The Opinion of EU Advocate General Bot in Case C‑362/14
Maximillian Schrems
v
Data Protection Commissioner
(Request for a preliminary ruling from the High Court (Ireland)) deals with the transfer of personal data to the United States.
I – Introduction
1. As the European Commission stated in its Communication of 27 November 2013, ‘[t]ransfers of personal data are an important and necessary element of the transatlantic relationship. They form an integral part of commercial exchanges across the Atlantic including for new growing digital businesses, such as social media or cloud computing, with large amounts of data going from the [European Union] to the [United States]’.
2. Such commerce forms the subject-matter of Commission Decision 2000/520/EC of 26 July 2000 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the safe harbour privacy principles and related frequently asked questions issued by the US Department of Commerce. That decision provides a legal basis for the transfer of personal data from the European Union to undertakings established in the United States that adhere to the safe harbour principles.
3. Decision 2000/520 today faces the challenge of allowing data flows between the European Union and the United States while ensuring a high level of protection for that data, as required by EU law.
4. A number of revelations have recently brought to light the existence of large-scale information-gathering programmes in the United States. Those revelations have given rise to serious concerns as to whether the requirements of EU law are observed when personal data is transferred to undertakings established in the United States and about the weaknesses of the safe harbour scheme.
5. The present reference for a preliminary ruling invites the Court to make clear the approach that the national supervisory authorities and the Commission must take when they are faced with shortcomings in the application of Decision 2000/520.
6. Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data lays down in Chapter IV rules on the transfer of personal data to third countries.
7. In that chapter, the principle stated in Article 25(1) is that the transfer to a third country of personal data which is undergoing processing or is intended for processing after transfer may take place only if the third country in question ensures an adequate level of protection of such data.
8. Conversely, as the EU legislature indicates in recital 57 of that directive, the transfer of personal data to a third country which does not ensure an adequate level of protection must be prohibited.
9. As provided in Article 25(2) of Directive 95/46, ‘[t]he adequacy of the level of protection afforded by a third country shall be assessed in the light of all the circumstances surrounding a data transfer operation or set of data transfer operations; particular consideration shall be given to the nature of the data, the purpose and duration of the proposed processing operation or operations, the country of origin and country of final destination, the rules of law, both general and sectoral, in force in the third country in question and the professional rules and security measures which are complied with in that country’.
10. Under Article 25(6) of that directive, the Commission may find that a third country ensures an adequate level of protection of personal data by reason of its domestic law or of the international commitments it has entered into. If the Commission adopts a decision to that effect, the transfer of personal data to the third country concerned may take place.
11. The Commission adopted Decision 2000/520 pursuant to that provision. It follows from Article 1(1) of Decision 2000/520 that the ‘Safe Harbour Privacy Principles’, implemented in accordance with the guidance provided by the frequently asked questions, are considered to ensure an adequate level of protection for personal data transferred from the European Union to undertakings established in the United States.
12. Consequently, Decision 2000/520 authorises the transfer of personal data from the Member States to undertakings established in the United States which have undertaken to comply with the safe harbour principles.
13. Decision 2000/520 sets out, in Annex I, a number of principles to which undertakings may subscribe voluntarily, together with limits and a specific monitoring system. The number of undertakings which have subscribed to what might be described as a ‘code of conduct’ exceeded 3 200 in 2013.
14. The safe harbour scheme is based on a solution combining self-certification and self-assessment by private organisations and intervention by the public authorities.
15. The safe harbour principles were developed ‘in consultation with industry and the general public to facilitate trade and commerce between the United States and European Union. They are intended for use solely by US organisations receiving personal data from the European Union for the purpose of qualifying for the safe harbour and the presumption of “adequacy” it creates’.
16. The safe harbour principles, set out in Annex I to Decision 2000/520, establish, in particular:
– an obligation to provide information, under which ‘[a]n organisation must inform individuals about the purposes for which it collects and uses information about them, how to contact the organisation with any inquiries or complaints, the types of third parties to which it discloses the information, and the choices and means the organisation offers individuals for limiting its use and disclosure. This notice must be provided … when individuals are first asked to provide personal information to the organisation or as soon thereafter as is practicable, but in any event before the organisation uses such information for a purpose other than that for which it was originally collected or processed by the transferring organisation or discloses it for the first time to a third party’;
– an obligation on the organisations to offer individuals the opportunity to choose whether their personal information is to be disclosed to a third party or to be used for a purpose that is incompatible with the purpose or purposes for which it was originally collected or subsequently authorised by the individual. As regards sensitive information, an individual ‘must be given affirmative or explicit (opt in) choice if the information is to be disclosed to a third party or used for a purpose other than those for which it was originally collected or subsequently authorised by the individual through the exercise of opt in choice’;
– rules on the onward transfer of data. Thus, ‘to disclose information to a third party, organisations must apply the Notice and Choice Principles’;
– as regards data security, an obligation on ‘[o]rganisations creating, maintaining, using or disseminating personal information [to] take reasonable precautions to protect it from loss, misuse and unauthorised access, disclosure, alteration and destruction’;
– as regards data integrity, an obligation on organisations to ‘take reasonable steps to ensure that data is reliable for its intended use, accurate, complete and current’;
– that a person whose personal information is held by an organisation must, in principle, ‘have access to [that] information … and be able to correct, amend, or delete [it] where it is inaccurate’;
– an obligation to make provision for ‘mechanisms for assuring compliance with the Principles, recourse for individuals to whom the data relate affected by non-compliance with the Principles, and consequences for the organisation when the Principles are not followed’.
17. A United States organisation wishing to adhere to the safe harbour principles is required to state in its privacy policy that it discloses the fact that it adheres to those principles and in fact complies with them and to self-certify by declaring to the United States Department of Commerce that it complies with those principles.
18. Organisations have a number of ways of complying with the safe harbour principles. Thus, they may, for example, ‘[join] a self-regulatory privacy programme that adheres to the Principles [o]r qualify by developing their own self-regulatory privacy policies provided that they conform with the Principles. … In addition, organisations subject to a statutory, regulatory, administrative or other body of law (or of rules) that effectively protects personal privacy may also qualify for safe harbour benefits’.
19. A number of mechanisms, combining private dispute resolution and oversight by the public authorities, exist to check compliance with the safe harbour principles. Scrutiny may thus be ensured through a system of out-of-court dispute resolution by an independent third party. Furthermore, undertakings may undertake to cooperate with the EU data protection panel. Last, the Federal Trade Commission (‘the FTC’), on the basis of the powers conferred on it pursuant to section 5 of the Federal Trade Commission Act, and the Department of Transportation, on the basis of the powers conferred on it pursuant to section 41712 of the United States Code in Title 49 of that code, are empowered to deal with complaints.
20. According to the fourth paragraph of Annex I to Decision 2000/520, adherence to the safe harbour principles may be limited, in particular, ‘to the extent necessary to meet national security, public interest, or law enforcement requirements’ and ‘by statute, government regulation, or case-law that create conflicting obligations or explicit authorisations, provided that, in exercising any such authorisation, an organisation can demonstrate that its non-compliance with the Principles is limited to the extent necessary to meet the overriding legitimate interests furthered by such authorisation’.
21. In addition, the possibility for the competent authorities of the Member States to suspend data flows is subject to a number of conditions laid down in Article 3(1) of Decision 2000/520.
22. The present request for a preliminary ruling raises the issue of the effect of Decision 2000/520 in the light of Articles 7, 8 and 47 of the Charter of Fundamental Rights of the European Union (‘the Charter’) and of Article 25(6) of Directive 95/46. The request has been submitted in proceedings between Mr Schrems and the Data Protection Commissioner (‘the Commissioner’) concerning the latter’s refusal to investigate a complaint made by Mr Schrems regarding the fact that Facebook Ireland Ltd (‘Facebook Ireland’) keeps its subscribers’ personal data on servers located in the United States.
23. Mr Schrems is an Austrian national residing in Austria. He has been a subscriber to the social network Facebook since 2008.
24. All Facebook subscribers residing in the European Union are asked to sign a contract with Facebook Ireland, a subsidiary of the parent company Facebook Inc. established in the United States (‘Facebook USA’). Some or all of the data of subscribers to Facebook Ireland residing in the European Union is transferred to Facebook USA’s servers in the United States, where it is kept.
25. Mr Schrems lodged a complaint with the Commissioner on 25 June 2013, claiming, in essence, that the law and practices of the United States offer no real protection of the data kept in the United States against State surveillance. That was said to follow from the revelations made by Edward Snowden from May 2013 concerning the activities of the United States intelligence services, in particular those of the National Security Agency (‘the NSA’).
26. According to those revelations, the NSA established a programme called ‘PRISM’ under which it obtained unrestricted access to mass data stored on servers in the United States owned or controlled by a range of companies active in the internet and technology field, such as Facebook USA.
27. The Commissioner considered that he was not required to investigate the complaint, since it was unsustainable in law. He considered that there was no evidence that the NSA accessed Mr Schrems’ data. Furthermore, the complaint, in his view, had to be rejected by reason of Decision 2000/520, whereby the Commission found that under the safe harbour scheme the United States ensured an adequate level of protection of the personal data transferred. Any question relating to the adequacy of the protection of that data in the United States had to be settled in accordance with that decision which prevented him from examining the problem raised by the complaint.
28. The national legislation that led the Commissioner to reject the complaint is the following.
29. Section 10(1) of the Data Protection Act 1988, as amended by the Data Protection (Amendment) Act 2003 (‘the Data Protection Act’), empowers the Commissioner to examine complaints, stating:
‘(a) The Commissioner may investigate, or cause to be investigated, whether any of the provisions of this Act have been, are being or are likely to be contravened in relation to an individual either where the individual complains to him of a contravention of any of those provisions or he is otherwise of opinion that there may be such a contravention.
(b) Where a complaint is made to the Commissioner under paragraph (a) of this subsection, the Commissioner shall—
(i) investigate the complaint or cause it to be investigated, unless he is of opinion that it is frivolous or vexatious, and
(ii) if he or she is unable to arrange, within a reasonable time, for the amicable resolution by the parties concerned of the matter the subject of the complaint, notify in writing the individual who made the complaint of his or her decision in relation to it and that the individual may, if aggrieved by the decision, appeal against it to the Court under section 26 of this Act within 21 days from the receipt by him or her of the notification.’
