Procedure : 2016/2727(RSP)
Document stages in plenary
Document selected : B8-0623/2016

Texts tabled :

B8-0623/2016

Debates :

PV 25/05/2016 - 18
CRE 25/05/2016 - 18

Votes :

PV 26/05/2016 - 6.6

Texts adopted :

P8_TA(2016)0233

MOTION FOR A RESOLUTION
See also joint motion for a resolution RC-B8-0623/2016
19.5.2016
PE582.644v01-00
 
B8-0623/2016

to wind up the debate on the statements by the Council and the Commission

pursuant to Rule 123(2) of the Rules of Procedure


on transatlantic data flows (2016/2727(RSP))


Axel Voss, Monika Hohlmeier, Michał Boni, Roberta Metsola, Esteban González Pons, Anna Maria Corazza Bildt on behalf of the PPE Group

European Parliament resolution on transatlantic data flows (2016/2727(RSP))  
B8‑0623/2016

The European Parliament,

–  having regard to the Treaty on European Union (TEU), the Treaty on the Functioning of the European Union (TFEU) and Articles 6, 7, 8, 11, 16, 47 and 52 of the Charter of Fundamental Rights of the European Union,

–  having regard to Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (hereinafter ‘the Data Protection Directive’)(1),

–  having regard to Council Framework Decision 2008/977/JHA of 27 November 2008 on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters(2),

–  having regard to Regulation (EU) No 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), and to Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA(3),

–  having regard to Commission Decision 2000/520/EC of 26 July 2000 (the Safe Harbour decision),

–  having regard to the Commission communication to the European Parliament and the Council of 27 November 2013 on rebuilding trust in EU-US data flows (COM(2013)0846),

–  having regard to the Commission communication to the European Parliament and the Council of 27 November 2013 on the functioning of the Safe Harbour from the perspective of EU citizens and companies established in the EU (the Safe Harbour communication) (COM(2013)0847),

–  having regard to the judgment of the European Court of Justice of 6 October 2015 in Case C-362/14 Maximillian Schrems v Data Protection Commissioner (EU:C:2015:650),

–  having regard to the Commission communication to the European Parliament and the Council of 6 November 2015 on the transfer of personal data from the EU to the United States of America under Directive 95/46/EC following the judgment by the Court of Justice in Case C-362/14 (Schrems) (COM(2015)0566),

–  having regard to the statement of the Article 29 Working Party on the consequences of the Schrems Judgment of 3 February 2016,

–  having regard to the Judicial Redress Act of 2015, which was signed into law by President Obama on 24 February 2016 (H.R.1428),

–  having regard to the USA Freedom Act of 2015(4),

–  having regard to the reforms of US signals intelligence activities laid down in Presidential Policy Directive 28 (PPD-28)(5),

–  having regard to the Commission communication to the European Parliament and the Council of 29 February 2016 entitled ‘Transatlantic data flows: Restoring trust through strong safeguards’ (COM(2016)0117),

–  having regard to Article 29 Working Party Opinion 01/2016 of 13 April 2016 on the EU-US Privacy Shield draft adequacy decision,

–  having regard to Rule 123(2) of its Rules of Procedure,

A.  whereas the protection of personal data, respect for private life and communications, the right to security, the right to receive and impart information and the right to conduct a business are all fundamental rights to be upheld and balanced against one another in and by the EU under the Charter of Fundamental Rights of the European Union;

B.  whereas any limitation of these fundamental rights may be made only if it is necessary and genuinely meets objectives of general interest recognised by the EU or the need to protect the rights and freedoms of others; whereas the EU’s framework for the protection of fundamental rights and the pursuit of objectives of general interest is continuously evolving;

C.  whereas the US and EU economies account for over 50 % of global GDP, 25 % of global exports and over 30 % of global imports; whereas the US-EU economic relationship is the highest valued in the world, with total transatlantic trade in 2014 valued at USD 1.09 trillion, compared with total US trade with Canada and China valued at USD 741 billion and USD 646 billion respectively;

D.  whereas the transatlantic investment relationship is also the world’s largest, as the total stock of investment that the US and Europe have invested in each other is worth around USD 4 trillion;

