Procedure : 2016/2727(RSP)
Document stages in plenary
Document selected : B8-0639/2016

Texts tabled :

B8-0639/2016

Debates :

PV 25/05/2016 - 18
CRE 25/05/2016 - 18

Votes :

PV 26/05/2016 - 6.6
Explanations of votes

Texts adopted :

P8_TA(2016)0233

MOTION FOR A RESOLUTION
PDF 183kWORD 71k
See also joint motion for a resolution RC-B8-0623/2016
23.5.2016
PE582.660v01-00
 
B8-0639/2016

to wind up the debate on the statements by the Council and the Commission

pursuant to Rule 123(2) of the Rules of Procedure


on transatlantic data flows (2016/2727(RSP))


Claude Moraes, Birgit Sippel, Emilian Pavel, Ana Gomes on behalf of the S&D Group

European Parliament resolution on transatlantic data flows (2016/2727(RSP))  
B8-0639/2016

The European Parliament,

–  having regard to Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (hereinafter ‘the Data Protection Directive’)(1), in particular Article 25 thereof,

–  having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC(2) (hereinafter ‘the General Data Protection Regulation’), which entered into force on 24 May 2016 and will be applied two years after that date,

–  having regard to the Charter of Fundamental Rights of the European Union (hereinafter ‘the Charter’) and to the European Convention on Human Rights (ECHR),

–  having regard to the judgment of the European Court of Human Rights of 4 December 2015 in the case of Roman Zakharov v. Russia,

–  having regard to the judgment of the European Court of Human Rights of 12 January 2016 in the case of Zsabó and Vissy v. Hungary,

–  having regard to the judgment of the European Court of Justice of 6 October 2015 in Case C-362/14 Maximillian Schrems v Data Protection Commissioner,

–  having regard to the draft Commission implementing decision of 29 February 2016 on the adequacy of the protection provided by the EU-US Privacy Shield, and to the annexes thereto in the form of letters from the US Administration and the US Federal Trade Commission,

–  having regard to the Commission communication of 29 February 2016 on this subject (COM(2016)0117), the Commission communication of 27 November 2013 on the functioning of the Safe Harbour from the perspective of EU citizens and companies established in the EU (COM(2013)0847) and the Commission communication of 27 November 2013 on rebuilding trust in EU-US data flows (COM(2013)0846),

–  having regard to the opinion (WP 238) adopted on 13 April 2016 by the working party set up under Article 29 of the Directive, and to the opinions delivered previously on the same question (WP 12, WP 27, and WP 32),

–  having regard to Regulation (EU) No 182/2011 of the European Parliament and of the Council of 16 February 2011 laying down the rules and general principles concerning mechanisms for control by Member States of the Commission’s exercise of implementing powers(3), and in particular Article 5 thereof concerning the examination procedure,

–  having regard to its resolution of 5 July 2000 on the Draft Commission Decision on the adequacy of the protection provided by the Safe Harbour Privacy Principles and related Frequently Asked Questions issued by the US Department of Commerce(4),

–  having regard to its resolution of 12 March 2014 on the US NSA surveillance programme, surveillance bodies in various Member States and their impact on EU citizens’ fundamental rights and on transatlantic cooperation in Justice and Home Affairs(5), and to its resolution of 29 October 2015 on the follow-up to the European Parliament resolution of 12 March 2014 on the electronic mass surveillance of EU citizens(6),

–  having regard to the joint letter of 16 March 2016 from American and European civil liberties organisations to the Chair of the Article 29 Working Party, the Chair of the Committee on Civil Liberties, Justice and Home Affairs and the Ambassador and Permanent Representative of the Netherlands to the European Union,

–  having regard to Rule 123(2) of its Rules of Procedure,

A.  whereas protecting personal data means protecting the individuals to whom the information being processed relates, and whereas such protection is one of the fundamental rights recognised by the Union (Article 8 of the EU Charter of Fundamental Rights and Article 16 of the Treaty on the Functioning of the European Union);

B.  whereas the Data Protection Directive, which will be replaced by the General Data Protection Regulation by 2018, lays down rights for the data subject and corresponding obligations for those who process personal data or who exercise control over such processing;

C.  whereas the Commission is under an obligation to ensure, on behalf of the citizens of the Union and its Member States, that personal data can be transferred only to countries outside the EU and the EEA where an adequate level of protection is guaranteed;

D.  whereas the term ‘adequate level of protection’ must be understood as requiring the third country to ensure, by reason of its domestic law or its international commitments, a level of protection of fundamental rights and freedoms that is essentially equivalent to that guaranteed within the European Union by virtue of the Data Protection Directive read in the light of the Charter;

E.  whereas, when examining the level of protection afforded by a third country, the Commission is obliged to assess the content of the rules applicable in that country deriving from its domestic law or its international commitments, as well as the practice designed to ensure compliance with those rules, since it must, under Article 25(2) of the Data Protection Directive, take account of all the circumstances surrounding a transfer of personal data to a third country;

F.  whereas cross-border data flows between the United States and Europe are the highest in the world, and whereas the transfer and exchange of personal data is an essential component underpinning the close links between the European Union and the United States in commercial activities and in the law enforcement sector;

G.  whereas, in its judgment of 6 October 2015, the European Court of Justice invalidated the Commission decision on the adequacy of the protection provided by the Safe Harbour Privacy Principles and related Frequently Asked Questions issued by the US Department of Commerce;