30. In this instance, the Commissioner concluded that Mr Schrems’ complaint was ‘frivolous or vexatious’, in the sense that it was bound to fail because it was unsustainable in law. It was on that basis that the Commissioner refused to investigate the complaint.
31. Section 11 of the Data Protection Act governs the transfer of personal data outside national territory. Section 11(2)(a) provides:
‘Where in any proceedings under this Act a question arises—
(i) whether the adequate level of protection specified in subsection (1) of this section is ensured by a country or territory outside the European Economic Area [(EEA)] to which personal data are to be transferred, and
(ii) a Community finding has been made in relation to transfers of the kind in question,
the question shall be determined in accordance with that finding.’
32. Section 11(2)(b) of the Data Protection Act defines ‘Community finding’ as follows:
‘[I]n paragraph (a) of this subsection “Community finding” means a finding of the European Commission made for the purposes of paragraph (4) or (6) of Article 25 of [Directive 95/46] under the procedure provided for in Article 31(2) of the Directive in relation to whether the adequate level of protection specified in subsection (1) of this section is ensured by a country or territory outside the [EEA].’
33. The Commissioner observed that Decision 2000/520 was a ‘Community finding’ for the purposes of section 11(2)(a) of the Data Protection Act so that, under that Act, any question relating to the adequacy of data protection in the third country to which the data was transferred had to be settled in accordance with that finding. As this was the gist of Mr Schrems’ complaint — namely that personal data was being transferred to a third country which did not in practice ensure an adequate level of protection — the Commissioner took the view that the nature and very existence of Decision 2000/520 prevented him from examining this question.
34. Mr Schrems brought proceedings before the High Court for judicial review of the Commissioner’s decision rejecting his complaint. After examining the evidence adduced in the main proceedings, the High Court found that the electronic surveillance and interception of personal data serve necessary and indispensable objectives in the public interest, namely the preservation of national security and the prevention of serious crime. The High Court states, in that regard, that the surveillance and interception of personal data transferred from the European Union to the United States serve legitimate counter-terrorism objectives.
35. Nevertheless, according to the High Court, the revelations made by Edward Snowden demonstrated a significant over-reach on the part of the NSA and other similar agencies. While the Foreign Intelligence Surveillance Court (‘the FISC’), which operates under the Foreign Intelligence Surveillance Act of 1978, exercises supervisory jurisdiction, proceedings before that court take place in secret and are ex parte. In addition, apart from the fact that decisions relating to access to personal data are taken on the basis of United States law, citizens of the Union have no effective right to be heard on the question of the surveillance and interception of their data.
36. According to the High Court, it is clear from the extensive exhibits accompanying the affidavits filed in the main proceedings that the accuracy of much of Edward Snowden’s revelations is not in dispute. The High Court therefore concluded that, once personal data is transferred to the United States, the NSA and other United States security agencies such as the Federal Bureau of Investigation (FBI) are able to access it in the course of a mass and indiscriminate surveillance and interception of such data.
37. The High Court notes that in Irish law the importance of the constitutional rights to privacy and to inviolability of the dwelling requires that any interference with those rights be in accordance with the law and proportionate. The mass and undifferentiated accessing of personal data does not satisfy the requirement of proportionality and must therefore be considered contrary to the Constitution of Ireland.
38. The High Court observes that, in order for interception of electronic communications to be regarded as constitutional, it must be shown that specific interceptions of communications and the surveillance of individuals or groups of individuals are objectively justified in the interests of national security and the suppression of crime and that there are appropriate and verifiable safeguards.
39. Accordingly, the High Court states that, if the present case were to be approached solely on the basis of Irish law, a significant issue would arise as to whether the United States ‘ensures an adequate level of protection for the privacy and the fundamental rights and freedoms’ of data subjects, within the meaning of section 11(1)(a) of the Data Protection Act. It follows that, on the basis of Irish law, and in particular of its constitutional requirements, the Commissioner could not have rejected Mr Schrems’ complaint, but would have been required to examine that issue.
40. However, the High Court finds that the case before it concerns the implementation of EU law as referred to in Article 51(1) of the Charter and that the legality of the Commissioner’s decision should therefore be assessed in the light of EU law.
41. The problem facing the Commissioner is explained by the High Court as follows. Under section 11(2)(a) of the Data Protection Act, the Commissioner is required to determine the question of the adequacy of protection in the third country ‘in accordance’ with a Community finding made by the Commission pursuant to Article 25(6) of Directive 95/46. It follows that the Commissioner cannot depart from such a finding. As the Commission found in Decision 2000/520 that the United States provides an adequate level of protection in respect of data processing by companies which adhere to the safe harbour principles, a complaint alleging the inadequacy of such protection must necessarily be rejected by the Commissioner.
42. While finding that the Commissioner thus demonstrated scrupulous steadfastness to the letter of Directive 95/46 and Decision 2000/520, the High Court observes that Mr Schrems’ objection is in reality to the terms of the safe harbour scheme itself rather than to the manner in which the Commissioner applied it, while emphasising that Mr Schrems has not directly challenged the validity of Directive 95/46 or that of Decision 2000/520.
43. According to the High Court, the essential question is therefore whether, in the light of EU law and having regard, in particular, to the subsequent entry into force of Articles 7 and 8 of the Charter, the Commissioner is absolutely bound by the finding of the Commission made in Decision 2000/520 relating to the adequacy of the law and practice applicable to personal data protection in the United States.
44. The High Court further observes that in the proceedings before it no issue has been raised concerning the actions of Facebook Ireland and Facebook USA as such. Article 3(1)(b) of Decision 2000/520, which allows the competent national authorities to direct an undertaking to suspend data flows to a third country, applies, according to the High Court, only in circumstances where the complaint is directed against the conduct of the undertaking concerned, which is not the position in the present case.
45. The High Court emphasises, accordingly, that the real objection is not to the conduct of Facebook USA as such, but rather to the fact that the Commission has determined that the law and practice on data protection in the United States ensure adequate protection when it is clear from Edward Snowden’s disclosures that the United States authorities can have access on a mass and undifferentiated basis to personal data of the population living in the territory of the European Union.
46. In that regard, the High Court considers that it is difficult to see how Decision 2000/520 could in practice satisfy the requirements of Articles 7 and 8 of the Charter, especially if regard is had to the principles articulated by the Court in its judgment in Digital Rights Ireland and Others. In particular, the guarantee enshrined in Article 7 of the Charter and by the core values common to the traditions of the Member States would be compromised if the public authorities were allowed access to electronic communications on a casual and generalised basis without the need for objective justification based on considerations of national security or the prevention of crime specific to the individuals concerned and attended by appropriate and verifiable safeguards. According to the High Court, since Mr Schrems’ action suggests that Decision 2000/520 could be incompatible in abstracto with Articles 7 and 8 of the Charter, the Court of Justice may consider that Directive 95/46, in particular Article 25(6) thereof, and Decision 2000/520 could be interpreted as allowing the national authorities to conduct their own investigations in order to ascertain whether the transfer of personal data to a third country satisfies the requirements of Articles 7 and 8 of the Charter.
47. It was in those circumstances that the High Court decided to stay proceedings and to refer the following questions to the Court for a preliminary ruling:
‘Whether in the course of determining a complaint which has been made to [the Commissioner] that personal data is being transferred to another third country (in this case, the United States of America) the laws and practices of which, it is claimed, do not contain adequate protections for the data subject, [the Commissioner] is absolutely bound by the Community finding to the contrary contained in [Decision 2000/520] having regard to Article 7, Article 8 and Article 47 of [the Charter], the provisions of Article 25(6) of Directive [95/46] notwithstanding?
Or, alternatively, may and/or must the [Commissioner] conduct his or her own investigation of the matter in the light of factual developments in the meantime since [Decision 2000/520] was first published?’
II – My analysis
48. The two questions formulated by the High Court invite the Court to clarify the powers available to the national supervisory authorities when they receive a complaint concerning a transfer of personal data to an undertaking established in a third country and it is claimed, in support of the complaint, that that third country does not guarantee an adequate level of protection of the data transferred, although the Commission, acting on the basis of Article 25(6) of Directive 95/46, has adopted a decision recognising the adequacy of the level of protection ensured by that third country.
49. I would observe that there are two aspects to the complaint that Mr Schrems filed with the Commissioner. It seeks to challenge the transfer of personal data from Facebook Ireland to Facebook USA. Mr Schrems asks that that transfer be brought to an end since, in his submission, the United States does not ensure an adequate level of protection of the personal data transferred under the safe harbour scheme. More specifically, he takes issue with the United States for having set up the PRISM programme, which allows the NSA unrestricted access to the mass data stored on servers located in the United States. Thus, the complaint relates specifically to transfers of personal data from Facebook Ireland to Facebook USA, while challenging more generally the level of protection ensured for such data under the safe harbour scheme.
50. The Commissioner considered that the very existence of a Commission decision recognising that the United States ensures an adequate level of protection under the safe harbour scheme prevented him from investigating the complaint.
51. It is therefore appropriate to examine together the two questions, which seek, in essence, to ascertain whether Article 28 of Directive 95/46, read in the light of Articles 7 and 8 of the Charter, must be interpreted as meaning that the existence of a decision adopted by the Commission on the basis of Article 25(6) of that directive has the effect of preventing a national supervisory authority from investigating a complaint alleging that a third country does not ensure an adequate level of protection of the personal data transferred and, where appropriate, from suspending the transfer of that data.
52. Article 7 of the Charter guarantees the right to respect for private life, while Article 8 expressly proclaims the right to the protection of personal data. Article 8(2) and (3) states that such data must be processed fairly for specific purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law, that everyone has the right of access to data which has been collected concerning him or her and the right to have it rectified, and that compliance with those rules is to be subject to control by an independent authority.
A – The powers of the national supervisory authorities where the Commission has adopted an adequacy decision
53. As Mr Schrems states in his observations, for the purposes of the complaint at issue in the main proceedings the key issue is that of the transfer of personal data from Facebook Ireland to Facebook USA in the light of the generalised access which the NSA and other United States security agencies have under the powers conferred on them by United States legislation to the data stored at Facebook USA.
