Procedure : 2016/3018(RSP)
Document stages in plenary
Document selected : B8-0244/2017

Debates :

PV 05/04/2017 - 19
CRE 05/04/2017 - 19

Votes :

PV 06/04/2017 - 7.7
CRE 06/04/2017 - 7.7

to wind up the debate on the statement by the Commission

pursuant to Rule 123(2) of the Rules of Procedure

on the adequacy of the protection afforded by the EU-US Privacy Shield (2016/3018(RSP))

Axel Voss, Anna Maria Corazza Bildt, Barbara Kudrycka on behalf of the PPE Group
Helga Stevens on behalf of the ECR Group

European Parliament resolution on the adequacy of the protection afforded by the EU-US Privacy Shield (2016/3018(RSP))  

The European Parliament,

–  having regard to the Treaty on European Union (TEU), the Treaty on the Functioning of the European Union (TFEU) and the Charter of Fundamental Rights of the European Union,

–  having regard to Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (Data Protection Directive)(1),

–  having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)(2), and to Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA(3),

–  having regard to the judgment of the Court of Justice of the European Union of 6 October 2015 in Case C-362/14 Maximillian Schrems v Data Protection Commissioner(4),

–  having regard to the Commission communication to the European Parliament and the Council of 6 November 2015 on the transfer of personal data from the EU to the United States of America under Directive 95/46/EC following the judgment by the Court of Justice in Case C-362/14 (Schrems) (COM(2015)0566),

–  having regard to Commission Implementing Decision (EU) 2016/1250 of 12 July 2016 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the EU-US Privacy Shield(5),

–  having regard to Opinion 4/2016 of the European Data Protection Supervisor (EDPS) on the EU-US Privacy Shield draft adequacy decision(6),

–  having regard to the Opinion of the Article 29 Data Protection Working Party of 13 April 2016 on the EU-US Privacy Shield draft adequacy decision(7) and its Statement of 26 July 2016(8),

–  having regard to its resolution of 26 May 2016 on transatlantic data flows(9),

–  having regard to Rule 123(2) of its Rules of Procedure,

A.  whereas in 2015 the Court of Justice of the European Union (CJEU) invalidated the EU-US Safe Harbour decision on the exchange of personal data on the grounds that it provided insufficient protection for EU citizens’ data protection rights; whereas subsequently, in 2016, the Commission negotiated a new agreement, the EU-US Privacy Shield;

B.  whereas Parliament was not directly involved in the negotiations, but it adopted a resolution in May 2016 on transatlantic data flows which welcomed the ‘substantial improvements’ in the Privacy Shield compared with the Safe Harbour decision, but also called for some further improvements;

C.  whereas the Commission will shortly carry out its first annual evaluation of the Privacy Shield and publish the results;

1.  Welcomes the conclusion of the negotiations between the EU and the US on the EU-US Privacy Shield, after more than two years of negotiations between the Commission and the US Department of Commerce, and the adoption of the decision on the EU-US Privacy Shield on 12 July 2016;

2.  Acknowledges that companies are able to sign up to the EU-US Privacy Shield with the US Department of Commerce, which will then verify that their privacy policies comply with the high data protection standards required by the Privacy Shield;

3.  Takes note that 1 937 companies have joined the EU-US Privacy Shield so far;

4.  Welcomes the adoption of the Judicial Redress Act by the US Congress, and recalls Parliament’s long-standing demand for such an act as the pre-requisite for the finalisation of the EU-US Umbrella Agreement and for the conclusion of the Privacy Shield negotiations;

5.  Acknowledges that the EU-US Privacy Shield differs substantially from the Safe Harbour Framework, providing for significantly more detailed documentation that imposes more specific obligations on companies willing to join the framework and that includes new checks and balances ensuring that the rights of EU data subjects can be exercised when their data are being processed in the US;

6.  Welcomes the acknowledgement by the Article 29 Working Party of the significant improvements brought about by the Privacy Shield compared with the Safe Harbour decision;

