contractual clauses could not in any event justify the transfer of the personal data relating to him to the United States. That is so because under United States law Facebook Inc. is required make the personal data of its users available to United States authorities, such as the NSA and the Federal Bureau of Investigation (FBI), in the context of surveillance programmes that impede the exercise of the rights guaranteed in Articles 7, 8 and 47 of the Charter. Mr Schrems claims that there is no remedy that would allow the data subjects to rely on their rights to respect for private life and to protection of personal data. In those circumstances, Mr Schrems asks the DPC to suspend the transfer of such data in application of Article 4 of Decision 2010/87.

48.Facebook Ireland recognised, in the context of the DPC’s investigation, that it continues to transfer the personal data of the users of the social network Facebook, who reside in the Union, to the United States and that in doing so it relies largely on the standard contractual clauses in the annex to Decision 2010/87.

49.The DPC’s investigation sought to determine, first, whether the United States ensures adequate protection of the personal data of citizens of the Union and, second, whether the SCC decisions offer sufficient safeguards as regards the protection of those citizens’ fundamental rights and freedoms.

50.In that regard, in a draft decision, the DPC considered provisionally that United States law does not offer effective remedies in accordance with Article 47 of the Charter to citizens of the Union whose data are transferred to the United States, where they are liable to be processed by the United States agencies for national security purposes in a way that is incompatible with Articles 7 and 8 of the Charter. The safeguards provided for in the clauses in the annex to the SCC decisions do not make up for that deficiency, since they are not binding on the United States authorities or agencies and they confer on the data subjects only contractual rights against the data exporter and/or importer.

51.In those circumstances, the DPC considered that it was impossible to adjudicate on Mr Schrems’ complaint unless the Court examined the validity of the SCC decisions. In accordance with paragraph 65 of the judgment in Schrems, the DPC therefore brought proceedings before the referring court so that, if it shared the DPC’s doubts, it would make a reference to the Court for a preliminary ruling on the validity of those decisions.

52.The United States Government, the Electronic Privacy Information Centre (EPIC), the Business Software Alliance (BSA) and Digitaleurope were granted leave to intervene before the referring court.

53.In order to determine whether it shares the doubts expressed by the DPC as to the validity of the SCC decisions, the High Court took evidence from the parties to the dispute and heard argument from them and from the interveners. In particular, evidence relating to the provisions of United States law was submitted by experts. In Irish law, foreign law is considered to be a point of fact to be established by evidence like any other fact. On the basis of that evidence, the referring court assessed the provisions of United States law that authorise surveillance by the Government authorities and agencies, the operation of two publicly recognised surveillance programmes (‘PRISM’ and ‘Upstream’), the various remedies available for individuals whose rights have been violated by surveillance measures and the systematic safeguards and supervisory mechanisms. The High Court set out the results of that assessment in a judgment of 3 October 2017 annexed to its order for reference (‘the judgment of the High Court of 3 October 2017’).

54.In that judgment, the referring court cited, among the legal bases authorising the interception of foreign communications by the United States intelligence services, section 702 of the Foreign Intelligence Surveillance Act (FISA) and Executive Order 12333 (‘EO 12333’).

55.According to the findings made in that judgment, section 702 of the FISA allows the United States Attorney General and the United States Director of National Intelligence (DNI) to authorise jointly, for a period of one year, in order to obtain foreign intelligence information, the surveillance of individuals who are not United States citizens and are not permanently resident in the United States (known as ‘non-United States persons’) who are reasonably believed to be located outside the United States. (14) In the words of the FISA, ‘foreign intelligence information’ means information that relates to the ability of the Government to protect against foreign attacks, terrorism, the proliferation of weapons of mass destruction and the conduct of the foreign affairs of the United States. (15)

56.Those annual authorisations, like the procedures governing the targeting of persons to be surveilled and the processing (‘minimisation’) of the information gathered, (16) must be approved by the United States Foreign Intelligence Surveillance Court (FISC). While the ‘traditional’ surveillance carried out on the basis of other provisions of the FISA requires that ‘probable cause’ giving rise to suspicion that the persons surveilled belong to or are the agents of a foreign power be shown, the surveillance activities carried out under section 702 of the FISA do not depend either on such ‘probable cause’ being shown or on the targeting of specific persons being approved by the FISC. In addition, still according to the findings of the referring court, the minimisation procedures do not apply to non-United States persons located outside the United States.

57.In practice, when authorisation has been granted by the FISC, the NSA sends to electronic communications services providers established in the United States orders containing search criteria, called ‘selectors’, associated with the targeted persons (such as telephone numbers or email addresses). Those providers are then required to supply the data corresponding to the selectors to the NSA and must keep secret the orders issued to them. They may make application to the FISC to modify or set aside a directive issued by the NSA. The decision of the FISC may be the subject of an appeal to the Foreign Intelligence Surveillance Court of Review (FISCR).

58.The High Court found that section 702 of the FISA serves as the legal basis for the PRISM and Upstream programmes.

59.In the context of the PRISM programme, the electronic communications services providers are required to submit to the NSA all communications ‘from’ or ‘to’ the selector communicated by the NSA. Some of those communications are sent to the FBI and the United States Central Intelligence Agency (CIA). In 2015, 94386 persons were surveilled and in 2011 the United States Government obtained more than 250 million communications in the context of that programme.

60.The Upstream programme is based on the compelled assistance of undertakings operating the ‘backbone’ — namely the network of cables, switches and routers — over which telephonic communications and internet communications transit. Those undertakings are required to allow the NSA to copy and filter internet traffic flows in order to acquire communications ‘from’, to’ or ‘about’ a selector mentioned in a directive from that agency. Communications ‘about’ a selector designate the communications which refer to that selector, without the non-United States person associated with that selector necessarily being a participant in that communication. Although it follows from an opinion of the FISC of 26 April 2017 that since that date the United States Government has no longer collected or acquired communications ‘about’ a selector, that opinion does not indicate that the NSA has stopped copying and searching communications flows as they pass through its surveillance equipment. The Upstream programme thus entails access by the NSA to both the metadata and the content of the communications. Since 2011 the NSA has received around 26.5 million communications per annum in the context of the Upstream programme, which, however, represents only a small portion of the communications subject to the filtering process carried out on the basis of that programme.

Furthermore, according to the findings of the High Court, EO 12333 authorises the surveillance of electronic communications outside the United States by permitting access, for foreign intelligence purposes, to data either ‘in transit’ to the United States or ‘transiting’ through the United States but not intended to be processed there, and also the collection and retention of those data. EO 12333 defines ‘foreign intelligence’ as including information relating to the capabilities, intentions and activities of foreign powers, organisations or persons. (17)

62.EO 12333 authorises the NSA to access the underwater cables on the floor of the Atlantic Ocean by means of which data are transferred from the EU to the United States before they arrive in the United States and are thus subject to the provisions of the FISA. However, there is no evidence of any programme having been implemented pursuant to that presidential order.

63.Although EO 12333 sets limits on the collection, retention and dissemination of information, those limits do not apply to non-United States persons. The latter benefit solely from the guarantees set out in Presidential Policy Directive 28 (‘PPD 28’), which applies to all activities involving the collection and use of foreign intelligence signals information. PPD 28 provides that respect for privacy is an integral part of the considerations to be taken into account in the planning of those activities, that the collection must be aimed solely at the acquisition of foreign intelligence information and counter-intelligence and that the activities must be ‘as tailored as feasible’.

64.According to the referring court, the NSA’s activities based on EO 12333, which may be amended or revoked at any time by the President of the United States, are not governed by statute, are not subject to judicial oversight and are not justiciable.

65.On the basis of those findings, the referring court considers that the United States carries out mass and indiscriminate processing of personal data that might expose the data subjects to a risk of a violation of the rights which they derive from Articles 7 and 8 of the Charter.