54. When the national supervisory authority receives a complaint challenging the finding that a third country ensures an adequate level of protection for the transferred data, it is empowered, according to Mr Schrems, if it has evidence that the allegations made in the complaint are well founded, to direct that the transfer of data by the undertaking designated in the complaint be suspended.
55. In the light of the Commissioner’s obligations to protect Mr Schrems’ fundamental rights, Mr Schrems maintains that the Commissioner is under an obligation not only to investigate, but also, if the complaint is upheld, to use his powers to suspend the data flows between Facebook Ireland and Facebook USA.
56. However, the Commissioner rejected the complaint on the basis of the provisions of the Data Protection Act which set out his powers. That conclusion was based on the Commissioner’s view that he was bound by Decision 2000/520.
57. It follows that the central issue in the present case is whether the Commission’s assessment as to the adequacy of the level of protection, contained in Decision 2000/520, is absolutely binding on the national data protection authority and prevents it from investigating allegations challenging that finding. The questions referred to the Court therefore relate to the extent of the investigative powers of the national data protection authorities where the Commission has adopted an adequacy decision.
58. According to the Commission, it is necessary to take account of the allocation of powers between it and the national data protection authorities. The powers of the national data protection authorities are focused on the application of the relevant legislation in individual cases, while the general review of the application of Decision 2000/520, including any decision involving its suspension or repeal, comes within the powers of the Commission.
59. The Commission maintains that Mr Schrems has not put forward any specific arguments that would indicate that he was at imminent risk of grave harm owing to the transfer of data between Facebook Ireland and Facebook USA. On the contrary, owing to their general and abstract nature, the concerns which he expresses about the surveillance programmes implemented by the United States security agencies are exactly the same as those that led the Commission to embark on the review of Decision 2000/520.
60. In the Commission’s submission, the national supervisory authorities would encroach upon its power to renegotiate the terms of that decision with the United States or, if necessary, to suspend that decision if they were to take action on the basis of complaints raising only structural and abstract concerns.
61. I do not share the Commission’s opinion. To my mind, the existence of a decision adopted by the Commission on the basis of Article 25(6) of Directive 95/46 cannot eliminate or even reduce the national supervisory authorities’ powers under Article 28 of that directive. Contrary to the Commission’s contention, if the national supervisory authorities receive individual complaints, that does not in my view prevent them, by virtue of their investigative powers and their independence, from forming their own opinion on the general level of protection ensured by a third country and from drawing the appropriate conclusion when they determine individual cases.
62. The Court has consistently held that, in interpreting provisions of EU law, it is necessary to consider not only their wording but also the context in which they occur and the objectives pursued by the rules of which they are part.
63. It is apparent from recital 62 of Directive 95/46 that ‘the establishment in Member States of supervisory authorities, exercising their functions with complete independence, is an essential component of the protection of individuals with regard to the processing of personal data’.
64. As set out in the first subparagraph of Article 28(1) of Directive 95/46, ‘[e]ach Member State shall provide that one or more public authorities are responsible for monitoring the application within its territory of the provisions adopted by the Member States pursuant to this Directive’. The second subparagraph of Article 28(1) provides that ‘[t]hese authorities shall act with complete independence in exercising the functions entrusted to them’.
65. Article 28(3) of Directive 95/46 lists the powers of each supervisory authority, namely: investigative powers; effective powers of intervention, enabling that authority, in particular, to impose a temporary or definitive ban on processing; and the power to engage in legal proceedings where the national provisions adopted pursuant to that directive have been violated or to bring those violations to the attention of the judicial authorities.
66. Furthermore, under the first subparagraph of Article 28(4) of Directive 95/46, ‘[e]ach supervisory authority shall hear claims lodged by any person … concerning the protection of his rights and freedoms in regard to the processing of personal data’. The second subparagraph of Article 28(4) states that ‘[e]ach supervisory authority shall, in particular, hear claims for checks on the lawfulness of data processing lodged by any person when the national provisions adopted pursuant to Article 13 of this Directive apply’. Article 13 enables Member States to adopt legislative measures to restrict the scope of a number of obligations and rights provided for in Directive 95/46 when such a restriction constitutes a necessary measure to safeguard, in particular, national security, defence, public security and the prevention, investigation, detection and prosecution of criminal offences.
67. As the Court has already held, the requirement that compliance with EU rules on the protection of individuals with regard to the processing of personal data is subject to control by an independent authority derives also from the primary law of the European Union, in particular from Article 8(3) of the Charter and Article 16(2) TFEU. It has also observed that ‘[t]he establishment in Member States of independent supervisory authorities is thus an essential component of the protection of individuals with regard to the processing of personal data’.
68. The Court has also held that ‘the second subparagraph of Article 28(1) of Directive 95/46 must be interpreted as meaning that the supervisory authorities responsible for supervising the processing of personal data must enjoy an independence allowing them to perform their duties free from external influence. That independence precludes inter alia any directions or any other external influence in whatever form, whether direct or indirect, which may have an effect on their decisions and which could call into question the performance by those authorities of their task of striking a fair balance between the protection of the right to private life and the free movement of personal data’.
69. The Court has stated too that ‘[t]he guarantee of the independence of national supervisory authorities is intended to ensure the effectiveness and reliability of the supervision of compliance with the provisions on protection of individuals with regard to the processing of personal data’. That guarantee of independence was established ‘in order to strengthen the protection of individuals and bodies affected by [the] decisions [of those national supervisory authorities]’.
70. As is apparent, in particular, from recital 10 and Article 1 of Directive 95/46, that directive seeks to ensure, in the European Union, ‘a high level of protection of fundamental rights and freedoms with respect to the processing of personal data’. According to the Court, ‘[t]he supervisory authorities provided for in Article 28 of Directive 95/46 are therefore the guardians of those fundamental rights and freedoms’.
71. In the light of the importance of the role played by the national supervisory authorities in the protection of individuals with regard to the processing of personal data, their powers of intervention must remain intact even when the Commission has adopted a decision on the basis of Article 25(6) of Directive 95/46.
72. I note, in this connection, that there is nothing to suggest that arrangements for the transfer of personal data to third countries are excluded from the substantive scope of Article 8(3) of the Charter, which enshrines at the highest level of the hierarchy of rules in EU law the importance of control by an independent authority of compliance with the rules on the protection of personal data.
73. If the national supervisory authorities were absolutely bound by decisions adopted by the Commission, that would inevitably limit their total independence. In accordance with their role as guardians of fundamental rights, the national supervisory authorities must be able to investigate, with complete independence, the complaints submitted to them, in the higher interest of the protection of individuals with regard to the processing of personal data.
74. In addition, as the Belgian Government and the European Parliament rightly observed at the hearing, there is no hierarchical connection between Chapter IV of Directive 95/46 on the transfer of personal data to third countries and Chapter VI of that directive which is devoted, in particular, to the role of the national supervisory authorities. There is nothing in Chapter VI to suggest that the provisions on the national supervisory authorities are in any way subordinate to the separate provisions on transfers set out in Chapter IV.
75. On the other hand, it is clearly stated in Article 25(1) of Directive 95/46, which is in Chapter IV, that the authorisation of the transfer of personal data to a third country ensuring an adequate level of protection is applicable only if the national provisions adopted pursuant to the other provisions of that directive are complied with.
76. Under that provision, the Member States are to lay down in their national legislation that the transfer to a third country of personal data which is undergoing processing or is intended for processing after transfer may take place only if, without prejudice to compliance with the national provisions adopted pursuant to the other provisions of Directive 95/46, the third country in question ensures an adequate level of protection.
77. Under Article 28(1) of that directive, the national supervisory authorities are responsible for monitoring the application within the territory of each Member State of the provisions adopted by the Member States pursuant to the directive.
78. A comparison of those two provisions permits the view that the rule laid down in Article 25(1) of Directive 95/46 that the transfer of personal data may take place only if the third country to which it is sent ensures an adequate level of protection of that data is among the rules the application of which is to be monitored by the national supervisory authorities.
79. The powers of the national supervisory authorities to investigate, with complete independence, complaints submitted to them under Article 28 of Directive 95/46 must be interpreted broadly, in accordance with Article 8(3) of the Charter. Those powers cannot therefore be limited by the powers which the EU legislature has conferred on the Commission under Article 25(6) of that directive to find that the level of protection ensured by a third country is adequate.
80. In the light of the essential role which they play with regard to the protection of personal data, the national supervisory authorities must be able to investigate where they receive a complaint alleging matters that could call into question the level of protection ensured by a third country, including where the Commission has found, in a decision adopted on the basis of Article 25(6) of Directive 95/46, that the third country concerned ensures an adequate level of protection.
81. If, on completion of its investigations, a national supervisory authority considers that the contested transfer of data undermines the protection which citizens of the Union must enjoy with regard to the processing of their data, it has the power to suspend the transfer of data in question, irrespective of the general assessment made by the Commission in its decision.
82. It is undisputed, as set out in Article 25(2) of Directive 95/46, that the adequacy of the level of protection afforded by a third country is to be assessed in the light of a range of circumstances, both factual and legal. If one of those circumstances changes and appears to be such as to call into question the adequacy of the level of protection afforded by a third country, the national supervisory authority to which a complaint has been submitted must be able to draw the appropriate conclusions in relation to the contested transfer.
83. Admittedly, as Ireland has observed, the Commissioner, like the other State authorities, is bound by Decision 2000/520. Indeed, it follows from the fourth paragraph of Article 288 TFEU that a decision taken by an institution of the European Union is binding in its entirety. Consequently, Decision 2000/520 is binding on the Member States, to which it is addressed.
84. I would observe, in that regard, that Decision 2000/520 itself provides, in Article 5, that ‘Member States shall take all the measures necessary to comply with this Decision at the end of a period of 90 days from the date of its notification to the Member States’. In addition, Article 6 of Decision 2000/520 confirms that the decision ‘is addressed to the Member States’.
85. However, I consider that, in the light of the abovementioned provisions of Directive 95/46 and the Charter, the mandatory effect of Decision 2000/520 is not such as to preclude any investigation by the Commissioner of complaints alleging that transfers of personal data to the United States within the framework of that decision do not afford the necessary guarantees of protection that are required by EU law. In other words, such a binding effect cannot require that every complaint of that type be rejected summarily, that is to say, immediately and without any examination of its merits.
