before the national courts in order for them to make a reference to the Court for a preliminary ruling
for the purpose of examining the validity of that decision.
158
A complaint lodged under Article 77(1) of the GDPR, by which a person whose personal data has
been or could be transferred to a third country contends that, notwithstanding what the Commission has
found in a decision adopted pursuant to Article 45(3) of the GDPR, the law and practices of that
country do not ensure an adequate level of protection must be understood as concerning, in essence, the
issue of whether that decision is compatible with the protection of the privacy and of the fundamental
rights and freedoms of individuals (see, by analogy, as regards Article 25(6) and Article 28(4) of
Directive 95/46, judgment of 6 October 2015, Schrems, C‑362/14, EU:C:2015:650, paragraph 59).
159
In the present case, in essence, Mr Schrems requested the Commissioner to prohibit or suspend the
transfer by Facebook Ireland of his personal data to Facebook Inc., established in the United States, on
the ground that that third country did not ensure an adequate level of protection. Following an
investigation into Mr Schrems’s claims, the Commissioner brought the matter before the referring court
and that court appears, in the light of the evidence adduced and of the competing arguments put by the
parties before it, to be unsure whether Mr Schrems’s doubts as to the adequacy of the level of
protection ensured in that third country are well founded, despite the subsequent findings of the
Commission in the Privacy Shield Decision, and that has led that court to refer the 4th, 5th and 10th
questions to the Court for a preliminary ruling.
160
As the Advocate General observed in point 175 of his Opinion, those questions must therefore be
regarded, in essence, as calling into question the Commission’s finding, in the Privacy Shield Decision,
that the United States ensures an adequate level of protection of personal data transferred from the
European Union to that third country, and, therefore, as calling into question the validity of that
decision.
161
In the light of the considerations set out in paragraphs 121 and 157 to 160 above and in order to give
the referring court a full answer, it should therefore be examined whether the Privacy Shield Decision
complies with the requirements stemming from the GDPR read in the light of the Charter (see, by
analogy, judgment of 6 October 2015, Schrems, C‑362/14, EU:C:2015:650, paragraph 67).
162
In order for the Commission to adopt an adequacy decision pursuant to Article 45(3) of the GDPR, it
must find, duly stating reasons, that the third country concerned in fact ensures, by reason of its
domestic law or its international commitments, a level of protection of fundamental rights essentially
equivalent to that guaranteed in the EU legal order (see, by analogy, as regards Article 25(6) of
Directive 95/46, judgment of 6 October 2015, Schrems, C‑362/14, EU:C:2015:650, paragraph 96).
The Privacy Shield Decision
163
The Commission found, in Article 1(1) of the Privacy Shield Decision, that the United States ensures
an adequate level of protection for personal data transferred from the Union to organisations in the
United States under the EU-US Privacy Shield, the latter being comprised, inter alia, under Article 1(2)
of that decision, of the Principles issued by the US Department of Commerce on 7 July 2016 as set out
in Annex II to the decision and the official representations and commitments contained in the
documents listed in Annexes I and III to VII to that decision.
164
However, the Privacy Shield Decision also states, in paragraph I.5. of Annex II, under the heading
‘EU-U.S. Privacy Shield Framework Principles’, that adherence to those principles may be limited,
inter alia, ‘to the extent necessary to meet national security, public interest, or law enforcement
requirements’. Thus, that decision lays down, as did Decision 2000/520, that those requirements have
primacy over those principles, primacy pursuant to which self-certified United States organisations
receiving personal data from the European Union are bound to disregard the principles without
limitation where they conflict with the requirements and therefore prove incompatible with them (see,
by analogy, as regards Decision 2000/520, judgment of 6 October 2015, Schrems, C‑362/14,
EU:C:2015:650, paragraph 86).
165
In the light of its general nature, the derogation set out in paragraph I.5 of Annex II to the Privacy
Shield Decision thus enables interference, based on national security and public interest requirements