Introduction

1.  Underlines the need to safeguard fundamental rights, including the rights to data protection and to privacy;

2.  Highlights the importance of transatlantic trade and cooperation;

3.  Underlines the importance of legal certainty for data subjects and data controllers in both the European Union and the United States;

4.  Welcomes the efforts made by the Commission and the US Administration to achieve substantial improvements in the Privacy Shield compared with the invalidated Safe Harbour decision;

5.  Welcomes the areas where the level of protection has been improved under the Privacy Shield, such as the mechanism to ensure oversight of the Privacy Shield and the now mandatory external or internal compliance reviews;

6.  Welcomes the safeguard in Article 3 of the draft adequacy decision, whereby the European data protection supervisory authorities can still suspend transfers of personal data to data controllers participating in the Privacy Shield arrangement in cases of breaches;

7.  Notes that, once the Regulation is applied, US data controllers will have to comply directly with the Regulation when they offer services on the EU market or monitor individuals in the Union;

8.  Notes that the United States lacks a horizontal, comprehensive consumer data protection act, despite certain efforts in recent years;

Concerns

9.  Is concerned that the redress mechanism for individuals under the Privacy Shield is too complex and difficult to use and would therefore render itself ineffective (complaint to the controller; alternative dispute resolution; complaint to the US Department of Commerce or the US Federal Trade Commission through a European data protection supervisory authority (Privacy Shield Panel, US court)); recalls that, pursuant to Council Directive 93/13/EEC of 5 April 1993, alternative dispute resolution is prohibited for consumer contracts;

10.  Points out that the only penalty for a controller acting in breach of the Privacy Shield Principles is deletion from the Privacy Shield list, which cannot be considered essentially equivalent to the administrative sanctions and other penalties provided for in EU data protection law, especially under the General Data Protection Regulation;

11.  Points out that neither the US Federal Trade Commission nor the US Department of Commerce nor the providers of alternative dispute resolution have investigatory powers essentially equivalent to those of European data protection supervisory authorities, which the European Court of Justice has declared to be necessary for data protection supervision under EU primary law;

12.  Notes that Annex VI (letter from Robert S. Litt, Office of the Director of National Intelligence (ODNI)) clarifies that under Presidential Policy Directive 28 (hereinafter ‘PPD-28’), bulk collection of personal data and communications of non-US persons is still permitted in six cases; points out that such bulk collection only has to be ‘as tailored as feasible’ and ‘reasonable’, which does not meet the stricter criteria of necessity and proportionality as laid down in the Charter;

13.  Welcomes the appointment of an ombudsperson in the US Department of State as a point of contact for EU supervisory authorities in relation to government surveillance; notes that Annex III (letter from Secretary of State John F. Kerry) states that the ombudsperson ‘will neither confirm nor deny whether the individual has been the target of surveillance’ nor ‘confirm specific remedy’ (paragraph 4(e)); is concerned that the ombudsperson lacks adequate powers and the required independence from the executive, as he or she reports to the Secretary of State;

14.  Welcomes the adoption by the United States of the USA Freedom Act of 2015, which has limited mass surveillance by US intelligence agencies inside the United States; is concerned, however, that the legal situation for mass surveillance by US intelligence agencies outside the United States and of non-US persons inside the United States as provided for in the US Code (Title 50, §1881a (‘Section 702’)) has not changed;

15.  Points out that the legal status of the Privacy Shield Principles as set out in Annex II, and the assurances and commitments by the US Administration as set out in Annexes III–V, remain unclear; is concerned that these commitments and assurances could be withdrawn by a future US Administration without consequences for the validity of the adequacy decision;

16.  Points out that no assessment has been made by the Commission of the rights and protections of EU individuals when their personal data are transferred by a US data controller covered by the Privacy Shield to a US law enforcement authority;

17.  Is concerned, in the light of the above and of the opinions adopted by data protection authorities, academics and privacy and data protection organisations, that the Privacy Shield arrangement as it currently stands may not fully meet the requirements of the Charter, the Data Protection Directive, the General Data Protection Regulation and relevant judgments of both the European Court of Justice and the European Court of Human Rights;

Conclusions

18.  Is concerned that the Privacy Shield arrangement as it stands and the legal situation in the United States do not provide substantial enough improvements compared with the Safe Harbour arrangement and therefore do not guarantee the legality of the adequacy decision;

19.  Points out that it is highly likely that the draft adequacy decision, once adopted, will be challenged again in court; highlights that this creates a situation of legal uncertainty for businesses and individuals; notes that data protection experts and business associations are already advising companies to use other means of transfer of personal data to the United States;

20.  Calls on the Commission to duly take into account Article 29 Data Protection Working Party Opinion 01/2016 on the EU-US Privacy Shield draft adequacy decision, and to incorporate their recommendations fully into the draft text;

21.  Calls on the Commission to include a two-year sunset clause for the validity of the adequacy decision, and to start new negotiations with the United States on an improved framework on the basis of the General Data Protection Regulation, so as to ensure that the higher level of protection in the EU is fully incorporated into the new instrument;

22.  Instructs its President to forward this resolution to the Council, the Commission, the governments and parliaments of the Member States, the US Government and the US Congress.

(1)

OJ L 281, 23.11.1995, p. 31.

(2)

OJ L 119, 4.5.2016, p. 1.

(3)

OJ L 55, 28.2.2011, p. 13.

(4)

OJ C 121, 24.4.2001, p. 152.

(5)

Texts adopted, P7_TA(2014)0230.

(6)

Texts adopted, P8_TA(2015)0388.

Legal notice