President. – The next item is the debate on the Commission statement on the transfer of personal data to China (2016/2762(RSP)).
Violeta Bulc, Member of the Commission. – Mr President, honourable Members, data protection is a fundamental right in the EU and it also applies when personal data is transferred outside the EU. This Parliament played a key role in the data protection reform which will enter into application in 2018 and further strengthen everyone’s right to data protection. China has not enacted any legislation on the protection of personal data.
Under the current and future data protection legislation, personal data transfers to countries that do not ensure an adequate level of protection are possible only if the EU data exporter provides adequate safeguards or if the transfer falls within the scope of one of the strictly interpreted regulations. These safeguards include the use of tools such as standard contractual clauses or binding corporate rules, which are of particular relevance for cloud computing.
Now, as in the future, responsibility for the supervision and enforcement of data protection legislation lies with the national data protection supervisory authorities and the courts. National data protection authorities are endowed with effective powers of intervention. They have the power of ordering the blocking, erasure or destruction of data and of imposing a temporary or definite ban on processing.
While the Commission has not engaged in bilateral discussions with China on the protection of personal data, it is involved in the work of APEC (Asia-Pacific Economic Cooperation) – of which China is a member – on this issue. In particular, the EU is engaged in a dialogue with APEC to explain the requirements under EU law for binding corporate rules to function as adequate safeguards enabling the international transfer of personal data.
Regarding possible data localisation requirements, one point of concern is the question of public security authorities’ access to personal data transferred from the EU to China. The extent of such access affects the validity of safeguards and therefore the lawfulness of transfers to China. As such, it is within the remit of the supervisory authorities of EU Member States competent in the field of enforcement of the Data Protection Directive.
China has adopted or proposed a number of laws and regulations dealing with aspects of cyber-security and national security over the past 18 months. The Commission has welcomed the opportunity to comment on a number of them and welcomes China’s efforts to enhance transparency in the legislative process. The Commission has made it clear to China that global businesses need to be able to transfer, and potentially to store, personal data to different locations for commercial, security and supervisory purposes. China’s security concerns related to cyber-security should be addressed in a proportionate way that does not create unnecessary market access barriers or deviate from World Trade Organisation commitments.
Axel Voss, on behalf of the PPE Group. – Mr President, Commissioner! As you have already mentioned, with China we are far from achieving an adequate level of protection for personal data, as we are currently negotiating with the USA. The transfer of personal data to China is, however, already a reality, namely via cloud computing or via the mail-order platform Alibaba, and from our national data protection commissioners, as well as from some colleagues or the perpetual activists, I unfortunately hear nothing at all about this, unlike what we otherwise repeatedly observe in the case of the USA.
That is why I ask the Commission: how can it be guaranteed that data protection standards are complied with in the transfers of personal data to China that are already taking place? What role can be assigned even more effectively to the data protection authorities and data protection commissioners – who are in fact currently responsible for these matters – than we have done so far? Because I believe very little is happening there so far.
Andrejs Mamikins, on behalf of the S&D Group. – Mr President, the EU model of personal data protection laws does not yet exist in China. China has not enacted legislation that specifically addresses the collection, storage, transmission and operation of personal information. China has also not entered into any treaty with the EU or anything similar to the EU—US Safe Harbour Framework.
The EU data protection model is not the international standard. China and the EU are different in their underlying approach to personal data processing. In China today the data protection recipient is not an individual or a data subject, as in the European Union, but a consumer. There is no data protection authority or any other state agency to monitor the protection of personal data. Courts are apparently the only viable remedy for the protection of individuals in this regard.
Over the past few years, China has enacted a series of data protection-related legal texts. This initiative has to be strengthened and tested. While commercial and other relationships need to be stifled on data protection grounds, concrete and specific policy recommendations need to be provided to China. China would have the opportunity to demonstrate that its recent data protection effort is part of a persistent policy and not just a pretext to attract more internal and external information-processing businesses. A list of policy recommendations has been drawn up with regard to, firstly, the basic data protection principle, secondly, the basic data protection individuals’ rights, thirdly, data transfers, and, finally, the enforcement mechanism.
The relationship between China and the EU in the field of personal data protection will have to overcome many difficulties but, if both sides genuinely want to overcome them, they can succeed.
Beatrix von Storch, on behalf of the EFDD Group. – Mr President, Commissioner! So at the end of the plenary debate we are now still discussing the standards for the transfer of personal data to China. We, the Alternative für Deutschland, call for the following on data protection in our party programme: ‘As against other endeavours, data protection is to be given high priority, and its scope is to be extended to all personal characteristics. Freedom of expression and the free development of personality need strong data protection.’
The CJEU, in its judgment of 6 October 2015 in the Maximilian Schrems case, set out in detail the standards for the protection of personal data. Legal certainty in the transfer of personal data and the protection of those data are of decisive importance for citizens’ trust. When citizens lose trust, we see what they do: they leave the European Union.
Let us therefore insist that, just as with the USA, the highest and very highest standards for the protection of personal data must apply to China too!
Tomáš Zdechovský (PPE). – Mr President, Commissioner, it is a pity that this very interesting and important topic comes onto the agenda only now, when this Chamber is almost empty and attention on the Chamber is fairly slight, including among journalists.
The Chinese Republic has long been among the largest and most important trading partners of the European Union. However, our rapidly developing economic, political and cultural cooperation also brings with it increased transfers of data. These include the personal data of European Union citizens, which in my opinion can be very dangerous. For this country has no provisions enshrined in its legislation dealing with the collection, storage and processing of personal data. This major shortcoming greatly endangers the European Union and European citizens themselves. It is therefore necessary, Commissioner, to ensure that transfers of personal data between us and China comply with the European Union’s requirements on privacy and data protection.
