The National Center for Personal Data Protection, for information and application purposes, communicates about the Court of Justice Decision declaring invalid Decision 2016/1250 on the adequacy of the protection provided by the EU-US Data Protection Shield, however, considering that Commission Decision 2010/87 on standard contractual clauses for the transfer of personal data to processors established in third countries is valid.
The decision was taken following a complaint submitted by an Austrian national residing in Austria, a Facebook user since 2008. As in the case of other users residing in EU, some or all of his personal data is transferred by Facebook to servers that are located in the United States, where it undergoes processing. The complainant claimed that the law and practices in the US do not offer sufficient protection against access by the public authorities to the data transferred to that country.
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC provides that the transfer of such data to a third country may, in principle, take place only if the third country in question ensures an adequate level of data protection or details the conditions under which such a transfer may take place in the absence of an adequacy decision or appropriate safeguards.
In the complainant case, according to the Court, the limitations on the protection of personal data arising from the domestic law of the US on the access and use by US public authorities of such data transferred from the EU to that third country, which the Commission assessed in Decision 2016/1250, are not circumscribed in a way that satisfies requirements that are essentially equivalent to those required under EU law, by the principle of proportionality, in so far as the surveillance programmes based on those provisions are not limited to what is strictly necessary. Furthermore, the Ombudsperson mechanism referred to that decision does not provide data subjects with any cause of action before a body which offers guarantees substantially equivalent to those required by EU law, such as to ensure both the independence of the Ombudsperson provided for by that mechanism and the existence of rules empowering the Ombudsperson to adopt decisions that are binding on the US intelligence services.
On all those grounds, the Court declares Decision 2016/1250 invalid.
The full decision of the Court of Justice of the European Union declaring invalid Decision 2016/1250 on the adequacy of the protection provided by the EU-US Data Protection Shield can be found by accessing the following link: