Case C‑362/14

Maximillian Schrems

v

Data Protection Commissioner

(Request for a preliminary ruling from the High Court (Ireland))

(Reference for a preliminary ruling — Personal data — Protection of individuals with regard to the processing of such data — Charter of Fundamental Rights of the European Union — Articles 7, 8 and 47 — Directive 95/46/EC — Articles 25 and 28 — Transfer of personal data to third countries — Decision 2000/520/EC — Transfer of personal data to the United States — Inadequate level of protection — Validity — Complaint by an individual whose data has been transferred from the European Union to the United States — Powers of the national supervisory authorities)

Summary — Judgment of the Court (Grand Chamber), 6 October 2015

1.        Approximation of laws — Protection of individuals with regard to the processing of personal data — Directive 95/46 — Interpretation in the light of fundamental rights

(Charter of Fundamental Rights of the European Union; European Parliament and Council Directive 95/46)

2.        Approximation of laws — Protection of individuals with regard to the processing of personal data — Directive 95/46 — National supervisory authorities — Requirement of independence

(Art. 16(2) TFEU; Charter of Fundamental Rights of the European Union, Art. 8(3); European Parliament and Council Directive 95/46, recital 62 and Art. 28(1))

3.        Approximation of laws — Protection of individuals with regard to the processing of personal data — Directive 95/46 — National supervisory authorities — Powers — Oversight of transfers of personal data to third countries — Included

(Charter of Fundamental Rights of the European Union, Art. 8(3); European Parliament and Council Directive 95/46, Art. 28)

4.        Approximation of laws — Protection of individuals with regard to the processing of personal data — Directive 95/46 — Transfer of personal data to third countries — Adoption by the Commission of a decision finding an adequate level of protection in a third country — Decision binding on all the Member States to which it is addressed — Examination of the validity of such a decision — Respective roles of the national supervisory authorities and of the national courts

(Art. 288, fourth para., TFEU; Charter of Fundamental Rights of the European Union, Arts 8(3) and 47; European Parliament and Council Directive 95/46, Arts 25(6) and 28(3) and (4))

5.        Approximation of laws — Protection of individuals with regard to the processing of personal data — Directive 95/46 — Transfer of personal data to third countries — Adoption by the Commission of a decision finding an adequate level of protection in a third country — Claim lodged with a national supervisory authority concerning the protection of rights and freedoms in regard to the processing of personal data relating to the claimant — Claimant contesting the adequacy of the level of protection in that third country — Obligation on the national supervisory authority to examine the claim — Scope of the examination

(Charter of Fundamental Rights of the European Union, Arts 7, 8 and 47; European Parliament and Council Directive 95/46, Arts 25(6) and 28)

6.        Approximation of laws — Protection of individuals with regard to the processing of personal data — Directive 95/46 — Transfer of personal data to third countries — Adoption by the Commission of a decision finding an adequate level of protection in a third country — Concept of adequate level of protection — Criteria for assessment — Discretion of the Commission

(European Parliament and Council Directive 95/46, Art. 25(2) and (6))

7.        Approximation of laws — Protection of individuals with regard to the processing of personal data — Directive 95/46 — Transfer of personal data to third countries — Adoption by the Commission of a decision finding an adequate level of protection in a third country — Decision 2000/520 finding an adequate level of protection in the United States — Invalidity

(Charter of Fundamental Rights of the European Union; European Parliament and Council Directive 95/46, Arts 25(6) and 28; Commission Decision 2000/520, Arts 1 to 4)

8.        Fundamental rights — Respect for private life — Protection of personal data — EU legislation involving interference with those fundamental rights — Conditions — Sufficient guarantees against the risk of abuse — Observance of the principle of proportionality

(Charter of Fundamental Rights of the European Union, Arts 7 and 8)

1.        See the text of the decision.

(see para. 38)

2.        See the text of the decision.

(see paras 40, 41)

3.        The national supervisory authorities have a wide range of powers. Those powers, listed on a non-exhaustive basis in Article 28(3) of Directive 95/46 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, constitute necessary means to perform their duties, as stated in recital 63 in the preamble to the directive. Thus, those authorities possess, in particular, investigative powers, such as the power to collect all the information necessary for the performance of their supervisory duties, effective powers of intervention, such as that of imposing a temporary or definitive ban on processing of data, and the power to engage in legal proceedings.

As regards the power to oversee transfers of personal data to third countries, it is, admittedly, apparent from Article 28(1) and (6) of Directive 95/46 that the powers of the national supervisory authorities concern processing of personal data carried out on the territory of their own Member State, so that they do not have powers on the basis of Article 28 in respect of processing of such data carried out in a third country. However, the operation consisting in having personal data transferred from a Member State to a third country constitutes, in itself, processing of personal data within the meaning of Article 2(b) of Directive 95/46 carried out in a Member State. Consequently, as, in accordance with Article 8(3) of the Charter of Fundamental Rights of the European Union and Article 28 of Directive 95/46, the national supervisory authorities are responsible for monitoring compliance with the EU rules concerning the protection of individuals with regard to the processing of personal data, each of them is vested with the power to check whether a transfer of personal data from its own Member State to a third country complies with the requirements laid down by the directive.