66.In addition, the referring court indicates that EU citizens do not have access to the same remedies against the unlawful processing of their personal data by the United States authorities as United States nationals. The Fourth Amendment to the Constitution of the United States, which constitutes the most important protection against unlawful surveillance, is inapplicable to EU citizens who do not have a significant voluntary connection with the United States. While they do have certain other remedies, those remedies encounter substantial obstacles.

67.In particular, under Article III of the United States Constitution any action before the Federal Courts is subject to the person concerned showing that he has ‘standing’. Standing assumes, in particular, that that person concerned shows that he has suffered an injury in fact, which is (a) concrete and particularised and (b) actual or imminent. Referring, inter alia, to the judgment of the Supreme Court of the United States in Schrems, (18) the referring court considers that that condition is in practice very difficult to satisfy, in view, in particular, of the absence of any obligation to inform the data subjects of the surveillance measures taken against them. (19) A part of the actions available to EU citizens is, moreover, subject to compliance with other restrictive conditions, such as the need to establish pecuniary loss. The sovereign immunity conferred on the intelligence agencies and the classification of the information concerned also constitute an obstacle to the exercise of certain remedies. (20)

68.The High Court also mentions various review and oversight mechanisms applicable to the activities of the intelligence agencies.

69.These include, first, the mechanism of annual certification by the FISC of the programmes based on section 702 of the FISA, although the FISC does not approve individual selectors. Nor is there any prior judicial oversight of the collection of foreign intelligence information under EO 12333.

70.Second, the referring court makes reference to numerous non-judicial oversight mechanisms applicable to intelligence activities. It mentions, in particular, the role of the United States Inspectors General, who, within each intelligence agency, are responsible for overseeing intelligence activities. In addition, the United States Privacy and Civil Liberties Oversight Board (PCLOB), an independent agency within the executive, receives reports from designated persons within each agency acting as civil liberties or privacy officers. The PCLOB regularly reports to the congressional committees and the President. The agencies concerned must report incidents of non-compliance with the rules and procedures governing the collection of foreign intelligence information to, among others, the DNI. Those incidents are also reported to the FISC. The United States Congress, through the intelligence committees of the House of Representatives and the Senate, is also responsible for overseeing foreign intelligence activities.

71.However, the High Court emphasises the fundamental difference between, on the one hand, the rules designed to ensure that the data are obtained in accordance with the law and that, once obtained, they are not misused and, on the other hand, the remedies available when those rules are broken. The protection of the fundamental rights of the data subjects can be ensured only if effective remedies enable them to enforce their rights in the event of non-compliance with those rules.

72.In those circumstances, the referring court considers that the arguments put forward by the DPC, according to which the limitations imposed by United States law on the right to a remedy of the persons whose data are transferred from the EU do not respect the essence of the right guaranteed by Article 47 of the Charter and, in any event, constitute disproportionate interferences with the exercise of that right, are well founded.

73.According to the High Court, the introduction by the United States Government of the Ombudsperson Mechanism described in the ‘privacy shield’ decision does not undermine that assessment. After emphasising that that mechanism is available to EU citizens who consider on a reasonable basis that their data have been transferred in accordance with the SCC decisions, (21) the High Court observed that the Ombudsperson is not a tribunal that satisfies the requirements of Article 47 of the Charter and, in particular, is not independent of the executive. (22) It also doubts that the intervention of the Ombudsperson, whose decisions are not amenable to appeal, represents an effective remedy. In fact, that intervention does not enable the persons whose data have been illegally seized, processed or shared to recover damages or obtain an injunction to prevent future wrongdoing, since the Ombudsperson neither confirms nor denies that a person has been subjected to an electronic surveillance measure.

74.Having thus set out its concerns as to the essential equivalence between the safeguards provided by United States law and the requirements arising under Articles 7, 8 and 47 of the Charter, the referring court questioned whether the standard contractual clauses provided for in the SCC decisions — which, by their nature, are not binding on the United States authorities — may nonetheless ensure the protection of the data subjects’ fundamental rights. It concluded that it shared the DPC’s doubts as to the validity of those decisions.

75.In that regard, the referring court considers, in particular, that Article 28(3) of Directive 95/46, to which Article 4 of Decision 2010/87 makes reference, in that it authorises the supervisory authorities to suspend or prohibit the transfer of data on the basis of the standard contractual clauses provided for in that decision, does not suffice to dispel those doubts. Apart from the fact that in its view that power is merely discretionary, the referring court wonders, in the light of recital 11 of Decision 2010/87, whether that power can be exercised when the deficiencies found do not relate to a particular and exceptional case, but are general and systemic. (23) It also considers that the risk that divergent decisions may be made in different Member States might preclude the finding of such shortcomings being entrusted to the supervisory authorities.

76.In those circumstances, the High Court decided, by decision of 4 May 2018, (24) received at the Court on 9 May 2018, to stay proceedings and to refer the following questions to the Court for a preliminary ruling:

(1)‘(1) In circumstances in which personal data is transferred by a private company from a European Union (EU) Member State to a private company in a third country for a commercial purpose pursuant to [Decision 2010/87] and may be further processed in the third country by its authorities for purposes of national security but also for purposes of law enforcement and the conduct of the foreign affairs of the third country, does EU law (including the Charter) apply to the transfer of the data notwithstanding the provisions of Article 4(2) of TEU in relation to national security and the provisions of the first indent of Article 3(2) of [Directive 95/46] in relation to public security, defence and State security?

(2)In determining whether there is a violation of the rights of an individual through the transfer of data from the EU to a third country under [Decision 2010/87] where it may be further processed for national security purposes, is the relevant comparator for the purposes of Directive [95/46]:

(a)the Charter, TEU, TFEU, Directive [95/46], the [European Convention for the Protection of Human Rights and Fundamental Freedoms, signed at Rome on 4 November 1950 (‘the ECHR’)] (or any other provision of EU law); or

(b)the national laws of one or more Member States?

(3)When assessing whether a third country ensures the level of protection required by EU law to personal data transferred to that country for the purposes of Article 26 of Directive [95/46], ought the level of protection in the third country be assessed by reference to:

(a)the rules in the third country resulting from its domestic law or international commitments, and the practice designed to ensure compliance with those rules, to include the professional rules and security measures which are complied with in the third country;

(b)the rules referred to in (a) together with such administrative, regulatory and compliance practices and policy safeguards, procedures, protocols, oversight mechanisms and non-judicial remedies as are in place in the third country?

(4)Given the facts found by the High Court in relation to US law, if personal data is transferred from the EU to the US under [Decision 2010/87] does this violate the rights of individuals under Articles 7 and/or 8 of the Charter?

(5)Given the facts found by the High Court in relation to US law, if personal data is transferred from the EU to the US under [Decision 2010/87]:

(a)does the level of protection afforded by the US respect the essence of an individual’s right to a judicial remedy for breach of his or her data privacy rights guaranteed by Article 47 of the Charter?

If the answer to (a) is yes,

(b)are the limitations imposed by US law on an individual’s right to a judicial remedy in the context of US national security proportionate within the meaning of Article 52 of the Charter and do not exceed what is necessary in a democratic society for national security purposes?

(6)What is the level of protection required to be afforded to personal data transferred to a third country pursuant to standard contractual clauses adopted in accordance with a decision of the Commission under Article 26(4) [of Directive 95/46] in light of the provisions of [that Directive] and in particular Articles 25 and 26 read in the light of the Charter?

(a)What are the matters to be taken into account in assessing whether the level of protection afforded to data transferred to a third country under [Decision 2010/87] satisfies the requirements of [Directive 95/46] and the Charter?

