– the oral question to the Commission on the extra-territorial impact of third-country legislation and EU data protection laws by Sophia in ’t Veld, Sylvie Goulard, Sonia Alfano, Alexander Alvaro, Sarah Ludford, Theodoros Skylakakis, Ramon Tremosa i Balcells, Philippe De Backer, Jens Rohde, Stanimir Ilchev and Giommaria Uggias, on behalf of the Group of the Alliance of Liberals and Democrats for Europe (O-000315/2011 - B7-0025/2012),
– the oral question to the Commission on the extra-territorial impact of third-country legislation and EU data protection laws by Cornelia Ernst, Miguel Portas and Marisa Matias, on behalf of the Confederal Group of the European United Left – Nordic Green Left (O-000318/2011 - B7-0026/2012),
– the oral question to the Commission on the extra-territorial impact of third-country legislation and EU data protection laws by Jan Philipp Albrecht, Rui Tavares, Raül Romeva i Rueda and Judith Sargentini, on behalf of the Group of the Greens/European Free Alliance (O-000326/2011 - B7-0028/2012), and
– the oral question to the Commission on the extra-territorial impact of third-country legislation and EU data protection laws by Simon Busuttil, Manfred Weber and Jean-Paul Gauzès, on behalf of the Group of the European People’s Party (Christian Democrats) (O-000022/2012 - B7-0035/2012).
Sophia in 't Veld, author. – Mr President, the issue at stake here today is whether we can be certain that our own European laws always apply within Europe, or whether they could be overruled by third-country laws.
The US, for example, considers that its jurisdiction does not only extend to activities and actors within the US, but also the activities of such actors elsewhere in the world. With that interpretation, US law has extra-territorial effect within Europe. The US, for example, can subpoena companies with a presence in the US to provide data stored in Europe. We have identified, in our oral questions, a number of laws that might have this effect – for example the Patriot Act, the Medicare Act on medical data and insurance data, the Foreign Intelligence and Surveillance Act, and the Foreign Account Tax Compliance Act (FATCA).
However, data stored in Europe is covered by EU law and companies there have to comply with EU law. The Commission acknowledges this, but what action has actually been taken to protect companies that find themselves caught between conflicting jurisdictions? This problem does not only concern the extra-territorial effect from US law, but potentially from any other country.
There are also other countries where European companies have a presence. For example, more and more companies have operations in China, and they, too, can be confronted with this problem. As a matter of fact, we are getting more confirmation nowadays that such companies are being confronted with this problem. This does not only concern EU data protection laws, as the title of today’s debate suggests, but all kinds of laws. FATCA, notably, raises strong concerns for European banks and insurers.
Commissioner, we hope to discuss this matter soon in the Committee on Economic and Monetary Affairs with your colleague, Commissioner Barnier. I would urge you to act now. We do not need new legislation, but it is key that we enforce existing European legislation in the interests of our citizens and our companies.
Marisa Matias, author. – (PT) Mr President, welcome to this debate on such an important issue, Commissioner. We are, in fact, talking about key issues relating to data protection, particularly in a context in which there may be conflict between two different jurisdictions. Data protection is, in fact, a sensitive area and one which has generated much controversy and, in my view, should continue to generate controversy, because we are talking about what may be a clash between rights and guarantees, safeguarding the European public, who are protected by European legislation, and who then find themselves undermined when the legislation of other countries supersedes European legislation.
It is sensitive for a number of reasons. It is sensitive because there is doubt as to whether there is, to all intents and purposes, a contract between the European public and the European institutions. When members of the public disclose their personal data, they do so on the understanding that they will be protected by European bodies and institutions, and that they will not be distributed for other purposes. Here, therefore, there is a breach of trust. It is obvious that controlling this is complicated, and it is also a serious and dangerous situation because the European Union ends up transferring personal data to third countries, thus breaking this bond of trust between the European public and the European institutions. In doing so, what we are doing when the public allow the European institutions to be the guardians of their personal data in areas ranging from health issues to other matters that have been referred to companies that ask for data – I am talking specifically about the case of the US, which systematically asks for data from the European Union – is breaching the trust of the public, where the public are acting on the assumption that they are giving their data to the European Union, which will act as a guardian for it.
