186
In the second place, as regards Article 47 of the Charter, which also contributes to the required level of
protection in the European Union, compliance with which must be determined by the Commission
before it adopts an adequacy decision pursuant to Article 45(1) of the GDPR, it should be noted that
the first paragraph of Article 47 requires everyone whose rights and freedoms guaranteed by the law of
the Union are violated to have the right to an effective remedy before a tribunal in compliance with the
conditions laid down in that article. According to the second paragraph of that article, everyone is
entitled to a hearing by an independent and impartial tribunal.
187
According to settled case-law, the very existence of effective judicial review designed to ensure
compliance with provisions of EU law is inherent in the existence of the rule of law. Thus, legislation
not providing for any possibility for an individual to pursue legal remedies in order to have access to
personal data relating to him or her, or to obtain the rectification or erasure of such data, does not
respect the essence of the fundamental right to effective judicial protection, as enshrined in Article 47
of the Charter (judgment of 6 October 2015, Schrems, C‑362/14, EU:C:2015:650, paragraph 95 and the
case-law cited).
188
To that effect, Article 45(2)(a) of the GDPR requires the Commission, in its assessment of the
adequacy of the level of protection in a third country, to take account, in particular, of ‘effective
administrative and judicial redress for the data subjects whose personal data are being transferred’.
Recital 104 of the GDPR states, in that regard, that the third country ‘should ensure effective
independent data protection supervision and should provide for cooperation mechanisms with the
Member States’ data protection authorities’, and adds that ‘the data subjects should be provided with
effective and enforceable rights and effective administrative and judicial redress’.
189 The existence of such effective redress in the third country concerned is of particular importance in the
context of the transfer of personal data to that third country, since, as is apparent from recital 116 of the
GDPR, data subjects may find that the administrative and judicial authorities of the Member States
have insufficient powers and means to take effective action in relation to data subjects’ complaints
based on allegedly unlawful processing, in that third country, of their data thus transferred, which is
capable of compelling them to resort to the national authorities and courts of that third country.
190
In the present case, the Commission’s finding in the Privacy Shield Decision that the United States
ensures a level of protection essentially equivalent to that guaranteed in Article 47 of the Charter has
been called into question on the ground, inter alia, that the introduction of a Privacy Shield
Ombudsperson cannot remedy the deficiencies which the Commission itself found in connection with
the judicial protection of persons whose personal data is transferred to that third country.
191
In that regard, the Commission found, in recital 115 of the Privacy Shield Decision, that ‘while
individuals, including EU data subjects, … have a number of avenues of redress when they have been
the subject of unlawful (electronic) surveillance for national security purposes, it is equally clear that at
least some legal bases that U.S. intelligence authorities may use (e.g. E.O. 12333) are not covered’.
Thus, as regards E.O. 12333, the Commission emphasised, in recital 115, the lack of any redress
mechanism. In accordance with the case-law set out in paragraph 187 above, the existence of such a
lacuna in judicial protection in respect of interferences with intelligence programmes based on that
presidential decree makes it impossible to conclude, as the Commission did in the Privacy Shield
Decision, that United States law ensures a level of protection essentially equivalent to that guaranteed
by Article 47 of the Charter.
192
Furthermore, as regards both the surveillance programmes based on Section 702 of the FISA and those
based on E.O. 12333, it has been noted in paragraphs 181 and 182 above that neither PPD‑28 nor
E.O. 12333 grants data subjects rights actionable in the courts against the US authorities, from which it
follows that data subjects have no right to an effective remedy.
193
The Commission found, however, in recitals 115 and 116 of the Privacy Shield Decision, that, as a
result of the Ombudsperson Mechanism introduced by the US authorities, as described in a letter from
the US Secretary of State to the European Commissioner for Justice, Consumers and Gender Equality
from 7 July 2016, set out in Annex III to that decision, and of the nature of that Ombudsperson’s role,
in the present instance, a ‘Senior Coordinator for International Information Technology Diplomacy’,