BIG BROTHER WATCH AND OTHERS v. THE UNITED KINGDOM JUDGMENT
222. It did not consider access to the data which were the subject of the
request to be a particularly serious interference because it:
“only enables the SIM card or cards activated with the stolen mobile telephone to be
linked, during a specific period, with the identity of the owners of those SIM cards.
Without those data being cross-referenced with the data pertaining to the
communications with those SIM cards and the location data, those data do not make it
possible to ascertain the date, time, duration and recipients of the communications
made with the SIM card or cards in question, nor the locations where those
communications took place or the frequency of those communications with specific
people during a given period. Those data do not therefore allow precise conclusions to
be drawn concerning the private lives of the persons whose data is concerned.”
4. Maximillian Schrems v. Data Protection
(Case C-362/14; ECLI:EU:C:2015:650)
Commissioner
223. This request for a preliminary ruling arose from a complaint against
Facebook Ireland Ltd which was made to the Irish Data Protection
Commissioner by Mr. Schrems, an Austrian privacy advocate. Mr. Schrems
challenged the transfer of his data by Facebook Ireland to the United States
and the retention of his data on servers located in that country. The Data
Protection Commissioner rejected the complaint since, in a decision of
26 July 2000, the European Commission had considered that the United
States ensured an adequate level of protection of the personal data
transferred (“the Safe Harbour Decision”).
224. In its ruling of 6 October 2015, the CJEU held that the existence of
a Commission decision finding that a third country ensured an adequate
level of protection of the personal data transferred could not eliminate or
even reduce the powers available to the national supervisory authorities
under the Charter or the Data Protection Directive. Therefore, even if the
Commission had adopted a decision, the national supervisory authorities
had to be able to examine, with complete independence, whether the
transfer of a person’s data to a third country complied with the requirements
laid down by the Directive.
225. However, only the CJEU could declare a decision of the
Commission invalid. In this regard, it noted that the safe harbour scheme
was applicable solely to the United States’ undertakings which adhered to it,
and United States’ public authorities were not themselves subject to it.
Furthermore, national security, public interest and law enforcement
requirements of the United States prevailed over the safe harbour scheme,
so that United States’ undertakings were bound to disregard, without
limitation, the protective rules laid down by the scheme where they
conflicted with such requirements. The safe harbour scheme therefore
enabled interference by United States’ public authorities with the
fundamental rights of individuals, and the Commission had not, in the Safe
Harbour Decision, referred either to the existence, in the United States, of
72