Procedure : 2016/2727(RSP)
Document stages in plenary
Document selected : B8-0622/2016

Texts tabled :

B8-0622/2016

Debates :

PV 25/05/2016 - 18
CRE 25/05/2016 - 18

Votes :

PV 26/05/2016 - 6.6
Explanations of votes

Texts adopted :


MOTION FOR A RESOLUTION
PDF 185kWORD 81k
17.5.2016
PE582.642v01-00
 
B8-0622/2016

to wind up the debate on the statements by the Council and the Commission

pursuant to Rule 123(2) of the Rules of Procedure


on transatlantic data flows (2016/2727(RSP))


Jan Philipp Albrecht, Judith Sargentini on behalf of the Verts/ALE Group

European Parliament resolution on transatlantic data flows (2016/2727(RSP))  
B8‑0622/2016

The European Parliament,

–  having regard to Directive 95/46/EC of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data(1) (hereinafter ‘the Directive’), in particular Article 25 thereof,

–  having regard to Regulation (EU) No 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC(2) (hereinafter ‘the General Data Protection Regulation’), which entered into force on 24 May 2016 and will apply from 25 May 2018,

–  having regard to the Charter of Fundamental Rights of the European Union (hereinafter ‘the Charter’) and to the European Convention on Human Rights (ECHR),

–  having regard to the judgment of the European Court of Justice of 6 October 2015 in Case C‑362/14 Maximillian Schrems v Data Protection Commissioner,

–  having regard to the draft Commission implementing decision of 29 February 2016 on the adequacy of the protection provided by the EU-US Privacy Shield, and to the annexes thereto in the form of letters from the US administration and the US Federal Trade Commission,

–  having regard to the Commission communication of 29 February 2016 entitled ‘Transatlantic data flows: restoring trust through strong safeguards’ (COM(2016)0117), the Commission communication of 27 November 2013 on the functioning of the Safe Harbour from the perspective of EU citizens and companies established in the EU (COM(2013)0847) and the Commission communication of 27 November 2013 on rebuilding trust in EU-US data flows (COM(2013)0846),

–  having regard to the opinion on this subject (WP 238) adopted on 13 April 2016 by the working party set up under Article 29 of the Directive, and the opinions delivered previously on the same question (WP12, WP27 and WP 32),

–  having regard to Regulation (EU) No 182/2011 of the European Parliament and of the Council laying down the rules and general principles concerning mechanisms for control by Member States of the Commission’s exercise of implementing powers(3), and in particular Article 5 thereof concerning the examination procedure,

–  having regard to its resolution of 5 July 2000 on the draft Commission decision on the adequacy of the protection provided by the Safe Harbour Privacy Principles and related Frequently Asked Questions issued by the US Department of Commerce(4),

–  having regard to its resolution of 12 March 2014 on the US NSA surveillance programme, surveillance bodies in various Member States and their impact on EU citizens’ fundamental rights and on transatlantic cooperation in Justice and Home Affairs(5), and to its resolution of 29 October 2015 on the follow-up to the European Parliament resolution of 12 March 2014 on the electronic mass surveillance of EU citizens(6),

–  having regard to Rule 123(2) of its Rules of Procedure,

A.  whereas the development of the information society and electronic commerce and the development of interception capabilities by intelligence agencies have led, at global level, to an exponential increase in the movement of data and electronic communication and in the risks involved in the misuse of such data and the interception of such communication;

B.  whereas such misuse not only acts as a brake on the development of e-commerce in that it undermines the trust of consumers, but also often constitutes an infringement of people’s rights and freedoms and, in particular, an invasion of the right to privacy;

C.  whereas protecting data means protecting the people to whom the information being processed relates, and whereas such protection is one of the fundamental rights recognised by the Union (Article 8 of the Charter of Fundamental Rights and Article 16 of the Treaty on the Functioning of the European Union);

D.  whereas the Directive, which will be replaced by the General Data Protection Regulation in 2018, lays down rights for the data subject and corresponding obligations for those who process data or who exercise control over such processing;

E.  whereas such protection would be useless if it were confined to the territory of the Union and did not also provide adequate protection, as provided for by the Directive, in the third countries to which the data is transferred;

F.  whereas the adequacy of protection of personal data in a third country must be assessed by reason of the third country’s domestic law or its international commitments, and whereas those means must prove effective in practice;

G.  whereas the Commission must ensure, on behalf of the citizens of the Union and its Member States, that an adequate level of protection exists in the third countries concerned;

H.  whereas, in its judgement of 6 October 2015, the European Court of Justice invalidated the Commission Decision on the adequacy of the protection provided by the Safe Harbour Privacy Principles and related Frequently Asked Questions issued by the US Department of Commerce;

