Procedure : 2016/2727(RSP)
Document stages in plenary
Document selected : B8-0642/2016

Texts tabled :

B8-0642/2016

Debates :

PV 25/05/2016 - 18
CRE 25/05/2016 - 18

Votes :

PV 26/05/2016 - 6.6

MOTION FOR A RESOLUTION
23.5.2016
PE582.663v01-00
 
B8-0642/2016

to wind up the debate on the statements by the Council and the Commission

pursuant to Rule 123(2) of the Rules of Procedure


on transatlantic data flows (2016/2727(RSP))


Cornelia Ernst, Marina Albiol Guzmán, Barbara Spinelli, Javier Couso Permuy, Luke Ming Flanagan, Tania González Peñas, Miguel Urbán Crespo, Lola Sánchez Caldentey, Xabier Benito Ziluaga, Estefanía Torres Martínez, Stelios Kouloglou, Kostas Chrysogonos, Dimitrios Papadimoulis, Marisa Matias, Eleonora Forenza, Patrick Le Hyaric, on behalf of the GUE/NGL Group

European Parliament resolution on transatlantic data flows (2016/2727(RSP))  

The European Parliament,

–  having regard to Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (hereinafter ‘the Directive’)(1), in particular Article 25 thereof,

–  having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC(2) (hereinafter ‘the General Data Protection Regulation’), which entered into force on 24 May 2016 and will be applied two years after that date,

–  having regard to the Charter of Fundamental Rights of the European Union and the European Convention on Human Rights,

–  having regard to the judgment of the European Court of Justice of 6 October 2015 in Case C-362/14 Maximillian Schrems v Data Protection Commissioner,

–  having regard to the draft Commission implementing decision of 29 February 2016 on the adequacy of the protection provided by the EU-US Privacy Shield, and to the annexes thereto in the form of letters from the US Administration and the US Federal Trade Commission,

–  having regard to the Commission communication of 29 February 2016 on this subject (COM(2016)0117), the Commission communication of 27 November 2013 on the functioning of the Safe Harbour from the perspective of EU citizens and companies established in the EU (COM(2013)0847) and the Commission communication of 27 November 2013 on rebuilding trust in EU-US data flows (COM(2013)0846),

–  having regard to the opinion (WP 238) on this subject adopted on 13 April 2016 by the working party set up under Article 29 of the Directive, and to the opinions delivered previously on the same question (WP 12, WP 27 and WP 32),

–  having regard to Regulation (EU) No 182/2011 of the European Parliament and of the Council of 16 February 2011 laying down the rules and general principles concerning mechanisms for control by Member States of the Commission’s exercise of implementing powers(3), and in particular Article 5 thereof concerning the examination procedure,

–  having regard to its resolution of 5 July 2000 on the Draft Commission Decision on the adequacy of the protection provided by the Safe Harbour Privacy Principles and related Frequently Asked Questions issued by the US Department of Commerce(4),

–  having regard to its resolution of 12 March 2014 on the US NSA surveillance programme, surveillance bodies in various Member States and their impact on EU citizens’ fundamental rights and on transatlantic cooperation in Justice and Home Affairs(5), and to its resolution of 29 October 2015 on the follow-up to the European Parliament resolution of 12 March 2014 on the electronic mass surveillance of EU citizens(6),

–  having regard to Rule 123(2) of its Rules of Procedure,

A.  whereas the development of the information society and electronic commerce, as well as the development of interception capabilities by intelligence agencies, have led at global level to an exponential increase in the movement of data and of electronic communication, and also in the risks involved in the misuse of such data and the interception of such communication;

B.  whereas such abuses not only act as a brake on the development of e-commerce in that they undermine the trust of consumers, but also often constitute an infringement of the rights and freedoms of persons and, in particular, an invasion of the right to privacy;

C.  whereas there is a global trend of public law enforcement authorities processing massive amounts of privately held personal data, thus blurring the line between law enforcement and commercial actors, which raises severe concerns regarding the key fundamental principle of purpose limitation;

