the United States can be deemed to ensure a level of protection essentially equivalent to that
guaranteed by Article 47 of the Charter.
194
An examination of whether the ombudsperson mechanism which is the subject of the Privacy Shield
Decision is in fact capable of addressing the Commission’s finding of limitations on the right to
judicial protection must, in accordance with the requirements arising from Article 47 of the Charter and
the case-law recalled in paragraph 187 above, start from the premiss that data subjects must have the
possibility of bringing legal action before an independent and impartial court in order to have access to
their personal data, or to obtain the rectification or erasure of such data.
195
In the letter referred to in paragraph 193 above, the Privacy Shield Ombudsperson, although described
as ‘independent from the Intelligence Community’, was presented as ‘[reporting] directly to the
Secretary of State who will ensure that the Ombudsperson carries out its function objectively and free
from improper influence that is liable to have an effect on the response to be provided’. Furthermore, in
addition to the fact that, as found by the Commission in recital 116 of that decision, the Ombudsperson
is appointed by the Secretary of State and is an integral part of the US State Department, there is, as the
Advocate General stated in point 337 of his Opinion, nothing in that decision to indicate that the
dismissal or revocation of the appointment of the Ombudsperson is accompanied by any particular
guarantees, which is such as to undermine the Ombudsman’s independence from the executive (see, to
that effect, judgment of 21 January 2020, Banco de Santander, C‑274/14, EU:C:2020:17,
paragraphs 60 and 63 and the case-law cited).
196
Similarly, as the Advocate General stated, in point 338 of his Opinion, although recital 120 of the
Privacy Shield Decision refers to a commitment from the US Government that the relevant component
of the intelligence services is required to correct any violation of the applicable rules detected by the
Privacy Shield Ombudsperson, there is nothing in that decision to indicate that that ombudsperson has
the power to adopt decisions that are binding on those intelligence services and does not mention any
legal safeguards that would accompany that political commitment on which data subjects could rely.
197 Therefore, the ombudsperson mechanism to which the Privacy Shield Decision refers does not provide
any cause of action before a body which offers the persons whose data is transferred to the United
States guarantees essentially equivalent to those required by Article 47 of the Charter.
198
Therefore, in finding, in Article 1(1) of the Privacy Shield Decision, that the United States ensures an
adequate level of protection for personal data transferred from the Union to organisations in that third
country under the EU-US Privacy Shield, the Commission disregarded the requirements of
Article 45(1) of the GDPR, read in the light of Articles 7, 8 and 47 of the Charter.
199
It follows that Article 1 of the Privacy Shield Decision is incompatible with Article 45(1) of the
GDPR, read in the light of Articles 7, 8 and 47 of the Charter, and is therefore invalid.
200
Since Article 1 of the Privacy Shield Decision is inseparable from Articles 2 and 6 of, and the annexes
to, that decision, its invalidity affects the validity of the decision in its entirety.
201
In the light of all of the foregoing considerations, it is to be concluded that the Privacy Shield Decision
is invalid.
202
As to whether it is appropriate to maintain the effects of that decision for the purposes of avoiding the
creation of a legal vacuum (see, to that effect, judgment of 28 April 2016, Borealis Polyolefine and
Others, C‑191/14, C‑192/14, C‑295/14, C‑389/14 and C‑391/14 to C‑393/14, EU:C:2016:311,
paragraph 106), the Court notes that, in any event, in view of Article 49 of the GDPR, the annulment of
an adequacy decision such as the Privacy Shield Decision is not liable to create such a legal vacuum.
That article details the conditions under which transfers of personal data to third countries may take
place in the absence of an adequacy decision under Article 45(3) of the GDPR or appropriate
safeguards under Article 46 of the GDPR.
Costs