2010/87.7 Taking the view that the outcome of Mr Schrems’s complaint depends, in particular, on
the validity of Decision 2010/87, the Irish supervisory authority brought proceedings before the
High Court in order for it to refer questions to the Court of Justice for a preliminary ruling. After the
initiation of those proceedings, the Commission adopted Decision 2016/1250 on the adequacy of
the protection provided by the EU-U.S. Privacy Shield8 (‘the Privacy Shield Decision’).
By its request for a preliminary ruling, the referring court asks the Court of Justice whether the
GDPR applies to transfers of personal data pursuant to the standard data protection clauses in
Decision 2010/87, what level of protection is required by the GDPR in connection with such a
transfer, and what obligations are incumbent on supervisory authorities in those circumstances.
The High Court also raises the question of the validity both of Decision 2010/87 and of Decision
2016/1250.
In today’s judgment, the Court of Justice finds that examination of Decision 2010/87 in the
light of the Charter of Fundamental Rights has disclosed nothing to affect the validity of
that decision. However, the Court declares Decision 2016/1250 invalid.
The Court considers, first of all, that EU law, and in particular the GDPR, applies to the transfer of
personal data for commercial purposes by an economic operator established in a Member State to
another economic operator established in a third country, even if, at the time of that transfer or
thereafter, that data may be processed by the authorities of the third country in question for the
purposes of public security, defence and State security. The Court adds that this type of data
processing by the authorities of a third country cannot preclude such a transfer from the scope of
the GDPR.
Regarding the level of protection required in respect of such a transfer, the Court holds that the
requirements laid down for such purposes by the GDPR concerning appropriate safeguards,
enforceable rights and effective legal remedies must be interpreted as meaning that data subjects
whose personal data are transferred to a third country pursuant to standard data protection clauses
must be afforded a level of protection essentially equivalent to that guaranteed within the EU
by the GDPR, read in the light of the Charter. In those circumstances, the Court specifies that
the assessment of that level of protection must take into consideration both the contractual
clauses agreed between the data exporter established in the EU and the recipient of the
transfer established in the third country concerned and, as regards any access by the
public authorities of that third country to the data transferred, the relevant aspects of the
legal system of that third country.
Regarding the supervisory authorities’ obligations in connection with such a transfer, the Court
holds that, unless there is a valid Commission adequacy decision, those competent supervisory
authorities are required to suspend or prohibit a transfer of personal data to a third country
where they take the view, in the light of all the circumstances of that transfer, that the standard
data protection clauses are not or cannot be complied with in that country and that the protection
of the data transferred that is required by EU law cannot be ensured by other means, where
the data exporter established in the EU has not itself suspended or put an end to such a
transfer.
Next, the Court examines the validity of Decision 2010/87. The Court considers that the validity of
that decision is not called into question by the mere fact that the standard data protection clauses
in that decision do not, given that they are contractual in nature, bind the authorities of the third
country to which data may be transferred. However, that validity, the Court adds, depends on
whether the decision includes effective mechanisms that make it possible, in practice, to
ensure compliance with the level of protection required by EU law and that transfers of
7
Commission Decision of 5 February 2010 on standard contractual clauses for the transfer of personal data to
processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council, as
amended by Commission Implementing Decision (EU) 2016/2297 of 16 December 2016 (OJ 2016 L 344, p. 100).
8 Commission Implementing Decision (EU) 2016/1250 of 12 July 2016 pursuant to Directive 95/46/EC of the European
Parliament and of the Council on the adequacy of the protection provided by the EU-U.S. Privacy Shield (OJ 2016 L 207,
p. 1).