E.  whereas data flows between the US and the EU, at about 15 terabits per second, are by far the largest globally – approximately 55 % larger than data flows between the US and Asia and 40 % larger than data flows between the US and Latin America;

F.  whereas the ability to access, accumulate and transfer data across borders is linked to the globalisation of the internet, and whereas the volume of transatlantic data flows reflects internet penetration in the US and the EU, which is around 85 % in the US and 90 % in the EU, and the importance of data in underpinning and enabling the bilateral economic relationship;

G.  whereas the free cross-border data flows between the US and the EU are of paramount importance for US and EU trade and investment, as consumers from the two sides of the Atlantic are increasingly using the internet to purchase goods and services from each other’s marketplaces, business-to-business transatlantic transactions and services are a reality, free flow of data for intracompany purposes has become a daily occurrence, and investment in data centres that provide access to the cloud in the US and the EU relies on cross-border data flows;

H.  whereas transatlantic data flows also create opportunities for the US and the EU to expand trade and investment in the developing world as internet access expands globally, which highlights the potential growth of online international commerce and the need for free data flows;

I.  whereas small and medium-sized enterprises (SMEs) are key drivers of both the EU and the US economies and the major drivers of employment, and whereas the free flow of data has created new opportunities for SMEs to engage in international trade and to better access new markets on other continents;

J.  whereas the digitisation of the US and EU economies renders the cross-border flow of data a key element in the competitiveness of businesses domestically and globally, in particular for those engaging in e-commerce, and whereas the US and the EU are the two largest net exporters of digitally deliverable services in the world;

K.  whereas in 2012 the EU exported USD 465 billion in digitally deliverable services, and imported just USD 297 billion, resulting in a trade surplus of USD 168 billion; whereas in 2014 US imports of digitally deliverable services from the EU accounted for 54 % of all bilateral service imports;

L.  whereas digitally deliverable services have been catalysts for the growth of the internet economy in Europe, with over 400 000 Europeans building mobile apps, and the broader app economy supporting 1.8 million European jobs in 2013, contributing EUR 17.5 billion to the EU economy; whereas the app market is a global digital market;

M.  whereas the EU Data Protection Directive adopted in 1995, which governs personal data protection in the EU, is to be replaced in the near future by the General Data Protection Regulation (GDPR); whereas the GDPR provides that the transfer of personal data from the EU to a third country can only take place under specific conditions, such as an adequacy finding, which is an important mechanism that allows the transfer of personal data to a third country if the Commission finds that the country provides an adequate level of privacy protection;

N.  whereas so far the following countries/territories: Andorra, Argentina, Canada, the Faroe Islands, Guernsey, the Isle of Man, Jersey, Uruguay, Israel, Switzerland and New Zealand, have been recognised as providing adequate levels of data protection, and the US, Canada and Australia have been recognised as adequate for the purposes of transferring passenger name records;

O.  whereas on 26 July 2000 the Commission recognised the Safe Harbour Privacy Principles and Frequently Asked Questions issued by the Department of Commerce as providing adequate protection for the purposes of personal data transfers from the EU, and whereas this Safe Harbour decision allowed for the transfer of personal information from the EU to companies in the US that have signed up to the Safe Harbour principles;

P.  whereas since 2014 the US and the EU have been renegotiating the Safe Harbour framework following the Edward Snowden leaks and revelations and the allegations of electronic mass surveillance of EU citizens by the NSA surveillance programme and the use of data collected by private US companies, with a view to addressing the loss of confidence within the EU regarding the protection of privacy of personal data transferred to the US;

Q.  whereas in Case C-362/14 Maximillian Schrems v Data Protection Commissioner, the European Court of Justice concluded that the Commission finding under the Safe Harbour framework that the US provides an adequate level of protection of EU personal information is invalid, triggering the urgent need to conclude negotiations on the EU‑US Privacy Shield so as to ensure legal certainty on how personal data should be transferred from the EU to the US;

R.  whereas, following the Schrems decision, the Commission resumed negotiations with the US for a renewed framework with a view to addressing the concerns laid out by the European Court of Justice, and whereas the Commission and the US agreed on a new framework for transatlantic data flows on 2 February 2016, the EU-US Privacy Shield;

