2
–
the interpretation and validity of Commission Decision 2010/87/EU of 5 February 2010 on
standard contractual clauses for the transfer of personal data to processors established in third
countries under Directive 95/46 (OJ 2010 L 39, p. 5), as amended by Commission Implementing
Decision (EU) 2016/2297 of 16 December 2016 (OJ 2016 L 344, p. 100) (‘the SCC Decision’);
and
–
the interpretation and validity of Commission Implementing Decision (EU) 2016/1250 of 12 July
2016 pursuant to Directive 95/46 on the adequacy of the protection provided by the EU-US
Privacy Shield (OJ 2016 L 207, p. 1; ‘the Privacy Shield Decision’).
The request has been made in proceedings between the Data Protection Commissioner (Ireland) (‘the
Commissioner’), on the one hand, and Facebook Ireland Ltd and Maximillian Schrems, on the other,
concerning a complaint brought by Mr Schrems concerning the transfer of his personal data by
Facebook Ireland to Facebook Inc. in the United States.
Legal context
Directive 95/46
3
Article 3 of Directive 95/46, under the heading ‘Scope’, stated, in paragraph 2:
‘This Directive shall not apply to the processing of personal data:
4
–
in the course of an activity which falls outside the scope of Community law, such as those
provided for by Titles V and VI of the Treaty on European Union and in any case to processing
operations concerning public security, defence, State security (including the economic well-being
of the State when the processing operation relates to State security matters) and the activities of
the State in areas of criminal law,
–
…’
Article 25 of that directive provided:
‘1.
The Member States shall provide that the transfer to a third country of personal data … may take
place only if, without prejudice to compliance with the national provisions adopted pursuant to the
other provisions of this Directive, the third country in question ensures an adequate level of protection.
2.
The adequacy of the level of protection afforded by a third country shall be assessed in the light
of all the circumstances surrounding a data transfer operation or set of data transfer operations; …
…
6.
The Commission may find, in accordance with the procedure referred to in Article 31(2), that a
third country ensures an adequate level of protection within the meaning of paragraph 2 of this Article,
by reason of its domestic law or of the international commitments it has entered into, particularly upon
conclusion of the negotiations referred to in paragraph 5, for the protection of the private lives and
basic freedoms and rights of individuals.
Member States shall take the measures necessary to comply with the Commission’s Decision.’
5
Article 26(2) and (4) of the directive provided:
‘2.
Without prejudice to paragraph 1, a Member State may authorise a transfer or a set of transfers
of personal data to a third country which does not ensure an adequate level of protection within the
meaning of Article 25(2), where the controller adduces adequate safeguards with respect to the
protection of the privacy and fundamental rights and freedoms of individuals and as regards the
exercise of the corresponding rights; such safeguards may in particular result from appropriate
contractual clauses.