(see paras 43-45, 47)

4.        The Commission may adopt, on the basis of Article 25(6) of Directive 95/46 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, a decision finding that a third country ensures an adequate level of protection. In accordance with the second subparagraph of that provision, such a decision is addressed to the Member States, who must take the measures necessary to comply with it. Pursuant to the fourth paragraph of Article 288 TFEU, it is binding on all the Member States to which it is addressed and is therefore binding on all their organs in so far as it has the effect of authorising transfers of personal data from the Member States to the third country covered by it.

Thus, until such time as the Commission decision is declared invalid by the Court, which alone has jurisdiction to determine that an EU act is invalid, the Member States and their organs, which include their independent supervisory authorities, cannot adopt measures contrary to that decision, such as acts intended to determine with binding effect that the third country covered by it does not ensure an adequate level of protection. Measures of the EU institutions are in principle presumed to be lawful and accordingly produce legal effects until such time as they are withdrawn, annulled in an action for annulment or declared invalid following a reference for a preliminary ruling or a plea of illegality.

Whilst the national courts are admittedly entitled to consider the validity of an EU act, they are not, however, endowed with the power to declare such an act invalid themselves. A fortiori, when the national supervisory authorities examine a claim, within the meaning of Article 28(4) of Directive 95/46, concerning the compatibility of such a Commission decision with the protection of the privacy and of the fundamental rights and freedoms of individuals, they are not entitled to declare that decision invalid themselves.

In a situation where the national supervisory authority comes to the conclusion that the arguments put forward in support of such a claim are unfounded and therefore rejects it, the person who lodged the claim must, as is apparent from the second subparagraph of Article 28(3) of Directive 95/46, read in the light of Article 47 of the Charter of Fundamental Rights of the European Union, have access to judicial remedies enabling him to challenge such a decision adversely affecting him before the national courts. In those circumstances, those courts must stay proceedings and make a reference to the Court for a preliminary ruling on validity where they consider that one or more grounds for invalidity put forward by the parties or, as the case may be, raised by them of their own motion are well founded.

In the converse situation, where the national supervisory authority considers that the objections advanced by the person who has lodged with it a claim concerning the protection of his rights and freedoms in regard to the processing of his personal data are well founded, that authority must, in accordance with the third indent of the first subparagraph of Article 28(3) of Directive 95/46, read in the light in particular of Article 8(3) of the Charter of Fundamental Rights of the European Union, be able to engage in legal proceedings. It is incumbent upon the national legislature to provide for legal remedies enabling the national supervisory authority concerned to put forward the objections which it considers well founded before the national courts in order for them, if they share its doubts as to the validity of the Commission decision, to make a reference for a preliminary ruling for the purpose of examination of the decision’s validity.

(see paras 51, 52, 61, 62, 64, 65)

5.        Article 25(6) of Directive 95/46 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, read in the light of Articles 7, 8 and 47 of the Charter of Fundamental Rights of the European Union, must be interpreted as meaning that a decision adopted pursuant to that provision, by which the Commission finds that a third country ensures an adequate level of protection, does not prevent a supervisory authority of a Member State, within the meaning of Article 28 of that directive, from examining the claim of a person concerning the protection of his rights and freedoms in regard to the processing of personal data relating to him which has been transferred from a Member State to that third country when that person contends that the law and practices in force in the third country do not ensure an adequate level of protection.

If that were not so, persons whose personal data has been or could be transferred to the third country concerned would be denied the right, guaranteed by Article 8(1) and (3) of the Charter of Fundamental Rights of the European Union, to lodge with the national supervisory authorities a claim for the purpose of protecting their fundamental rights.

Moreover, a claim, within the meaning of Article 28(4) of Directive 95/46, by which such a person contends that, notwithstanding what the Commission has found in a decision adopted pursuant to Article 25(6) of that directive, the law and practices of that country do not ensure an adequate level of protection must be understood as concerning, in essence, whether that decision is compatible with the protection of the privacy and of the fundamental rights and freedoms of individuals. Accordingly, where a person whose personal data has been or could be transferred to a third country which has been the subject of a Commission decision pursuant to Article 25(6) of Directive 95/46 lodges such a claim with a national supervisory authority, it is incumbent upon the national supervisory authority to examine the claim with all due diligence.

(see paras 58, 59, 63, 66, operative part 1)

6.        The term ‘adequate level of protection’ in Article 25(6) of Directive 95/46 on the protection of individuals with regard to the processing of personal data and on the free movement of such data must be understood as requiring the third country in fact to ensure, by reason of its domestic law or its international commitments, a level of protection of fundamental rights and freedoms that is essentially equivalent to that guaranteed within the European Union by virtue of that directive read in the light of the Charter of Fundamental Rights of the European Union.

