Procedure : 2016/2727(RSP)
Document selected : B8-0633/2016

Texts tabled :

B8-0633/2016

Debates :

PV 25/05/2016 - 18
CRE 25/05/2016 - 18

Votes :

PV 26/05/2016 - 6.6

Texts adopted :

P8_TA(2016)0233

MOTION FOR A RESOLUTION
See also joint motion for a resolution RC-B8-0623/2016
23.5.2016
PE582.654v01-00
 
B8-0633/2016

to wind up the debate on the statements by the Council and the Commission

pursuant to Rule 123(2) of the Rules of Procedure


on transatlantic data flows (2016/2727(RSP))


Ignazio Corrao, Laura Ferrara, Beatrix von Storch on behalf of the EFDD Group

European Parliament resolution on transatlantic data flows (2016/2727(RSP))  

The European Parliament,

–  having regard to the legal framework set by the Treaty on European Union (TEU), in particular Articles 2, 3, 4, 5, 6, 7, 10 and 21 thereof, the Charter of Fundamental Rights of the European Union, in particular Articles 1, 3, 6, 7, 8, 10, 11, 20, 21, 42, 47, 48 and 52 thereof, the European Convention on Human Rights, in particular Articles 6, 8, 9, 10 and 13 thereof, and the case law of the European courts concerning security, privacy and freedom of speech,

–  having regard to Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data(1), (hereinafter ‘the Data Protection Directive’),

–  having regard to Council Framework Decision 2008/977/JHA of 27 November 2008 on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters(2),

–  having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)(3), and to Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA(4),

–  having regard to Commission Decision 2000/520/EC of 26 July 2000 (the Safe Harbour decision),

–  having regard to the Commission communication to the European Parliament and the Council of 27 November 2013 on rebuilding trust in EU-US data flows (COM(2013)0846), the Commission communication to the European Parliament and the Council of 27 November 2013 on the functioning of the Safe Harbour from the perspective of EU citizens and companies established in the EU (the Safe Harbour communication) (COM(2013)0847),

–  having regard to the judgment of the European Court of Justice of 6 October 2015 in Case C-362/14 Maximillian Schrems v Data Protection Commissioner (EU:C:2015:650),

–  having regard to the Commission communication to the European Parliament and the Council of 6 November 2015 on the transfer of personal data from the EU to the United States of America under Directive 95/46/EC following the judgment by the Court of Justice in Case C-362/14 (Schrems) (COM(2015)0566),

–  having regard to the statement of 3 February 2016 of the Article 29 Working Party on the consequences of the Schrems Judgment,

–  having regard to the Judicial Redress Act of 2015, which was signed into law by President Obama on 24 February 2016 (H.R.1428),

–  having regard to the USA Freedom Act of 2015(5),

–  having regard to the reforms of US signals intelligence activities laid down in Presidential Policy Directive 28 (PPD-28)(6), the Commission communication to the European Parliament and the Council of 29 February 2016 entitled ‘Transatlantic data flows: Restoring trust through strong safeguards’ (COM(2016)0117),

–  having regard to Article 29 Working Party Opinion 01/2016 of 13 April 2016 on the EU-US Privacy Shield draft adequacy decision,

–  having regard to Rule 123(2) of its Rules of Procedure,

A.  whereas the European Court of Justice invalidated the Safe Harbour decision in its judgment of 6 October 2015 in Case C-362/14 Maximillian Schrems v Data Protection Commissioner;

B.  whereas the European Court of Justice highlighted the following in its judgment in Case C-362/14:

i.  the importance of the fundamental right to protection of personal data, including when data is transferred outside the EU,

ii.  that the Commission’s Safe Harbour decision did not contain sufficient findings on the limitations with regard to the US public authorities’ access to data transferred under that decision and on the existence of effective legal protection against such interference,

iii.  that US requirements for national security, public interest and law enforcement prevailed over the Safe Harbour framework, so that US companies are bound to disregard the Safe Harbour’s protective rules where they conflict with those requirements,

iv.  that generalised access to the content of electronic communications by public authorities compromises the fundamental right to respect for private life,

v.  that the existence of a Commission decision finding that a third country ensures an adequate level of protection of transferred personal data cannot eliminate or reduce the powers of national supervisory authorities to examine independently whether personal data transfers to a third country comply with the requirements laid down by the Data Protection Directive;

C.  whereas, in the absence of the Safe Harbour decision, companies transferring data from the EU to the US face legal uncertainty and possible enforcement and compliance actions by the Member States but can use other tools to transfer data to the US such as standard contractual clauses (the Commission provides templates of contractual terms for companies dealing with overseas data processors) and binding corporate rules (a set of rules outlining a company’s policies on international transfers of personal data within the same corporate group);

D.  whereas while the EU-US Privacy Shield agreement was broadly welcomed by business community representatives, it is not yet clear whether the new framework will provide lasting legal certainty for businesses transferring data from the EU to the US;

1.  Welcomes the efforts made by the Commission and the US Administration to achieve substantial improvements in the EU-US Privacy Shield compared with the Safe Harbour decision, and underlines the importance of transatlantic trade and cooperation;

2.  Stresses that a healthy EU-US relationship remains absolutely vital for both partners; emphasises in this context that a negotiated solution between the US and the EU as a whole, respecting the right to data protection and the right to privacy, needs to be found;

3.  Acknowledges the consequences of ECJ judgment C-362/14 and of the EU’s rules on the right to be forgotten as outlined in ECJ judgment C-131/12 of 13 May 2014 (Google Spain SL, Google Inc. v AEPD) and in Article 17 of the General Data Protection Regulation (GDPR), which will enter into force in 2018, which are already driving a significant legal, economic and cultural wedge between EU and US trading partners;

4.  Recalls that the adequacy decision and the annexes thereto must comply with the requirements of judgment C-362/14 by imposing ‘strong obligations on companies handling Europeans’ data and robust enforcement’, ‘clear safeguards and transparency obligations on US government access’, and ‘effective protection of EU citizens’ rights with several redress possibilities’;

5.  Invites the Commission to implement fully the recommendations expressed by the Article 29 Working Party in its Opinion 01/2016 on the EU-US Privacy Shield draft adequacy decision;

6.  Is concerned that the Privacy Shield arrangement may not fully meet the requirements of the EU Charter of Fundamental Rights, the Data Protection Directive, the General Data Protection Regulation, and relevant judgments of both the European Court of Justice and the European Court of Human Rights;

7.  Calls on the Commission not to exceed its powers of implementation by taking a decision that the Privacy Shield arrangement provides an adequate level of protection in the US without conducting a full assessment of the US system and without taking into account the issues highlighted in this resolution;

8.  Stresses the need to include a two-year sunset clause for the validity of the adequacy decision, and to start new negotiations with the US on an improved framework on the basis of the General Data Protection Regulation;

9.  Instructs its President to forward this resolution to the Council, the Commission, the governments and parliaments of the Member States, and the Government and Congress of the United States of America.

(1) OJ L 281, 23.11.1995, p. 31.

(2) OJ L 350, 30.12.2008, p. 60.

(3) OJ L 119, 4.5.2016, p. 1.

(4) OJ L 119, 4.5.2016, p. 89.

(5) https://www.congress.gov/114/plaws/publ23/PLAW-114publ23.pdf

(6) https://www.whitehouse.gov/the-press-office/2014/01/17/presidential-policy-directive-signals-intelligence-activities