D.  whereas protecting data means protecting the people to whom the information being processed relates, and whereas such protection is one of the fundamental rights recognised by the Union (Article 8 of the Charter of Fundamental Rights and Article 16 TFEU);

E.  whereas Directive 95/46/EC (‘the Data Protection Directive’), which will be replaced by the General Data Protection Regulation in 2018, lays down the rights of the data subject and the corresponding obligations of those who process data or exercise control over such processing, including when personal data are transferred outside the Union;

F.  whereas the adequacy of protection of personal data in third countries must be assessed through a close scrutiny of their entire body of law, which altogether needs to provide a level of personal data protection equivalent to that of the EU;

G.  whereas the EU data protection legislation entrusts the Commission with the duty to ensure, on behalf of the citizens of the Union and its Member States, that an adequate level of protection exists in third countries;

H.  whereas, in its judgment of 6 October 2015, the European Court of Justice invalidated the Commission decision on the adequacy of the protection provided by the Safe Harbour Privacy Principles and related Frequently Asked Questions issued by the US Department of Commerce;

I.  whereas the Court of Justice clarified in that judgment that an adequate level of protection in a third country must be understood as ‘essentially equivalent’ to the protection provided in the Union;

Introduction

1.  Expresses its firm commitment to the human rights to privacy and the protection of personal data;

2.  Warns against the growing trend towards a culture where both private and public actors flatly disregard the right to data protection and devise business and law enforcement models that infringe this fundamental right, which is core to any democratic society;

3.  Underlines that international commercial activities are perfectly possible within the EU data protection framework, which provides a high level of protection of personal data, as enshrined in the EU Charter of Fundamental Rights;

4.  Rejects, therefore, the false dichotomy according to which, in the context of fundamental rights, high levels of privacy and personal data protection would somehow inhibit the free flow of personal data between Europe and the US;

5.  Insists, rather, on the fact that citizens around the globe are increasingly looking towards businesses that enshrine the ‘privacy by design’ principle in their products, which indicates the existence of an understanding on the part of both citizens (as consumers) and businesses that privacy is an essential element of everyone’s daily life;

6.  Points to developments in the US in which private businesses are increasingly standing up to intrusive state forces which are actively trying to undermine their privacy by design and default policies in their products and services;

Private sector

7.  Underlines that the key problem with the Safe Harbour Agreement was the ludicrous ‘self-certification’ process by which businesses were trusted to self-certify that they uphold the key personal data protection principles, combined with a total lack of enforcement capacity on the part of the Federal Trade Commission (FTC);

8.  Points out that in the realm of fundamental rights, mere self-regulation cannot guarantee the balance of checks and safeguards required to make the fundamental right effective;

9.  Is concerned that the newly negotiated Privacy Shield arrangement will not meet the requirements of the Charter of Fundamental Rights, the Data Protection Directive, the General Data Protection Regulation, or the relevant judgments of both the European Court of Justice and the European Court of Human Rights;

10.  Notes that the Privacy Shield Principles (Annex II) do not provide an ‘essentially equivalent’ set of principles, as they do not require the consent of the data subject, do not include the principle of data minimisation, and allow the processing of personal data for purposes incompatible with that for which the data have been collected, thus failing to comply with key principles of EU data protection law;

11.  Points out that the Privacy Shield Principles give blanket permission for all kinds of processing of personal data without the need for the consent of the data subject or a full right to object; is concerned that even opt-out (‘notice and choice’) is only available in cases of material change of purpose or disclosure to a third party; is concerned that even for sensitive data, the consent of the data subject is only required for those two situations;

12.  Points out that the supplementary principle 2.a is inconsistent with the ‘Google Spain/Costeja’ judgment of the Court of Justice of 13 May 2014 (C-131/12) and with the right to erasure (‘right to be forgotten’) under EU data protection law;

