Procedure : 2016/2727(RSP)
Document stages in plenary
Document selected : B8-0644/2016

Texts tabled :

B8-0644/2016

Debates :

PV 25/05/2016 - 18
CRE 25/05/2016 - 18

Votes :

PV 26/05/2016 - 6.6
Explanations of votes

Texts adopted :

P8_TA(2016)0233

MOTION FOR A RESOLUTION
PDF 272kWORD 75k
See also joint motion for a resolution RC-B8-0623/2016
23.5.2016
PE582.665v01-00
 
B8-0644/2016

to wind up the debate on the statements by the Council and the Commission

pursuant to Rule 123(2) of the Rules of Procedure


on transatlantic data flows (2016/2727(RSP))


Sophia in ‘t Veld on behalf of the ALDE Group

European Parliament resolution on transatlantic data flows (2016/2727(RSP))  
B8-0644/2016

The European Parliament,

–  having regard to Article 16 of the Treaty on the Functioning of the European Union (TFEU),

–  having regard to the Charter of Fundamental Rights of the European Union and the European Convention on Human Rights, in particular Articles 7, 8, 47 and 52 thereof,

–  having regard to Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (hereinafter ‘the Directive’)(1), in particular Article 25 thereof,

–  having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter ‘the General Data Protection Regulation’), which entered into force on 24 May 2016 and will be applied two years after that date,

–  having regard to the judgment of the European Court of Human Rights of 4 December 2015 in the case of Roman Zakharov v. Russia,

–  having regard to the judgment of the European Court of Human Rights of 12 January 2016 in the case of Zsabó and Vissy v. Hungary,

–  having regard to the judgment of the European Court of Justice of 6 October 2015 in Case C-362/14 Maximillian Schrems v Data Protection Commissioner,

–  having regard to the draft Commission implementing decision of 29 February 2016 on the adequacy of the protection provided by the EU-US Privacy Shield, and to the annexes thereto in the form of letters from the US Administration and the US Federal Trade Commission,

–  having regard to the Commission communication of 29 February 2016 on this subject (COM(2016)0117), the Commission communication of 27 November 2013 on the functioning of the Safe Harbour from the perspective of EU citizens and companies established in the EU (COM(2013)0847) and the Commission communication of 27 November 2013 on rebuilding trust in EU-US data flows (COM(2013)0846),

–  having regard to the opinion (WP 238) adopted on 13 April 2016 by the working party set up under Article 29 of the Directive, and to the opinions delivered previously on the same question (WP 12, WP 27 and WP 32),

–  having regard to Regulation (EU) No 182/2011 of the European Parliament and of the Council of 16 February 2011 laying down the rules and general principles concerning mechanisms for control by Member States of the Commission’s exercise of implementing powers(2), and in particular Article 5 thereof concerning the examination procedure,

–  having regard to its resolution of 5 July 2000 on the Draft Commission Decision on the adequacy of the protection provided by the Safe Harbour Privacy Principles and related Frequently Asked Questions issued by the US Department of Commerce(3),

–  having regard to its resolution of 12 March 2014 on the US NSA surveillance programme, surveillance bodies in various Member States and their impact on EU citizens’ fundamental rights and on transatlantic cooperation in Justice and Home Affairs(4), and to its resolution of 29 October 2015 on the follow-up to the European Parliament resolution of 12 March 2014 on the electronic mass surveillance of EU citizens(5),

–  having regard to the initialled Agreement between the United States of America and the European Union on the protection of personal information relating to the prevention, investigation, detection, and prosecution of criminal offences, which the Commission has proposed that the Council should sign,

–  having regard to the legal opinion of its legal service on the EU-US agreement concerning the protection of personal data and cooperation between law enforcement authorities in the EU and the US,

–  having regard to the European Data Protection Supervisor’s Preliminary Opinion on the agreement between the United States of America and the European Union on the protection of personal information relating to the prevention, investigation, detection and prosecution of criminal offences,

–  having regard to the questions put to the Commission by the Committee on Civil Liberties, Justice and Home Affairs on 9 March 2016 on the Umbrella Agreement, and the Commission’s answers thereto,

–  having regard to Rule 123(2) of its Rules of Procedure,

A.  whereas the Court of Justice invalidated the Commission Decision on the adequacy of the protection provided by the Safe Harbour Privacy Principles and related Frequently Asked Questions issued by the US Department of Commerce in its judgment of 6 October 2015, highlighting in particular that US national security and law enforcement legislation was not limited to what is strictly necessary where it authorises, on a general basis, storage and processing of all the personal data of all persons whose data is transferred from the EU to the US;

B.  whereas protecting personal data means protecting the individuals to whom the information being processed relates, and whereas such protection is one of the fundamental rights recognised by the Union (Article 8 of the Charter of Fundamental Rights and Article 16 of the TFEU);

