46
Under Article 1 of the Privacy Shield Decision:
‘1.
For the purposes of Article 25(2) of [Directive 95/46], the United States ensures an adequate
level of protection for personal data transferred from the Union to organisations in the United States
under the EU-U.S. Privacy Shield.
2.
The EU-U.S. Privacy Shield is constituted by the Principles issued by the U.S. Department of
Commerce on 7 July 2016 as set out in Annex II and the official representations and commitments
contained in the documents listed in Annexes I [and] III to VII.
3.
For the purpose of paragraph 1, personal data are transferred under the EU-U.S. Privacy Shield
where they are transferred from the Union to organisations in the United States that are included in the
“Privacy Shield List”, maintained and made publicly available by the U.S. Department of Commerce,
in accordance with Sections I and III of the Principles set out in Annex II.’
47
Under the heading ‘EU-U.S. Privacy Shield Framework Principles issued by the U.S. Department of
Commerce’, Annex II to the Privacy Shield Decision, provides, in paragraph I.5 thereof, that adherence
to those principles may be limited, inter alia, ‘to the extent necessary to meet national security, public
interest, or law enforcement requirements’.
48
Annex III to that decision contains a letter from Mr John Kerry, then Secretary of State (United
States), to the Commissioner for Justice, Consumers and Gender Equality from 7 July 2016, to which a
memorandum, Annex A, was attached, entitled ‘EU-U.S. Privacy Shield Ombudsperson mechanism
regarding signals intelligence’, the latter of which contains the following passage:
‘In recognition of the importance of the EU-U.S. Privacy Shield Framework, this Memorandum sets
forth the process for implementing a new mechanism, consistent with [PPD‑28], regarding signals
intelligence …
… President Obama announced the issuance of a new presidential directive — PPD‑28 — to “clearly
prescribe what we do, and do not do, when it comes to our overseas surveillance.”
Section 4(d) of PPD‑28 directs the Secretary of State to designate a “Senior Coordinator for
International Information Technology Diplomacy” (Senior Coordinator) “to […] serve as a point of
contact for foreign governments who wish to raise concerns regarding signals intelligence activities
conducted by the United States.” …
…
1.
… The Senior Coordinator will serve as the Privacy Shield Ombudsperson and … will work
closely with appropriate officials from other departments and agencies who are responsible for
processing requests in accordance with applicable United States law and policy. The
Ombudsperson is independent from the Intelligence Community. The Ombudsperson reports
directly to the Secretary of State who will ensure that the Ombudsperson carries out its function
objectively and free from improper influence that is liable to have an effect on the response to be
provided.
…’
49
Annex VI to the Privacy Shield Decision contains a letter from the Office of the Director of National
Intelligence to the United States Department of Commerce and to the International Trade
Administration from 21 June 2016, in which it is stated that PPD‑28 allows for ‘“bulk” collection … of
a relatively large volume of signals intelligence information or data under circumstances where the
Intelligence Community cannot use an identifier associated with a specific target … to focus the
collection’.
The dispute in the main proceedings and the questions referred for a preliminary ruling