President. – The next item is the debate on the Commission statement on the adequacy of the protection afforded by the EU-US Privacy Shield (2016/3018(RSP)).
Věra Jourová,Member of the Commission. – Mr President, let me first of all thank you for the opportunity to speak to you today and to update you on the state of implementation of the privacy shield and our plans for the upcoming first annual review. Today’s discussion is very timely, as I have just returned from Washington and can inform you of the latest state of play. As you rightly note in the motion for today’s resolution, the privacy shield has attracted a lot of interest, with more than 1 900 companies that have been certified under this framework. This shows the importance of the instrument for our trans-Atlantic relationship. It also means that an increasing volume of the personal data that is transferred across the Atlantic benefits from the many protections that the privacy shield offers for individuals.
I know that some of you had hoped for more, and I too would one day like to see a fully fledged comprehensive data protection law in the United States, but in the meantime, our assessment is that the privacy issue of framework lives up to the requirements of our data protection laws, as interpreted by our highest court. Our highest court has clarified: adequacy does not mean that the rules in the third country have to be an exact photocopy of our rules. Rather, what the Commission has to assess is if that third country offers in law and practice an essentially equivalent level of protection to that guaranteed in the EU legal order.
Clearly the privacy shield is a substantial improvement when compared to the old safe harbour. This is the view of our data protection authorities, and I am glad to see that your motion contains the same clear statement. However, putting in place the privacy shield framework, the privacy principles, together with the commitments and assurances by the United States’ government, was only part of the work. It is equally important that these rules also fully apply in practice. This is why our focus since the adoption of the decision has been on the effective implementation of this new framework. This involves several actors, and I am happy to report that our data protection authorities and the United States authorities have cooperated closely in working out procedures to ensure a robust oversight and enforcement of these new rules.
Representatives from the Ombudsperson’s office as well as the Federal Trade Commission and Department of Commerce have come to Brussels on several occasions to discuss with the Commission and the Article 29 Working Party the details of this cooperation, and to report on their implementation work. During my visit to Washington last week, I put a particular emphasis on some of the key foundations on which the privacy shield is built. This concerns in particular the limitations and safeguards that apply in the area of government access for national security purposes. A central element of this is Presidential Policy Directive number 28, which specifically addresses the privacy protections afforded to foreigners. Another key element is the Ombudsperson mechanism, which ensures that Europeans have a possibility to obtain an individual review if they believe that intelligence authorities have broken the law when accessing their personal data. A third one is the Privacy and Civil Liberties Oversight Board. For the sustainability of the privacy shield it is essential that these elements are part of it.
We will closely monitor any relevant developments in the United States with a possible impact on the privacy shield, including the upcoming debates around a possible reform or prolongation of Section 702 of the Foreign Intelligence Surveillance Act, which expires at the end of this year. This is the message we have been sending since the start of the new administration. I have repeated this message during my recent visit to Washington and my meetings with the White House, the Commerce Secretary, the Attorney General State Department as well as Congress, and I received assurances that this message is well understood by our US counterparts, both as to the value of the privacy shield and the need to keep all of its elements in place.
Let me make this point very clear: If we are faced with any developments that could negatively affect the level of protection afforded under the Privacy Shield, the Commission will take its responsibilities and use all available mechanisms, be it review, suspension, revocation or repeal, to promptly react. My focus is now on the first annual joint review. This will be a crucial moment: a moment of truth where we take stock of how the privacy shield functions in practice and to see whether there are things that need to be improved. I have agreed with the US Commerce Secretary Wilbur Ross that the first annual joint review meeting will take place in Washington in September.
All the various elements that are relevant for the functioning of the EU-US privacy shield will be covered by this review, inter alia: first, how US companies comply with their data protection obligations and the mechanisms they have put in place to ensure a speedy handling of complaints. Second, how the Department of Commerce and Federal Trade Committee certify companies, monitor compliance and cooperate with our data protection authorities in the enforcement. Third, the operation of the rules regarding access by public authorities and the rules and procedures to ensure that the Ombudsperson mechanism functions well. Fourth, in addition, in the issues identified already in the Commission’s adequacy decision, such as the dialogue on automated decision-making, as well as any developments in the United States law that might raise questions concerning the EU-US privacy shield and its operation, will have to be discussed. As partners in this review, we will of course discuss the precise parameters of the review with the Article 29 Working Party. The input from business and from civil society will also be of crucial importance. I met both sides in Washington, and they are committed to contribute. On the US side, we expect the joint review to involve the Department of Commerce and the Federal Trade Commission, but also the Ombudsperson and representatives from the intelligence community. Directly after the joint review we will report our findings to you and to the Member States in the Council. This will allow you and us to assess and discuss where we are on this and also discuss the next necessary steps.
