Procedure : 2016/2727(RSP)
Document stages in plenary
Document selected : B8-0643/2016

Texts tabled :

B8-0643/2016

Debates :

PV 25/05/2016 - 18
CRE 25/05/2016 - 18

Votes :

PV 26/05/2016 - 6.6

Texts adopted :

P8_TA(2016)0233

MOTION FOR A RESOLUTION
PDF 183kWORD 71k
See also joint motion for a resolution RC-B8-0623/2016
23.5.2016
PE582.664v01-00
 
B8-0643/2016

to wind up the debate on the statements by the Council and the Commission

pursuant to Rule 123(2) of the Rules of Procedure


on transatlantic data flows (2016/2727(RSP))


Timothy Kirkhope, Helga Stevens, Daniel Dalton, Monica Macovei on behalf of the ECR Group

European Parliament resolution on transatlantic data flows (2016/2727(RSP))  
B8-0643/2016

The European Parliament,

–  having regard to the Treaty on European Union (TEU), the Treaty on the Functioning of the European Union (TFEU) and Articles 6, 7, 8, 11, 16, 47 and 52 of the Charter of Fundamental Rights of the European Union,

–  having regard to Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data(1) (hereinafter ‘the Data Protection Directive’),

–  having regard to Council Framework Decision 2008/977/JHA of 27 November 2008 on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters(2),

–  having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)(3), and to Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA(4),

–  having regard to Commission Decision 2000/520/EC of 26 July 2000 (the Safe Harbour decision),

–  having regard to the Commission communication to the European Parliament and the Council of 27 November 2013 on rebuilding trust in EU-US data flows (COM(2013)0846),

–  having regard to the Commission communication to the European Parliament and the Council of 27 November 2013 on the functioning of the Safe Harbour from the perspective of EU citizens and companies established in the EU (the Safe Harbour communication) (COM(2013)0847),

–  having regard to the judgment of the European Court of Justice of 6 October 2015 in Case C-362/14 Maximillian Schrems v Data Protection Commissioner (EU:C:2015:650),

–  having regard to the Judicial Redress Act of 2015,

–  having regard to the USA Freedom Act of 2015,

–  having regard to the reforms of US signals intelligence activities laid down in Presidential Policy Directive 28 (PPD-28),

–  having regard to Article 29 Working Party Opinion 01/2016 of 13 April 2016 on the EU-US Privacy Shield draft adequacy decision,

–  having regard to Rule 123(2) of its Rules of Procedure,

A.  whereas the right to privacy and the right to security are both rights enshrined in the Charter of Fundamental Rights, and whereas both rights are to be fully respected and balanced in equal measure;

B.  whereas national security is a Member State competence, as outlined in the TFEU;

C.  whereas the United States is an essential partner in both the economy and the security of the European Union and its Member States;

D.  whereas the transatlantic investment relationship is the world’s largest, as the total stock that the US and Europe have invested in each other is worth some USD 4 trillion;

E.  whereas data flows between the US and the EU are by far the largest globally;

F.  whereas the free cross-border data flows between the US and the EU are essential for the future growth of US and EU trade and investment, as consumers from the two sides of the Atlantic are increasingly using the internet to purchase goods and services from each other’s marketplaces, including business-to-business transatlantic transactions and services, free flow of data for intra-company purposes, and access and use of the cloud, as well as the potential to expand trade and investment with the developing world with its increasing use of the internet and online products;

G.  whereas small and medium-sized enterprises (SMEs) represent the fastest-growing sector of the EU’s economy, and are increasingly dependent upon the free flow of data; whereas SMEs accounted for 60 % of the companies relying on the Safe Harbour agreement, which allowed them to benefit from the streamlined and cost-effective compliance procedures instead of relying on burdensome and time-consuming binding corporate rules or standard contractual contracts;

H.  whereas the EU Data Protection Directive adopted in 1995, which governs personal data protection in the EU, is to be replaced in the near future by the General Data Protection Regulation (GDPR); whereas the GDPR provides that the transfer of personal data from the EU to a third country can only take place under specific conditions such as an adequacy finding, which is an important mechanism allowing the transfer of personal data to a third country if the Commission finds that the country provides an adequate level of privacy protection;

I.  whereas so far the following countries: Andorra, Argentina, Canada, the Faroe Islands, Guernsey, the Isle of Man, Jersey, Uruguay, Israel, Switzerland and New Zealand, have been recognised as providing adequate levels of data protection, and the United States of America, Canada and Australia have been recognised as adequate for the purposes of transferring passenger name records;

J.  whereas on 26 July 2000 the Commission recognised the Safe Harbour Privacy Principles and Frequently Asked Questions issued by the Department of Commerce as providing adequate protection for the purposes of personal data transfers from the EU and whereas this Safe Harbour decision allowed for the transfer of personal information from the EU to companies in the US that have signed up to the Safe Harbour principles;

K.  whereas in Case C-362/14 Maximillian Schrems v Data Protection Commissioner, the European Court of Justice concluded that the Commission finding under the Safe Harbour framework that the US provides an adequate level of protection of EU personal information is invalid, triggering the urgent need to conclude negotiations on the EU‑US Privacy Shield so as to ensure legal certainty on how personal data should be transferred from the EU to the US;

L.  whereas, following the Schrems decision, the Commission resumed negotiations with the US for a renewed framework with the view to addressing the concerns laid out by the European Court of Justice, and whereas the Commission and the US agreed on a new framework for transatlantic data flows on 2 February 2016, the EU-US Privacy Shield;