(7)Does the fact that the standard contractual clauses apply as between the data exporter and the data importer and do not bind the national authorities of a third country who may require the data importer to make available to its security services for further processing the personal data transferred pursuant to the clauses provided for in [Decision 2010/87] preclude the clauses from adducing adequate safeguards as envisaged by Article 26(2) of [Directive 95/46]?

(8)If a third country data importer is subject to surveillance laws that in the view of a [supervisory authority] conflict with [the standard contractual clauses] or Article 25 and 26 of Directive [95/46] and/or the Charter, is a data protection authority required to use its enforcement powers under Article 28(3) of the Directive to suspend data flows or is the exercise of those powers limited to exceptional cases only, in light of recital 11 of [Decision 2010/87], or can a [supervisory authority] use its discretion not to suspend data flows?

(9)For the purposes of Article 25(6) of [Directive 95/46], does [the “privacy shield” decision] constitute a finding of general application binding on [the supervisory authorities] and the courts of the Member States to the effect that the US ensures an adequate level of protection within the meaning of Article 25(2) of [Directive 95/46] by reason of its domestic law or the international commitments it has entered into?

(b)If it does not, what relevance, if any, does the “privacy shield” decision have in the assessment conducted into the adequacy of the safeguards provided to data transferred to the United States which is transferred pursuant to [Decision 2010/87]?

(b)If it does not, what relevance, if any, does the “privacy shield” decision have in the assessment conducted into the adequacy of the safeguards provided to data transferred to the United States which is transferred pursuant to [Decision 2010/87]?

(10)Given the findings of the High Court in relation to US law, does the provision of the “privacy shield” Ombudsperson under Annex III A to the “privacy shield” decision when taken in conjunction with the existing regime in the United States ensure that the US provides a remedy to data subjects whose personal data is transferred to the US under [Decision 2010/87] that is compatible with Article 47 of the Charter?

(10)Given the findings of the High Court in relation to US law, does the provision of the “privacy shield” Ombudsperson under Annex III A to the “privacy shield” decision when taken in conjunction with the existing regime in the United States ensure that the US provides a remedy to data subjects whose personal data is transferred to the US under [Decision 2010/87] that is compatible with Article 47 of the Charter?

(11)Does [Decision 2010/87] violate Articles 7, 8 and/or 47 of the Charter?’

(11)Does [Decision 2010/87] violate Articles 7, 8 and/or 47 of the Charter?

The DPC, Facebook Ireland, Mr Schrems, the United States Government, the EPIC, the BSA, Digitaleurope, Ireland, the Belgian, Czech, German, Netherlands, Austrian, Polish, Portuguese and United Kingdom Governments, the European Parliament and the Commission lodged written observations before the Court. The DPC, Facebook Ireland, Mr Schrems, the United States Government, the EPIC, the BSA, Digitaleurope, Ireland, the German, French, Netherlands, Austrian and United Kingdom Governments, the Parliament, the Commission and the European Data Protection Board (EPDB) were represented at the hearing on 9 July 2019.

77.The DPC, Facebook Ireland, Mr Schrems, the United States Government, the EPIC, the BSA, Digitaleurope, Ireland, the Belgian, Czech, German, Netherlands, Austrian, Polish, Portuguese and United Kingdom Governments, the European Parliament and the Commission lodged written observations before the Court. The DPC, Facebook Ireland, Mr Schrems, the United States Government, the EPIC, the BSA, Digitaleurope, Ireland, the German, French, Netherlands, Austrian and United Kingdom Governments, the Parliament, the Commission and the European Data Protection Board (EPDB) were represented at the hearing on 9 July 2019.

Following the declaration by the Court in the judgment in Schrems that the ‘safe harbour’ decision was invalid, transfers of personal data to the United States have continued on the basis of other legal provisions. In particular, data-exporting companies have been able to make use of contracts with data importers, incorporating standard clauses drawn up by the Commission. Those clauses also serve as the legal basis for transfers to a multitude of other third countries in respect of which the Commission has not adopted an adequacy decision. (25) The ‘privacy shield’ decision now allows undertakings which have self-certified their adherence to the principles set out in that decision to transfer personal data to the United States without further formalities.

78.Following the declaration by the Court in the judgment in Schrems that the ‘safe harbour’ decision was invalid, transfers of personal data to the United States have continued on the basis of other legal provisions. In particular, data-exporting companies have been able to make use of contracts with data importers, incorporating standard clauses drawn up by the Commission. Those clauses also serve as the legal basis for transfers to a multitude of other third countries in respect of which the Commission has not adopted an adequacy decision. (25) The ‘privacy shield’ decision now allows undertakings which have self-certified their adherence to the principles set out in that decision to transfer personal data to the United States without further formalities.

79.As the order for reference expressly states, and as the BSA, Digitaleurope, Ireland, the Austrian and French Governments, the Parliament and the Commission have emphasised, the sole issue in the proceedings before the High Court is whether the decision whereby the Commission established the standard contractual clauses relied on in support of the transfers to which Mr Schrems’ complaint relates, namely Decision 2010/87, (26) is valid.

(79)As the order for reference expressly states, and as the BSA, Digitaleurope, Ireland, the Austrian and French Governments, the Parliament and the Commission have emphasised, the sole issue in the proceedings before the High Court is whether the decision whereby the Commission established the standard contractual clauses relied on in support of the transfers to which Mr Schrems’ complaint relates, namely Decision 2010/87, (26) is valid.

80.The dispute has its origin in an application whereby the DPC requested the referring court to refer to the Court a question for a preliminary ruling on the validity of Decision 2010/87. According to the referring court, the dispute in the main proceedings therefore concerns the exercise of the remedy which the Court enjoined the Member States to provide for in paragraph 65 of the judgment in Schrems.

(80)The dispute has its origin in an application whereby the DPC requested the referring court to refer to the Court a question for a preliminary ruling on the validity of Decision 2010/87. According to the referring court, the dispute in the main proceedings therefore concerns the exercise of the remedy which the Court enjoined the Member States to provide for in paragraph 65 of the judgment in Schrems.

(81)It will be recalled that the Court held, in paragraph 63 of that judgment, that a supervisory authority is required to deal with all due diligence with a complaint in which a person whose personal data have been or could be transferred to a third country which has been the subject of an adequacy decision disputes the compatibility of that decision with the fundamental rights enshrined in the Charter. In the words of paragraph 65 of that judgment, where the supervisory authority considers that the objections advanced in that complaint are well founded, it must, in accordance with the third indent of the first subparagraph of Article 28(3) of Directive 95/46 (to which Article 58(5) of the GDPR corresponds), read in the light of Article 8(3) of the Charter, be able to engage in legal proceedings. In that regard, it is incumbent upon the national legislature to provide for legal remedies enabling the person concerned to put forward those objections before the national courts in order for them, if they share the supervisory authority’s doubts, to make a reference for a preliminary ruling on the validity of the decision at issue.

81.It will be recalled that the Court held, in paragraph 63 of that judgment, that a supervisory authority is required to deal with all due diligence with a complaint in which a person whose personal data have been or could be transferred to a third country which has been the subject of an adequacy decision disputes the compatibility of that decision with the fundamental rights enshrined in the Charter. In the words of paragraph 65 of that judgment, where the supervisory authority considers that the objections advanced in that complaint are well founded, it must, in accordance with the third indent of the first subparagraph of Article 28(3) of Directive 95/46 (to which Article 58(5) of the GDPR corresponds), read in the light of Article 8(3) of the Charter, be able to engage in legal proceedings. In that regard, it is incumbent upon the national legislature to provide for legal remedies enabling the person concerned to put forward those objections before the national courts in order for them, if they share the supervisory authority’s doubts, to make a reference for a preliminary ruling on the validity of the decision at issue.