Honourable Members, thank you again for giving me the opportunity to speak to you today, and of course I stand ready to address any questions you might have.
Elnökváltás: GÁLL-PELCZ ILDIKÓ alelnök
Axel Voss, im Namen der PPE-Fraktion. – Frau Präsidentin, Frau Kommissarin! Es ist wichtig, dass wir unseren Unternehmen, KMU und Startups etc., Rechtssicherheit geben, auch eine konkrete Rechtsgrundlage zur Verfügung stellen für den transatlantischen Datenaustausch bei gleichzeitiger Absicherung des Datenschutzes. Und beides vereint meines Erachtens auch der Datenschutzschild. Die Kommission hat in all diesen ganzen Jahren, der letzten Zeit, einerseits was Datenschutz betrifft, andererseits eben auch hinsichtlich des Datenschutzschildes auch viel erreicht.
Wir werden diese 100 % nie bekommen können, die andere Fraktionen in diesem Haus immer gerne hätten, aber es gibt eben auch keinen Grund dafür, zurzeit so negativ über diesen Datenschutzschild zu sprechen. Wir haben selbst im Parlament hier im Juni 2016 bereits einen Entschließungsantrag zum freien Datenverkehr angenommen, wo wir auch den Datenschutzschild positiv bewerten. Aber nun gibt es eigentlich keinen Grund, auch mittendrin – es läuft seit Juni oder Juli letzten Jahres, und jetzt haben wir eigentlich mal abzuwarten, bis im September der neue Bericht kommt, und dann hätte es vielleicht einen Grund gegeben, das mal zu bewerten. So haben wir weder die praktischen Erfahrungen, die wir jetzt bewerten können, und theoretisch lässt sich das hier eben einfach auch nicht so ohne Weiteres durchdringen. Sie haben die positiven Elemente alle auch herausgestellt, und im Vergleich zum Safe-Harbour-Abkommen ist das ein riesengroßer Schritt, den wir so an sich nicht haben erwarten können.
Insbesondere haben Sie mehr erreicht als das, was wir selber in unseren eigenen Mitgliedstaaten zu geben bereit sind, und deshalb ist das gut. Diese Schnittstelle zur nationalen Sicherheit wird immer schwierig zu überkommen sein, aber ich glaube, von diesen transatlantischen Datenströmen profitieren am Ende beide Seiten, und es ist auch eine unverzichtbare Chance für beide Seiten, hier auf dem Weg weiterzugehen.
Claude Moraes, on behalf of the S&D Group. – Madam President, to be very clear, the purpose of this resolution is because we have a September evaluation. I really believe that the members of the Committee on Civil Liberties, Justice and Home Affairs – and indeed other Members who have expertise and interest in this extremely important topic – need to give their views to the Commissioner. I do not see any problem with this. In fact, I think this is a positive and important part of our work.
I want to begin with what you said about your trip to the United States. I think it is very important, Commissioner, particularly for the Civil Liberties Committee, that we have an interaction with you before we go to the United States in September. Why are we doing this? Why are we proposing this resolution? We are not doing it because there have not been significant and key improvements on Safe Harbor thanks to Privacy Shield, but because we want to ensure in Parliament that Privacy Shield stands the test of time and that it does not have weaknesses that would be difficult for the future.
We know that Privacy Shield protects the fundamental rights of anyone in the EU whose personal data is transferred to the United States, as well as bringing legal clarity for businesses relying on trans-Atlantic data transfers, and we cannot allow that to fail. So the resolution acknowledges that the final agreement on the Privacy Shield, adopted in July 2016, has taken a number of Parliament’s concerns into consideration. We know that key improvements have been made compared to the former Safe Harbor. We note also that the agreement will facilitate data transfers from the EU to the US, particularly from SMEs and business in the EU, and that the EU Data Protection Authority’s supervisory powers remain unaffected by the adequacy decision, including the power of suspending or banning data transfers to US companies that are members of the Privacy Shield. We also take note of the clarifications and interpretations of the US Administration, in particular as regards the processing of personal data by security agencies.
