BIG BROTHER WATCH AND OTHERS v. THE UNITED KINGDOM JUDGMENT
the Commissioner to prohibit or suspend the transfer of his personal data to
Facebook Inc.
230. In a draft decision published on 24 May 2016, the Commissioner
took the provisional view that the personal data of European Union citizens
transferred to the United States were likely to be consulted and processed by
the United States’ authorities in a manner incompatible with Articles 7
and 8 of the Charter and that United States’ law did not provide those
citizens with legal remedies compatible with Article 47 of the Charter. The
Commissioner found that the standard data protection clauses in the annex
to Decision 2010/87/EU were not capable of remedying that defect, since
they did not bind the United States’ authorities.
231. Having considered the United States’ intelligence activities under
section 702 of FISA and Executive Order 12333, the High Court concluded
that the United States carried out mass processing of personal data without
ensuring a level of protection essentially equivalent to that guaranteed by
Articles 7 and 8 of the Charter; and that European Union citizens did not
have available to them the same remedies as citizens of the United States,
with the consequence that United States’ law did not afford European Union
citizens a level of protection essentially equivalent to that guaranteed by
Article 47 of the Charter. It stayed the proceedings and referred a number of
questions to the CJEU for a preliminary ruling. It asked, inter alia, whether
European Union law applied to the transfer of data from a private company
in the European Union to a private company in a third country; if so, how
the level of protection in the third country should be assessed; and whether
the level of protection afforded by the United States respected the essence of
the rights guaranteed by Article 47 of the Charter.
232. In a judgment of 16 July 2020, the CJEU held that the General Data
Protection Regulation (“GDPR”) applied to the transfer of personal data for
commercial purposes by an economic operator established in a Member
State to another economic operator established in a third country,
irrespective of whether, at the time of that transfer or thereafter, those data
were liable to be processed by the authorities of the third country in
question for the purposes of public security, defence and State security.
Moreover, the appropriate safeguards, enforceable rights and effective legal
remedies required by the GDPR had to ensure that data subjects whose
personal data were transferred to a third country pursuant to standard data
protection clauses were afforded a level of protection essentially equivalent
to that guaranteed within the European Union. To that end, the assessment
of the level of protection afforded in the context of such a transfer had to
take into consideration both the contractual clauses agreed between the
controller or processor established in the European Union and the recipient
of the transfer established in the third country concerned and, as regards any
access by the public authorities of that third country to the personal data
transferred, the relevant aspects of the legal system of that third country.
74