C.  whereas Directive 95/46/EC, which will be replaced by the General Data Protection Regulation in 2018, lays down rights for the data subject and corresponding obligations on those who process personal data or who exercise control over such processing;

D.  whereas the Commission must ensure, on behalf of the citizens of the Union and its Member States, that personal data can only be transferred to countries outside the EU and the EEA where an adequate level of protection is guaranteed;

E.  whereas the term ‘adequate level of protection’ must be understood as requiring the third country to ensure, by reason of its domestic law or its international commitments, a level of protection of fundamental rights and freedoms that is essentially equivalent to that guaranteed within the European Union by virtue of Directive 95/46/EC read in the light of the Charter;

F.  whereas, when examining the level of protection afforded by a third country, the Commission is obliged to assess the content of the rules applicable in that country deriving from its domestic law or its international commitments, as well as the practice designed to ensure compliance with those rules, since it must, under Article 25(2) of Directive 95/46/EC, take account of all the circumstances surrounding a transfer of personal data to a third country; whereas this assessment must not only refer to legislation and practices relating to the protection of personal data for commercial and private purposes, but must also cover all aspects of the framework applicable to that country or sector, in particular, but not only, law enforcement, national security and respect for fundamental rights;

G.  whereas the Article 29 Data Protection Working Party (WP 29) has assessed the consequences of the Schrems judgment to all data transfers to the United States, through an inventory and analysis of CJEU jurisprudence related to Articles 7, 8 and 47 of the Charter of Fundamental Rights (hereinafter: the Charter) and the jurisprudence of the European Court of Human Rights (hereinafter: ECtHR) related to Article 8 of the European Convention on Human Rights (hereinafter: ECHR) dealing with surveillance issues in States party to the ECHR; whereas this resulted in the WP29 identifying four ‘European Essential Guarantees’, namely that processing should be based on clear, precise and accessible rules; necessity and proportionality should be demonstrated with regard to the legitimate objectives pursued; an independent oversight mechanism should exist; and effective remedies need to be available to the individual;

H.  whereas cross-border data flows between the US and Europe are the highest in the world – 50 % higher than data flows between the US and Asia and almost double the data flows between the US and Latin America – and whereas the transfer and exchange of personal data is an essential component underpinning the close links between the European Union (EU) and the United States (US) in both the commercial area and the law enforcement sector;

I.  whereas an important dimension of the transatlantic relationship is the capacity for the EU, the Member States and the US to respond effectively to common security threats and challenges in a cooperative and coordinated way, relying notably on the ability to exchange personal data in the framework of police and judicial cooperation in criminal matters, thus necessitating a comprehensive and legally compliant framework in order to ensure the lawfulness of such transfer;

J.  whereas in summer 2015 the EU and the US finalised their negotiations on an international data protection agreement in the area of law enforcement, the EU-US Data Protection ‘Umbrella Agreement’ initialled on 8 September 2015 in Luxembourg, and whereas the US Judicial Redress Act providing for the equal treatment of EU citizens with US citizens under the 1974 US Privacy Act was approved by Congress on 10 February 2016 and signed into law on 24 February 2016;

1.  Welcomes the efforts made by the Commission and the US administration to achieve substantial improvements in the Privacy Shield compared to the Safe Harbour decision, in particular the insertion of key definitions such as ‘personal data’, ‘processing’ and ‘controller’, the mechanisms set up to ensure oversight of the Privacy Shield list and the now mandatory external or internal reviews of compliance;

2.  Recognises the efforts made by the US administration to provide greater insight into the legal framework regarding interference with personal data transferred under the EU-US Privacy Shield for law enforcement purposes, including the applicable limitations and safeguards;

3.  Notes with satisfaction that, according to Article 3 of the draft Commission implementing decision, EU data protection supervisory authorities can still suspend transfers of personal data to data controllers participating in the Privacy Shield arrangement; points out that this is in line with Article 4 of Commission Decision 2001/497/EC on standard contractual clauses for the transfer of personal data to third countries;

4.  Recognises and welcomes the progresses made towards greater access to judicial remedies for EU citizens in the US with the adoption by Congress of the US Judicial Redress Act, signed into law on 24 February 2016;

Ensuring a lawful and sustainable instrument for transatlantic data flows

5.  Insists that legal certainty for the transfer of personal data between the EU and US is an essential element for consumer trust, transatlantic business development and law enforcement cooperation, thus making it imperative for their effectiveness and long-term implementation that the instruments allowing for such transfers comply with both EU primary and secondary law;

6.  Insists that the Privacy Shield arrangement must be compliant with EU primary and secondary law, as well as with the relevant judgments of both the Court of Justice and the European Court of Human Rights; calls on the Commission to adapt the arrangement and its draft decision accordingly;

