or on domestic legislation of the United States, with the fundamental rights of the persons whose
personal data is or could be transferred from the European Union to the United States (see, by analogy,
as regards Decision 2000/520, judgment of 6 October 2015, Schrems, C‑362/14, EU:C:2015:650,
paragraph 87). More particularly, as noted in the Privacy Shield Decision, such interference can arise
from access to, and use of, personal data transferred from the European Union to the United States by
US public authorities through the PRISM and UPSTREAM surveillance programmes under
Section 702 of the FISA and E.O. 12333.
166
In that context, in recitals 67 to 135 of the Privacy Shield Decision, the Commission assessed the
limitations and safeguards available in US law, inter alia under Section 702 of the FISA, E.O. 12333
and PPD‑28, as regards access to, and use of, personal data transferred under the EU-US Privacy
Shield by US public authorities for national security, law enforcement and other public interest
purposes.
167
Following that assessment, the Commission found, in recital 136 of that decision, that ‘the United
States ensures an adequate level of protection for personal data transferred from the [European] Union
to self-certified organisations in the United States’, and, in recital 140 of the decision, it considered
that, ‘on the basis of the available information about the U.S. legal order, … any interference by U.S.
public authorities with the fundamental rights of the persons whose data are transferred from the
[European] Union to the United States under the Privacy Shield for national security, law enforcement
or other public interest purposes, and the ensuing restrictions imposed on self-certified organisations
with respect to their adherence to the Principles, will be limited to what is strictly necessary to achieve
the legitimate objective in question, and that there exists effective legal protection against such
interference’.
The finding of an adequate level of protection
168
In the light of the factors mentioned by the Commission in the Privacy Shield Decision and the
referring court’s findings in the main proceedings, the referring court harbours doubts as to whether US
law in fact ensures the adequate level of protection required under Article 45 of the GDPR, read in the
light of the fundamental rights guaranteed in Articles 7, 8 and 47 of the Charter. In particular, that court
considers that the law of that third country does not provide for the necessary limitations and
safeguards with regard to the interferences authorised by its national legislation and does not ensure
effective judicial protection against such interferences. As far as concerns effective judicial protection,
it adds that the introduction of a Privacy Shield Ombudsperson cannot, in its view, remedy those
deficiencies since an ombudsperson cannot be regarded as a tribunal within the meaning of Article 47
of the Charter.
169 As regards, in the first place, Articles 7 and 8 of the Charter, which contribute to the level of protection
required within the European Union, compliance with which must be established by the Commission
before it adopts an adequacy decision under Article 45(1) of the GDPR, it must be borne in mind that
Article 7 of the Charter states that everyone has the right to respect for his or her private and family
life, home and communications. Article 8(1) of the Charter expressly confers on everyone the right to
the protection of personal data concerning him or her.
170
Thus, access to a natural person’s personal data with a view to its retention or use affects the
fundamental right to respect for private life guaranteed in Article 7 of the Charter, which concerns any
information relating to an identified or identifiable individual. Such processing of data also falls within
the scope of Article 8 of the Charter because it constitutes the processing of personal data within the
meaning of that article and, accordingly, must necessarily satisfy the data protection requirements laid
down in that article (see, to that effect, judgments of 9 November 2010, Volker und Markus Schecke
and Eifert, C‑92/09 and C‑93/09, EU:C:2010:662, paragraphs 49 and 52, and of 8 April 2014, Digital
Rights Ireland and Others, C‑293/12 and C‑594/12, EU:C:2014:238, paragraph 29; and Opinion 1/15
(EU-Canada PNR Agreement) of 26 July 2017, EU:C:2017:592, paragraphs 122 and 123).
171
The Court has held that the communication of personal data to a third party, such as a public authority,
constitutes an interference with the fundamental rights enshrined in Articles 7 and 8 of the Charter,
whatever the subsequent use of the information communicated. The same is true of the retention of