(82)Like the referring court, I consider that those findings apply by analogy when a supervisory authority, when assessing a complaint brought before it, doubts the validity not of an adequacy decision but of a decision, such as Decision 2010/87, setting out standard contractual clauses for the transfer of personal data to third countries. Contrary to the view put forward by the German government, it is not determinative that those doubts are raised by the complainant in arguments before the supervisory authority or that that authority questions, of its own motion, the validity of the decision at issue. In fact, the requirements arising under Article 58(5) of the GDPR and Article 8(3) of the Charter, on which the Court’s reasoning is based, apply irrespective of the legal basis of the transfer referred to in the complaint lodged with the supervisory authority and of the reasons leading that authority to question the validity of the decision at issue in the context of the adjudication of that compliant.

82.Like the referring court, I consider that those findings apply by analogy when a supervisory authority, when assessing a complaint brought before it, doubts the validity not of an adequacy decision but of a decision, such as Decision 2010/87, setting out standard contractual clauses for the transfer of personal data to third countries. Contrary to the view put forward by the German government, it is not determinative that those doubts are raised by the complainant in arguments before the supervisory authority or that that authority questions, of its own motion, the validity of the decision at issue. In fact, the requirements arising under Article 58(5) of the GDPR and Article 8(3) of the Charter, on which the Court’s reasoning is based, apply irrespective of the legal basis of the transfer referred to in the complaint lodged with the supervisory authority and of the reasons leading that authority to question the validity of the decision at issue in the context of the adjudication of that compliant.

83.That being said, the reason why the DPC asked the referring court to question the Court about the validity of Decision 2010/87 was because she considers that clarification by the Court on that point seems to be necessary in order for her to adjudicate on the complaint whereby Mr Schrems requests her to exercise her power, under the second indent of Article 28(3) of Directive 95/46 — and now conferred by Article 58(2)(f) of the GDPR — to suspend the transfer of the personal data relating to him by Facebook Ireland to Facebook Inc.

(83)That being said, the reason why the DPC asked the referring court to question the Court about the validity of Decision 2010/87 was because she considers that clarification by the Court on that point seems to be necessary in order for her to adjudicate on the complaint whereby Mr Schrems requests her to exercise her power, under the second indent of Article 28(3) of Directive 95/46 — and now conferred by Article 58(2)(f) of the GDPR — to suspend the transfer of the personal data relating to him by Facebook Ireland to Facebook Inc.

84.Thus, while the dispute in the main proceedings relates solely to the validity in abstracto of Decision 2010/87, the underlying procedure pending before the DPC relates to the exercise by her of her power to adopt corrective measures in a specific case. I shall propose that the Court confine itself to examining the questions before it to the extent necessary to adjudicate on the validity of Decision 2010/87, since such an examination will suffice to put the referring court in a position to settle the dispute pending before it. (27)

(84)Thus, while the dispute in the main proceedings relates solely to the validity in abstracto of Decision 2010/87, the underlying procedure pending before the DPC relates to the exercise by her of her power to adopt corrective measures in a specific case. I shall propose that the Court confine itself to examining the questions before it to the extent necessary to adjudicate on the validity of Decision 2010/87, since such an examination will suffice to put the referring court in a position to settle the dispute pending before it. (27)

(85)Before I assess the validity of that decision, it is appropriate to dismiss certain objections raised against the admissibility of the request for a preliminary ruling.

85.Before I assess the validity of that decision, it is appropriate to dismiss certain objections raised against the admissibility of the request for a preliminary ruling.

86.The admissibility of the request for a preliminary ruling has been contested for various reasons relating, essentially, to the non-applicability ratione temporis of Directive 95/46 referred to in the questions (section 1), to the fact that the procedure before the DPC has not reached a sufficiently advanced stage to justify the utility of such a request (section 2) and to the existence of uncertainties with regard to the factual background described by the referring court (section 3).

(86)The admissibility of the request for a preliminary ruling has been contested for various reasons relating, essentially, to the non-applicability ratione temporis of Directive 95/46 referred to in the questions (section 1), to the fact that the procedure before the DPC has not reached a sufficiently advanced stage to justify the utility of such a request (section 2) and to the existence of uncertainties with regard to the factual background described by the referring court (section 3).

87.I shall address those pleas of inadmissibility while bearing in mind the presumption of relevance enjoyed by questions referred to the Court under Article 267 TFEU. According to a consistent line of decisions, the Court may refuse to rule on a question referred for a preliminary ruling only where it is quite obvious that the interpretation of EU law that is sought bears no relation to the actual facts of the main action or its purpose, where the problem is hypothetical or where the Court does not have before it the factual or legal material necessary to give a useful answer to the questions submitted to it. (28)

(87)I shall address those pleas of inadmissibility while bearing in mind the presumption of relevance enjoyed by questions referred to the Court under Article 267 TFEU. According to a consistent line of decisions, the Court may refuse to rule on a question referred for a preliminary ruling only where it is quite obvious that the interpretation of EU law that is sought bears no relation to the actual facts of the main action or its purpose, where the problem is hypothetical or where the Court does not have before it the factual or legal material necessary to give a useful answer to the questions submitted to it. (28)

(88)Facebook Ireland submits that the questions for a preliminary ruling are inadmissible on the ground that they refer to Directive 95/46, when that directive was repealed and replaced by the GDPR with effect from 25 May 2018. (29)

88.Facebook Ireland submits that the questions for a preliminary ruling are inadmissible on the ground that they refer to Directive 95/46, when that directive was repealed and replaced by the GDPR with effect from 25 May 2018. (29)

89.I share the view that the validity of Decision 2010/87 must be examined by reference to the provisions of the GDPR.

(89)I share the view that the validity of Decision 2010/87 must be examined by reference to the provisions of the GDPR.

(90)In accordance with Article 94(2) of that regulation, ‘references to the repealed Directive shall be construed as references to [that regulation]’. It follows, in my view, that Decision 2010/87, in that it mentions as a legal basis Article 26(4) of Directive 95/46, must be understood as referring to Article 46(2)(c) of the GDPR, which essentially reproduces the content of the former provision. (30) Consequently, the implementing decisions adopted by the Commission on the basis of Article 26(4) of Directive 95/46, before the entry into force of the GDPR, must be interpreted in the light of that regulation. It is also by reference to that regulation that their validity must, where necessary, be evaluated.

90.In accordance with Article 94(2) of that regulation, ‘references to the repealed Directive shall be construed as references to [that regulation]’. It follows, in my view, that Decision 2010/87, in that it mentions as a legal basis Article 26(4) of Directive 95/46, must be understood as referring to Article 46(2)(c) of the GDPR, which essentially reproduces the content of the former provision. (30) Consequently, the implementing decisions adopted by the Commission on the basis of Article 26(4) of Directive 95/46, before the entry into force of the GDPR, must be interpreted in the light of that regulation. It is also by reference to that regulation that their validity must, where necessary, be evaluated.

91.That conclusion is not affected by the case-law according to which the legality of an EU measure must be assessed on the basis of the facts and the law as they stood at the time when the measure was adopted. That case-law relates to the examination of the validity of an EU measure in the light of the relevant factual circumstances at the time of its adoption (31) or the procedural rules governing its adoption. (32) Conversely, the Court has repeatedly examined the validity of acts of secondary law against higher-ranking substantive norms that have come into force after the adoption of those acts. (33)

(91)That conclusion is not affected by the case-law according to which the legality of an EU measure must be assessed on the basis of the facts and the law as they stood at the time when the measure was adopted. That case-law relates to the examination of the validity of an EU measure in the light of the relevant factual circumstances at the time of its adoption (31) or the procedural rules governing its adoption. (32) Conversely, the Court has repeatedly examined the validity of acts of secondary law against higher-ranking substantive norms that have come into force after the adoption of those acts. (33)

92.However, while the designation, in the wording of the questions for a preliminary ruling, of a measure which is no longer applicable ratione temporis justifies the reformulation of those questions, it cannot render them inadmissible. (34) As the DPC and Mr Schrems have claimed, the references to Directive 95/46 in the wording of the questions for a preliminary ruling may, moreover, be explained by the procedural calendar of the present case, as the questions were referred to the Court before the GDPR entered into force.

