BIG BROTHER WATCH AND OTHERS v. THE UNITED KINGDOM JUDGMENT
rules intended to limit any such interference, or to the existence of effective
legal protection against the interference.
226. As to whether the level of protection in the United States was
essentially equivalent to the fundamental rights and freedoms guaranteed
within the European Union, the CJEU found that legislation was not limited
to what was strictly necessary where it authorised, on a generalised basis,
storage of all the personal data of all the persons whose data were
transferred from the European Union to the United States without any
differentiation, limitation or exception being made in the light of the
objective pursued and without an objective criterion being laid down for
determining the limits of the access of the public authorities to the data and
of their subsequent use. Therefore, under European Union law legislation
permitting the public authorities to have access on a generalised basis to the
content of electronic communications had to be regarded as compromising
the essence of the fundamental right to respect for private life. Likewise,
legislation not providing for any possibility for an individual to pursue legal
remedies in order to have access to personal data relating to him, or to
obtain the rectification or erasure of such data, compromised the essence of
the fundamental right to effective judicial protection.
227. Finally, the Court found that the Safe Harbour Decision denied the
national supervisory authorities their powers where a person called into
question whether the decision was compatible with the protection of the
privacy and of the fundamental rights and freedoms of individuals. The
Commission had not had competence to restrict the national supervisory
authorities’ powers in that way and, consequently, the CJEU held the Safe
Harbour Decision to be invalid
5. Data Protection Commissioner v. Facebook Ireland and Maximillian
Schrems Case (C-311/18; ECLI:EU:C:2020:559)
228. Following the judgment of the CJEU of 6 October 2015, the
referring court annulled the rejection of Mr Schrems’ complaint and referred
that decision back to the Commissioner. In the course of the
Commissioner’s investigation, Facebook Ireland explained that a large part
of personal data were transferred to Facebook Inc. pursuant to the standard
data protection clauses set out in the annex to Commission Decision
2010/87/EU, as amended.
229. Mr Schrems reformulated his complaint, claiming, inter alia, that
the United States’ law required Facebook Inc. to make the personal data
transferred to it available to certain United States’ authorities, such as the
NSA and the Federal Bureau of Investigation. Since those data were used in
the context of various monitoring programmes in a manner incompatible
with Articles 7, 8 and 47 of the Charter, Decision 2010/87/EU could not
justify the transfer of those data to the United States. On this basis, he asked
73