However, several issues must be resolved. The resolution highlights issues of concern that remain unclear, particularly, for example, those made by the Article 29 Working Party, which – as we all know – is deeply involved in these matters. These include concerns regarding the principle of data retention, the bulk collection of personal data for national security purposes, the need for sufficient judicial redress, and the effect of independent oversight, as well as several law enforcement issues. If these concerns are not taken into account, the Privacy Shield risks not achieving its purpose and could face further challenge in the courts. This is one of our deepest concerns. Both citizens and businesses relying on transatlantic data flows need that certainty of a robust legal framework, and this text calls on the Commission to conduct that proper assessment. It does not doubt that that will happen, but we are doing our job in ensuring that every part of this detail is covered.
We will raise these concerns during our LIBE delegation with our US counterparts, and we are now experienced in these negotiations. The Parliament has consistently called for a stronger agreement, following the invalidation of Safe Harbor in October 2015, and we now want the protection of personal data which meets the requirements of the Charter of Fundamental Rights and the data protection legal framework.
Commissioner, today we are calling on you to conduct a proper assessment to ensure this legal certainty is provided for citizens and business alike. We in the Parliament simply want to do our job. That is what the resolution is saying today.
Helga Stevens, namens de ECR-Fractie. – Ik betreur allereerst dat bepaalde politieke fracties niet wilden wachten op de eerste evaluatie door de Commissie. Dit gezegd zijnde ben ik ook helemaal niet gelukkig met de inhoud van de resolutie van rapporteur Moraes. Ik heb daarom samengewerkt met de EVP-Fractie om een positiever alternatief te bieden. Laat mij hieruit enkele zaken benadrukken.
Ten eerste is de trans-Atlantische gegevensoverdracht van essentieel belang voor onze economie, handel en veiligheid. Niemand kan dit ontkennen en laten we dit dan ook alstublieft niet terzijde schuiven in dit debat. Wie op een schorsing van het privacyschild aanstuurt, moet nadenken over de gevolgen van de juridische onzekerheid die dit met zich meebrengt.
Ten tweede realiseerden we met het privacyschild een nooit eerder bereikt hoog niveau van gegevensbescherming. Er werd een gigantische stap in de goede richting gezet. De rechten en de rechtsbescherming van EU-burgers bij gegevensoverdracht naar de VS gaan er enorm op vooruit.
Uiteraard vind ook ik dat de Commissie steeds moet blijven streven naar de hoogst mogelijke standaard voor gegevensbescherming, maar sommige politieke fracties en parlementsleden blijven echter vinden dat alleen een kopie van de Europese regels kan volstaan. De Verenigde Staten zijn echter een onafhankelijke natie. Hoewel het land een belangrijke strategische bondgenoot is van de EU, mogen we echter niet vergeten dat het geen lid is van de Unie. Ik en mijn delegatie geloven sterk dat het zowel voor onze bedrijven, de Europese economie als de privacy van de EU-burgers het beste is om een operationeel privacyschild te hebben.
Sophia in 't Veld, on behalf of the ALDE Group. – Madam President, in reply to Mrs Stevens, we are not actually calling for the suspension of the Privacy Shield, but we do expect the Commission to defend the interests of EU citizens and monitor, extremely critically, what is happening. We had already expressed very serious concerns under the Obama administration and, for some reason, the changes that have been made by the Trump administration do not alleviate my concerns. I do not know why, it is probably me.
Indeed we do not expect the US law to be identical, but we do expect it to be essentially equivalent, because that is what the judges have said. So that is not a party political request but an obligation for the EU institutions, and the Commission is responsible here.
I do not need to outline all the questions that we have put in the resolution. I am actually a little bit disappointed. The resolution has been available in the public domain for some time now. I would have expected the Commission to have already responded to the questions which are in there. What about the privacy and civil liberties oversight board, which is under quota? What about the Ombudsmen, who has not been replaced? What about the impact of Section 14 of the Privacy Act? What about the legal status of the assurances? What about the definition of bulk transfers? What about the interpretation of PPD—28? The Commission could have addressed all these things in its statement.
I would really urge the Commission not just to repeat what should be done, but actually to be on top of things. That is the way the Americans would do it, so why do we not do it on behalf of our citizens?