(92)However, while the designation, in the wording of the questions for a preliminary ruling, of a measure which is no longer applicable ratione temporis justifies the reformulation of those questions, it cannot render them inadmissible. (34) As the DPC and Mr Schrems have claimed, the references to Directive 95/46 in the wording of the questions for a preliminary ruling may, moreover, be explained by the procedural calendar of the present case, as the questions were referred to the Court before the GDPR entered into force.

(93)In any event, the provisions of the GDPR that will be addressed for the purposes of the analysis of the questions for a preliminary ruling — namely, in particular, Articles 45, 46 and 58 — essentially reproduce, while developing it and introducing certain nuances, the content of Articles 25, 26 and 28 of Directive 95/46. As regards their relevance for the purposes of adjudicating on the validity of Decision 2010/87, I see no reason to attribute to those provisions of the GDPR a scope different from that of the corresponding provisions of Directive 95/46. (35)

93.In any event, the provisions of the GDPR that will be addressed for the purposes of the analysis of the questions for a preliminary ruling — namely, in particular, Articles 45, 46 and 58 — essentially reproduce, while developing it and introducing certain nuances, the content of Articles 25, 26 and 28 of Directive 95/46. As regards their relevance for the purposes of adjudicating on the validity of Decision 2010/87, I see no reason to attribute to those provisions of the GDPR a scope different from that of the corresponding provisions of Directive 95/46. (35)

(94)In the German Government’s submission, the request for a preliminary ruling is inadmissible on the ground that the remedy referred to in paragraph 65 of the judgment in Schrems assumes that the supervisory authority has formed a definitive opinion as to the merits of the complaints put forward by the applicant against the validity of the decision at issue. That, it submits, is not the case here, since the DPC expressed her doubts as to the validity of Decision 2010/87 which, moreover, Mr Schrems does not contest in a draft decision, delivered provisionally without prejudice to further observations being lodged by Facebook Ireland and Mr Schrems.

94.In the German Government’s submission, the request for a preliminary ruling is inadmissible on the ground that the remedy referred to in paragraph 65 of the judgment in Schrems assumes that the supervisory authority has formed a definitive opinion as to the merits of the complaints put forward by the applicant against the validity of the decision at issue. That, it submits, is not the case here, since the DPC expressed her doubts as to the validity of Decision 2010/87 which, moreover, Mr Schrems does not contest in a draft decision, delivered provisionally without prejudice to further observations being lodged by Facebook Ireland and Mr Schrems.

(95)To my mind, the provisional nature of the doubts expressed by the DPC has no impact on the admissibility of the reference for a preliminary ruling. The criteria as to the admissibility of a question for a preliminary ruling must be assessed by reference to the subject matter of the dispute as defined by the referring court. (36) It is common ground that that dispute concerns the validity of Decision 2010/87. According to the order for reference and the judgment annexed thereto, the referring court considered that the doubts expressed by the DPC — irrespective of whether they were provisional or definitive — are well founded and therefore asked the Court to rule on the validity of that decision. In those circumstances, the light that the Court will shed on that subject is undoubtedly relevant for the purpose of enabling the referring court to resolve the dispute before it.

95.To my mind, the provisional nature of the doubts expressed by the DPC has no impact on the admissibility of the reference for a preliminary ruling. The criteria as to the admissibility of a question for a preliminary ruling must be assessed by reference to the subject matter of the dispute as defined by the referring court. (36) It is common ground that that dispute concerns the validity of Decision 2010/87. According to the order for reference and the judgment annexed thereto, the referring court considered that the doubts expressed by the DPC — irrespective of whether they were provisional or definitive — are well founded and therefore asked the Court to rule on the validity of that decision. In those circumstances, the light that the Court will shed on that subject is undoubtedly relevant for the purpose of enabling the referring court to resolve the dispute before it.

96.The United Kingdom Government submits that the factual background described by the referring court reveals a number of deficiencies that compromise the admissibility of the questions referred for a preliminary ruling. It maintains that the referring court has not made clear whether the personal data relating to Mr Schrems were actually transferred to the United States or, if they were, whether they were collected by the United States authorities. Nor was the legal basis for those transfers identified with certainty, as the order for reference merely mentions that the data of European users of the social network Facebook are transferred ‘in large part’ on the basis of the standard contractual clauses provided for in Decision 2010/87. It has not in any event been established that the contract between Facebook Ireland and Facebook Inc., relied on in support of the transfer at issue, faithfully incorporates those clauses. The German Government also disputes the admissibility of the reference for a preliminary ruling on the ground that the referring court did not examine whether Mr Schrems undoubtedly consented to the transfers in question, in which case they were validly based on Article 26(1) of Directive 95/46 (the content of which is essentially reproduced in Article 49(1)(a) of the GDPR).

(96)The United Kingdom Government submits that the factual background described by the referring court reveals a number of deficiencies that compromise the admissibility of the questions referred for a preliminary ruling. It maintains that the referring court has not made clear whether the personal data relating to Mr Schrems were actually transferred to the United States or, if they were, whether they were collected by the United States authorities. Nor was the legal basis for those transfers identified with certainty, as the order for reference merely mentions that the data of European users of the social network Facebook are transferred ‘in large part’ on the basis of the standard contractual clauses provided for in Decision 2010/87. It has not in any event been established that the contract between Facebook Ireland and Facebook Inc., relied on in support of the transfer at issue, faithfully incorporates those clauses. The German Government also disputes the admissibility of the reference for a preliminary ruling on the ground that the referring court did not examine whether Mr Schrems undoubtedly consented to the transfers in question, in which case they were validly based on Article 26(1) of Directive 95/46 (the content of which is essentially reproduced in Article 49(1)(a) of the GDPR).

(97)Those arguments do not call into question the relevance of the reference for a preliminary ruling in the light of the object of the dispute in the main proceedings. Since that dispute has its source in the exercise by the DPC of the remedy provided for in paragraph 65 of the judgment in Schrems, its very object consists in having the national court make a reference to the Court for a preliminary ruling on the validity of Decision 2010/87. The German and United Kingdom Governments are disputing, in reality, the need for the questions for a preliminary ruling not for the purpose of determining whether that decision is valid, but rather for the purpose of putting the DPC in a position to give an actual ruling on Mr Schrems’ complaint.

97.Those arguments do not call into question the relevance of the reference for a preliminary ruling in the light of the object of the dispute in the main proceedings. Since that dispute has its source in the exercise by the DPC of the remedy provided for in paragraph 65 of the judgment in Schrems, its very object consists in having the national court make a reference to the Court for a preliminary ruling on the validity of Decision 2010/87. The German and United Kingdom Governments are disputing, in reality, the need for the questions for a preliminary ruling not for the purpose of determining whether that decision is valid, but rather for the purpose of putting the DPC in a position to give an actual ruling on Mr Schrems’ complaint.