I.  whereas the European Court of Justice clarified in that judgment that an adequate level of protection in a third country must be understood to be ‘essentially equivalent’ to the protection provided in the Union;

Introduction

1.  Welcomes the efforts made by the Commission and the US administration to achieve substantial improvements in the Privacy Shield compared with the Safe Harbour decision;

2.  Underlines the importance of safeguarding fundamental rights, including the rights to data protection and to privacy;

3.  Underlines the importance of transatlantic trade and cooperation;

4.  Underlines the importance of legal certainty for data subjects and data controllers;

5.  Is concerned that the Privacy Shield arrangement may not fully meet the requirements of the Charter, the Directive, the General Data Protection Regulation, and relevant judgments of both the European Court of Justice and the European Court of Human Rights;

Private sector

6.  Notes that the Privacy Shield Principles (Annex II) do not provide an essentially equivalent set of principles, as they do not require the consent of the data subject, do not include the principle of data minimisation, and allow the processing of personal data for purposes incompatible with the purpose for which the data have been collected;

7.  Points out that the Privacy Shield Principles give blanket permission for all types of processing of personal data without the need for the data subject’s consent or a full right to object; is concerned that even opt-outs (‘notice and choice’) are only provided for in the event of a material change of purpose or disclosure to a third party; is concerned that, even in the case of sensitive data, the consent of the data subject is only required in these two situations;

8.  Points out that supplemental principle 2(a) is inconsistent with the Google Spain/Costeja judgment of the Court of Justice of 13 May 2014 (C-131/12) and the right to erasure (‘right to be forgotten’) under EU data protection law;

9.  Is concerned that enforcement under the Privacy Shield Principles would be extremely demanding, because a data subject would need to take five consecutive steps (complaint to the controller; alternative dispute resolution; complaint to the Department of Commerce or the Federal Trade Commission through a European data protection supervisory authority; Privacy Shield Panel, US court); recalls that, pursuant to Council Directive 93/13/EEC of 5 April 1993, alternative dispute resolution is prohibited for consumer contracts;

10.  Points out that the only penalty for a controller acting in breach of the Privacy Shield Principles is deletion from the Privacy Shield list; fails to see this as essentially equivalent to the administrative sanctions and other penalties provided in EU data protection law, especially the General Data Protection Regulation;

11.  Points out that neither the Federal Trade Commission (FTC), nor the Department of Commerce nor the providers of alternative dispute resolution have investigatory powers comparable to European supervisory authorities; recalls that the European Court of Justice has declared effective supervisory powers to be essential for data protection supervision under EU primary law;

12.  Recalls that an adequacy decision gives data controllers from the third country concerned privileged access to the EU market; is concerned that the lower requirements of the Privacy Shield Principles as compared with EU data protection law would give a competitive advantage to controllers and processors based in the United States over those established in the Union;

13.  Deplores that the US is still lacking a comprehensive consumer data protection act, despite certain efforts in recent years;

Government surveillance

14.  Notes that Annex VI (letter from Robert S. Litt, ODNI) clarifies that under Presidential Policy Directive 28 (hereinafter ‘PPD-28’), use of personal data and communications of non-US persons collected in bulk is still permitted in six cases; points out that such bulk collection only has to be ‘as tailored as feasible’ and ‘reasonable’, which does not meet the stricter criteria of necessity and proportionality laid down in the Charter; points out that last year the European Court of Human Rights ruled that, to ensure that the necessity and proportionality test had been properly applied, an interception authorisation must clearly identify ‘a specific person to be placed under surveillance or a single set of premises as the premises in respect of which the authorisation is ordered’ and that ‘such identification may be made by names, addresses, telephone numbers or other relevant information’ (Zakharov v Russia (2015), paragraph 264); points out that last year the same court also specified that the necessity test required the interference to be ‘strictly necessary, as a particular consideration, for the obtaining of vital intelligence in an individual operation’ (Szabó and Vissy v Hungary (2015), paragraph 73);

15.  Notes that Annex VI also clarifies that personal data and communications may be retained for five years and even longer if this is considered to be ‘in the national security interests of the United States’; is concerned that this is in breach of the judgment of the European Court of Justice on data retention of 2014 (joined cases C-293/12 and C-594/12);

16.  Notes that PPD-28 imposes new rules limiting the use and dissemination of non-US persons’ personal data and communications, but does not limit their bulk collection; notes that footnote 5 of PPD-28 clarifies that ‘bulk collection’ in the understanding of the US administration does not include mass surveillance of and access to personal data or communications, but only the mass storage of such data or communications; is concerned that this is in breach of the Schrems judgment of the European Court of Justice, which states that legislation permitting ‘access on a generalised basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life’;