86. I should add that it is apparent, moreover, from the scheme of Article 25 of Directive 95/46 that the finding that a third country does or does not ensure an adequate level of protection may be made either by the Member States or by the Commission. The competence to make such a finding is therefore a shared competence.
87. It follows from Article 25(6) of that directive that, where the Commission finds that a third country ensures an adequate level of protection within the meaning of Article 25(2), the Member States are to take the necessary measures to comply with the Commission’s decision.
88. As the effect of such a decision is to allow transfers of personal data to a third country whose level of protection is considered adequate by the Commission, the Member States must therefore, in principle, allow such transfers to be made by undertakings established on their territory.
89. However, Article 25 of Directive 95/46 does not attribute exclusive power to the Commission to find that the level of protection of the personal data transferred is adequate or inadequate. The scheme of that article shows that the Member States also have a role in that respect. A Commission decision does, admittedly, play an important role in ensuring uniformity in the transfer conditions applicable in the Member States. However, that uniformity can continue only while that finding is not called in question.
90. The argument that uniformity of the conditions for the transfer of personal data to a third country is necessary meets its limit, to my mind, in a situation such as that at issue in the main proceedings where not only is the Commission informed that its finding is the subject of criticism, but also the Commission itself makes such criticisms and enters into negotiations with a view to remedying the situation.
91. Assessment of whether or not the level of protection afforded by a third country is adequate may also give rise to cooperation between the Member States and the Commission. Article 25(3) of Directive 95/46 provides, in that regard, that ‘[t]he Member States and the Commission shall inform each other of cases where they consider that a third country does not ensure an adequate level of protection within the meaning of paragraph 2’. As the Parliament observes, that clearly demonstrates that the Member States and the Commission have an equal role to play in identifying cases in which a third country does not ensure an adequate level of protection.
92. The purpose of an adequacy decision is to authorise the transfer of personal data to the third country concerned. That does not mean that citizens of the Union can no longer submit requests to the supervisory authorities aimed at protecting their personal data. I note, in that regard, that the first subparagraph of Article 28(4) of Directive 95/46, which provides that ‘[e]ach supervisory authority shall hear claims lodged by any person … concerning the protection of his rights and freedoms in regard to the processing of personal data’, makes no provision for an exception to that principle where a decision has been adopted by the Commission under Article 25(6) of the directive.
93. Thus, although a decision adopted by the Commission under the implementing powers conferred on it by Article 25(6) of Directive 95/46 has the effect of allowing the transfer of personal data to a third country, such a decision cannot, on the other hand, have the effect of removing all power from the Member States, and in particular from their national supervisory authorities, or even of only restricting their powers, when they are faced with allegations of infringements of fundamental rights.
94. A national supervisory authority must be capable of exercising the powers provided for in Article 28(3) of Directive 95/46, including the power to impose a temporary or definitive ban on the processing of personal data. Although the list of powers set out in that provision does not expressly refer to powers relating to a transfer from a Member State to a third country, such a transfer must in my view be regarded as constituting the processing of data. As is clear from the wording of that provision, the list, moreover, is not exhaustive. In any event, in the light of the essential role played by the national supervisory authorities in the system put in place by Directive 95/46, they must have the power to order the suspension of the transfer of data where there is a proven breach or a risk of a breach of fundamental rights.
95. I would add that to deprive the national supervisory authority of its investigative powers in circumstances such as those at issue in the present case would be contrary not only to the principle of independence but also to the objective of Directive 95/46 as resulting from Article 1(1) thereof.
96. As the Court has observed, ‘[i]t is apparent from recitals 3, 8 and 10 of Directive 95/46 that the European Union legislature sought to facilitate the free movement of personal data by the approximation of the laws of the Member States while safeguarding the fundamental rights of individuals, in particular the right to privacy, and ensuring a high level of protection in the European Union. Article 1 of the directive thus requires the Member States to ensure the protection of the fundamental rights and freedoms of natural persons, in particular their privacy, with respect to the processing of personal data’.
97. The provisions of Directive 95/46 must therefore be interpreted in accordance with its objective of guaranteeing a high level of protection of the fundamental rights and freedoms of natural persons, in particular their right to privacy, with respect to the processing of personal data within the European Union.
98. The importance of that objective and the role which the Member States must play in attaining it mean that, when particular circumstances give rise to a serious doubt as to compliance with the fundamental rights guaranteed by the Charter where personal data is transferred to a third country, the Member States and therefore, within them, the national supervisory authorities cannot be absolutely bound by an adequacy decision adopted by the Commission.
99. The Court has already held that ‘the provisions of Directive 95/46, in so far as they govern the processing of personal data liable to infringe fundamental freedoms, in particular the right to privacy, must necessarily be interpreted in the light of fundamental rights, which, according to settled case-law, form an integral part of the general principles of law whose observance the Court ensures and which are now set out in the Charter’.
100. I would refer, moreover, to the case-law according to which ‘the Member States must not only interpret their national law in a manner consistent with EU law but also make sure they do not rely on an interpretation of an instrument of secondary legislation which would be in conflict with the fundamental rights protected by the European Union legal order or with the other general principles of EU law’.
101. The Court thus held in its judgment in N.S. and Others that ‘an application of Regulation [(EC) No 343/2003] on the basis of the conclusive presumption that the asylum seeker’s fundamental rights will be observed in the Member State primarily responsible for his application is incompatible with the duty of the Member States to interpret and apply Regulation No 343/2003 in a manner consistent with fundamental rights’.
102. In that regard, the Court accepted, in the context of the status of the Member States as safe countries of origin in respect to each other for all legal and practical purposes in relation to asylum matters, that it must be assumed that the treatment of asylum seekers in all Member States complies with the requirements of the Charter, the Convention relating to the Status of Refugees, signed in Geneva on 28 July 1951, and the European Convention for the Protection of Human Rights and Fundamental Freedoms, signed in Rome on 4 November 1950. However, the Court held that ‘[i]t is not … inconceivable that that system may, in practice, experience major operational problems in a given Member State, meaning that there is a substantial risk that asylum seekers may, when transferred to that Member State, be treated in a manner incompatible with their fundamental rights’.
103. Consequently, the Court held that ‘the Member States, including the national courts, may not transfer an asylum seeker to the “Member State responsible” within the meaning of Regulation No 343/2003 where they cannot be unaware that systemic deficiencies in the asylum procedure and in the reception conditions of asylum seekers in that Member State amount to substantial grounds for believing that the asylum seeker would face a real risk of being subjected to inhuman or degrading treatment within the meaning of Article 4 of the Charter’.
104. To my mind, the contribution to the case-law made by the judgment in N.S. and Others can be applied by extension to a situation such as that at issue in the main proceedings. Thus, an interpretation of secondary EU law based on an irrebuttable presumption that fundamental rights will be observed — whether by a Member State, by the Commission or by a third country — must be considered to be incompatible with the duty of the Member States to interpret and apply secondary EU law in a manner consistent with fundamental rights. Article 25(6) of Directive 95/46 therefore does not establish such an irrebuttable presumption that fundamental rights are observed as regards the Commission’s assessment of the adequacy of the level of protection offered by a third country. On the contrary, the presumption underlying that provision — that the transfer of data to a third country complies with fundamental rights — must be regarded as rebuttable. Consequently, that provision should not be interpreted as calling in question the guarantees laid down in, notably, Article 28(3) of Directive 95/46 and Article 8(3) of the Charter, relating to the protection of and compliance with the right to protection of personal data.
105. I therefore infer from that judgment that, where systemic deficiencies are found in the third country to which the personal data is transferred, the Member States must be able to take the measures necessary to safeguard the fundamental rights protected by Articles 7 and 8 of the Charter.
106. Furthermore, as the Italian Government stated in its observations, the fact that the Commission has adopted an adequacy decision cannot have the effect of reducing the protection of citizens of the Union with regard to the processing of their data when that data is transferred to a third country by comparison with the level of protection which those persons would enjoy if their data were processed within the European Union. The national supervisory authorities must therefore be in a position to intervene and to exercise their powers with respect to transfers of data to third countries covered by an adequacy decision. Were that not so, citizens of the Union would be less well protected than they would be if their data were processed within the European Union.
107. Thus, the adoption by the Commission of a decision under Article 25(6) of Directive 95/46 has the effect only of removing the general prohibition on exporting personal data to third countries guaranteeing a level of protection comparable to that afforded by that directive. In other words, the point is not the creation of a special system of exceptions that offers less protection for citizens of the Union by comparison with the general system provided for in that directive for the processing of data within the European Union.
108. Admittedly, the Court has stated, in paragraph 63 of its judgment in Lindqvist, that ‘Chapter IV of Directive 95/46, in which Article 25 appears, sets up a special regime’. However, that does not mean, in my view, that such a regime must afford less protection. On the contrary, in order to attain the objective of protecting data established in Article 1(1) of Directive 95/46, Article 25 of that directive imposes a series of obligations on the Member States and on the Commission and it establishes the principle that where a third country does not ensure an adequate level of protection the transfer of personal data to that country must be prohibited.
109. As regards more specifically the safe harbour scheme, the Commission envisages that the national supervisory authorities will intervene and suspend data flows only in the context outlined in Article 3(1)(b) of Decision 2000/520.
110. According to recital 8 of that decision, ‘[i]n the interests of transparency and in order to safeguard the ability of the competent authorities in the Member States to ensure the protection of individuals as regards the processing of their personal data, it is necessary to specify in this Decision the exceptional circumstances in which the suspension of specific data flows should be justified, notwithstanding the finding of adequate protection’.
111. In the context of the present case, it is, more specifically, the application of Article 3(1)(b) of Decision 2000/520 that has been discussed. Under that provision, the national supervisory authorities may decide to suspend data flows where ‘there is a substantial likelihood that the Principles are being violated; there is a reasonable basis for believing that the enforcement mechanism concerned is not taking or will not take adequate and timely steps to settle the case at issue; the continuing transfer would create an imminent risk of grave harm to data subjects; and the competent authorities in the Member State have made reasonable efforts under the circumstances to provide the organisation with notice and an opportunity to respond’.