S.  whereas in its Opinion 01/2016 the Article 29 Working Party welcomed the significant improvements brought about by the Privacy Shield compared with the Safe Harbour decision, and whereas it found, in particular, the insertion of key definitions, the mechanisms set up to ensure the oversight of the Privacy Shield list and the now mandatory external and internal compliance reviews to be a positive step forward; whereas the Working Party has also raised strong concerns about both the commercial aspects and access by public authorities to data transferred under the Privacy Shield;

T.  whereas the procedure for adoption of an adequacy decision does not provide for a formal and proper consultation process with the stakeholders to whom it applies, and in particular companies and SMEs for which the impact is significant;

U.  whereas the US Judicial Redress Act, which provides European citizens and citizens of other US allies with the right to review and correct inaccurate information about them held by US federal agencies under the US Privacy Act, was adopted by the House of Representatives on 20 October 2015, passed by the Senate Judiciary Committee on 28 January 2016 and signed by US President Barack Obama on 24 February 2016;

V.  whereas the adoption of the Judicial Redress Act was the European Parliament’s major precondition for giving consent to the EU-US Umbrella Agreement, and an important aspect of the negotiations on the EU-US Privacy Shield;

W.  whereas SMEs accounted for 60 % of the companies relying on the Safe Harbour agreement, which allowed them to benefit from the streamlined and cost-effective compliance procedures instead of relying on binding corporate rules or standard contractual clauses, which ensure an equivalent level of protection but require a considerably greater investment of administrative resources to be put in place; whereas SMEs stand to gain the most from the new Privacy Shield;

X.  whereas privacy and data protection in the US are embedded in a comprehensive system for regulating and protecting data privacy, in particular regarding the most sensitive categories of personal data such as those on health, finance, electronic communications and minors;

Y.  whereas EU Member State national surveillance laws are characterised by variety and wide discretion as to the need for surveillance and the safeguards in place to limit interference with fundamental rights and freedoms;

1.  Welcomes the conclusion of the negotiations between the EU and the US on the Privacy Shield after more than two years of negotiations between the Commission and the US Department of Commerce;

2.  Welcomes the adoption of the Judicial Redress Act by the US Congress, and recalls its longstanding demand for such an act as a prerequisite for the finalisation of the EU-US Umbrella Agreement and for the conclusion of the Privacy Shield negotiations;

3.  Acknowledges that the EU-US Privacy Shield differs substantially from the Safe Harbour framework, providing for significantly more detailed documentation that imposes more specific obligations on companies willing to join the framework, including new checks and balances ensuring that the rights of EU data subjects can be exercised when their data are processed in the US;

4.  Welcomes the acknowledgement by the Article 29 Working Party of the significant improvements brought about by the Privacy Shield compared with the Safe Harbour framework;

5.  Takes note of the concerns raised by the Article 29 Working Party and its constructive approach, and further stresses that the data retention limitation principle, as referred to in the opinion, should first be clarified in the European Union, as the situation and standards in the EU are still uncertain following the European Court of Justice ruling of 2014;

6.  Takes note of the statement by the Chair of the Article 29 Working Party according to which the essential guarantees identified by the Working Party should also be valid for the EU Member States;

7.  Regrets that the adequacy decision adoption procedure does not provide for a formal consultation process with relevant stakeholders such as companies, and in particular organisations representing SMEs;

8.  Notes that while the Safe Harbour framework did not refer to any specific limitations on US Government access to data transferred to the US, the Privacy Shield framework documentation now includes binding commitments from the US Government in the form of letters from the Director of National Intelligence, the US Secretary of State and the US Department of Justice;

9.  Stresses that since 2013 the US Congress and Administration have enacted more than two dozen reforms of surveillance laws and programmes, including the USA Freedom Act, which prohibits bulk collection of data, Presidential Policy Directive 28, which makes protecting the privacy rights and civil liberties of individuals outside the US an integral part of US surveillance policy, the amendments to the US Foreign Intelligence Act, and the Judicial Redress Act, which extends data protection measures to EU citizens; considers that these reforms are crucial in evaluating the effect of interference with the fundamental rights of privacy and data protection, as set out in Articles 7 and 8 of the EU Charter of Fundamental Rights;