I would therefore also like to say, Commissioner, that these issues have often been problematic for various reasons, but I will always be on the side of public demonstrations wanting to safeguard personal data protection. If there are demonstrations planned to take place because the European institutions are not doing this, I believe that we should be on the side of the public, not against them. This is almost a type of betrayal, and I, or we, would therefore like to ask you, Commissioner, to clarify this issue once and for all, because no community was ever founded on destroying or diminishing the bonds of trust between the public and its institutions. In view of this, Commissioner, please respond and tell us to what extent we can ensure that European legislation supersedes the legislation of third countries. After all, EU legislation certainly supersedes the legislation of the 27 EU Member States, and the public have relinquished their sovereignty in this matter many times, so why should we accept that other countries such as the US can supersede national legislation, having already superseded EU legislation? This needs to be clarified, because it is indeed a very sensitive and serious issue, which we must take into consideration.
Finally, Commissioner, could you please tell us what the Commission is doing in order to prevent this from happening, and to ensure that it does not recur, and that the personal data of all members of the public, of companies, and of the various sectors mentioned in these issues are, in fact, data which people can trust, and that they remain with those who are protecting us? By this, I mean that I do not even agree that all information which is stored should be stored, but that is another debate. In relation to this, as this issue of citizens’ rights is serious and sensitive, I would like you to provide us with clarification so that we can all rest easy.
Jan Philipp Albrecht , author. – (DE) Mr President, Commissioner, today we are addressing the issue of whether to allow third countries to access the data of European citizens, as well as the application of the laws of third countries to European citizens here in Europe. Of course, this is a question that relates not just to data protection, but also, in an increasingly interconnected and globalised world, to fundamental questions of the application of the law and questions regarding which law actually applies. I think we need answers here.
We are constantly encountering situations, for example, in the so-called ‘cloud’, where more and more personal data is being stored and more and more services are being used, so that it is hard to know which law is actually applicable and which guarantees we in the European Union can offer our citizens, enabling them to trust in the application of European data protection law even in environments of this kind, or in relation to businesses operating internationally. I was pleased to see that we are now about to get to grips with data protection reforms on a European level. We have a good proposal from the European Commission on the table. However, this proposal, unlike previous drafts, does not contain an article making it clear that, in the event that information is requested by third countries, the law may only be applied if its application is also permitted as part of mutual support in the context of cooperation between the police and judiciary. In this context, I would be interested to know what has happened to this provision, and whether reasons exist for why it has been dropped.
I believe it is important that we should agree such provisions in our data protection laws, particularly while there are no common standards shared with these third countries. I am drawing attention to this, in particular, in my capacity as rapporteur for the joint data protection agreement with the US.
Simon Busuttil, author. – Mr President, the PPE Group takes the issue of the privacy of EU citizens and their data protection rights very seriously. It is in this spirit that we have been working very hard in the past few years to make sure that we put in place top-notch data protection laws that guarantee citizens’ rights to the full.
When the processing of data is carried out in Europe, we want citizens’ minds to be at rest that they enjoy high data protection standards. The processing of data by third countries presents a different problem. The concern here is that our standards might not be applied in cases which involve third countries. These are legitimate concerns.
Of course, it would be ironic if it were easier for third countries to process European citizens’ data in their territory than for European entities to do so in Europe. That is not acceptable for our citizens and, of course, cannot be acceptable to our Chamber, which is why we have to work together to find workable solutions.
Our solutions should start from the basic premise that a law enacted by a third country cannot be directly and automatically applied in the territory of the European Union unless EU law or Member State national law has explicitly allowed it to be so. We cannot lose control of this prerogative, and no law of a third country should be able to short-circuit EU law or national law, including EU data protection law.
We must make sure that this principle can be applied in law and in practice. I think that the new data protection package recently presented by the Commission gives us the opportunity to do so, as would the framework agreement with the United States that is being negotiated.
I look forward eagerly to Ms Reding’s replies to our questions.
Viviane Reding, Vice-President of the Commission. – Mr President, I agree entirely with the Members who have said that the high standards which we give to our citizens – rightly so – must also be transferred when there is an exchange of data with third countries. We in the Commission take this question very seriously, because the Commission believes and supports the principle that, in international public law, a legal act which is enacted by a third country cannot be directly and automatically applied in the territory of the EU unless – exceptionally – Union law or Member State law explicitly recognises the facts of such an act in their respective jurisdiction.
No legal acts of a third country as such can legally overrule the relevant EU legislation or Member State legislation, and this includes data protection rules. Any processing of personal data in the EU has to respect the applicable EU data protection law. If – and this was Ms in ’t Veld’s basic question – a US law enforcement authority requires information from companies operating in the European Union, whatever the nationality of those companies, they have to use existing channels of cooperation and mutual legal assistance agreements. This issue also applies when personal data are transferred by an EU company to a company in the US and when the data are subsequently processed for law enforcement purposes.