17.  Notes that PPD-28 is not equivalent to a US law and can be unilaterally withdrawn by any future US President; warns that this creates legal uncertainty for EU citizens relying on the Privacy Shield, in that all data transferred to the US could in the future lose protection from the Privacy Shield, without possible remedies, legislative process, or advance warning;

18.  Notes that the general exception on national security in Annex II, point 5 of the Privacy Shield Principles is copied verbatim from the Safe Harbour Principles and not limited further;

19.  Notes the appointment of an ombudsperson in the US Department of State as a point of contact for EU supervisory authorities in relation to government surveillance; points out, however, that under Article 47 of the Charter a legal redress possibility for the data subject himself or herself is required; notes that Annex III (letter from Secretary of State John F. Kerry) states that the ombudsperson ‘will neither confirm nor deny whether the individual has been the target of surveillance’ nor ‘confirm the specific remedy’ (paragraph 4(e)); also points out that the ombudsperson lacks the required independence from the executive, as he or she reports to the Secretary of State;

20.  Notes that, since the invalidation of the Safe Harbour decision, the US has taken no measures to curb the surveillance programmes referred to by the European Court of Justice, but on the contrary has adopted the Cybersecurity Information Sharing Act of 2015 and is currently set to finalise changes to Rule 41 of the Federal Rules of Criminal Procedure which would further undermine the privacy of non-US persons;

21.  Notes that, despite these actions, the US remains the only country that has taken steps to protect fundamental rights in the wake of the revelations on global surveillance operations, with the adoption of the USA Freedom Act of 2015, which has limited mass surveillance by US intelligence agencies inside the United States; is concerned, however, that the legal situation for mass surveillance by US intelligence agencies outside the US and of non-US persons inside the US as provided for in the US Code, (Title 50, §1881a (‘Section 702’)) has not changed; considers that the US should pass further legislation to remedy this situation;

22.  Points out that several Member States, including France, the United Kingdom and the Netherlands, are considering adopting or have already adopted legislation which significantly increases their surveillance powers and capacities but fails to comply with Articles 7 and 8 of the Charter of Fundamental Rights and with the case law of the European Court of Justice and the European Court of Human Rights; calls on the Commission to initiate infringement proceedings against these Member States;

Other issues

23.  Points out that no assessment has been made by the Commission of the rights and protection of EU individuals where their personal data are transferred by a US data controller covered by the Privacy Shield to a US law enforcement authority; points out that Annex VII (letter from Bruce C. Swartz, Department of Justice) on law enforcement access to data only refers to the access to data stored by companies, but does not address the data subject and the judicial redress rights of the individuals whose data are accessed;

24.  Welcomes the fact that, according to Article 3 of the draft Commission implementing decision, EU data protection supervisory authorities can still suspend transfers of personal data to data controllers participating in the Privacy Shield arrangement; points out that this is in line with Article 4 of Commission Decision 2001/497/EC on standard contractual clauses for the transfer of personal data to third countries;

25.  Highlights the market location principle introduced in the General Data Protection Regulation; points out that, once that regulation is applied, many US data controllers which have used the Safe Harbour arrangement and may use the Privacy Shield arrangement will have to directly comply with the regulation when they offer services on the EU market or monitor persons who are in the Union;

Conclusions

26.  Concludes that the Privacy Shield arrangement and the situation in the US do not provide enough substantial improvements compared with the Safe Harbour arrangement;

27.  Points out that it is highly likely that the draft adequacy decision, once it is adopted, will be challenged again in court; points out that this creates a situation of legal uncertainty for businesses and individuals; notes that data protection experts and business associations are already advising companies to use other means of transfer of personal data to the US;

28.  Is concerned that the Commission may exceed its power of implementation by deciding that the Privacy Shield arrangement provides for an adequate level of protection in the US without conducting a full assessment of the US system and while not taking into account the issues highlighted in this resolution;

29.  Calls on the Commission to continue the dialogue with the US in order to push for further improvements to the Privacy Shield arrangement in light of its current deficiencies, so as to minimise the risk of the adequacy decision failing in court;

30.  Calls on the Commission, at the very least, to include a two-year sunset clause for the validity of the adequacy decision, and to start new negotiations with the US on an improved framework on the basis of the General Data Protection Regulation;

31.  Instructs its President to forward this resolution to the Council, the Commission, the governments and parliaments of the Member States, and the US Government and Congress.

(1)

OJ L 281, 23.11.1995, p. 31.

(2)

OJ L 119, 4.5.2016, p. 1.

(3)

OJ L 55, 28.2.2011, p. 13.

(4)

OJ C 121, 24.4.2001, p. 152.

(5)

Texts adopted, P7_TA(2014)0230.

(6)

Texts adopted, P8_TA(2015)0388.

Legal notice