7.  Urges the Commission to seek full clarification on the legal status of the ‘Written assurances’ provided by the US;

Private sector considerations

8.  Insists that the Privacy Shield Principles (Annex II) provide an essentially equivalent set of principles, including the principle of data minimisation, allowing for processing of personal data only for purposes compatible with the purpose for which the data have been collected; would be concerned if certain processing of personal data were allowed without the need for the data subject’s consent or his/her full right to object;

9.  Recalls that the adoption of an adequacy decision gives data controllers from the third country concerned privileged access to the EU market; is concerned that if the requirements of the Privacy Shield Principles turn out to be lower than those provided by EU data protection law controllers and processors based in the United States could be given a competitive advantage over those established in the Union;

Government surveillance, law enforcement access, and national security exemption

10.  Recalls that to establish the existence of an interference with the fundamental right to respect for private life, it does not matter whether the information in question relating to private life is sensitive or whether the persons concerned have suffered any adverse consequences on account of that interference (judgment in Digital Rights Ireland and Others, C‑293/12 and C‑594/12, EU:C:2014:238, paragraph 33);

11.  Highlight in this regard that Annex VI (letter from Robert S. Litt, ODNI) clarifies that under Presidential Policy Directive 28 (hereafter ‘PPD-28’), bulk collection of the personal data and communications of non-US persons is still permitted in six cases; stresses that while it imposes new rules limiting the use and dissemination of non-US persons’ personal data and communications, PPD-28 does not limit its bulk collection; notes that ‘bulk collection’ in the US administration’s understanding does not include mass surveillance of and access to personal data or communications, but only the mass storage of such data or communications, thus potentially contradicting the ECJ Schrems judgment which states that legislation permitting ‘access on a generalised basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life’;

12.  Regrets that the general exception on national security in Annex II point 5 of the Privacy Shield Principles is copied verbatim from the Safe Harbour Principles and not limited further;

13.  Points out that no assessment has been made by the Commission of the rights and protection of EU individuals where their personal data are transferred by a US data controller covered by the Privacy Shield to a US law enforcement authority; points out that Annex VII (letter from Bruce C. Swartz, Department of Justice) on law enforcement access to data only refers to the access to data stored by companies, but does not address the data subject and the judicial redress rights of the individuals whose data are accessed;

Redress mechanisms

14.  Is concerned about the complexity and lack of clarity of the overall architecture of the mechanism for the exercise of EU individuals’ rights of redress, which might impact negatively on its effective application;

15.  Welcomes the establishment by the US authorities of an Ombudsperson as a new redress mechanism, but considers that this new institution is not sufficiently independent, is not vested with adequate powers to effectively exercise and enforce its duty and thus does not guarantee a satisfactory remedy in case of disagreement; regrets that no judicial remedy is granted to EU data subjects against a decision of the Ombudsperson, in contrast with the requirements of the ECHtR;

Recommendations

16.  Calls on the Commission to take due account of, and respond to, the considerations made in this resolution, as well as the Article 29 Data Protection Working Party Opinion 01/2016 on the EU – US Privacy Shield draft adequacy decision, before adopting its own adequacy decision, with particular regard to the following four essential guarantees: that processing should be based on clear, precise and accessible rules; necessity and proportionality should be demonstrated with regard to the legitimate objectives pursued; an independent oversight mechanism should exist; and effective remedies need to be available to the individual;

17.  Urges in particular that the Commission address the concerns expressed by the Article 29 Data Protection Working Party in its related opinion, namely that the language used in the draft adequacy decision does not oblige organisations to delete data if they are no longer necessary, that the US administration does not fully rule out the continued massive and indiscriminate collection of data even if such data collection constitutes unjustified interference with the fundamental rights of individuals, and that the powers and the position of the Ombudsperson need to be clarified in order to demonstrate that the role is truly independent and can offer an effective remedy to non-compliant data processing;

18.  Calls on the Commission to only apply the adequacy decision temporarily pending the outcome of new negotiations with the United States on an improved framework on the basis of the General Data Protection Regulation;

19.  Calls on the Commission to ensure that EU data subjects shall enjoy effective administrative and judicial remedies when their personal data transferred within the Privacy Shield are further accessed and processed by US law enforcement authorities for law enforcement purposes, in order to ensure compliance with the Charter;

20.  Urges the Commission to address the concerns expressed, as the Commission may otherwise exceed its power of implementation by deciding that the Privacy Shield arrangement provides for an adequate level of protection in the US without conducting a full assessment of the US system;

21.  Instructs its President to forward this resolution to the Council, the Commission, the governments and parliaments of the Member States, and the US Government and Congress.

(1)

OJ L 281, 23.11.1995, p. 31.

(2)

OJ L 55, 28.2.2011, p. 13.

(3)

OJ C 121, 24.4.2001, p. 152.

(4)

Texts adopted, P7_TA(2014)0230.

(5)

Texts adopted, P8_TA(2015)0388.

Legal notice