13.  Is concerned that enforcement under the Privacy Shield Principles would be an extremely demanding process, as a data subject would need to take five consecutive steps (complaint to the controller; alternative dispute resolution; complaint to the Department of Commerce or the FTC through a European data protection supervisory authority; Privacy Shield Panel; US court); recalls that, pursuant to Council Directive 93/13/EEC of 5 April 1993, alternative dispute resolution is prohibited for consumer contracts;

14.  Points out that the only penalty for a controller acting in breach of the Privacy Shield Principles is deletion from the Privacy Shield list; fails to see this as essentially equivalent to the administrative sanctions and other penalties provided for in EU data protection law, especially the General Data Protection Regulation;

15.  Points out that neither the FTC nor the Department of Commerce nor the providers of alternative dispute resolution have investigatory powers comparable to those of the European supervisory authorities; recalls that the Court of Justice has declared effective supervisory powers to be a necessity for data protection supervision under EU primary law;

16.  Calls for the Privacy Shield to simplify and streamline the enforcement procedure so as to ensure equivalent enforcement, and to allow for direct procedural involvement of the national data protection authority acting on behalf of the data subject affected;

17.  Recalls that an adequacy decision gives data controllers from the third country concerned privileged access to the EU market; is concerned that the lower requirements of the Privacy Shield Principles as compared to EU data protection law would give a competitive advantage to controllers and processors based in the US over those established in the EU;

18.  Deplores the fact that the US still lacks a comprehensive consumer data protection act, despite certain efforts made in recent years;

Government surveillance

19.  Is highly concerned at the possibility of access by public authorities to data transferred under the Privacy Shield, which does not provide sufficient detail to exclude the massive and indiscriminate collection of personal data originating in the EU; recalls that this element was the key element in the judgment of the Court of Justice in Case C‑362/14 (Maximillian Schrems v Data Protection Commissioner), in which it declared the Safe Harbour Decision invalid because it did not protect the complainant against the intrusive surveillance powers of the US authorities, as revealed by the Snowden revelations;

20.  Notes that Annex VI (letter from Robert S. Litt of the US Office of the Director of National Intelligence (ODNI)) clarifies that under Presidential Policy Directive 28 (hereinafter ‘PPD-28’), bulk collection of personal data and communications of non-US individuals is still permitted in six cases; points out that such bulk collection only has to be ‘as tailored as feasible’ and ‘reasonable’, which does not meet the stricter criteria of necessity and proportionality as required under the Charter; points out that last year the European Court of Human Rights ruled that to ensure the test of necessity and proportionality had been properly applied, an interception authorisation must clearly identify ‘a specific person to be placed under surveillance or a single set of premises as the premises in respect of which the authorisation is ordered’, and that ‘such identification may be made by names, addresses, telephone numbers or other relevant information’ (Roman Zakharov v. Russia (2015), 47143/06, 4 December 2015, § 264); points out that the ECHR also specified last year that the necessity test requires the interference to be ‘strictly necessary, as a particular consideration, for the obtaining of vital intelligence in an individual operation’ (Szabó and Vissy v. Hungary, 37138/14, 12 January 2016, § 73);

21.  Notes that Annex VI also clarifies that personal data and communications may be retained for five years or even longer if it is considered to be ‘in the national security interests of the United States’; is concerned that this is in breach of the judgment of the Court of Justice of 2014 on data retention (Joined Cases C-293/12 and C-594/12);

22.  Notes that PPD-28 imposes new rules limiting the use and dissemination of non-US persons’ personal data and communications, but does not limit their bulk collection; also notes that PPD-28 clarifies in its footnote 5 that ‘bulk collection’ in the understanding of the US administration does not include mass surveillance of and access to personal data or communications, but only the mass storage of such data or communications; is concerned that this is in breach of the CoJ’s Schrems judgment, which states that legislation permitting ‘access on a generalised basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life’;

23.  Notes that the general exception relating to national security contained in Annex II, point 5 of the Privacy Shield Principles is copied verbatim from the Safe Harbour Principles and not limited further;