Two final issues, because this is not about party politics, Mrs Stevens; there is a legal challenge before the ECJ. There is also the other issue, namely that national DPAs may actually decide to suspend the transfers and then we have legal uncertainty. It is not by asking critical questions that we create legal uncertainty; it is by not asking the Americans critical questions. So I would say to the Commissioner, please make privacy great again.
Cornelia Ernst, im Namen der GUE/NGL-Fraktion. – Frau Präsidentin! Genau so ist es. Nein, mit dem privacy shield können wir keinen Frieden schließen. Wir finden, dass das auch keine angemessene Antwort auf das Schrems-Urteil und auf das zu Fall gebracht Safe-Harbour-Abkommen ist, weil es eben keinen gleichen Datenschutz für alle bietet, weil die Massenüberwachung zum Zwecke der Strafverfolgung weiterhin pauschal und anderswo stattfinden soll, weil riesige Datenmengen – wie wir alle wissen – weiter fröhlich frei Haus ohne richterliche Ermächtigung an 16 US-Behörden geliefert werden, weil der vom US-Außenministerium eingesetzte Ombudsmann ein Feigenblatt ist, wie wir alle wissen, weil viele US-Organisationen, die beim privacy shield mitmachen wollen, noch nicht mal eine Datenschutzbehörde haben und weil US-Präsident Trump immerhin ein Dekret unterzeichnet hat, das Nicht-US-Bürger vom Datenschutz ausnehmen will. Wer da noch von Schutzschild redet, der ist ein Träumer. Der privacy shield, von dem hier gesprochen wird, ist ein offenes Scheunentor für Willkür zulasten der Grundrechte.
Und es kann noch viel ärger kommen, wenn es nämlich so ist, dass der US-Senat und das Repräsentantenhaus ein Verbot faktisch gekippt haben, dass das Verbot der Telekomaufsicht FCC praktisch gekippt wurde, sodass Internetprovider danach praktisch ohne Zustimmung ihrer Kunden private Daten sammeln und verkaufen können.
So. Stimmt Donald Trump dem noch zu, dann ist der US-amerikanische Datenschutz Spaß – so sage ich das mal. Wir teilen daher in allen Punkten die kritische Sicht der Entschließung voll und ganz, weil die Probleme in keiner Weise behoben sind.
Judith Sargentini, namens de Verts/ALE-Fractie. – We leven niet onder een steen en de Groenen begrijpen heel goed dat het mogelijk moet blijven om persoonlijke data voor commerciële doeleinden naar de Verenigde Staten te blijven sturen. Facebook is leuk, whatsappen is eigenlijk niet meer weg te denken, maar het versturen van onze persoonlijke gegevens mag niet ten koste van alles gaan. Onze grondrechten verdienen bescherming en ik maak me daarom zorgen over het privacyschild in zijn huidige vorm, want de bescherming van onze persoonsgegevens is aan de andere kant van de oceaan niet gegarandeerd.
Wanneer de Amerikanen claimen dat de nationale veiligheid in het geding is, blijft analyse van bulkgegevens mogelijk. Laat mij dat nog een keer herhalen en onderstrepen: onder het privacyschild mogen bulkgegevens nog steeds geanalyseerd worden. Dat op zich is voldoende om het privacyschild te verwerpen. Het Europees Hof was toch helder? Opslag en analyse van bulkgegevens is verboden. We kunnen er dus de klok op gelijkzetten: het privacyschild zal net zoals Safe Harbour sneuvelen in Luxemburg.
De resolutie waarover we morgen stemmen, herhaalt dus nog een keer wat we allemaal weten: onder het privacyschild blijven onze rechten in de VS substantieel lager dan hier in de Europese Unie. Niet equivalent, neen, lager. Wat doen we dus? Zijn we hardleers en wachten we tot Max Schrems en zijn kompanen van Ierland naar Luxemburg zijn gereisd en het Hof ons op de vingers tikt? Of gaat de Europese Commissie nu heronderhandelen met de Amerikanen?
Ik zie bovendien dat de belangen van de Amerikaanse commercie uitstekend worden behartigd door de EVP en de ECR. Zij hebben een alternatieve resolutie die kiest voor de bedrijven en tegen de grondrechten van onze burgers. Maar, vrienden aan de rechterkant, een verdrag dat ieder moment door het Hof nietig kan worden verklaard, is niet goed voor business. Het maakt business onbetrouwbaar. Ook de commercie heeft baat bij heronderhandelingen, en dus vraag ik u om onze amendementen die vragen om heronderhandeling te steunen.
