under the Charter of Fundamental Rights of the European Union and the directive. The Court
stresses in this regard the right, guaranteed by the Charter, to the protection of personal data and
the task with which the national supervisory authorities are entrusted under the Charter.
The Court states, first of all, that no provision of the directive prevents oversight by the national
supervisory authorities of transfers of personal data to third countries which have been the subject
of a Commission decision. Thus, even if the Commission has adopted a decision, the national
supervisory authorities, when dealing with a claim, must be able to examine, with complete
independence, whether the transfer of a person’s data to a third country complies with the
requirements laid down by the directive. Nevertheless, the Court points out that it alone has
jurisdiction to declare that an EU act, such as a Commission decision, is invalid. Consequently,
where a national authority or the person who has brought the matter before the national authority
considers that a Commission decision is invalid, that authority or person must be able to bring
proceedings before the national courts so that they may refer the case to the Court of Justice if
they too have doubts as to the validity of the Commission decision. It is thus ultimately the Court
of Justice which has the task of deciding whether or not a Commission decision is valid.
The Court then investigates whether the Safe Harbour Decision is invalid. In this connection, the
Court states that the Commission was required to find that the United States in fact ensures, by
reason of its domestic law or its international commitments, a level of protection of fundamental
rights essentially equivalent to that guaranteed within the EU under the directive read in the light of
the Charter. The Court observes that the Commission did not make such a finding, but merely
examined the safe harbour scheme.
Without needing to establish whether that scheme ensures a level of protection essentially
equivalent to that guaranteed within the EU, the Court observes that the scheme is applicable
solely to the United States undertakings which adhere to it, and United States public authorities are
not themselves subject to it. Furthermore, national security, public interest and law enforcement
requirements of the United States prevail over the safe harbour scheme, so that United States
undertakings are bound to disregard, without limitation, the protective rules laid down by that
scheme where they conflict with such requirements. The United States safe harbour scheme
thus enables interference, by United States public authorities, with the fundamental rights of
persons, and the Commission decision does not refer either to the existence, in the United States,
of rules intended to limit any such interference or to the existence of effective legal protection
against the interference.
The Court considers that that analysis of the scheme is borne out by two Commission
communications,4 according to which the United States authorities were able to access the
personal data transferred from the Member States to the United States and process it in a way
incompatible, in particular, with the purposes for which it was transferred, beyond what was strictly
necessary and proportionate to the protection of national security. Also, the Commission noted that
the persons concerned had no administrative or judicial means of redress enabling, in particular,
the data relating to them to be accessed and, as the case may be, rectified or erased.
As regards a level of protection essentially equivalent to the fundamental rights and freedoms
guaranteed within the EU, the Court finds that, under EU law, legislation is not limited to what
is strictly necessary where it authorises, on a generalised basis, storage of all the personal
data of all the persons whose data is transferred from the EU to the United States without any
differentiation, limitation or exception being made in the light of the objective pursued and
without an objective criterion being laid down for determining the limits of the access of the public
authorities to the data and of its subsequent use. The Court adds that legislation permitting the
public authorities to have access on a generalised basis to the content of electronic
4
Communication from the Commission to the European Parliament and the Council entitled ‘Rebuilding Trust in EU-US
Data Flows’ (COM(2013) 846 final, 27 November 2013) and Communication from the Commission to the European
Parliament and the Council on the Functioning of the Safe Harbour from the Perspective of EU Citizens and Companies
Established in the EU (COM(2013) 847 final, 27 November 2013).
www.curia.europa.eu