This document is an excerpt from the EUR-Lex website
Document 62018CN0311
Case C-311/18: Reference for a preliminary ruling from the High Court (Ireland) made on 9 May 2018 — Data Protection Commissioner v Facebook Ireland Limited, Maximillian Schrems
Case C-311/18: Reference for a preliminary ruling from the High Court (Ireland) made on 9 May 2018 — Data Protection Commissioner v Facebook Ireland Limited, Maximillian Schrems
Case C-311/18: Reference for a preliminary ruling from the High Court (Ireland) made on 9 May 2018 — Data Protection Commissioner v Facebook Ireland Limited, Maximillian Schrems
OJ C 249, 16.7.2018, p. 15–17
(BG, ES, CS, DA, DE, ET, EL, EN, FR, HR, IT, LV, LT, HU, MT, NL, PL, PT, RO, SK, SL, FI, SV)
Case C-311/18: Reference for a preliminary ruling from the High Court (Ireland) made on 9 May 2018 — Data Protection Commissioner v Facebook Ireland Limited, Maximillian Schrems
Reference for a preliminary ruling from the High Court (Ireland) made on 9 May 2018 — Data Protection Commissioner v Facebook Ireland Limited, Maximillian Schrems
(Case C-311/18)
2018/C 249/21Language of the case: EnglishReferring court
High Court (Ireland)
Parties to the main proceedings
Applicant: Data Protection Commissioner
Defendants: Facebook Ireland Limited, Maximillian Schrems
Questions referred
1. |
In circumstances in which personal data is transferred by a private company from a European Union (EU) member state to a private company in a third country for a commercial purpose pursuant to Decision 2010/87/EU ( 1 ) as amended by Commission Decision 2016/2297 ( 2 ) (‘the SCC Decision’) and may be further processed in the third country by its authorities for purposes of national security but also for purposes of law enforcement and the conduct of the foreign affairs of the third country, does EU law (including the Charter of Fundamental Rights of the European Union (‘the Charter’)) apply to the transfer of the data notwithstanding the provisions of Article 4(2) of TEU in relation to nationalsecurity and the provisions of the first indent of Article 3(2) of Directive 95/46/EC ( 3 ) (‘the Directive’) in relation to public security, defence and State security? |
2. |
|
3. |
When assessing whether a third country ensures the level of protection required by EU law to personal data transferred to that country for the purposes of Article 26 of the Directive, ought the level of protection in the third country be assessed by reference to:
|
4. |
Given the facts found by the High Court in relation to US law, if personal data is transferred from the EU to the US under the SCC Decision does this violate the rights of individuals under Articles 7 and/or 8 of the Charter? |
5. |
Given the facts found by the High Court in relation to US law, if personal data is transferred from the EU to the US under the SCC Decision:
|
6. |
|
7. |
Does the fact that the standard contractual clauses apply as between the data exporter and the data importer and do not bind the national authorities of a third country who may require the data importer to make available to its security services for further processing the personal data transferred pursuant to the clauses provided for in the SCC Decision preclude the clauses from adducing adequate safeguards as envisaged by Article 26(2) of the Directive? |
8. |
If a third country data importer is subject to surveillance laws that in the view of a data protection authority conflict with the clauses of the Annex to the SCC Decision or Article 25 and 26 of the Directive and/or the Charter, is a data protection authority required to use its enforcement powers under Article 28(3) of the Directive to suspend data flows or is the exercise of those powers limited to exceptional cases only, in light of Recital 11 of the Directive, or can a data protection authority use its discretion not to suspend data flows? |
9. |
|
10. |
Given the findings of the High Court in relation to US law, does the provision of the Privacy Shield ombudsperson under Annex A to Annex III of the Privacy Shield Decision when taken in conjunction with the existing regime in the United States ensure that the US provides a remedy to data subjects whose personal data is transferred to the US under the SCC Decision that is compatible with Article 47 of the Charter? |
11. |
Does the SCC Decision violate Articles 7, 8 and/or 47 of the Charter? |
( 1 ) Commission Decision of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council (OJ 2010, L 39, p. 5).
( 2 ) Commission Implementing Decision (EU) 2016/2297 of 16 December 2016 amending Decisions 2001/497/EC and 2010/87/EU on standard contractual clauses for the transfer of personal data to third countries and to processors established in such countries, under Directive 95/46/EC of the European Parliament and of the Council (OJ 2016, L 344, p. 100).
( 3 ) Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (OJ 1995, L 281, p. 31).
( 4 ) Commission Implementing Decision (EU) 2016/1250 of 12 July 2016 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the EU-U.S. Privacy Shield (OJ 2016, L 207, p. 1).