98.In any event, even from the perspective of that procedure underlying the dispute in the main proceedings, the questions for a preliminary ruling on the validity of Decision 2010/87 do not seem irrelevant to me. In fact, the referring court has established that Facebook Ireland has continued to transfer its users’ data to the United States after the ‘safe harbour’ decision was declared invalid and that those transfers are based, at least in part, on Decision 2010/87. Furthermore, while it may be advantageous for all the relevant facts to be established before it exercises its jurisdiction under Article 267 TFEU, it is for the referring court alone to determine at what stage of the proceedings it needs a preliminary ruling from the Court. (37)

(98)In any event, even from the perspective of that procedure underlying the dispute in the main proceedings, the questions for a preliminary ruling on the validity of Decision 2010/87 do not seem irrelevant to me. In fact, the referring court has established that Facebook Ireland has continued to transfer its users’ data to the United States after the ‘safe harbour’ decision was declared invalid and that those transfers are based, at least in part, on Decision 2010/87. Furthermore, while it may be advantageous for all the relevant facts to be established before it exercises its jurisdiction under Article 267 TFEU, it is for the referring court alone to determine at what stage of the proceedings it needs a preliminary ruling from the Court. (37)

99.In the light of all of the foregoing, I consider that the request for a preliminary ruling is admissible.

100.By its first question, the referring court seeks to ascertain whether EU law applies to a transfer of personal data by a company in a Member State to a company established in a third country for commercial reasons when, after the transfer has been initiated, the data may be processed by the public authorities of that third country for purposes that include the protection of national security.

101.The significance of that question for the outcome of the dispute in the main proceedings lies in the fact that, if such a transfer fell outside the scope of EU law, all the objections raised against the validity of Decision 2010/87 in the present case would be rendered baseless.

102.As the referring court has observed, the processing of personal data for the purpose of public security was excluded from the scope of Directive 95/46 by Article 3(2) of that directive. Article 2(2) of the GDPR now makes clear that that regulation is not to apply to, inter alia, the processing of personal data in the course of an activity which falls outside the scope of EU law or by the competent authorities for the purposes of the protection of public security. Those provisions reflect the fact that Article 4(2) TEU recognises that competence in matters of the protection of national security is reserved to Member States.

103.The DPC, Mr Schrems, Ireland, the German, Austrian, Belgian, Czech, Netherlands, Polish and Portuguese Governments, and likewise the Parliament and the Commission, claim that transfers such as those referred to in Mr Schrems’ complaint are not covered by those provisions and therefore come within the scope of EU law. Facebook Ireland defends the opposite argument. I support the viewpoint of the first-mentioned parties.

104.In that regard, it must be emphasised that the transfer of personal data from a Member State to a third country constitutes, as such, ‘processing’ within the meaning of Article 4(2) of the GDPR, carried out on the territory of a Member State. The first question is specifically intended to determine whether EU law applies to the processing consisting in the transfer itself. That question does not concern the applicability of EU law to any subsequent processing by the United States authorities for national security purposes of the data transferred to the United States, which is excluded from the scope ratione territoriae of the GDPR.

105.From that aspect, the only factor that must be taken into consideration, for the purposes of determining whether EU law applies to the data transfer at issue, is the activity of which that transfer forms part, while the purpose of any further processing that the transferred data will undergo by the public authorities in the third country of destination is irrelevant.

106.It is apparent from the order for reference that the transfer referred to in Mr Schrems’ complaint is part of a commercial activity. Nor does that transfer have the purpose of allowing the data in question to be processed subsequently by the United States intelligence services for national security purposes.

107.Moreover, the approach proposed by Facebook Ireland would render the provisions of the GDPR relating to transfers to third countries devoid of purpose, since it can never be precluded that data transferred in the course of a commercial activity will be processed for national security purposes after being transferred.

108.The interpretation which I recommend finds confirmation in the wording of Article 45(2)(a) of the GDPR. That provision states that, when adopting an adequacy decision, the Commission is to take account of, inter alia, the legislation of the third country concerned relating to national security. It can thus be inferred that the possibility that the data will undergo processing by the authorities of the third country of destination for the purposes of the protection of national security does not render EU law inapplicable to the processing consisting in the transfer of data to that third country.

109.The reasoning and the conclusions adopted by the Court in the judgment in Schrems are also based on that premiss. In particular, in that judgment the Court evaluated the validity of the ‘safe harbour’ decision with regard to Article 25(6) of Directive 95/46 read in light of the Charter in so far as that decision concerned transfers of personal data to the United States where they might be collected and processed for national security protection purposes.

110.Having regard to those considerations, I consider that EU law applies to a transfer of personal data from a Member State to a third country where that transfer forms part of a commercial activity, it being immaterial that the transferred data might undergo, on the part of the public authorities of that third country, processing intended to protect the national security of that country.

111.By the first part of its sixth question, the referring court seeks to ascertain the level of protection of the fundamental rights of data subjects that must be ensured in order for personal data to be able to be transferred to a third country on the basis of the standard contractual clauses provided for in Decision 2010/87.

112.It observes that, in the judgment in Schrems, the Court interpreted Article 25(6) of Directive 95/46 (the content of which is essentially reproduced in Article 45(3) of the GDPR), in that it provided that the Commission can adopt an adequacy decision only after it has ensured that the third country concerned guarantees an adequate level of protection, as supposing that the Commission establish that that country ensures a level of protection of fundamental rights and freedoms that is essentially equivalent to that guaranteed within the European Union by virtue of that directive, read in the light of the Charter.

113.In that context, the first part of the sixth question invites the Court to determine whether the application of standard contractual clauses adopted by the Commission on the basis of Article 26(4) of Directive 95/46 — and now corresponding to standard data protection clauses referred to in Article 46(2)(c) of the GDPR — must permit a level of protection corresponding to the same standard of ‘essential equivalence’ to be attained.

114.In that respect, Article 46(1) of the GDPR provides that the controller or processor may, in the absence of an adequacy decision, transfer personal data to a third country ‘only if the controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available’ (emphasis added). In the words of Article 46(2)(c) of the GDPR, those safeguards may be provided by standard data protection clauses drawn up by the Commission.

115.Like the DPC, Mr Schrems and Ireland, I consider that the ‘appropriate safeguards’ provided by the controller or processor to which Article 46(1) of the GDPR refers must ensure that the rights of the persons whose data are transferred benefit, as in the context of a transfer based on an adequacy decision, from a level of protection essentially equivalent to that which follows from the GDPR, read in the light of the Charter.

116.That conclusion follows from the objective of that provision and from the instrument of which it forms part.

117.Articles 45 and 46 of the GDPR are aimed at ensuring the continuity of the high level of protection of personal data ensured by that regulation when they are transferred outside the European Union. In fact, Article 44 of the GDPR, entitled ‘General principle for transfers’, opens Chapter V, on transfers to third countries, by announcing that all the provisions in that chapter are to be applied in order to ensure that the level of protection guaranteed by the GDPR is not undermined where data are transferred to a third State. That rule is designed to ensure that the standards of protection resulting from EU law are not circumvented by transfers of personal data to a third country for the purpose of being processed there. Having regard to that objective, it is immaterial that the transfer is based on an adequacy decision or on guarantees provided by the controller or processor, in particular by means of contractual clauses. The requirements of protection of fundamental rights guaranteed by the Charter do not differ according to the legal basis for a specific transfer.

118.Conversely, the way in which the continuity of the high level of protection is maintained does differ according to the legal basis of the transfer.

119.On the one hand, the purpose of an adequacy decision is to find that the third country concerned itself ensures a level of protection essentially equivalent to that imposed by EU law. The adoption of an adequacy decision assumes that the Commission first evaluates, for a given third country, the level of protection guaranteed by the law and practices of that third country in the light of the factors set out in Article 45(3) of the GDPR. Personal data may then be transferred to that third country without the controller being required to obtain specific authorisation.

120.On the other hand, as explained in greater detail in the following section, the appropriate safeguards afforded by the controller or processor are intended to ensure a high level of protection where the safeguards available in the third country of destination are inadequate. Thus, although Article 46(1) of the GDPR allows personal data to be transferred to a third country which does not provide an adequate level of protection, it authorises such transfers only when appropriate safeguards are provided by other means. The standard contractual clauses adopted by the Commission represent, in that respect, a general mechanism applicable to transfers irrespective of the third country of destination and the level of protection guaranteed there.

