CENTRUM FÖR RÄTTVISA v. SWEDEN JUDGMENT
level of protection of the personal data transferred could not eliminate or
even reduce the powers available to the national supervisory authorities
under the Charter or the Data Protection Directive. Therefore, even if the
Commission had adopted a decision, the national supervisory authorities
had to be able to examine, with complete independence, whether the
transfer of a person’s data to a third country complied with the requirements
laid down by the Directive.
114. However, only the CJEU could declare a decision of the
Commission invalid. In this regard, it noted that the safe harbour scheme
was applicable solely to the United States’ undertakings which adhered to it,
and United States’ public authorities were not themselves subject to it.
Furthermore, national security, public interest and law enforcement
requirements of the United States prevailed over the safe harbour scheme,
so that United States’ undertakings were bound to disregard, without
limitation, the protective rules laid down by the scheme where they
conflicted with such requirements. The safe harbour scheme therefore
enabled interference by United States’ public authorities with the
fundamental rights of individuals, and the Commission had not, in the Safe
Harbour Decision, referred either to the existence, in the United States, of
rules intended to limit any such interference or to the existence of effective
legal protection against the interference.
115. As to whether the level of protection in the United States was
essentially equivalent to the fundamental rights and freedoms guaranteed
within the EU, the CJEU found that legislation was not limited to what was
strictly necessary where it authorised, on a generalised basis, storage of all
the personal data of all the persons whose data were transferred from the EU
to the United States without any differentiation, limitation or exception
being made in the light of the objective pursued and without an objective
criterion being laid down for determining the limits of the access of the
public authorities to the data and of their subsequent use. Therefore, under
EU law legislation permitting the public authorities to have access on a
generalised basis to the content of electronic communications had to be
regarded as compromising the essence of the fundamental right to respect
for private life. Likewise, legislation not providing for any possibility for an
individual to pursue legal remedies in order to have access to personal data
relating to him, or to obtain the rectification or erasure of such data,
compromised the essence of the fundamental right to effective judicial
protection.
116. Finally, the Court found that the Safe Harbour Decision denied the
national supervisory authorities their powers where a person called into
question whether the decision was compatible with the protection of the
privacy and of the fundamental rights and freedoms of individuals. The
Commission had not had competence to restrict the national supervisory
33