Seán Kelly (PPE). – Mr President, the Commissioner referred to the Data Protection Regulation, which will be coming into effect in two years. Like my colleagues, Mr Voss and Mr Albrecht, I was involved in that, as the rapporteur for the Committee on Industry, Research and Energy (ITRE) for a four-year period, and it gives adequate protection for European citizens.
Then, of course, we had the situation with the US, with the Safe Harbour being shut down, and that has now been replaced by the Privacy Shield. While all the focus was on the US, we were perhaps negligent in our dealings with China. It has been pointed out that their data protection is certainly inadequate in terms of the protection of European citizens. At the same time, there are increasing flows of data to China – with the increasing use of Chinese products, software, e-commerce, social networks, etcetera – so it is absolutely vital that we engage with the Chinese and maybe try to get some type of extension to the Privacy Shield so that adequate protection is there for European citizens’ data.
Catch-the-eye procedure
Nicola Caputo (S&D). – Mr President, ladies and gentlemen, China has no legislation that specifically covers the collection, storage, transmission and processing of personal information, and has not concluded any agreement with the European Union. The European model is a point of reference but not yet a globally applicable standard. Nevertheless, although the European Union restricts transfers of personal data to countries that do not meet its strict legal adequacy requirements on privacy, exchanges of personal data between the European Union and China have become an important reality in contemporary cloud computing environments. China has in fact adopted an aggressive commercial policy, setting up international offshore cloud computing zones and extending free trade zones to foreign investors. We must ensure, within a short time frame, that transfers of data belonging to European citizens to China are in line with the requirements of our legislation.
Angel Dzhambazki (ECR). – Mr President, ladies and gentlemen, the European Union seeks to deepen trade and investment with the aim of creating a level playing field. Despite the many calls for protection of personal data rights and for improving the security situation, I am still sceptical on the subject. We are witnessing the weaknesses of the rules and regulations that are being introduced.
We must work to improve the situation in personal data protection legislation and to be sure that the deals concluded are implemented properly and are not influenced by the control and interests of third parties. With the progress of technology and digitalisation, it is even easier nowadays than 20 years ago to misuse personal data.
It would be irresponsible to allow free transfers of personal data without taking the necessary security measures. We must be sure that European standards are not sacrificed for the sake of reaching a deal.
Ivan Jakovčić (ALDE). – Mr President, our business with China is ever broader, ever more frequent, ever stronger, ever more complex. Of course, we are doing business with a country that does not have an adequate system for storing data, and above all has no data protection system. And here we run into a serious problem.
We will run into the problem not only with China but with many other countries with which we do business, because the protection of our citizens’ data is always of a very doubtful nature.
That is why I would like to propose that we do not discuss data going across the Atlantic on one occasion and data going to China on another. Let us try to do something else. Let us try, with the United States of America and other partners, to create the first cyber-security concepts in the world. Because, just as we need physical security, today we also need cyber-security. I really see no reason why the EU and its partners should not start this work immediately.
(End of catch-the-eye procedure)
Violeta Bulc, Member of the Commission. – Mr President, honourable Members, thank you for the very useful contribution to the debate. It is clear that, in today’s digital world, cross-border data flows are indispensable for our economy, businesses and societies. We must pay particular attention to the transfer of personal data. Citizens’ rights, as provided for by the Charter of Fundamental Rights and secondary law, must be fully respected.
In this regard, it is important to emphasise that transfers of personal data can take place only if adequate safeguards are used by the data exporter. Such safeguards can be provided, notably, by means of contractual clauses binding the exporter and the importer of the data. These include obligations as regards security measures; obligations to adopt technical and organisational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access; information provision to the data subjects in the event of transfer of sensitive data; notification to the data exporter of access requests by a third country’s law enforcement authority, or of any accidental or unauthorised access; and the rights of data subjects to access certification and erasure of their personal data; as well as rules on compensation for the data subject in the event of damage arising from a breach.
The model clauses also require that EU data subjects have the possibility to invoke the rights they derive from contractual clauses as a third party beneficiary before a data protection authority (DPA) and/or a court of the Member State in which the data exported is established.
With regard to transfer between different entities of a multinational corporate group, controllers can rely on binding corporate rules (BCRs). These rules are enforceable in the EU: individuals whose data are being processed by an entity in the group shall be entitled as third party beneficiaries to enforce compliance with these rules by lodging a complaint before a data protection authority and bringing an action before a Member State’s court. Under most Member States’ laws transposing the directive, data transfers on the basis of BCRs have to be authorised by the DPA in each Member State from which the company in question intends to transfer data.
The Commission will continue to engage in dialogue with China and other international partners in Asia and North and South America to promote the solid principles that underpin our approach to data flows and to the protection of personal data.
President. – The debate is closed.
Written statements (Rule 162 of the Rules of Procedure)
Tibor Szanyi (S&D), in writing. – This is a good example to prove that neglecting important European values and principles will ultimately result in harming actual EU interests: providing EU citizens’ and businesses’ data to China, a key partner without any credible data protection laws, but with the largest number of super-computers in the world (even more than in the US) offers the Chinese a clear commercial advantage they will not hesitate to take advantage of. So, for me the issue is not just about principles: it is also about protecting European jobs. I hope the Commission has the right answer, with a viable and reassuring solution to a very practical dilemma.