Viviane Reding (PPE). – Madam President, my question is simply: is the Privacy Shield stillborn? Vault 7 revealed that the CIA tapped directly into our smartphones; Microsoft and Apple court cases exposed the FBI tendency to bypass existing legal frameworks to access data; the Congressional Review Act allowed Comcast, AT&T and Verizon to use people’s data without their consent and Trump’s Muslim ban ordered agencies to exclude non-American citizens, not only Muslims, from their privacy policies.
Now all this has taken place after the adoption of the new framework and all eyes are now riveted on the Foreign Intelligence Surveillance Act (FISA) Section 702. I would like to ask the Commissioner, does she really feel assured? The Article 29 Working Group does not because yes, the Privacy Shield has improved Safe Harbour but, no, it did not assuage many of our concerns.
The problem is, and always has been, the use of national security as a blanket exemption and this is one of the numerous questions that need answers, most of all during the upcoming review. Concrete evidence must prevail over alternative facts, legal obligations over written commitments, MEPs’ demands over Congressmen’s promises.
We must build a transatlantic digital bridge on a rock-solid privacy pillar and unfortunately, I have the feeling that the shield might already have turned into a smokescreen.
Birgit Sippel (S&D). – Frau Präsidentin! Erst nachdem der Europäische Gerichtshof das Safe—Harbour—Regime für nichtig erklärte, hat sich die Kommission bemüht, bessere Regeln zum Datentransfer in die USA zu schaffen. Doch trotz einiger Fortschritte kann mich das Ergebnis in seiner Gesamtheit nicht überzeugen. Es ist nach wie vor schwierig, sich rechtlich gegen den Missbrauch seiner Daten zu wehren. Die Ombudsperson in den USA ist nicht unabhängig genug. US—Firmen sind nicht verpflichtet, persönliche Daten zu löschen, wenn sie nicht mehr notwendig sind. Das größte Problem ist jedoch, dass auch der neue Datenschutzschild Massenüberwachung nicht ausschließt. Der Europäische Gerichtshof hat in seinem Urteil zur Aufhebung des Vorgängers „Safe Harbour“ jedoch klargemacht: Der generelle Zugriff auf Inhalte elektronischer Kommunikation verletzt den Wesensgehalt, den Kern des Grundrechts auf Achtung des Privatlebens.
Demnächst steht die erste Überprüfung des privacy shield an. Uns Sozialdemokraten ist wichtig, dass die erwähnten Kritikpunkte dort ausreichend Beachtung finden und Rechtssicherheit geschaffen wird. Das Parlament kann den privacy shield nicht aussetzen, die Kommission schon, sofern die Mängel im Grundrechtsschutz zu groß sind. Ich bedaure es sehr, dass die Konservativen im Innenausschuss unsere gemeinsam ausgehandelte Entschließung nicht unterstützen wollten. Scheinbar sind ihnen schnelle Scheinlösungen für Unternehmen wichtiger als nachhaltige, grundrechtsfreundliche Ansätze, die auch mehr Rechtsschutz für die betroffenen Unternehmen bieten.
Ich hoffe daher, dass wir im Plenum eine Mehrheit für diese Entschließung finden werden. So können wir ein Signal an die Kommission senden. Das Europäische Parlament wird das Funktionieren des privacy shield in der Praxis äußerst kritisch verfolgen. Wenn die Überprüfung ergibt, dass der privacy shield nicht mit der EU—Grundrechtecharta und den neuen EU—Datenschutzregeln im Einklang steht, muss die Kommission ihn aussetzen. Sonst riskiert sie die Blamage, dass auch dieser Schutzschild erneut vor dem Europäischen Gerichtshof scheitert.
Martina Anderson (GUE/NGL). – Madam President, last year some of us stood here and warned that the Commission’s EU-US Privacy Shield agreement would not protect citizens’ privacy rights; and how right we were. The so-called ‘shield’ is an insult to citizens across Europe whose privacy has been further undermined.
The agreement allows the US intelligence to carry out mass surveillance and collect huge amounts of private data and bulk information indiscriminately. It allows US companies to collect data on individual citizens every time they go online, with no effective legal protection, and it is only voluntary. It only applies to companies that have signed up. The rest can run fancy free with our information. So this shambles breaches our fundamental privacy rights and it needs to be fixed.