121.By its seventh question, the referring court asks essentially whether Decision 2010/87 is invalid because it is not binding on the authorities of the third States to which the data are transferred on the basis of the standard contractual clauses provided for in the annex to that decision and, in particular, it does not prevent the authorities requiring a data importer to make those data available to them. Thus, by that question the referring court calls into question the actual possibility of ensuring an adequate level of protection of such data by means of exclusively contractual mechanisms. The eleventh question relates, more generally, to the validity of Decision 2010/87 in the light of Articles 7, 8 and 47 of the Charter.

122.The eighth question invites the Court to determine whether a supervisory authority is required to use the powers conferred on it by Article 58(2)(f) and (j) of the GDPR to suspend a transfer to a third country based on the standard contractual clauses provided for in Decision 2010/87 when it considers that the data importer is subject there to obligations that prevent it from honouring those clauses and have the effect that appropriate protection of the transferred data is not guaranteed. In so far as the answer to that question has in my view an impact on the validity of Decision 2010/87, I shall deal with it together with the seventh and eleventh questions.

123.The wording of Article 46(1) of the GDPR, in that it provides that, ‘in the absence of a decision pursuant to Article 45(3), a controller or processor may transfer personal data to a third country … only if the controller or processor has provided appropriate safeguards …’ (emphasis added), underlines the logic behind the contractual mechanisms such as that provided for in Decision 2010/87. As emphasised in recitals 108 and 114 of the GDPR, the purpose of those mechanisms is to allow transfers to third countries in respect of which the Commission has not adopted an adequacy decision, as any inadequacies in the protection afforded in the legal order of that third country is then compensated by safeguards which the data exporter and importer contractually undertake to respect.

124.Since the raison d’être of the contractual safeguards consists specifically in compensating for any deficiencies in the protection afforded by the third country of destination, whatever they may be, the validity of a decision whereby the Commission finds that certain standard clauses adequately compensate for those deficiencies cannot depend on the level of protection guaranteed in each of the individual third countries to which data might be transferred. The validity of such a decision depends only on the soundness of the safeguards which those clauses provide in order to compensate for any inadequacy of the protection afforded in the third country of destination. The effectiveness of those safeguards must be evaluated by taking account also of the safeguards consisting in the powers of the supervisory authorities under Article 58(2) of the GDPR.

125.In that regard, as, in essence, the DPC, Mr Schrems, the BSA, Ireland, the Austrian, French, Polish and Portuguese Governments and the Commission have submitted, the safeguards in the standard contractual clauses may be reduced, or indeed eliminated, when the law of the third country of destination imposes obligations that are contrary to the requirements of those clauses on the importer. Thus, the prevailing legal context in the third country of destination may, depending on the actual circumstances of the transfer, make the obligations set out in those clauses impossible to implement.

126.In those circumstances, as Mr Schrems and the Commission have observed, the contractual mechanism set out in Article 46(2)(c) of the GDPR is based on responsibility being placed on the exporter and, in the alternative, the supervisory authorities. It is on a case-by-case basis, for each specific transfer, that the controller or, failing that, the supervisory authority will examine whether the law of the third country of destination constitutes an obstacle to the implementation of the standard clauses and, therefore, to an adequate protection of the transferred data, so that the transfers must be prohibited or suspended.

In the light of those observations, I consider that the fact that Decision 2010/87 and the standard contractual clauses which it sets out are not binding on the authorities of the third country of destination does not in itself render that decision invalid. The compatibility of Decision 2010/87 with Articles 7, 8 and 47 of the Charter depends, in my view, on whether there are sufficiently sound mechanisms to ensure that transfers based on the standard contractual clauses are suspended or prohibited where those clauses are breached or impossible to honour.

128.By the first part of its sixth question, the referring court seeks to ascertain the level of protection of the fundamental rights of data subjects that must be ensured in order for personal data to be able to be transferred to a third country on the basis of the standard contractual clauses provided for in Decision 2010/87.

In that regard, Article 46(1) of the GDPR provides that a transfer on the basis of appropriate safeguards can take place only ‘on condition that enforceable data subject rights and effective legal remedies for data subjects are available’. It will be necessary to ascertain whether the safeguards provided for in the clauses in the annex to Decision 2010/87, supplemented by the powers of the supervisory authorities, make it possible to ensure that that condition is met. That, in my view, is the position only in so far as there is an obligation — placed on the controllers (section 1) and, where the latter fail to act, on the supervisory authorities (section 2) — to suspend or prohibit a transfer when, because of a conflict between the obligations arising under the standard clauses and those imposed by the law of the third country of destination, those clauses cannot be complied with.

129.In the first place, the contractual clauses set out in the annex to Decision 2010/87 require that, in the event of conflict between the obligations which they lay down and the requirements of the law of the third country of destination, those clauses will not be relied on in support of a transfer to that third country or, if the transfer has already taken place on the basis of those clauses, the exporter will be informed and may suspend that transfer.

130.Thus, under Clause 5(a), the importer undertakes to process the personal data only on behalf of the data exporter and in compliance with its instructions and the standard contractual clauses. If the importer cannot comply with those clauses, it agrees to inform the exporter promptly, in which case the exporter is to be entitled to suspend the transfer and/or to terminate the contract. (49)

131.Footnote 5 relating to Clause 5 states that the standard clauses are not breached where the importer complies with mandatory requirements of the national legislation applicable to it in the third country, provided that those requirements do not go beyond what is necessary in a democratic society in order to protect one of the interests listed in Article 13(1) of Directive 95/46 (the content of which is reproduced, in essence, in Article 23(1) of the GDPR), which include public security and the safeguarding of the State. Conversely, breach of those clauses in order to comply with a contradictory obligation based on the law of the third country of destination which goes beyond what is proportionate to the safeguarding of a legitimate interest recognised by the Union is treated as a breach of those clauses.

132.To my mind, and as Mr Schrems and the Commission have maintained, Clause 5(a) cannot be interpreted as meaning that suspension of the transfer or termination of the contract is merely optional where the importer cannot comply with the standard clauses. Although that clause refers only to a right in that sense for the benefit of the exporter, that wording must be understood by reference to the contractual framework of which it forms part. The fact that the exporter is given a right, in its bilateral relations with the importer, to suspend the transfer or terminate the contract where the importer is unable to honour the standard clauses is without prejudice to the obligation placed on the exporter to do so in the light of the requirements to protect the rights of the persons concerned arising under the GDPR. Any other interpretation would render Decision 2010/87 invalid in that the standard contractual clauses which it sets out would not permit the transfer to be accompanied by ‘appropriate safeguards’ as required by Article 46(1) of the GDPR, read in the light of the provisions of the Charter. (50)

133.In addition, according to Clause 5(b) the importer is to certify that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the exporter and its obligations under the contract. In the event of a change in that legislation that is likely to have a substantial adverse effect on the warranties and obligations provided by the standard clauses, the importer will promptly notify that change to the exporter, in which case the exporter is entitled to suspend the transfer of data and/or terminate the contract. In accordance with Clause 4(g), the exporter must forward the notification received from the importer to the competent supervisory authority if it decides to continue the transfer.

134.I believe it is necessary to make a few points here about the content of the examination which the parties to the contract should carry out in order to determine, in the light of the footnote referring to Clause 5, whether the obligations which the law of the third State imposes on the importer entail a breach of the standard clauses and thus prevent the transfer from being accompanied by appropriate safeguards. That issue has been raised, in essence, in the context of the second part of the sixth question.

