Index 
 Previous 
 Next 
 Full text 
Procedure : 2016/2727(RSP)
Document stages in plenary
Select a document: :

Texts tabled :

RC-B8-0623/2016

Debates :

PV 25/05/2016 - 18
CRE 25/05/2016 - 18

Votes :

PV 26/05/2016 - 6.6

Texts adopted :

P8_TA(2016)0233

Texts adopted
PDF 175kWORD 75k
Thursday, 26 May 2016 - Brussels Final edition
Transatlantic data flows
P8_TA(2016)0233B8-0623, 0633, 0639, 0643 and 0644/2016

European Parliament resolution of 26 May 2016 on transatlantic data flows (2016/2727(RSP))

The European Parliament,

–  having regard to the Treaty on European Union (TEU), the Treaty on the Functioning of the European Union (TFEU) and Articles 6, 7, 8, 11, 16, 47 and 52 of the Charter of Fundamental Rights of the European Union,

–  having regard to Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data(1) (hereinafter ‘the Data Protection Directive’),

–  having regard to Council Framework Decision 2008/977/JHA of 27 November 2008 on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters(2) ,

–  having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)(3) , and to Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA(4) ,

–  having regard to Commission Decision 2000/520/EC of 26 July 2000 (the Safe Harbour decision),

–  having regard to the Commission communication to the European Parliament and the Council of 27 November 2013 on rebuilding trust in EU-US data flows (COM(2013)0846),

–  having regard to the Commission communication to the European Parliament and the Council of 27 November 2013 on the functioning of the Safe Harbour from the perspective of EU citizens and companies established in the EU (COM(2013)0847) (the Safe Harbour communication),

–  having regard to the judgment of the European Court of Justice of 6 October 2015 in Case C-362/14 Maximillian Schrems v Data Protection Commissioner (EU:C:2015:650),

–  having regard to the Commission communication to the European Parliament and the Council of 6 November 2015 on the transfer of personal data from the EU to the United States of America under Directive 95/46/EC following the judgment by the Court of Justice in Case C-362/14 (Schrems) (COM(2015)0566),

–  having regard to the statement of the Article 29 Working Party on the consequences of the Schrems Judgment of 3 February 2016,

–  having regard to the Judicial Redress Act of 2015, which was signed into law by President Obama on 24 February 2016 (H.R.1428),

–  having regard to the USA Freedom Act of 2015(5) ,

–  having regard to the reforms of US signals intelligence activities laid down in Presidential Policy Directive 28 (PPD-28)(6) ,

–  having regard to the Commission communication to the European Parliament and the Council of 29 February 2016 entitled ‘Transatlantic data flows: Restoring trust through strong safeguards’ (COM(2016)0117),

–  having regard to Article 29 Working Party Opinion 01/2016 of 13 April 2016 on the EU-US Privacy Shield draft adequacy decision,

–  having regard to its resolution of 12 March 2014 on the US NSA surveillance programme, surveillance bodies in various Member States and their impact on EU citizens’ fundamental rights and on transatlantic cooperation in Justice and Home Affairs(7) , and to its resolution of 29 October 2015 on the follow-up to the European Parliament resolution of 12 March 2014 on the electronic mass surveillance of EU citizens(8) ,

–  having regard to Rule 123(2) and (4) of its Rules of Procedure,

A.  whereas the European Court of Justice invalidated the Safe Harbour decision in its judgment of 6 October 2015 in Case C-362/14 Maximillian Schrems v Data Protection Commissioner and clarified that an adequate level of protection in a third country must be understood to be ‘essentially equivalent’ to the protection provided in the Union, prompting the need to conclude negotiations on the EU-US Privacy Shield so as to ensure legal certainty on how personal data should be transferred from the EU to the US;

B.  whereas ‘protecting data’ means protecting the people to whom the information being processed relates, and whereas such protection is one of the fundamental rights recognised by the Union (Article 8 of the Charter of Fundamental Rights and Article 16 of the Treaty on the Functioning of the European Union);

C.  whereas the protection of personal data, respect for private life and communications, the right to security, the right to receive and impart information and the freedom to conduct a business are all fundamental rights to be upheld and balanced;

D.  whereas, when examining the level of protection afforded by a third country, the Commission is obliged to assess the content of the rules applicable in that country deriving from its domestic law or its international commitments, as well as the practice designed to ensure compliance with those rules, since it must, under Article 25(2) of the Data Protection Directive, take account of all the circumstances surrounding a transfer of personal data to a third country; whereas this assessment must not only refer to legislation and practices relating to the protection of personal data for commercial and private purposes, but must also cover all aspects of the framework applicable to that country or sector, in particular, but not only, law enforcement, national security and respect for fundamental rights;

E.  whereas small and medium-sized enterprises (SMEs) represent the fastest-growing sector of the EU’s economy, and are increasingly dependent upon the free flow of data; whereas SMEs accounted for 60 % of the companies relying on the Safe Harbour agreement, which allowed them to benefit from the streamlined and cost-effective compliance procedures;

F.  whereas the US and EU economies account for over 50 % of global GDP, 25 % of global exports and over 30 % of global imports; whereas the US-EU economic relationship is the highest valued in the world, with total transatlantic trade in 2014 valued at USD 1,09 trillion, compared with total US trade with Canada and China valued at USD 741 billion and USD 646 billion respectively;