112. That provision lays down a number of conditions which have been given various interpretations by the parties in the course of these proceedings. Without going into detail on those interpretations, it is apparent from them that those conditions strictly circumscribe the national supervisory authorities’ power to suspend data flows.
113. However, contrary to the Commission’s submissions, Article 3(1)(b) of Decision 2000/520 must be interpreted in accordance with the objective of protecting personal data pursued by Directive 95/46, and also in the light of Article 8 of the Charter. The requirement that provisions be interpreted in a manner consistent with fundamental rights supports a broad interpretation of that provision.
114. It follows that the conditions laid down in Article 3(1)(b) of Decision 2000/520 cannot in my view prevent a national supervisory authority from exercising, in complete independence, the powers conferred on it by Article 28(3) of Directive 95/46.
115. As the Belgian and Austrian Governments submitted, in essence, at the hearing, the emergency exit that Article 3(1)(b) of Decision 2000/520 represents is so narrow that it is difficult to put into practice. It imposes cumulative criteria and sets the bar too high. In the light of Article 8(3) of the Charter, it is not possible for the national supervisory authorities’ scope for manoeuvre in relation to the powers resulting from Article 28(3) of Directive 95/46 to be limited in such a way that they can no longer be exercised.
116. In that regard, the Parliament has correctly observed that it is the EU legislature that decided what powers were to devolve to the national supervisory authorities. The implementing power conferred by the EU legislature on the Commission in Article 25(6) of Directive 95/46 does not affect the powers which that legislature conferred on the national supervisory authorities in Article 28(3) of the directive. In other words, the Commission is not empowered to restrict the powers of the national supervisory authorities.
117. Consequently, in order to ensure appropriate protection of the fundamental rights of individuals with regard to the processing of personal data, the national supervisory authorities must have the power, where there are allegations regarding infringement of those rights, to conduct investigations. If, following such investigations, those authorities consider that, in a third country covered by an adequacy decision, there are strong indications of a breach of the right of citizens of the Union to the protection of their personal data, they must be able to suspend the transfer of data to the recipient established in that third country.
118. In other words, the national supervisory authorities must be able to carry out their investigations and, where appropriate, suspend the transfer of data, irrespective of the restrictive conditions laid down in Article 3(1)(b) of Decision 2000/520.
119. Furthermore, under their power provided for in Article 28(3) of Directive 95/46 to engage in legal proceedings where the national provisions adopted pursuant to that directive have been violated or to bring those violations to the attention of the judicial authorities, the national supervisory authorities should be able, where they are aware of facts showing that a third country does not ensure an adequate level of protection, to bring the matter before a national court, which will be able to decide, where appropriate, to request a preliminary ruling from the Court for the purpose of assessing the validity of a Commission adequacy decision.
120. It follows from all of the foregoing that Article 28 of Directive 95/46, read in the light of Articles 7 and 8 of the Charter, must be interpreted as meaning that the existence of a decision adopted by the Commission on the basis of Article 25(6) of that directive does not have the effect of preventing a national supervisory authority from investigating a complaint alleging that a third country does not ensure an adequate level of protection of the personal data transferred and, where appropriate, from suspending the transfer of that data.
121. Although the High Court stresses in its order for reference that Mr Schrems has not formally contested in the main proceedings either the validity of Directive 95/46 or the validity of Decision 2000/520, it is clear from that order for reference that Mr Schrems’ main criticism seeks to challenge the finding that the United States ensures, under the safe harbour scheme, an adequate level of protection of the personal data transferred.
122. It is also apparent from the Commissioner’s observations that Mr Schrems’ complaint is intended to put Decision 2000/520 directly in issue. In filing that complaint, Mr Schrems wished to challenge the terms and the functioning of the safe harbour scheme itself on the ground that the mass surveillance of the personal data transferred to the United States shows that there is no meaningful protection of that data in the law and practice in force in that third country.
123. Furthermore, the referring court itself observes that the guarantee provided by Article 7 of the Charter and by the core values common to the constitutional traditions of the Member States would be compromised if the public authorities were allowed access to electronic communications on a casual and generalised basis without the need for objective justification based on considerations of national security or the prevention of crime specific to the individuals concerned and attended by appropriate and verifiable safeguards. The referring court thus indirectly casts doubts on the validity of Decision 2000/520.
124. The assessment of whether under the safe harbour scheme the United States guarantees an adequate level of protection of the personal data transferred therefore necessarily leads to consideration of the validity of that decision.
125. In that regard, it should be observed that in the context of the instrument of cooperation between the Court of Justice and national courts that is established by Article 267 TFEU, even where a request to the Court for a preliminary ruling relates solely to the interpretation of EU law the Court may, in certain specific circumstances, find it necessary to examine the validity of provisions of secondary law.
126. Accordingly, on a number of occasions, the Court has of its own motion declared invalid an act which it was asked only to interpret. It has also held that, ‘[i]f it appears that the real purpose of the questions submitted by a national court is concerned rather with the validity of [EU] measures than with their interpretation, it is appropriate for the Court to inform the national court at once of its view without compelling the national court to comply with purely formal requirements which would uselessly prolong the procedure under Article [267 TFEU] and would be contrary to its very nature’. The Court has already considered, moreover, that the doubts evinced by a referring court as to the compatibility of an act of secondary legislation with the rules concerning the protection of fundamental rights must be understood as questioning the validity of that act in the light of EU law.
127. I would also observe that it follows from the case-law of the Court that the acts of the EU institutions, bodies, offices and agencies are presumed to be lawful, which means that they produce legal effects until such time as they are withdrawn, annulled in an action for annulment or declared invalid following a request for a preliminary ruling or a plea of illegality. The Court alone has jurisdiction to declare an act of the European Union invalid and the purpose of that jurisdiction is to ensure legal certainty through the uniform application of EU law. In the absence of a declaration of invalidity, amendment or repeal by the Commission, the decision remains binding in its entirety and directly applicable in all Member States.
128. In order to provide a full answer to the referring court and to dispel the doubts expressed during the present proceedings as to the validity of Decision 2000/520, I am of the view that the Court should therefore assess the validity of that decision.
129. That said, it should also be made clear that the examination of whether or not Decision 2000/520 is valid must be confined to the grounds of objection discussed in the context of the present proceedings. Not all aspects of the functioning of the safe harbour scheme have been discussed in that context, and for that reason I do not consider it possible to embark here on an exhaustive examination of the shortcomings of that scheme.
130. On the other hand, the question whether the United States intelligence services’ generalised and untargeted access to the transferred data is capable of affecting the legality of Decision 2000/520 has been discussed before the Court in the context of the present proceedings. The validity of that decision can therefore be assessed from that point of view.
B – The validity of Decision 2000/520
1. The factors to be taken into consideration in assessing the validity of Decision 2000/520
131. It is appropriate to recall the case-law stating that, ‘in the context of an application for annulment, the legality of a measure must be assessed on the basis of the facts and the law as they stood at the time when the measure was adopted, the Commission’s assessment being open to criticism only if it appears manifestly incorrect in the light of the information available to it at the time when the measure in question was adopted’.
132. In its judgment in Gaz de France — Berliner Investissement, the Court noted the principle that ‘the assessment of the validity of a measure which the Court is called upon to undertake on a reference for a preliminary ruling must normally be based on the situation which existed at the time that measure was adopted’. However, the Court appears to have recognised that ‘the validity of a measure might, in certain cases, be assessed by reference to new factors which arose after its adoption’.
133. The more open approach thus outlined by the Court seems to me to be particularly relevant in the context of the present case.
134. Decisions adopted by the Commission on the basis of Article 25(6) of Directive 95/46 have particular characteristics. They are intended to assess whether or not the level of protection of personal data afforded by a third country is adequate. That assessment will necessarily evolve according to the factual and legal context prevailing in the third country.
135. In view of the fact that an adequacy decision is a particular type of decision, the rule that its validity might be assessed only by reference to the factors that existed at the time of its adoption must be qualified in this instance. Otherwise, such a rule would have the consequence that, a number of years after an adequacy decision has been adopted, the assessment of validity that the Court must carry out cannot take into account events that have occurred subsequently, even though there is no limit on the period within which a reference for a preliminary ruling on validity may be made and it may be prompted specifically by subsequent facts that reveal the deficiencies of the act in question.
136. In the present case, the fact that Decision 2000/520 has remained in force for around 15 years demonstrates the Commission’s implicit confirmation of the assessment which it made in 2000. Where, in the context of a reference for a preliminary ruling, the Court is required to appraise the validity of an assessment which has been maintained over time by the Commission, it is therefore not only possible but also appropriate that it may compare that assessment with the new circumstances which have arisen since the adequacy decision was adopted.
137. Given the particular nature of an adequacy decision, it must be regularly reviewed by the Commission. If, following new events which have occurred in the meantime, the Commission does not amend its decision, that is because it confirms implicitly, but necessarily, the initial assessment. It thus reiterates its finding that the third country concerned ensures an adequate level of protection of the personal data transferred. It is for the Court to examine whether that finding continues to be valid in spite of the intervening circumstances.
138. In order to ensure effective judicial review of that type of decision, the assessment of its validity must therefore in my view be carried out by reference to the current factual and legal context.
2. The concept of an adequate level of protection
139. Article 25 of Directive 95/46 is based entirely on the principle that the transfer of personal data to a third country cannot take place unless that third country guarantees an adequate level of protection of such data. The objective of that article is thus to ensure the continuity of the protection afforded by that directive where personal data is transferred to a third country. It is appropriate, in that regard, to bear in mind that that directive affords a high level of protection of citizens of the Union with regard to the processing of their personal data.
140. In view of the important role played by the protection of personal data with regard to the fundamental right to privacy, this kind of high level of protection must, therefore, be guaranteed, including where personal data is transferred to a third country.
141. It is for that reason that I consider that the Commission can find, on the basis of Article 25(6) of Directive 95/46, that a third country ensures an adequate level of protection only where, following a global assessment of the law and practice in the third country in question, it is able to establish that that third country offers a level of protection that is essentially equivalent to that afforded by the directive, even though the manner in which that protection is implemented may differ from that generally encountered within the European Union.
