in particular, whether the introduction of the ombudsperson referred to in Annex III to the Privacy
Shield Decision is compatible with Article 47 of the Charter.
151
As a preliminary matter, it should be noted that, although the Commissioner’s action in the main
proceedings only calls into question the SCC Decision, that action was brought before the referring
court prior to the adoption of the Privacy Shield Decision. In so far as, by its fourth and fifth questions,
that court asks the Court, at a general level, what protection must be ensured, under Articles 7, 8 and
47 of the Charter, in the context of such a transfer, the Court’s analysis must take into consideration the
consequences arising from the subsequent adoption of the Privacy Shield Decision. A fortiori that is
the case in so far as the referring court asks expressly, by its 10th question, whether the protection
required by Article 47 of the Charter is ensured by the offices of the ombudsperson to which the
Privacy Shield Decision refers.
152
In addition, it is clear from the information provided in the order for reference that, in the main
proceedings, Facebook Ireland claims that the Privacy Shield Decision is binding on the Commissioner
in respect of the finding on the adequacy of the level of protection ensured by the United States and
therefore in respect of the lawfulness of a transfer to that third country of personal data pursuant to the
standard data protection clauses in the annex to the SCC Decision.
153
As appears from paragraph 59 above, in its judgment of 3 October 2017, provided in an annex to the
order for reference, the referring court stated that it was obliged to take account of amendments to the
law that may have occurred in the interval between the institution of the proceedings and the hearing of
the action before it. Thus, that court would appear to be obliged to take into account, in order to
dispose of the case in the main proceedings, the change in circumstances brought about by the adoption
of the Privacy Shield Decision and any binding force it may have.
154
In particular, the question whether the finding in the Privacy Shield Decision that the United States
ensures an adequate level of protection is binding is relevant for the purposes of assessing both the
obligations, set out in paragraphs 141 and 142 above, of the controller and recipient of personal data
transferred to a third country pursuant to the standard data protection clauses in the annex to the SCC
Decision and also any obligations to which the supervisory authority may be subject to suspend or
prohibit such a transfer.
155
As to whether the Privacy Shield Decision has binding effects, Article 1(1) of that decision provides
that, for the purposes of Article 45(1) of the GDPR, ‘the United States ensures an adequate level of
protection for personal data transferred from the [European] Union to organisations in the United
States under the EU-U.S. Privacy Shield’. In accordance with Article 1(3) of the decision, personal
data are regarded as transferred under the EU-US Privacy Shield where they are transferred from the
Union to organisations in the United States that are included in the ‘Privacy Shield List’, maintained
and made publicly available by the US Department of Commerce, in accordance with Sections I and III
of the Principles set out in Annex II to that decision.
156
As follows from the case-law set out in paragraphs 117 and 118 above, the Privacy Shield Decision is
binding on the supervisory authorities in so far as it finds that the United States ensures an adequate
level of protection and, therefore, has the effect of authorising personal data transferred under the EUUS Privacy Shield. Therefore, until the Court should declare that decision invalid, the competent
supervisory authority cannot suspend or prohibit a transfer of personal data to an organisation that
abides by that privacy shield on the ground that it considers, contrary to the finding made by the
Commission in that decision, that the US legislation governing the access to personal data transferred
under that privacy shield and the use of that data by the public authorities of that third country for
national security, law enforcement and other public interest purposes does not ensure an adequate level
of protection.
157
The fact remains that, in accordance with the case-law set out in paragraphs 119 and 120 above, when
a person lodges a complaint with the competent supervisory authority, that authority must examine,
with complete independence, whether the transfer of personal data at issue complies with the
requirements laid down by the GDPR and, if, in its view, the arguments put forward by that person
with a view to challenging the validity of an adequacy decision are well founded, bring an action