This sounds good – except that this issue is not explicitly addressed in the current EU legal framework. That is exactly the reason why (as the rapporteur knows perfectly well) we have the Data Protection Regulation, which the Commission put on the table on 25 January to try to provide additional legal clarity in these matters. The regulation makes it clear that transmissions can only take place when the conditions of the regulation for such transfers are met, notably when there is a justification on an important ground of public interest – and the public interest has to be recognised in Union law or in Member State law. This could involve, for instance, data transfer between competition authorities, tax and customs administrations, and it could also be for the prevention and investigation, detection and prosecution of criminal offences.
As you rightly said, this issue has been raised in the umbrella agreement on the protection of personal data. As Parliament has been informed, this negotiation is still continuing. For the moment, we have not yet reached a conclusion with this negotiation. As Parliament also underlined, this is an element which, for my colleague who is responsible for taxation, has to be seen in the framework of the FATCA regulations.
Here, I would like to make it very clear (this may be new information for Parliament) that the Commission has raised this issue with the United States regularly and intensively in the framework of the Financial Markets Regulatory Dialogue and, as a result of the discussion, on 6 February, the US announced that the Foreign Account Tax Compliance Act (FATCA) should be complied with by the transfer of data between tax administrations rather than by the imposition of direct obligations on EU financial intermediaries. So that is good news, which now has to be put into a clear text. But this is the direction we want to go in, and the Commission will continue to work with the US and with the Member States in order to identify the best way to address this issue and achieve legal certainty and compliance with the EU Charter of Fundamental Rights.
When I speak here about the United States, this means that it also applies to other third countries. The relations between the EU and the United States are those which are most discussed, but in future, we will certainly also have many discussions about other continents with which we have a specific relationship.
Agustín Díaz de Mera García Consuegra, on behalf of the PPE Group. – (ES) Mr President, I understand that regulation when it comes to data protection can be based on internal security strategies. We cannot forget, however, that its extra-territorial impact could infringe on the rights of European citizens.
What has arisen in connection with the Medicare Act, FISA, the Patriot Act and FATCA cases is more than mere concern. It appears that many of these measures stipulate that European financial entities, in the widest sense of the term, are obliged to provide all types of information, whether it concerns the title holder, their account types or the withholding of payments, among others.
There is no prior agreement to justify obtaining this data, nor do the users know what the data will be used for or the amount of time for which it will be stored.
It is therefore necessary to adopt measures and design a body of regulations and legislation to avoid infringement of the principle of territoriality. We should be able to maintain our relationships outside the Union, as well as our territory’s security, whilst totally respecting the rights of European citizens.
The European Commission should show much more commitment and interest in this task.
Dimitrios Droutsas, on behalf of the S&D Group. – (EL) Mr President, the potential extra-territorial repercussions of third-country legislation, especially US legislation, and especially in the data protection sector, is of immense and obvious importance to the European Parliament. It is imperative for us in the European Parliament to clearly know, including from you the Commissioner, if there is any infringement of EU legislation, especially on data protection. This relates directly to the rights of European citizens and impacts on the economic community within EU territory.
However, I should like to take advantage of today’s debate to repeat something which I said during the recent presentation of your proposals to revise the 1995 Personal Data Protection Directive which, I, too, will repeat, is a step in the right direction as far as we are concerned. We are living in times in which Europe is being accused of a lack of leadership. Unfortunately, the European Union has lost standing and clout internationally, especially in the foreign policy sector, but that is another story.
As far as data protection is concerned, however, Europe is at the vanguard and is showing the way to other countries outside the European Union. I hope and trust that, after our numerous discussions, Europe and you personally will continue work in this direction with the same degree of commitment.
Véronique Mathieu (PPE). – (FR) Mr President, Commissioner, data protection standards in third countries still differ considerably from European standards. It is, however, our duty to ensure that European citizens are guaranteed compliance with our minimum European protection standards, on which we pride ourselves. This personal data must be fairly processed and collected for particular and legitimate purposes. European citizens should be guaranteed a right of access to and rectification of personal details concerning them and should be able to bring legal action should their rights be violated.
We must act to ensure that European and international standards can coexist and to resolve a legal dispute which is potentially detrimental to European citizens. European legislation alone is not sufficient. It must tie in and coexist intelligently with international standards, as we cannot shirk our duties and commitments towards European citizens.
This situation is similar to other debates in this Parliament. It reminds us of the relevance of projects such as the introduction of a European Terrorist Finance Tracking Programme. A system of this nature would provide us with a tool, which has proven its effectiveness in the United States, while fully respecting national law, and consequently the protection of the personal data of European citizens.
The European institutions must continue to work in this direction and to pursue fully their protection standards.