10.  Recognises and welcomes the very recent initiatives taken by the US Administration and US Congress such as the Email Privacy Bill, which was unanimously passed by the House in April 2016 and which amends the 1986 Electronic Communications Privacy Act (ECPA), and the adoption by the House of Representatives in January 2016 and the Senate in March 2016 of the Freedom of Information Improvement Act (FOIA), and strongly supports the signing of the bill into law, demonstrating substantial political efforts by the US to enhance privacy protection for all individuals;

11.  Welcomes the creation of the Ombudsperson mechanism within the Department of State, which will be independent from national security services and will help to ensure individual redress and independent oversight;

12.  Notes with satisfaction that, under the Privacy Shield framework, EU data subjects have several ways to pursue legal remedies in the US: first, complaints can be lodged either directly with the company or through the Department of Commerce following a referral by a Data Protection Authority (DPA) or with an independent dispute resolution body; second, with regard to interference with fundamental rights for the purposes of national security, a civil claim can be brought before a US court; similar complaints can also be addressed by the newly created independent Ombudsperson; finally, complaints about interference with fundamental rights for the purposes of law enforcement and the public interest can be dealt with by motions challenging subpoenas; encourages further guidance from the Commission and DPAs to make all these legal remedies more easily accessible and available;

13.  Welcomes the prominent role given by the Privacy Shield framework to Member State DPAs in examining and investigating claims related to the protection of the rights to privacy and family life under the EU Charter of Fundamental Rights and in suspending transfers of data, as well as the obligation placed on the US Department of Commerce to resolve such complaints;

14.  Recalls that one of the fundamental objectives of the EU in this matter should be the protection of personal data as it flows to its main international trading partner, and that the Privacy Shield will help ensure that the fundamental rights of EU data subjects are protected during data transfer;

15.  Recalls also that legal certainty, and in particular clear and uniform rules, are a key element in business development and growth, in particular for SMEs, and therefore warns against any attempt to jeopardise the finalisation of the Privacy Shield, which would lead to thousands of companies of all types and sizes – in both the European Union and the United States – facing widespread uncertainty, being in legal limbo and suffering serious impacts to their operations and their ability to conduct business across the Atlantic;

16.  Stresses that SMEs accounted for 60 % of the companies relying on the Safe Harbour agreement, and that SMEs stand to gain most from the new Privacy Shield; calls on the Commission, in close cooperation with the DPAs, to provide for greater clarity, precision and accessibility in the implementation and functioning of the Privacy Shield for those companies;

17.  Considers that the Privacy Shield is crucial in bridging the gap between European and American approaches to privacy, and that it is therefore essential for rebuilding transatlantic trust; expresses its confidence that, as it becomes an established framework for compliance, the Privacy Shield will be subject to strict scrutiny by regulators and by the Commission through the annual joint review mechanism, thus ensuring its robustness and legal validity;

18.  Calls on the Commission to implement fully its responsibility under the Privacy Shield framework to periodically review its adequacy finding and the legal justifications thereof, with a view to ensuring both that personal data are adequately protected and that the framework is functioning efficiently without unnecessary impairment to fundamental rights such as the right to privacy and security, the right to receive and impart information and the right to conduct a business, and to report back annually to Parliament on its precise findings and remedies thereto;

19.  Recognises that the Privacy Shield is part of a broader dialogue between the EU and third countries, including the United States, in relation to data privacy, trade, security and related rights and objectives of shared interest; calls on all parties therefore to work together towards the creation and sustained improvement of workable, harmonised international frameworks and domestic legislation that achieve those objectives;

20.  Instructs its President to forward this resolution to the Council, the Commission, the governments and parliaments of the Member States, the US Congress and the US Administration.

(1)  OJ L 281, 23.11.1995, p. 31.

(2)  OJ L 350, 30.12.2008, p. 60.

(3)  OJ L 119, 4.5.2016, p. 89.

(4)  https://www.congress.gov/114/plaws/publ23/PLAW-114publ23.pdf

(5)  https://www.whitehouse.gov/the-press-office/2014/01/17/presidential-policy-directive-signals-intelligence-activities

Last updated: 24 May 2016