Accordingly, when examining the level of protection afforded by a third country, the Commission is obliged to assess the content of the applicable rules in that country resulting from its domestic law or international commitments and the practice designed to ensure compliance with those rules, since it must, under Article 25(2) of Directive 95/46, take account of all the circumstances surrounding a transfer of personal data to a third country. Also, in the light of the fact that the level of protection ensured by a third country is liable to change, it is incumbent upon the Commission, after it has adopted a decision pursuant to Article 25(6) of Directive 95/46, to check periodically whether the finding relating to the adequacy of the level of protection ensured by the third country in question is still factually and legally justified. Such a check is required, in any event, when evidence gives rise to a doubt in that regard.

In view of, first, the important role played by the protection of personal data in the light of the fundamental right to respect for private life and, secondly, the large number of persons whose fundamental rights are liable to be infringed where personal data is transferred to a third country not ensuring an adequate level of protection, the Commission’s discretion as to the adequacy of the level of protection is reduced, with the result that review of the requirements stemming from Article 25 of Directive 95/46, read in the light of the Charter of Fundamental Rights of the European Union, should be strict.

(see paras 73, 75, 76, 78)

7.        In order for the Commission to adopt a decision pursuant to Article 25(6) of Directive 95/46 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, such as Decision 2000/520 on the adequacy of the protection provided by the safe harbour privacy principles and related frequently asked questions issued by the US Department of Commerce, it must find, duly stating reasons, that the third country concerned in fact ensures, by reason of its domestic law or its international commitments, a level of protection of fundamental rights essentially equivalent to that guaranteed in the EU legal order.

Since the Commission did not so find in Decision 2000/520, Article 1 of that decision fails to comply with the requirements laid down in Article 25(6) of Directive 95/46, read in the light of the Charter of Fundamental Rights of the European Union, and is accordingly invalid. Indeed, the safe harbour principles are applicable solely to self-certified United States organisations receiving personal data from the European Union, and United States public authorities are not required to comply with them. Moreover, Decision 2000/520 enables interference, founded on national security and public interest requirements or on domestic legislation of the United States, with the fundamental rights of the persons whose personal data is or could be transferred from the European Union to the United States, without containing any finding regarding the existence, in the United States, of rules adopted by the State intended to limit any interference with those rights and without referring to the existence of effective legal protection against interference of that kind.

Furthermore, the Commission exceeded the power which is conferred upon it in Article 25(6) of Directive 95/46, read in the light of the Charter of Fundamental Rights of the European Union, in adopting Article 3 of Decision 2000/520 and that article is therefore invalid. Article 3 of the decision must be understood as denying the national supervisory authorities the powers which they derive from Article 28 of Directive 95/46, where a person, in bringing a claim under that provision, puts forward matters that may call into question whether a Commission decision that has found, on the basis of Article 25(6) of the directive, that a third country ensures an adequate level of protection is compatible with the protection of the privacy and of the fundamental rights and freedoms of individuals. The implementing power granted by the EU legislature to the Commission in Article 25(6) of Directive 95/46 does not confer upon it competence to restrict those powers of the national supervisory authorities.

As Articles 1 and 3 of Decision 2000/520 are inseparable from Articles 2 and 4 of that decision and the annexes thereto, their invalidity affects the validity of the decision in its entirety.

(see paras 82, 87-89, 96-98, 102-105, operative part 2)

8.        EU legislation involving interference with the fundamental rights guaranteed by Articles 7 and 8 of the Charter of Fundamental Rights of the European Union must lay down clear and precise rules governing the scope and application of a measure and imposing minimum safeguards, so that the persons whose personal data is concerned have sufficient guarantees enabling their data to be effectively protected against the risk of abuse and against any unlawful access and use of that data. The need for such safeguards is all the greater where personal data is subjected to automatic processing and where there is a significant risk of unlawful access to that data. Furthermore and above all, protection of the fundamental right to respect for private life at EU level requires derogations and limitations in relation to the protection of personal data to apply only in so far as is strictly necessary.

Legislation is not limited to what is strictly necessary where it authorises, on a generalised basis, storage of all the personal data of all the persons whose data has been transferred from the European Union without any differentiation, limitation or exception being made in the light of the objective pursued and without an objective criterion being laid down by which to determine the limits of the access of the public authorities to the data, and of its subsequent use, for purposes which are specific, strictly restricted and capable of justifying the interference which both access to that data and its use entail.

In particular, legislation permitting the public authorities to have access on a generalised basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life, as guaranteed by Article 7 of the Charter of Fundamental Rights of the European Union.

Likewise, legislation not providing for any possibility for an individual to pursue legal remedies in order to have access to personal data relating to him, or to obtain the rectification or erasure of such data, does not respect the essence of the fundamental right to effective judicial protection, as enshrined in Article 47 of the Charter of Fundamental Rights of the European Union. The first paragraph of Article 47 requires everyone whose rights and freedoms guaranteed by the law of the European Union are violated to have the right to an effective remedy before a tribunal in compliance with the conditions laid down in that article. The very existence of effective judicial review designed to ensure compliance with provisions of EU law is inherent in the existence of the rule of law.

(see paras 91-95)