personal data pursuant to such clauses are suspended or prohibited in the event of the
breach of such clauses or it being impossible to honour them. The Court finds that Decision
2010/87 establishes such mechanisms. In that regard, the Court points out, in particular, that that
decision imposes an obligation on a data exporter and the recipient of the data to verify, prior to
any transfer, whether that level of protection is respected in the third country concerned and that
the decision requires the recipient to inform the data exporter of any inability to comply with the
standard data protection clauses, the latter then being, in turn, obliged to suspend the transfer of
data and/or to terminate the contract with the former.
Lastly, the Court examines the validity of Decision 2016/1250 in the light of the requirements
arising from the GDPR, read in the light of the provisions of the Charter guaranteeing respect for
private and family life, personal data protection and the right to effective judicial protection. In that
regard, the Court notes that that decision enshrines the position, as did Decision 2000/520, that the
requirements of US national security, public interest and law enforcement have primacy, thus
condoning interference with the fundamental rights of persons whose data are transferred to that
third country. In the view of the Court, the limitations on the protection of personal data arising
from the domestic law of the United States on the access and use by US public authorities
of such data transferred from the European Union to that third country, which the Commission
assessed in Decision 2016/1250, are not circumscribed in a way that satisfies requirements
that are essentially equivalent to those required under EU law, by the principle of
proportionality, in so far as the surveillance programmes based on those provisions are not
limited to what is strictly necessary. On the basis of the findings made in that decision, the
Court pointed out that, in respect of certain surveillance programmes, those provisions do not
indicate any limitations on the power they confer to implement those programmes, or the existence
of guarantees for potentially targeted non-US persons. The Court adds that, although those
provisions lay down requirements with which the US authorities must comply when implementing
the surveillance programmes in question, the provisions do not grant data subjects actionable
rights before the courts against the US authorities.
As regards the requirement of judicial protection, the Court holds that, contrary to the view taken by
the Commission in Decision 2016/1250, the Ombudsperson mechanism referred to in that decision
does not provide data subjects with any cause of action before a body which offers
guarantees substantially equivalent to those required by EU law, such as to ensure both the
independence of the Ombudsperson provided for by that mechanism and the existence of
rules empowering the Ombudsperson to adopt decisions that are binding on the US
intelligence services. On all those grounds, the Court declares Decision 2016/1250 invalid.
NOTE: A reference for a preliminary ruling allows the courts and tribunals of the Member States, in disputes
which have been brought before them, to refer questions to the Court of Justice about the interpretation of
European Union law or the validity of a European Union act. The Court of Justice does not decide the
dispute itself. The Court of Justice does not decide the dispute itself. Unofficial document for media use, not
binding on the Court of Justice.
Unofficial document for media use, not binding on the Court of Justice.
The full text of the judgment is published on the CURIA website on the day of delivery
Press contact: Jacques René Zammit (+352) 4303 3355
Pictures of the delivery of the judgment are available from "Europe by Satellite” (+32) 2296 4106