142. Although the English word ‘adequate’ may be understood, from a linguistic viewpoint, as designating a level of protection that is just satisfactory or sufficient, and thus as having a different semantic scope from the French word ‘adéquat’ (‘appropriate’), the only criterion that must guide the interpretation of that word is the objective of attaining a high level of protection of fundamental rights, as required by Directive 95/46.
143. Examination of the level of protection afforded by a third country must focus on two fundamental elements, namely the content of the applicable rules and the means of ensuring compliance with those rules.
144. To my mind, in order to attain a level of protection essentially equivalent to that in force in the European Union, the safe harbour scheme, which is largely based on self-certification and self-assessment by the organisations participating voluntarily in that scheme, should be accompanied by adequate guarantees and a sufficient control mechanism. Thus, transfers of personal data to third countries should not be given a lower level of protection than processing within the European Union.
145. In that regard, I would observe at the outset that within the European Union the prevailing notion is that an external control mechanism in the form of an independent authority is a necessary component of any system designed to ensure compliance with the rules on the protection of personal data.
146. Furthermore, in order to ensure that Article 25(1) to (3) of Directive 95/46 is effective, account should be taken of the fact that the adequacy of the level of protection afforded by a third country involves a developing situation that may change with the passage of time, depending on a series of factors. The Member States and the Commission must therefore be constantly alert to any change of circumstances that may necessitate a reassessment of whether the level of protection afforded by a third country is adequate. An assessment of the adequacy of that level of protection cannot be fixed at a specific time and then be maintained indefinitely, irrespective of any change in circumstances showing that in reality the level of protection afforded is no longer adequate.
147. The obligation for the third country to ensure an adequate level of protection is thus an ongoing obligation. While the assessment is made at a specific time, retention of the adequacy decision presupposes that no circumstance that has since arisen is such as to call into question the initial assessment made by the Commission.
148. Indeed, it must not be forgotten that the objective of Article 25 of Directive 95/46 is to prevent personal data from being transferred to a third country that does not ensure an adequate level of protection, in breach of the fundamental right to protection of personal data guaranteed by Article 8 of the Charter.
149. It must be emphasised that the power conferred on the Commission by the EU legislature in Article 25(6) of Directive 95/46 to find that a third country ensures an adequate level of protection is expressly conditional on the requirement that that third country ensures such a level of protection, within the meaning of Article 25(2). If new circumstances are such as to call the Commission’s initial assessment into question, it should adapt its decision accordingly.
3. My assessment
150. It is to be remembered that, under Article 25(6) of Directive 95/46, ‘[t]he Commission may find, in accordance with the procedure referred to in Article 31(2), that a third country ensures an adequate level of protection within the meaning of paragraph 2 of this Article, by reason of its domestic law or of the international commitments it has entered into, particularly upon conclusion of the negotiations referred to in paragraph 5, for the protection of the private lives and basic freedoms and rights of individuals’. Read in conjunction with Article 25(2) of that directive, Article 25(6) means that, in order to find that a third country ensures an adequate level of protection, the Commission must undertake a global assessment of the rules of law in force in that third country and of their application.
151. We have seen that the fact that the Commission has maintained Decision 2000/520, in spite of changes in the factual and legal position, must be understood as willingness on its part to confirm its initial assessment.
152. It is not for the Court, in the context of a reference for a preliminary ruling, to assess the facts underlying the dispute that led the national court to make that reference.
153. I shall therefore rely on the facts stated by the referring court in its request for a preliminary ruling, facts which, moreover, are largely accepted by the Commission itself as established.
154. The matters put forward before the Court to challenge the Commission’s assessment that the safe harbour scheme ensures an adequate level of protection of the personal data transferred from the European Union to the United States may be described as follows.
155. In its request for a preliminary ruling, the referring court proceeds on the basis of the following two findings of fact. First, personal data transferred by undertakings such as Facebook Ireland to their parent company established in the United States is then capable of being accessed by the NSA and by other United States security agencies in the course of a mass and indiscriminate surveillance and interception of such data. Indeed, in the wake of Edward Snowden’s revelations, the evidence now available would admit of no other realistic conclusion. Second, citizens of the Union have no effective right to be heard on the question of the surveillance and interception of their data by the NSA and other United States security agencies.
156. The findings of fact thus made by the High Court are supported by the statements of the Commission itself.
157. Thus, in the Communication on the Functioning of the Safe Harbour from the Perspective of EU Citizens and Companies established in the EU, referred to above, the Commission proceeded on the basis of the finding that in the course of 2013 information on the scale and scope of United States surveillance programmes raised concerns over the continuity of protection of personal data lawfully transferred to the United States under the safe harbour scheme. It observed that all companies involved in the PRISM programme, which grant access to United States authorities to data stored and processed in the United States, appear to be certified under the safe harbour scheme. According to the Commission, this has made the safe harbour scheme one of the conduits through which access is given to United States intelligence authorities to the collecting of personal data initially processed in the European Union.
158. It follows from these factors that the law and practice of the United States allow the large-scale collection of the personal data of citizens of the Union which is transferred under the safe harbour scheme, without those citizens benefiting from effective judicial protection.
159. Those findings of fact demonstrate, in my view, that Decision 2000/520 does not contain sufficient guarantees. Owing to that lack of guarantees, Decision 2000/520 has been implemented in a manner that does not satisfy the requirements of the Charter or of Directive 95/46.
160. The purpose of a decision adopted by the Commission on the basis of Article 25(6) of Directive 95/46 is to find that a third country ‘ensures’ an adequate level of protection. The word ‘ensures’, conjugated in the present tense, implies that, in order to be able to be maintained, such a decision must relate to a third country which, after the adoption of that decision, continues to guarantee an adequate level of protection.
161. In reality, the revelations referred to concerning the activities of the NSA, to the effect that it uses the data transferred under the safe harbour scheme, have shed light on the shortcomings of the legal basis represented by Decision 2000/520.
162. The insufficiencies highlighted in the course of the present proceedings are to be found, more specifically, in the fourth paragraph of Annex I to that decision.
163. Under that provision, ‘[a]dherence to [the Safe Harbour] Principles may be limited: (a) to the extent necessary to meet national security, public interest, or law enforcement requirements; (b) by statute, government regulation, or case-law that create conflicting obligations or explicit authorisations, provided that, in exercising any such authorisation, an organisation can demonstrate that its non-compliance with the Principles is limited to the extent necessary to meet the overriding legitimate interests furthered by such authorisation’.
164. The problem arises essentially from the United States authorities’ use of the derogations provided for in that provision. Because their wording is too general, the implementation of those derogations by the United States authorities is not limited to what is strictly necessary.
165. In addition to that too general wording is the fact that citizens of the Union have no appropriate remedy against the processing of their personal data for purposes other than those for which it was initially collected and then transferred to the United States.
166. The derogations laid down in Decision 2000/520 from the application of the safe harbour principles, in particular for requirements of national security, ought to have been accompanied by the putting in place of an independent control mechanism suitable for preventing the breaches of the right to privacy that have been found.
167. Thus, the revelations about the practices of the United States intelligence services as regards the generalised surveillance of data transferred under the safe harbour scheme have shed light on certain insufficiencies specific to Decision 2000/520.
168. The allegations relied on in the context of the present case do not amount to a breach by Facebook of the safe harbour principles. If a certified undertaking, such as Facebook USA, gives the United States authorities access to the data transferred to it from a Member State, it may be considered that it does so in order to comply with United States legislation. Since such a situation is expressly accepted by Decision 2000/520, owing to the broad wording of the derogations contained in that decision, it is in reality the question of the compatibility of such derogations with primary EU law that is raised in the present case.
169. It should be pointed out, in that regard, that the Court has consistently held that respect for human rights is a condition of the lawfulness of EU acts and that measures incompatible with respect for human rights are not acceptable in the European Union.
170. It also follows from the case-law of the Court that the communication of the personal data collected to third parties, whether public or private, constitutes an interference with the right to respect for private life, ‘whatever the subsequent use of the information thus communicated’. Furthermore, in its judgment in Digital Rights Ireland and Others, the Court confirmed that authorising the competent national authorities to access such data constitutes a further interference with that fundamental right. In addition, any form of processing of personal data is covered by Article 8 of the Charter and constitutes an interference with the right to the protection of such data. The access enjoyed by the United States intelligence services to the transferred data therefore also constitutes an interference with the fundamental right to protection of personal data guaranteed in Article 8 of the Charter, since such access constitutes a processing of that data.
171. Similarly to the findings of the Court in that judgment, the interference thus identified is wide-ranging and must be considered to be particularly serious, given the large number of users concerned and the quantities of data transferred. Those factors, associated with the secret nature of the United States authorities’ access to the personal data transferred to the undertakings established in the United States, make the interference extremely serious.
172. An additional factor is that the citizens of the Union who are Facebook users are not informed that their personal data will be generally accessible to the United States security agencies.
173. It should also be emphasised that the referring court found that in the United States citizens of the Union have no effective right to be heard on the question of the surveillance and interception of their data. There is oversight on the part of the FISC, but the proceedings before it are secret and ex parte. I consider that that amounts to an interference with the right of citizens of the Union to an effective remedy, protected by Article 47 of the Charter.
174. The interference with the fundamental rights protected by Articles 7, 8 and 47 of the Charter which is permitted by the derogations from the safe harbour principles, set out in the fourth paragraph of Annex I to Decision 2000/520, is therefore made out.
175. It is now necessary to ascertain whether or not that interference is justified.
176. In accordance with Article 52(1) of the Charter, any limitation on the exercise of the rights and freedoms laid down by the Charter must be provided for by law and must respect the essence of those rights and freedoms. Subject to the principle of proportionality, limitations may be made to those rights and freedoms only if they are necessary and genuinely meet objectives of general interest recognised by the European Union or the need to protect the rights and freedoms of others.
177. In the light of the conditions thus laid down that must be satisfied in order for limitations on the exercise of the rights and freedoms protected by the Charter to be accepted, I find it extremely doubtful that the limitations at issue in the present case may be regarded as respecting the essence of Articles 7 and 8 of the Charter. The United States intelligence services’ access to the data transferred seems to extend to the content of the electronic communications, which would compromise the essence of the fundamental right to respect for privacy and the other rights enshrined in Article 7 of the Charter. Furthermore, since the broad wording of the limitations provided for in the fourth paragraph of Annex I to Decision 2000/520 potentially allows all the safe harbour principles to be disapplied, it could be considered that those limitations compromise the essence of the fundamental right to protection of personal data.