G.  whereas cross-border data flows between the United States and Europe are the highest in the world – 50 % higher than data flows between the US and Asia and almost double the data flows between the US and Latin America – and whereas the transfer and exchange of personal data is an essential component underpinning the close links between the European Union and the United States in commercial activities and in the law enforcement sector;

H.  whereas in its Opinion 01/2016 the Article 29 Working Party welcomed the significant improvements brought about by the Privacy Shield compared with the Safe Harbour decision, and in particular the insertion of key definitions, the mechanisms set up to ensure the oversight of the Privacy Shield list and the now mandatory external and internal compliance reviews, and whereas the Working Party has also raised strong concerns about both the commercial aspects and access by public authorities to data transferred under the Privacy Shield;

I.  whereas so far the following countries/territories: Andorra, Argentina, Canada, the Faroe Islands, Guernsey, the Isle of Man, Jersey, Uruguay, Israel, Switzerland and New Zealand, have been recognised as providing adequate levels of data protection and were given privileged access to the EU market;

1.  Welcomes the efforts made by the Commission and the US Administration to achieve substantial improvements in the Privacy Shield compared to the Safe Harbour decision, in particular the insertion of key definitions such as ‘personal data’, ‘processing’ and ‘controller’, the mechanisms set up to ensure oversight of the Privacy Shield list and the now mandatory external and internal compliance reviews of compliance;

2.  Highlights the importance of the transatlantic relationships, which remain vital for both partners; emphasises that a comprehensive solution between the US and the EU should respect the right to data protection and the right to privacy; recalls that one of the fundamental objectives of the EU is the protection of personal data, including when transferred to its major international trading partner;

3.  Insists that the Privacy Shield arrangement must be compliant with EU primary and secondary law and the relevant judgments of both the European Court of Justice and the European Court of Human Rights;

4.  Notes that Annex VI (letter from Robert S. Litt, Office of the Director of National Intelligence (ODNI)) clarifies that under Presidential Policy Directive 28 (hereinafter ‘PPD-28’), bulk collection of personal data and communications of non-US persons is still permitted in six cases; points out that such bulk collection only has to be ‘as tailored as feasible’ and ‘reasonable’, which does not meet the stricter criteria of necessity and proportionality as laid down in the Charter;

5.  Recalls that legal certainty, and in particular clear and uniform rules, are a key element in business development and growth, in particular for SMEs, so as to ensure that they do not face legal uncertainty and suffer serious impacts to their operations and to their ability to conduct business across the Atlantic;

6.  Welcomes the introduction of the redress mechanism for individuals under the Privacy Shield; calls on the Commission and the US Administration to address the current complexity in order to make the procedure user-friendly and effective;

7.  Calls on the Commission to seek clarification on the legal status of the ‘written assurances’ provided by the US;

8.  Welcomes the appointment of an Ombudsperson in the US Department of State, who will work together with independent authorities to provide a response to EU supervisory authorities channelling individual requests in relation to government surveillance; considers however that this new institution is not sufficiently independent and is not vested with adequate powers to effectively exercise and enforce its duty;

9.  Welcomes the prominent role given by the Privacy Shield framework to Member State data protection agencies in examining and investigating claims related to the protection of personal data under the EU Charter of Fundamental Rights and in suspending transfers of data, as well as the obligation placed on the US Department of Commerce to resolve such complaints;

10.  Recognises that the Privacy Shield is part of a broader dialogue between the EU and third countries, including the United States, in relation to data privacy, trade, security and related rights and objectives of shared interest; calls on all parties therefore to work together towards the creation and sustained improvement of workable, common international frameworks and domestic legislation that achieve those objectives;

11.  Insists that legal certainty for the transfer of personal data between the EU and US is an essential element for consumer trust, transatlantic business development and law enforcement cooperation, thus making it imperative for their effectiveness and long-term implementation that the instruments allowing for such transfers comply with both EU primary and secondary law;

12.  Calls on the Commission to implement fully the recommendations expressed by the Article 29 Working Party in its Opinion 01/2016 on the EU-US Privacy Shield draft adequacy decision;

13.  Calls on the Commission to fulfil its responsibility under the Privacy Shield framework to conduct periodic robust reviews of its adequacy finding and the legal justifications thereof, in particular in the light of the application of the new General Data Protection Regulation in two years’ time;

14.  Calls on the Commission to continue the dialogue with the US Administration in order to negotiate further improvements to the Privacy Shield arrangement in the light of its current deficiencies;

15.  Instructs its President to forward this resolution to the Council, the Commission, the governments and parliaments of the Member States, and the US Government and Congress.

(1) OJ L 281, 23.11.1995, p. 31.
(2) OJ L 350, 30.12.2008, p. 60.
(3) OJ L 119, 4.5.2016, p. 1.
(4) OJ L 119, 4.5.2016, p. 89.
(5) https://www.congress.gov/114/plaws/publ23/PLAW-114publ23.pdf
(6) https://www.whitehouse.gov/the-press-office/2014/01/17/presidential-policy-directive-signals-intelligence-activities
(7) Texts adopted, P7_TA(2014)0230.
(8) Texts adopted, P8_TA(2015)0388.

Last updated: 13 October 2016Legal notice