Sophia in 't Veld, author. – Mr President, I do not know about the procedure. Simply, the most important question has remained unanswered, and I would like to be able to put the question again to the Commissioner in order to get an answer before we leave.
The question is: under current EU data protection rules, what can a company do to protect itself if it has an operation in the US and it has to comply with the subpoena? The subpoena says that data stored in Europe – and therefore covered by EU law – must be provided to the US authorities. This is not through a mutual legal assistance treaty; this is a company which has an operation in the US and is being obliged to provide data stored in the EU.
That data is covered by EU laws. How is the Commission going to protect those companies, which are asking for protection?
Phil Prendergast (S&D). – Mr President, in the context of the potential threat to EU citizens’ rights to data protection and privacy from third countries, I am particularly concerned at the provisions foreseen in the Anti-Counterfeiting Trade Agreement with regard to international cooperation, which compound the serious questions that the Treaty raises.
I intend to pursue this matter with the Commission and hope that the Commissioner will enlighten us on the implementing measures necessitated by these international cooperation provisions.
Inês Cristina Zuber (GUE/NGL). – (PT) Mr President, in recent years, we believe that we have seen a wave of security and repression driven by imperialism, especially with the supposed justification for the so-called War against Terror, which infringes civil liberties and the fundamental rights and guarantees of citizens, gradually weakening the democracy in which we live. We are concerned about various things that are public knowledge, such as the illegal use of personal data by the CIA, for example, and the establishment of arrangements between the EU and the US, as in the case of the agreement on the Society for Worldwide Interbank Financial Telecommunications, which puts both criminals and non-criminals, suspects and non-suspects, into a process that has not been confirmed to be effective. In addition, there is the risk of resistance movements being pursued through the use of data, under the pretext of combating terrorism.
We cannot exchange freedom for more security because, in the end, we will lose both. These two values are not incompatible: quite the contrary, a society can only be safer by guaranteeing extensive rights and democratic freedoms.
Jaroslav Paška (EFD). – (SK) Mr President, the protection of the data of European Union citizens and institutions is guaranteed by the legal and contractual documents of the EU. Any intervention by third countries in the protected rights of our citizens is unacceptable. In my opinion, it is therefore necessary, in order to maintain good relations with the United States, to maintain an open dialogue with them in order to create better partnership relations. The European Union is not yet a colony of the United States, and we cannot therefore accept the extra-territorial effects of American laws on EU territory. Our citizens expect the European Commission to be aware of these basic rules and to reach an agreement during regulatory negotiations with our American partners that will eliminate the concerns of our citizens and institutions about the potential effects of the Patriot or FACTA Acts on their lives.
Elena Băsescu (PPE). – (RO) Mr President, this debate is welcomed, all the more so as today, we have also discussed the topic of respect for human rights.
I believe that the issue of data transfer to third countries must be tackled in a balanced manner. Information transfer is necessary to combat terrorism. At the same time, a minimum threshold of the right to privacy must be observed by applying the principle of proportionality.
I would like to remind you of the debates generated by the negotiation of the PNR Agreement between the EU and the United States. The final agreement contains clauses that ensure such a balance. For example, information can be communicated only for the purpose of combating serious offences and only for certain operations. Due to the guarantees included in the Treaty, citizens are provided with a high degree of transparency, and sensitive information is protected by strict conditions of use.
Silvia-Adriana Ţicău (S&D). – (RO) Mr President, in the context of this debate, I shall refer to the passenger name record.
The EU has signed or is renegotiating bilateral agreements regarding the passenger name record with the United States, Canada and Australia. Parliament is currently analysing the proposal for a PNR Directive which establishes a common treatment for the passenger name record within the EU. However, in third countries, there are data protection systems different from the European Union’s system. Within the Committee on Transport and Tourism, I requested that where third countries are concerned, PNR data transfer should take place only when there are adequate guarantees with respect to personal data protection, and that the storage, processing and analysis of PNR data corresponding to passengers on international flights be carried out only on European Union territory, so that the applicable legislation is the European legislation on private data protection.
As regards PNR, I ask the Commission: how does it guarantee European citizens that private data transfer and processing are protected under European Union legislation?
Kay Swinburne (ECR). – Mr President, time and time again in the Committee on Economic and Monetary Affairs, when we have considered the Alternative Investment Fund Managers Directive (AIFMD), short-selling, the European Market Infrastructure Regulation (EMIR) and now the Markets in Financial Instruments Directive (MiFID), we have dealt with the issue of the extra-territorial implications of US legislation. The European institutions have all stated their commitment to maintaining open markets in order to keep investment flowing around the world.