Such an examination entails in my view a consideration of all of the circumstances characterising each transfer, which may include the nature of the data and whether they are sensitive, the mechanisms employed by the exporter and/or the importer to ensure its security, (51) the nature and the purpose of the processing by the public authorities of the third country which the data will undergo, the details of such processing and the limitations and safeguards ensured by that third country. The factors characterising the processing activities carried out by the public authorities and the safeguards applicable in the legal order of that third country may, in my view, overlap with those set out in Article 45(2) of the GDPR.

136.In the second place, the standard contractual clauses set out in the annex to Decision 2010/87 establish, in favour of data subjects, enforceable rights and remedies against the exporter and, in the alternative, against the importer.

137.Thus, Clause 3, entitled ‘Third-party beneficiary’, provides, in paragraph 1, for a remedy by the data subject against the exporter in the event of a breach of, in particular, Clause 5(a) or (b). In accordance with Clause 3(2) where the exporter has factually disappeared or has ceased to exist in law, the data subject may enforce that clause against the importer.

138.Clause 6(1) grants, to any data subject who has suffered damage as a result of a breach of the obligations referred to in Clause 3, the right to receive compensation from the data exporter for the damage suffered. Under Clause 7(1), the importer agrees that if the data subject invokes third-party beneficiary rights against it and/or claims compensation for damages, it will accept the decision of the data subject either to refer the dispute to mediation by an independent person or, where applicable, by the supervisory authority, or to refer the dispute to the courts in the Member State in which the exporter is established.

139.In addition to the remedies available to them under the standard contractual clauses set out in the annex to Decision 2010/87, data subjects may, when they consider that there has been a breach of those clauses, request the supervisory authorities to exercise its corrective powers under Article 58(2) of the GDPR, to which Article 4 of Decision 2010/87 makes reference. (52)

140.The following reasons lead me to consider that, as Mr Schrems, Ireland, the German, Austrian, Belgian, Netherlands and Portuguese Governments and the EDPB submit, under Article 58(2) of the GDPR the supervisory authorities are required, when they consider following a diligent examination that data transferred to a third country do not benefit from appropriate protection because the contractual clauses agreed are not complied with, to take adequate measures to remedy that illegality, if necessary by ordering suspension of the transfer.

141.In the first place, I note that, contrary to the DPC’s submission, no provision of Decision 2010/87 limits to exceptional cases the exercise of the powers to ‘impose a temporary or definitive limitation including a ban on processing’ or to ‘order the suspension of data flows to a recipient in a third country’ which the supervisory authorities enjoy under Article 58(2)(f) and (j) of the GDPR.

142.The initial version of Article 4 of Decision 2010/87 did admittedly, in paragraph 1, confine the exercise by the supervisory authorities of their powers to suspend or prohibit cross-border data flows to specific cases where it is established that a transfer on contractual basis is likely to have a substantial adverse effect on the warranties intended to protect the data subject. However, Article 4 of that decision, as amended by the Commission in 2016 in order to comply with the judgment in Schrems, (53) now merely refers to those powers, without limiting them in any way. In any event, a Commission implementing decision, such as Decision 2010/87, cannot validly restrict the powers conferred on the supervisory authorities under the GDPR itself. (54)

143.That conclusion is not called into question by recital 11 of Decision 2010/87, which states that the powers to suspend and prohibit transfers may be exercised by the supervisory authorities only in ‘exceptional cases’. That recital, which was already present in the initial version of that decision, referred to the former Article 4(1) of that decision, which limited the supervisory authorities’ powers. When Decision 2010/87 was revised by Decision 2016/2297, the Commission failed to remove or amend that recital in order to adapt its content to the requirements of the new Article 4. However, recital 5 of Decision 2016/2297 reasserted the supervisory authorities’ power to suspend or prohibit any transfer which they consider to be contrary to EU law, in particular where the importer does not respect the standard contractual clauses. Recital 11 of Decision 2010/87, in that it now contradicts both the wording and the objective of a legally binding provision of that decision, must be deemed obsolete. (55)

144.In the second place, contrary to a further submission of the DPC, the exercise of the powers to suspend and prohibit transfers set out in Article 58(2)(f) and (j) of the GDPR is no longer merely an option left to the supervisory authorities’ discretion. That conclusion follows, in my view, from an interpretation of Article 58(2) of the GDPR in the light of other provisions of that regulation and of the Charter, and also from the general scheme and the objectives of Decision 2010/87.

145.In particular, Article 58(2) of the GDPR must be read in the light of Article 8(3) of the Charter and Article 16(2) TFEU. In accordance with those provisions, compliance with the requirements entailed by the fundamental right to protection of personal data is subject to review by independent authorities. That task of monitoring compliance with the requirements relating to the protection of personal data, which is also referred to in Article 57(1)(a) of the GDPR, entails an obligation for the supervisory authorities to act in such a way as to ensure the proper application of that regulation.

146.Thus, a supervisory authority must examine with all due diligence the complaint lodged by a person whose data are alleged to be transferred to a third country in breach of the standard contractual clauses applicable to the transfer. (56) Article 58(1) of the GDPR confers on the supervisory authorities, for that purpose, significant investigative powers. (57)

147.The competent supervisory authority is also required to react appropriately to any infringements of the rights of the data subject which it has established following its investigation. In that regard, each supervisory authority has, under Article 58(2) of the GDPR, a wide range of means — the various powers to adopt corrective measures listed in that provision — of carrying out the task entrusted to it. (58)

148.Although the choice of the most effective means is a matter for the discretion of the competent supervisory authority having regard to all the circumstances of the transfer at issue, that authority is required to carry out in full the supervisory task entrusted to it. Where appropriate, it must suspend the transfer if it concludes that the standard contractual clauses are not being complied with and that appropriate protection of the data transferred cannot be ensured by other means, where the exporter has not itself put an end to the transfer.

149.That interpretation is supported by Article 58(4) of the GDPR, which provides that the exercise of the powers conferred on the supervisory authorities pursuant to that article is to be subject to appropriate safeguards, including an effective judicial remedy in accordance with Article 47 or the Charter. Article 78(1) and (2) of the GDPR, moreover, recognises the right of each person to an effective judicial remedy against a legally binding decision of a supervisory authority concerning them or where that authority fails to deal with his complaint. (59)

150.Those provisions imply, that, as Mr Schrems, the BSA, Ireland, the Polish and United Kingdom Governments and the Commission claim, in essence, a decision whereby a supervisory authority refrains from prohibiting or suspending a transfer to a third country, at the request of a person claiming that there is a risk that data relating to him will be processed in that third country in a manner that fails to respect his fundamental rights, may be the subject of a judicial action. The recognition of a right to a judicial remedy assumes the existence of a strict, and not purely discretionary, power on behalf of the supervisory authorities. In addition, Mr Schrems and the Commission have correctly emphasised that the exercise of an effective judicial remedy implies that the authority that adopts the contested act states to an adequate degree the reasons on which it is based. (60) To my mind, that obligation to state reasons extends to supervisory authorities’ choice to use one or other of the powers conferred on them by Article 58(2) of the GDPR.

151.However, it is still necessary to respond to the arguments whereby the DPC claims that, even if the supervisory authorities were required to suspend or prohibit the transfer where the protection of the data subject’s rights requires it, the validity of Decision 2010/87 would still not be ensured.

152.First, the DPC considers that such an obligation on the supervisory authorities would not redress the systemic problems relating to the absence of adequate safeguards in a third country such as the United States. The supervisory authorities’ powers can be exercised only on a case-by-case basis, whereas the deficiencies characteristic of United States law are general and structural in nature. There is thus a risk that different supervisory authorities will adopt diverging decisions in respect of comparable transfers.

153.On that point, I cannot overlook the practical difficulties linked to the legislative choice to make the supervisory authorities responsible for ensuring that data subjects’ fundamental rights are observed in the context of specific transfers or of data flows to a specific recipient. However, those difficulties do not seem to me to render Decision 2010/87 invalid.