178. As to whether the interference found meets an objective of general interest, I would recall first of all that, under point (b) in the fourth paragraph of Annex I to Decision 2000/520, adherence to the safe harbour principles may be limited by ‘statute, government regulation, or case-law that create conflicting obligations or explicit authorisations, provided that, in exercising any such authorisation, an organisation can demonstrate that its non-compliance with the Principles is limited to the extent necessary to meet the overriding legitimate interests furthered by such authorisation’.
179. It must be stated that the ‘legitimate interests’ referred to in that provision are not defined. That leads to uncertainty as to the — potentially very wide — scope of that derogation from the application of the safe harbour principles by the undertakings that adhere to them.
180. That impression is confirmed on reading the explanations in Part B of Annex IV to Decision 2000/520, headed ‘Explicit Legal Authorisations’, in particular the assertion that, ‘[c]learly, where US law imposes a conflicting obligation, US organisations whether in the safe harbour or not must comply with the law’. It is further stated, as regards explicit authorisations, that, ‘while the safe harbour principles are intended to bridge the differences between the US and European regimes for privacy protection, we owe deference to the legislative prerogatives of our elected lawmakers’.
181. It follows that, to my mind, that derogation is contrary to Articles 7, 8 and 52(1) of the Charter since it does not pursue an objective of general interest defined with sufficient precision.
182. In any event, the ease and generality with which Decision 2000/520 itself, in point (b) in the fourth paragraph of Annex I and in Part B of Annex IV, provides that the safe harbour principles may be disregarded pursuant to provisions of United States law are incompatible with the condition that derogations from the rules on the protection of personal data must be limited to what is strictly necessary. The ‘necessity’ condition is certainly mentioned, but, quite apart from the fact that it is the undertaking concerned that is responsible for demonstrating that that condition is satisfied, I fail to see how such an undertaking could escape an obligation to disregard the safe harbour principles which arises under the legal rules which it is required to apply.
183. I am therefore of the view that Decision 2000/520 must be declared invalid since the existence of a derogation which allows in such general and imprecise terms the principles of the safe harbour scheme to be disregarded prevents in itself that scheme from being considered to ensure an adequate level of protection of the personal data which is transferred to the United States from the European Union.
184. As regards, now, the first category of limits, provided for in point (a) in the fourth paragraph of Annex I to Decision 2000/520 on account of national security, public interest or law enforcement requirements, only the first objective seems to me to be sufficiently precise to be regarded as an objective of general interest recognised by the European Union within the meaning of Article 52(1) of the Charter.
185. It is now appropriate to ascertain the proportionality of the interference found.
186. In that regard, it should be borne in mind that, ‘according to the settled case-law of the Court, the principle of proportionality requires that acts of the EU institutions be appropriate for attaining the legitimate objectives pursued by the legislation at issue and not exceed the limits of what is appropriate and necessary in order to achieve those objectives’.
187. As regards judicial review of compliance with those conditions, ‘where interferences with fundamental rights are at issue, the extent of the EU legislature’s discretion may prove to be limited, depending on a number of factors, including, in particular, the area concerned, the nature of the right at issue guaranteed by the Charter, the nature and seriousness of the interference and the object pursued by the interference’.
188. I am of the view that decisions which the Commission adopts on the basis of Article 25(6) of Directive 95/46 are subject to comprehensive review by the Court as regards the proportionality of the assessment made by the Commission in relation to the adequacy of the level of protection afforded by a third country by reason ‘of its domestic law or of the international commitments it has entered into’.
189. It should be noted, in that regard, that in its judgment in Digital Rights Ireland and Others the Court held that, ‘in view of the important role played by the protection of personal data in the light of the fundamental right to respect for private life and the extent and seriousness of the interference with that right caused by [the directive at issue], the EU legislature’s discretion is reduced, with the result that review of that discretion should be strict’.
190. Such an interference must be an appropriate means of attaining the objective pursued by the EU measure at issue and be necessary for the purpose of attaining that objective.
191. In that regard, ‘[s]o far as concerns the right to respect for private life, the protection of that fundamental right requires, according to the Court’s settled case-law …, that derogations and limitations in relation to the protection of personal data must apply only in so far as is strictly necessary’.
192. In carrying out its review, the Court also takes into account the fact that ‘the protection of personal data resulting from the explicit obligation laid down in Article 8(1) of the Charter is especially important for the right to respect for private life enshrined in Article 7 of the Charter’.
193. According to the Court, which refers, in that regard, to the case-law of the European Court of Human Rights, ‘the EU legislation in question must lay down clear and precise rules governing the scope and application of the measure in question and imposing minimum safeguards so that the persons whose data [has] been retained have sufficient guarantees to effectively protect their personal data against the risk of abuse and against any unlawful access and use of that data’. The Court states that ‘[t]he need for such safeguards is all the greater where … personal data [is] subjected to automatic processing and where there is a significant risk of unlawful access to [that] data’.
194. In my view, an analogy can be drawn between point (a) in the fourth paragraph of Annex I to Decision 2000/520 and Article 13(1) of Directive 95/46. In the first provision, it is stated that adherence to the safe harbour principles may be limited by ‘national security, public interest, or law enforcement requirements’. In the second, it is provided that Member States may adopt legislative measures to restrict the scope of the obligations and rights provided for in Articles 6(1), 10, 11(1), 12 and 21 of that directive, when such a restriction constitutes a necessary measure to safeguard, in particular, national security, defence, public security and the prevention, investigation, detection and prosecution of criminal offences.
195. As the Court observed in its judgment in IPI, it is apparent from the wording of Article 13(1) of Directive 95/46 that the Member State may lay down the measures referred to in that provision only when they are necessary. The requirement that the measures be ‘necessary’ is thus a precondition for the option granted to Member States by that provision. For the processing of personal data within the European Union, the limits laid down in Article 13 of the directive must be understood as being confined to what is strictly necessary in order to achieve the objective pursued. The same must in my view apply to the limits to the safe harbour principles provided for in the fourth paragraph of Annex I to Decision 2000/520.
196. It must be pointed out that not all the language versions mention the criterion of necessity in the wording of point (a) in the fourth paragraph of Annex I to Decision 2000/520. That applies, in particular, to the French language version, which states that ‘[l]’adhésion aux principes peut être limitée par … les exigences relatives à la sécurité nationale, l’intérêt public et le respect des lois des États-Unis’, whereas, by way of example, the Spanish, German and English language versions state that the limitations imposed must be necessary to achieve the abovementioned objectives.
197. Be that as it may, the facts set out by the referring court and by the Commission in the communications referred to above clearly show that, in practice, the implementation of those limitations is not confined to what is strictly necessary to achieve the objectives referred to.
198. I note, in that regard, that the access which the United States intelligence authorities may have to the personal data transferred covers, in a generalised manner, all persons and all means of electronic communication and all the data transferred, including the content of the communications, without any differentiation, limitation or exception according to the objective of general interest pursued.
199. Indeed, the access of the United States intelligence services to the data transferred covers, in a comprehensive manner, all persons using electronic communications services, without any requirement that the persons concerned represent a threat to national security.
200. Such mass, indiscriminate surveillance is inherently disproportionate and constitutes an unwarranted interference with the rights guaranteed by Articles 7 and 8 of the Charter.
201. As the Parliament has correctly observed in its observations, since it is excluded for the EU legislature or the Member States to adopt legislation, contrary to the Charter, providing for mass and indiscriminate surveillance, it must follow, a fortiori, that third countries cannot under any circumstances be regarded as ensuring an adequate level of protection of personal data of citizens of the Union where their rules of law do in fact permit the mass and indiscriminate surveillance and interception of such data.
202. It should be emphasised, moreover, that the safe harbour scheme, as defined in Decision 2000/520, does not contain appropriate guarantees for preventing mass and generalised access to the transferred data.
203. I observe, in that regard, that in its judgment in Digital Rights Ireland and Others the Court stressed the importance of providing ‘clear and precise rules governing the extent of the interference with the fundamental rights enshrined in Articles 7 and 8 of the Charter’. Such an interference must, according to the Court, be ‘precisely circumscribed by provisions to ensure that it is actually limited to what is strictly necessary’. The Court also drew attention in that judgment to the need to make provision for ‘sufficient safeguards, as required by Article 8 of the Charter, to ensure effective protection of the [personal data] against the risk of abuse and against any unlawful access and use of that data’.
204. However, the private dispute resolution mechanisms and the FTC, owing to its role limited to commercial disputes, are not means of challenging access by the United States intelligence services to personal data transferred from the European Union.
205. The FTC’s jurisdiction covers unfair or deceptive acts and practices in commerce and therefore does not extend to the collection and use of personal information for non-commercial purposes. The FTC’s limited area of competence restricts the individual’s right to protection of personal data. The FTC was established not, as is the case within the European Union of the national supervisory authorities, to ensure the protection of the individual right to privacy, but to ensure fair and trustworthy commerce for consumers, which limits de facto its capacity to intervene in the sphere of personal data protection. The FTC therefore does not play a role comparable to that of the national supervisory authorities which are provided for in Article 28 of Directive 95/46.
206. Citizens of the Union whose data has been transferred may approach specialist dispute resolution bodies established in the United States, such as TRUSTe and BBBOnline, to request information as to whether the undertaking holding their personal data is infringing the conditions of the self-certification regime. The private dispute resolution carried out by bodies such as TRUSTe cannot deal with breaches of the right to protection of personal data by bodies or authorities other than self-certified undertakings. Those dispute resolution bodies have no power to rule on the lawfulness of the activities of the United States security agencies.
207. Neither the FTC nor the private dispute resolution bodies therefore have the power to monitor possible breaches of principles for the protection of personal data by public actors such as the United States security agencies. Such a power is, however, essential in order to guarantee in full the right to effective protection of that data. The Commission was therefore not entitled to find, in adopting Decision 2000/520 and maintaining it in force, that there would be adequate protection for all personal data transferred to the United States of the right granted by Article 8(3) of the Charter, that is to say, that an independent authority would effectively monitor compliance with the requirements for the protection and security of that data.