However, we are yet to come up with a clear solution to the questions being raised tonight. As a result, we are having to insert clauses in our EU financial services legislation in order to give the EU equal weighting to the US in the regulation of financial entities and products.
We have been forced to incorporate word-for-word in EMIR what I consider to be protectionist language from the Dodd-Frank Act. This does not seem to be an optimal solution to this problem, but I cannot yet see an alternative to US regulatory overreach into European companies and markets.
The implications of these extra-territorial provisions for access to and from our financial markets for Asia, Latin America and the rest of the world are yet to be seen, yet any solution that is proposed must, above all else, not just suit the US.
End of the catch-the-eye procedure
Viviane Reding, Vice-President of the Commission. – Mr President, I agree with the speakers: it is high time that we say to the rest of the world, to our partners, that we are a continent of 500 million citizens who must be respected, and that the laws which we have decided together with this House have to be applied on the territory of the European Union. You might have seen that the Commissioner who is speaking to you has been very explicit on this: saying that the high guarantees which are our values, which are in our European laws, must not be eliminated in relations with third countries.
This is why we already have laws in place, and we are going to improve and strengthen them with the guarantees which the Treaty and the Charter of Fundamental Rights give to our citizens. We will make our European laws – which have to be respected by third countries on our territory – stronger. This is exactly the reason why I have tabled before this House a reform of the 1995 data protection rules and why I have said very clearly – and you can see what is going on in other territories at the moment in the political discussions – that those laws which we make here will become a world standard. That is what we want to achieve in the future.
For the time being, I have been very clear on the fact that the data protection rules of 1995 are missing some elements, such as arrangements concerning infringements, which we have included in our reform. The monitoring of data protection law compliance is also left completely up to national authorities, who are not currently obliged to inform the public or the European Commission. This should be changed, because the set of rules on data protection should, in future, be made on a continent-wide level in order to reinforce application.
Since the entry into force of the Treaty of Lisbon, agreements which we have with third countries – colleagues have been speaking about SWIFT and PNR – have to be agreed on by Parliament. This has dramatically changed the way that third countries approach the European Union. Lessons have been learnt from the way in which questions on SWIFT were dealt with. PNR is under discussion now and you know that the umbrella agreement which I negotiated with the United States will be on the table for this House to accept or to reject.
In the ACTA agreement, which this House also has to decide upon, the Internet freedom provision has been included in the final text of the legislation precisely because of the remarks made by this House, because we do have problems (in answer to the question from the Member asking the fundamental question of tonight’s debate), because there is the problem of the conflict between two jurisdictions. This is a conflict of international law – and such issues of international law must be clarified by the Court in The Hague – but we have tried in our new legislation to clarify all these points.
If you read Recital 90 of the regulation, you will see, and I quote, that: ‘the extra-territorial application of these laws, regulations and other legislative instruments may be in breach of international law and may impede the attainment of the protection of individuals guaranteed in the Union by this regulation’. That is why transfers should only be allowed where the conditions of this regulation for the transfer to third countries are met. That is what we have to work on now, beyond the conflicts which will arise between partners, beyond the international agreements which we have to vote on in this House and beyond the implementation of our European legislation in the framework of international law.
I therefore count on your support in the forthcoming legislative process on the data protection legal framework and on the umbrella framework, in order to clarify these points and in order to make it crystal clear that, on European territory, European law has to be applied.
President. – Thank you very much Ms Reding. What a pity. I almost managed to bring the session to a close before 23.00. I, too, would like to thank all the Members for their discipline nonetheless. Thank you to the ushers, the House’s services staff and, not least, to the translators for their efforts. Thank you very much for today’s work.
The debate is closed.
Written statements (Rule 149)
Carlos Coelho (PPE), in writing. – (PT) Given that the level of data protection in the EU is much higher and more comprehensive than in the vast majority of third countries, it was important to enshrine the extra-territorial reach of the directive, in order to prevent European companies from being able to transmit personal data to their facilities outside Europe with offshore processing, in order to circumvent the application of the strict limits imposed by the directive.
The directive bans the transfer of personal data to any third country that does not have an adequate level of data protection. The number of countries that meet this criterion, according to the Commission, is currently very low. It is unacceptable that cases such as the agreement on the Society for Worldwide Interbank Financial Telecommunications may occur, whereby, in the context of internal company transfers, European personal data must be made available to the US authorities because they are in US territory, negating the rights and guarantees offered by European legislation to citizens and businesses. There is an urgent need to adopt the necessary measures, in order to guarantee effective application of the rules of European data protection, and to prevent the possibility of any third-country legislation superseding Union law on protecting the interests of European citizens and companies based in the EU.