24.  Notes the appointment of an Ombudsperson in the US Department of State as a point of contact for the EU supervisory authorities in relation to government surveillance; points out that under Article 47 of the Charter, a legal redress possibility for the data subject himself or herself is, however, required; notes that Annex III (letter from Secretary of State John F. Kerry) states that the Ombudsperson ‘will neither confirm nor deny whether the individual has been the target of surveillance’ and will not ‘confirm the specific remedy that was applied’ (paragraph 4(e)); also points out that the Ombudsperson lacks the required independence from the executive, as he or she reports to the Secretary of State;

25.  Notes that since the invalidation of the Safe Harbour decision, the US has taken no measures to curb the surveillance programmes referred to by the Court of Justice, but, on the contrary, has adopted the Cybersecurity Information Sharing Act of 2015 and is currently set to finalise changes to Federal Rules of Criminal Procedure Rule 41 which would further undermine the privacy of non-US persons;

26.  Notes that despite these actions, the US remains the only country that has taken steps to protect fundamental rights in the wake of the revelations on global surveillance operations, with the adoption of the USA Freedom Act of 2015, which has limited mass surveillance by US intelligence agencies inside the US; is, however, concerned that the legal situation regarding mass surveillance by US intelligence agencies outside the US, and of non-US persons inside the US, as provided for by 50 USC §1881a (‘Section 702’), has not changed; considers that the US should pass further legislation to remedy this situation;

27.  Points out that several EU Member States, including France and the UK, are considering adopting or have adopted legislation which significantly increases their surveillance powers and capacities but fails to comply with Articles 7 and 8 of the Charter of Fundamental Rights or with the case law of the Court of Justice and the European Court of Human Rights; calls on the Commission to initiate infringement procedures against those Member States;

Other issues

28.  Points out that no assessment has been made by the Commission of the rights and protection of EU individuals where their personal data are transferred by a US data controller covered by the Privacy Shield to a US law enforcement authority; points out that Annex VII (letter from Bruce C. Swartz, Department of Justice, on law enforcement access to data) only refers to the access to data stored by companies, but does not address the data subject and the judicial redress rights of the individuals whose data are accessed;

29.  Welcomes the fact that according to Article 3 of the draft Commission implementing decision, EU data protection supervisory authorities can still suspend transfers of personal data to data controllers participating in the Privacy Shield arrangement; points out that this is in line with Article 4 of Commission Decision 2001/497/EC on standard contractual clauses for the transfer of personal data to third countries;

30.  Highlights the market location principle introduced with the General Data Protection Regulation; points out that once that Regulation is applied, many US data controllers who have used the Safe Harbour arrangement and may use the Privacy Shield arrangement will have to comply directly with the Regulation when they offer services on the EU market or monitor persons who are in the Union, including with the enforcement regime as laid down in the Regulation;

Conclusions

31.  Concludes that the Privacy Shield arrangement and the situation in the US do not provide for enough substantial improvements compared to the Safe Harbour arrangement;

32.  Points out that it is highly likely that the draft adequacy decision, once it is adopted, will be challenged again in court; points out that this creates a situation of legal uncertainty for individuals and businesses alike; notes that data protection experts and business associations are already advising companies to use other means of transfer of personal data to the US;

33.  Is concerned that the Commission may exceed its power of implementation by deciding that the Privacy Shield arrangement provides for an adequate level of protection in the US without conducting a full assessment of the US system and not taking into account the issues highlighted in this resolution;

34.  Calls on the Commission to include a sunset clause of two years for the validity of the adequacy decision, and start new negotiations with the US for an improved framework on the basis of the General Data Protection Regulation;

35.  Instructs its President to forward this resolution to the Council, the Commission, the governments and parliaments of the Member States, and the US Government and Congress.

(1) OJ L 281, 23.11.1995, p. 31.

(2) OJ L 119, 4.5.2016, p. 1.

(3) OJ L 55, 28.2.2011, p. 13.

(4) OJ C 121, 24.4.2001, p. 152.

(5) Texts adopted, P7_TA(2014)0230.

(6) Texts adopted, P8_TA(2015)0388.