M.  whereas in its Opinion 01/2016 the Article 29 Working Party welcomed the significant improvements brought about by the Privacy Shield compared with the Safe Harbour decision;

N.  whereas the US Judicial Redress Act, which provides European citizens and citizens of US allies with the right to review and correct inaccurate information about them held by US federal agencies under the US Privacy Act, was adopted by the House of Representatives on 20 October 2015, passed by the Senate Judiciary Committee on 28 January 2016 and signed by US President Barack Obama on 24 February 2016;

O.  whereas the adoption of the Judicial Redress Act was the European Parliament’s major precondition for giving consent to the EU-US Umbrella Agreement, and an important aspect of the negotiations on the EU-US Privacy Shield;

1.  Stresses that the United States is one of the EU’s most essential partners in terms of security, the economy and shared values;

2.  Stresses that an agreed legal framework such as the Privacy Shield and the EU-US data protection Umbrella Agreement are essential in order to uphold the fundamental rights and privacy of citizens and to ensure citizens’ trust and confidence in EU-US transatlantic security and economic cooperation;

3.  Notes that the EU and the US already share vital agreements regarding data flows in connection with security and the fight against terrorism, namely the EU-US Terrorist Finance Tracking Programme and the EU-US Passenger Name Record Agreement; notes that these agreements have been essential in the investigation and prosecution of criminal offences and in ensuring the safety and security of US and EU citizens;

4.  Welcomes the conclusion of the negotiations between the EU and the US on the Privacy Shield after more than two years of negotiations between the Commission and the US Department of Commerce; stresses that it is absolutely necessary to put in place the new, improved Privacy Shield in order to establish a clear legal framework, legal clarity and a defined set of rules and rights under which to operate; this is a particularly important step for small and medium-sized companies and for consumers;

5.  Stresses that the right to privacy is a right enshrined in the legal systems of both the US and the EU, through the American Constitution and Bill of Rights and the Charter of Fundamental Rights of the European Union respectively; stresses that it is essential to respect the compatibility of these two different systems but not demand total equivalence;

6.  Welcomes the fact that the EU and the US have negotiated the new Privacy Shield and the EU-US Data Protection Umbrella Agreement in the last 12 months, both of which represent the highest levels of data privacy and digital and legal protection ever offered to EU citizens;

7.  Acknowledges that the EU-US Privacy Shield differs substantially from the Safe Harbour framework, providing for significantly more detailed documentation that imposes more specific obligations on companies willing to join the framework, including new checks and balances ensuring that the rights of EU data subjects can be exercised when their data are processed in the US;

8.  Welcomes the acknowledgement by the Article 29 Working Party of the significant improvements brought about by the Privacy Shield compared with the Safe Harbour framework;

9.  Takes note of the concerns raised by the Article 29 Working Party and its constructive approach, and further stresses that the data retention limitation principle, as referred to in the opinion, should first be clarified in the European Union, as the situation and standards in the EU are still uncertain following the European Court of Justice ruling of 2014;

10.  Welcomes the adoption of the Judicial Redress Act by the US Congress, and recalls its longstanding demand for such an act as a prerequisite for the finalisation of the EU-US Umbrella Agreement and for the conclusion of the Privacy Shield negotiations;

11.  Stresses the importance of the new Privacy Shield and the new EU-US Data Protection Umbrella Agreement, which give consumers, businesses and citizens a clear legal framework within which to operate and provide a clear set of rights and redress mechanisms;

12.  Notes that while the Safe Harbour framework did not refer to any specific limitations on US Government access to data transferred to the US, the Privacy Shield framework documentation now includes binding commitments from the US Government in the form of letters from the Director of National Intelligence, the US Secretary of State and the US Department of Justice;

13.  Stresses that since 2013 the US Congress and Administration have enacted more than two dozen reforms of surveillance laws and programmes, including the USA Freedom Act, which prohibits bulk collection of data, Presidential Policy Directive 28, which makes protecting the privacy rights and civil liberties of individuals outside the US an integral part of US surveillance policy, the amendments to the US Foreign Intelligence Act, and the Judicial Redress Act, which extends data protection measures to EU citizens; stresses that these reforms have increased the rights and privacy of US and EU citizens, in order to reach the standards of adequacy demanded by the EU;

14.  Welcomes the very recent initiatives taken by the US Administration and US Congress such as the Email Privacy Bill, which was unanimously passed by the House of Representatives in April 2016 and which amends the 1986 Electronic Communications Privacy Act (ECPA), and the adoption by the House of Representatives in January 2016 and the Senate in March 2016 of the Freedom of Information Improvement Act (FOIA);

15.  Welcomes the creation of the Ombudsperson mechanism within the Department of State, which will be independent from national security services and will help to ensure individual redress and independent oversight;

16.  Welcomes the fact that under the new Privacy Shield framework, EU data subjects are offered several avenues of legal redress for the use of their data;

17.  Stresses that a legal vacuum such as that which occurred following the Schrems judgement should not be created again, and stresses, therefore, that it is the Commission’s responsibility to carry out a thorough review of all aspects of the legal arrangement, in particular the impact on fundamental rights and privacy;

18.  Instructs its President to forward this resolution to the Council, the Commission, the governments and parliaments of the Member States, and the US Congress and Administration.

(1)

OJ L 281, 23.11.1995, p. 31.

(2)

OJ L 350, 30.12.2008, p. 60.

(3)

OJ L 119, 4.5.2016, p. 1.

(4)

OJ L 119, 4.5.2016, p. 89.

Last updated: 24 May 2016Legal notice