7.  Takes note of the concerns raised by the Article 29 Working Party and its constructive approach, and further stresses that the data retention limitation principle, as referred to in the Opinion, should first be clarified in the European Union, as the situation and standards in the EU are still uncertain following the CJEU ruling of 2014;

8.  Takes note of the statement by the Chairperson of the Article 29 Working Party according to which the essential guarantees identified by this Working Party should also be valid for EU Member States;

9.  Regrets that the procedure of adoption of an adequacy decision does not provide for a formal consultation of relevant stakeholders such as companies, and in particular SMEs’ representation organisations;

10.  Notes that while the Safe Harbour Framework did not refer to any specific limitations on US Government access to data transferred to the US, the EU-US Privacy Shield Framework documentation now includes binding commitments of the US Government in the form of letters from the Director of National Intelligence, the US Secretary of State and the US Department of Justice;

11.  Stresses that since 2013 the US Congress and Administration have enacted more than two dozen reforms to surveillance laws and programmes, including, inter alia, the USA Freedom Act, which prohibits bulk collection of data, Presidential Policy Directive 28, which makes protecting the privacy and civil liberties rights of persons outside the US an integral part of US surveillance policy, the amendments to the US Foreign Intelligence Act, and the Judicial Redress Act, which extends data protection measures to EU citizens; considers that these reforms are crucial in evaluating the effect of the interference with the fundamental rights of privacy and data protection, as set out in Articles 7 and 8 of the EU Charter of Fundamental Rights;

12.  Recognises and welcomes the initiatives taken by the US Administration and US Congress, such as the Email Privacy Bill unanimously passed by the House of Representatives in April 2016 amending the 1986 Electronic Communications Privacy Act (ECPA), and the adoption by the House in January 2016 and the Senate in March 2016 of the FOIA (Freedom of Information Improvement Act), and strongly supports the signing of the bill into law demonstrating substantial political efforts by the US to enhance privacy protection for all individuals;

13.  Welcomes the creation of the Ombudsperson mechanism within the Department of State, which is independent from national security services and will contribute to ensuring individual redress and independent oversight; calls for rapid nomination of the first Ombudsperson;

14.  Notes that, although US law offers specific protection against adverse decisions in areas where companies are most likely to resort to automated processing (e.g. employment and credit lending), no specific rules on automated decision-making are provided for in the EU-US Privacy Shield, and therefore calls on the Commission to monitor the situation, including through the annual joint reviews;

15.  Notes with satisfaction that under the EU-US Privacy Shield Framework, EU data subjects have several means available to them to pursue legal remedies in the US: first, complaints can be lodged either directly with the company or through the Department of Commerce following a referral by a Data Protection Authority (DPA) or with an independent dispute resolution body, secondly, with regard to interferences with fundamental rights for the purposes of national security, a civil claim can be brought before a US court and similar complaints can also be addressed by the newly created independent Ombudsperson, and finally, complaints about interferences with fundamental rights for the purposes of law enforcement and the public interest can be dealt with by motions challenging subpoenas; encourages further guidance from the Commission and DPAs to make those legal remedies more easily accessible and available;

16.  Notes that, while individuals have the possibility to lodge an objection with the EU controller to any transfer of their personal data to the US, and to the further processing of those data in the US where the EU-US Privacy Shield company acts as a processor on behalf of the EU controller, the EU-US Privacy Shield lacks specific rules on a general right to lodge an objection with the US self-certified company;

17.  Notes the lack of explicit principles on how the EU-US Privacy Shield Principles apply to processors (agents), while recognising that all principles apply to the processing of personal data by any US self-certified company unless otherwise stated and that the transfer for processing purposes always requires a contract with the EU controller which will determine the purposes and means of processing, including whether the processor is authorised to carry out onward transfers (e.g. for sub-processing);