208. It should therefore be found that within the safe harbour scheme provided for by Decision 2000/520 there is no independent authority capable of verifying that the implementation of the derogations from the safe harbour principles is limited to what is strictly necessary. Yet we have seen that such control by an independent authority is, from the point of view of EU law, an essential component of the protection of individuals with regard to the processing of personal data. (86)
209. It is appropriate, in that regard, to note the role played, in the system of personal data protection in force in the European Union, by the national supervisory authorities in monitoring the limitations provided for by Article 13 of Directive 95/46. According to the second subparagraph of Article 28(4) of that directive, ‘[e]ach supervisory authority shall, in particular, hear claims for checks on the lawfulness of data processing lodged by any person when the national provisions adopted pursuant to Article 13 of this Directive apply’. By analogy, I consider that the reference in the fourth paragraph of Annex I to Decision 2000/520 to limits to the application of the safe harbour principles ought to have been accompanied by the establishment of a control mechanism operated by an independent authority specialising in personal data protection.
210. The intervention of independent supervisory authorities is in fact at the heart of the European system of personal data protection. It is therefore natural that the existence of such authorities was considered from the outset to be one of the conditions necessary for a finding that the level of protection afforded by third countries was adequate; and it is a condition that must be satisfied in order for data flows from the territory of the Member States to the territory of third countries not to be prohibited under Article 25 of Directive 95/46. As noted in the working document adopted by the Working Party established by Article 29 of that directive, in Europe there is broad agreement that ‘a system of “external supervision” in the form of an independent authority is a necessary feature of a data protection compliance system’.
211. I observe, moreover, that the FISC does not offer an effective judicial remedy to citizens of the Union whose personal data is transferred to the United States. The protection against surveillance by government services provided for in section 702 of the Foreign Intelligence Surveillance Act of 1978 applies only to United States citizens and to foreign citizens legally resident on a permanent basis in the United States. As the Commission itself has observed, the oversight of United States intelligence collection programmes would be improved by strengthening the role of the FISC and by introducing remedies for individuals. Those mechanisms could reduce the processing of personal data of citizens of the Union that is not relevant for national security purposes. (89)
212. Furthermore, the Commission has itself pointed out that there are no opportunities for citizens of the Union to obtain access to or rectification or erasure of data, or administrative or judicial redress with regard to collection and further processing of their personal data taking place under the United States surveillance programmes.
213. It should be observed, last, that the United States rules on the protection of privacy may be applied differently to United States citizens and to foreign citizens.
214. It follows from the foregoing that Decision 2000/520 does not lay down clear and precise rules governing the extent of the interference with the fundamental rights enshrined in Articles 7 and 8 of the Charter. It must therefore be found that that decision and the way in which it is applied entail a wide-ranging and particularly serious interference with those fundamental rights, without that interference being precisely circumscribed by provisions to ensure that it is in fact limited to what is strictly necessary.
215. By adopting Decision 2000/520 and then maintaining it in force, the Commission therefore exceeded the limits imposed by compliance with the principle of proportionality in the light of Articles 7, 8 and 52(1) of the Charter. To that must be added the finding of an unwarranted interference with the right of citizens of the Union to an effective remedy as protected by Article 47 of the Charter.
216. That decision must therefore be declared invalid since, owing to the breaches of fundamental rights described above, the safe harbour scheme which it establishes cannot be regarded as ensuring an adequate level of protection of the personal data transferred from the European Union to the United States under that scheme.
217. Given such a finding of infringements of the fundamental rights of citizens of the Union, I consider that the Commission ought to have suspended the application of Decision 2000/520.
218. That decision is of indefinite duration. The present case shows that the adequacy of the level of protection afforded by a third country may change over time, according to the change in both the factual and the legal circumstances on which the decision was based.
219. I observe that Decision 2000/520 itself contains provisions allowing for the Commission to adapt the decision according to the circumstances.
220. Thus, recital 9 of that decision states that ‘[t]he “safe harbour” created by the Principles and the FAQs may need to be reviewed in the light of experience, of developments concerning the protection of privacy in circumstances in which technology is constantly making easier the transfer and processing of personal data and in the light of reports on implementation by enforcement authorities involved’.
221. Also, as stated in Article 3(4) of that decision, ‘[i]f the information collected under paragraphs 1, 2 and 3 provides evidence that any body responsible for ensuring compliance with the Principles implemented in accordance with the FAQs in the United States is not effectively fulfilling its role, the Commission shall inform the US Department of Commerce and, if necessary, present draft measures … with a view to reversing or suspending the present Decision or limiting its scope’.
222. Furthermore, according to Article 4(1) of Decision 2000/520, that decision ‘may be adapted at any time in the light of experience with its implementation and/or if the level of protection provided by the Principles and the FAQs is overtaken by the requirements of US legislation. The Commission shall in any case evaluate the implementation of the present Decision on the basis of available information three years after its notification to the Member States and report any pertinent findings to the Committee established under Article 31 of Directive 95/46…, including any evidence that could affect the evaluation that the provisions set out in Article 1 of this Decision provide adequate protection within the meaning of Article 25 of Directive 95/46’. Under Article 4(2) of Decision 2000/520, ‘[t]he Commission shall, if necessary, present draft measures in accordance with the procedure referred to in Article 31 of Directive 95/46’.
223. The Commission has stated in its observations that ‘there is a substantial likelihood that adherence to the Safe Harbour Privacy Principles [has] been limited in a way that fails to comply with the strictly tailored national security exemption’. It observes, in that regard, that ‘[t]he revelations in question point to a level of surveillance of a massive and indiscriminate scale incompatible with the standard of necessity laid down in that exemption as well as, more generally, with the right to personal data protection as enshrined in Article 8 of the Charter’. The Commission itself has stated, moreover, that ‘[t]he reach of these surveillance programmes, combined with the unequal treatment of EU citizens, brings into question the level of protection afforded by the Safe Harbour arrangement’. (94)
224. In addition, the Commission expressly acknowledged at the hearing that, under Decision 2000/520, as currently applied, there is no guarantee that the right of citizens of the Union to protection of their data will be ensured. However, in the Commission’s submission, that finding is not such as to render that decision invalid. While the Commission agrees with the statement that it must act when faced with new circumstances, it maintains that it has taken appropriate and proportionate measures by entering into negotiations with the United States in order to reform the safe harbour scheme.
225. I do not share that view. In the meantime, it must be possible for transfers of personal data to the United States to be suspended at the initiative of the national supervisory authorities or following complaints lodged with them.
226. In addition, I consider that, faced with such findings, the Commission ought to have suspended the application of Decision 2000/520. The objective of protecting personal data pursued by Directive 95/46 and Article 8 of the Charter places obligations not only on the Member States but also on the EU institutions, as follows from Article 51(1) of the Charter.
227. In its assessment of the level of protection afforded by a third country, the Commission must examine not only the internal laws and international commitments of that third country, but also the manner in which the protection of personal data is guaranteed in practice. Where the examination of practice reveals that the arrangements are not working correctly, the Commission must take action and, where appropriate, suspend its decision or adapt it without delay.
228. As we have seen above, the obligation owed by the Member States consists mainly in ensuring, by the action of their national supervisory authorities, compliance with the rules laid down in Directive 95/46.
229. The obligation owed by the Commission is to suspend the application of a decision which it has adopted on the basis of Article 25(6) of that directive in the case of proven shortcomings on the part of the third country concerned, while it conducts negotiations with that country in order to put an end to those shortcomings.
230. It will be recalled that the purpose of a decision adopted by the Commission on the basis of that provision is to find that a third country ‘ensures’ an adequate level of protection of the personal data which is transferred to that country. The word ‘ensures’, conjugated in the present tense, implies that, in order to be able to be maintained, such a decision must relate to a third country which, after the adoption of the decision, continues to guarantee such an adequate level of protection.
231. According to recital 57 of Directive 95/46, ‘the transfer of personal data to a third country which does not ensure an adequate level of protection must be prohibited’.
232. Under Article 25(4) of that directive, ‘[w]here the Commission finds, under the procedure provided for in Article 31(2), that a third country does not ensure an adequate level of protection within the meaning of paragraph 2 of this Article, Member States shall take the measures necessary to prevent any transfer of data of the same type to the third country in question’. Furthermore, Article 25(5) of the directive provides that ‘[a]t the appropriate time, the Commission shall enter into negotiations with a view to remedying the situation resulting from the finding made pursuant to paragraph 4’.
233. It follows from the latter provision that, in the system put in place by Article 25 of Directive 95/46, the purpose of the negotiations entered into with a third country is to remedy the absence of an adequate level of protection found in accordance with the procedure laid down in Article 31(2) of that directive. In the case with which we are concerned, the Commission did not formally find, in accordance with that procedure, that the safe harbour scheme no longer ensured an adequate level of protection. None the less, if the Commission decided to enter into negotiations with the United States, that is because it considered beforehand that the level of protection ensured by that third country was no longer adequate.
234. Although it was aware of shortcomings in the application of Decision 2000/520, the Commission neither suspended nor adapted that decision, thus entailing the continuation of the breach of the fundamental rights of the persons whose personal data was and continues to be transferred under the safe harbour scheme.
235. The Court has already held, admittedly in a different context, that the Commission has the task of bringing about an amendment to the rules in the light of new information. (95)
236. Such a failure to act on the part of the Commission, which directly impairs the fundamental rights protected by Articles 7, 8 and 47 of the Charter, is to my mind an additional ground on which to declare Decision 2000/520 invalid in the context of the present reference for a preliminary ruling. (96)
III – Conclusion
237. In the light of the foregoing, I propose that the Court should answer the questions referred by the High Court as follows:
Article 28 of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, read in the light of Articles 7 and 8 of the Charter of Fundamental Rights of the European Union, must be interpreted as meaning that the existence of a decision adopted by the European Commission on the basis of Article 25(6) of Directive 95/46 does not have the effect of preventing a national supervisory authority from investigating a complaint alleging that a third country does not ensure an adequate level of protection of the personal data transferred and, where appropriate, from suspending the transfer of that data.
Commission Decision 2000/520/EC of 26 July 2000 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the safe harbour privacy principles and related frequently asked questions issued by the Department of Commerce of the United States of America is invalid.