77
As a preliminary matter, it must be borne in mind that the present request for a preliminary ruling has
arisen following a complaint made by Mr Schrems requesting that the Commissioner order the
suspension or prohibition, in the future, of the transfer by Facebook Ireland of his personal data to
Facebook Inc. Although the questions referred for a preliminary ruling refer to the provisions of
Directive 95/46, it is common ground that the Commissioner had not yet adopted a final decision on
that complaint when that directive was repealed and replaced by the GDPR with effect from 25 May
2018.
78
That absence of a national decision distinguishes the situation at issue in the main proceedings from
those which gave rise to the judgments of 24 September 2019, Google (Territorial scope of dereferencing) (C‑507/17, EU:C:2019:772), and of 1 October 2019, Planet49 (C‑673/17,
EU:C:2019:801), in which decisions adopted prior to the repeal of that directive were at issue.
79
The questions referred for a preliminary ruling must therefore be answered in the light of the
provisions of the GDPR rather than those of Directive 95/46.
The first question
80
By its first question, the referring court wishes to know, in essence, whether Article 2(1) and
Article 2(2)(a), (b) and (d) of the GDPR, read in conjunction with Article 4(2) TEU, must be
interpreted as meaning that that regulation applies to the transfer of personal data by an economic
operator established in a Member State to another economic operator established in a third country, in
circumstances where, at the time of that transfer or thereafter, that data is liable to be processed by the
authorities of that third country for the purposes of public security, defence and State security.
81
In that regard, it should be made clear at the outset that the rule in Article 4(2) TEU, according to
which, within the European Union, national security remains the sole responsibility of each Member
State, concerns Member States of the European Union only. That rule is therefore irrelevant, in the
present case, for the purposes of interpreting Article 2(1) and Article 2(2)(a), (b) and (d) of the GDPR.
82
Under Article 2(1) of the GDPR, that regulation applies to the processing of personal data wholly or
partly by automated means and to the processing other than by automated means of personal data
which form part of a filing system or are intended to form part of a filing system. Article 4(2) of that
regulation defines ‘processing’ as ‘any operation or set of operations which is performed on personal
data or on sets of personal data, whether or not by automated means’ and mentions, by way of
example, ‘disclosure by transmission, dissemination or otherwise making available’, but does not
distinguish between operations which take place within the European Union and those which are
connected with a third country. Furthermore, the GDPR subjects transfers of personal data to third
countries to specific rules in Chapter V thereof, entitled ‘Transfers of personal data to third countries or
international organisations’, and also confers specific powers on the supervisory authorities for that
purpose, which are set out in Article 58(2)(j) of that regulation.
83
It follows that the operation of having personal data transferred from a Member State to a third
country constitutes, in itself, processing of personal data within the meaning of Article 4(2) of the
GDPR, carried out in a Member State, and falls within the scope of that regulation under Article 2(1)
thereof (see, by analogy, as regards Article 2(b) and Article 3(1) of Directive 95/46, judgment of
6 October 2015, Schrems, C‑362/14, EU:C:2015:650, paragraph 45 and the case-law cited).
84
As to whether such an operation may be regarded as being excluded from the scope of the GDPR
under Article 2(2) thereof, it should be noted that that provision lays down exceptions to the scope of
that regulation, as defined in Article 2(1) thereof, which must be interpreted strictly (see, by analogy, as
regards Article 3(2) of Directive 95/46, judgment of 10 July 2018, Jehovan todistajat, C‑25/17,
EU:C:2018:551, paragraph 37 and the case-law cited).
85
In the present case, since the transfer of personal data at issue in the main proceedings is from
Facebook Ireland to Facebook Inc., namely between two legal persons, that transfer does not fall
within Article 2(2)(c) of the GDPR, which refers to the processing of data by a natural person in the
course of a purely personal or household activity. Such a transfer also does not fall within the
exceptions laid down in Article 2(2)(a), (b) and (d) of that regulation, since the activities mentioned