18.  Notes that the Commission has published a guide for citizens explaining how individuals’ data protection rights are guaranteed under the EU-US Privacy Shield and what remedies are available for individuals if they consider that their data has been misused and their data protection rights have not been respected; recommends that this guide be promoted so that citizens are made aware of the advantages of the Privacy Shield;

19.  Welcomes the prominent role given by the Privacy Shield Framework to Member State DPAs to examine and investigate claims related to the protection of the rights to privacy and family life under the EU Charter of Fundamental Rights and to suspend transfers of data, as well as the obligation placed upon the US Department of Commerce to resolve such complaints;

20.  Recalls that one of the fundamental objectives of the EU in this matter should be the protection of personal data as it flows to its major international trading partner, and that the Privacy Shield will help ensure that the fundamental rights of EU data subjects flow with their data;

21.  Welcomes the fact that companies are no longer left in legal limbo, as the EU-US Privacy Shield Framework provides a legal base for the data transfer;

22.  Also recalls that legal certainty, and in particular clear and uniform rules, are a key element for business development and growth, in particular for SMEs, and therefore warns against any attempt to jeopardise the adopted EU-US Privacy Shield Framework, which would lead to thousands of companies of all types and sizes – in both the European Union and the United States – facing uncertainty and have a serious impact on their operations and their ability to conduct business across the Atlantic;

23.  Insists that SMEs accounted for 60 % of the companies relying on the Safe Harbour Agreement and that SMEs stand to gain the most from the new EU-US Privacy Shield, and calls on the Commission, in close cooperation with the DPAs, to provide for greater clarity, precision and accessibility in the implementing and functioning of the Privacy Shield for those companies;

24.  Considers that the Privacy Shield is crucial in bridging the gap between European and American approaches to privacy and it is therefore essential for rebuilding transatlantic trust; expresses its confidence that the EU-US Privacy Shield will be subject to strict scrutiny by regulators and by the Commission through the annual joint review mechanism as it becomes an established framework for compliance, in order to ensure its robustness and legal validity;

25.  Calls on the Commission to fully implement its responsibility under the EU-US Privacy Shield Framework to periodically review its adequacy findings and the legal justifications thereof, with a view to ensuring that personal data are adequately protected and that the Privacy Shield is functioning efficiently without unnecessary impairment to the other fundamental rights, such as the right to privacy and security, the right to receive and impart information, and the right to conduct a business, and to report back to Parliament on an annual basis on its precise findings and remedies thereto;

26.  Calls on the Commission to ensure that the annual joint review mechanism focuses on the number of registered complaints from citizens, the effectiveness and accessibility for EU data subjects of redress mechanisms, including the Ombudsperson, the progress in US reforms of surveillance law, cooperation between EU DPAs and the US Department of Commerce (DoC) / US Federal Trade Commission (FTC), the monitoring/enforcement role of the DoC/FTC when it comes to compliance of US companies with the Privacy Shield/their privacy policies, and the number of companies that have signed up;

27.  Recognises that the EU-US Privacy Shield is part of a broader dialogue between the EU and third countries, including the United States, in relation to data privacy, trade, security and related rights and objectives of shared interest; calls, therefore, on all parties to work together towards the creation and sustained improvement of workable international frameworks and domestic legislation that achieve those objectives;

28.  Regrets the anticipated timing of this debate and considers that the presentation of the first annual joint review would be a more appropriate time to draw the first conclusions on the functioning of the EU-US Privacy Shield Framework;

29.  Instructs its President to forward this resolution to the Commission, the Council, the national parliaments of the Member States and the US Congress and the US Administration.


(1) OJ L 281, 23.11.1995, p. 31.

(2) OJ L 119, 4.5.2016, p. 1.

(3) OJ L 119, 4.5.2016, p. 89.

(5) OJ L 207, 1.8.2016, p. 1.

(6) OJ C 257, 15.7.2016, p. 8.

(9) Texts adopted, P8_TA(2016)0233.