It needs to be fixed urgently with a robust, effective and enforceable system that protects the privacy rights of citizens, not the interest of spooks and big business. I would call on the Commissioner to fix it before the European Court of Justice forces you to do so for a second time.
Ana Gomes (S&D). – Senhora Presidente, como frisamos na resolução sobre big data e direitos fundamentais que redigi e que foi aprovada por este Parlamento, no mês passado, nesta era digital é de extrema importância reforçar a confiança dos cidadãos no uso das novas tecnologias da comunicação e assegurar a segurança dos dados pessoais recolhidos online e por todo o tipo de aparelhos eletrónicos.
Estes princípios aplicam-se necessariamente às transferências transatlânticas de dados para garantir segurança jurídica a empresas e cidadãos, num quadro legal, robusto em regimes de proteção de dados equivalentes e menos vulneráveis à utilização criminosa e indevida. Esta resolução do Parlamento Europeu reconhece que o escudo de proteção da privacidade entre a União Europeia e os Estados Unidos contém melhorias significativas no que diz respeito à clareza das normas, em comparação com o antigo regime, dito de porto seguro, em resultado dos esforços da Comissão Europeia para solucionar as insuficiências suscitadas pelo Tribunal de Justiça, o grupo de trabalho do artigo 29 e pelo Parlamento Europeu, entre outros.
Ainda assim, o Parlamento aponta várias reservas, estando em causa quer os aspetos comerciais quer o acesso por parte das autoridades públicas dos Estados Unidos aos dados transferidos da União Europeia. E numero apenas algumas, como a ausência de regras específicas em matéria de decisões automatizadas e a aplicação dos princípios do escudo a subcontratantes.
A ausência de um direito geral de oposição por parte dos cidadãos, a necessidade de garantias sobre a independência e os poderes do mecanismo de mediação e a ausência de garantias sobre a não realização de uma recolha maciça indiscriminada de dados pessoais que é proibida pela Carta Europeia dos Direitos Fundamentais.
Todas estas preocupações podem conduzir a uma contestação deste regime junto dos tribunais. Para além disso, a situação política nos Estados Unidos é hoje claramente diferente. Não podemos ignorar, Senhora Comissária, o impacto da eleição de Donald Trump no cumprimento do acordo e das garantias dadas pela administração Obama. Trump já demonstrou completo desprezo por acordos celebrados pela anterior administração. Ainda esta semana o Presidente promulgou uma lei que dá às operadoras da Internet nos Estados Unidos a liberdade de venda dos dados dos seus clientes, tais como histórico de navegação e restante informação privada, ao mercado publicitário, sem o consentimento das pessoas em causa, o que demonstra o desprezo da nova administração pelas garantias mínimas de proteção da privacidade e de dados pessoais que existiam anteriormente.
É por isso que, por ocasião da primeira reapreciação conjunta anual, a Comissão deve proceder a uma análise aprofundada de todas as lacunas e deficiências que estão referidas nesta resolução e tem que verificar a compatibilidade das novas leis e ordens executivas de Trump com os compromissos assumidos no quadro do escudo de proteção da privacidade, bem como o seu impacto ao nível da proteção dos dados...
(A Presidente retira a palavra à oradora.)
Věra Jourová,Member of the Commission. – Madam President, I said at the beginning that I very much appreciate the opportunity to take part in the discussion here today, to answer your questions and to hear your views because I think the period between the moment when we started the full functioning of Privacy Shield and the first annual report, which will come out as late as September, is very important. I am grateful for hearing your views, including the critical voices, because we take all of them very seriously and share many of them. That is why – as I also said at the beginning – we are closely monitoring the situation in the United States. It is not true that we only say what should be done. I am informing you about the things we are doing. This is something I want to emphasise very strongly.
I am aware of the fact – as Mr Moraes, Mr Voss and some others clearly said – that at the moment we still do not have a full assessment of the functioning of Privacy Shield, because this is just the beginning. It is also for this reason that I am glad about the idea which we discussed today with the Chair of the Committee on Civil Liberties, Justice and Home Affairs, namely that I could come in the first half of this year to give full information about how we see and assess the functioning of Privacy Shield. This is my commitment which I would like to repeat here in the plenary.
When I say that the first annual review will be the moment of truth, I mean it very seriously. This must not be just another report. I want to give an honest and true reflection of the situation. That is why I want to use all possible channels to have this fully-fledged review which will reflect how Privacy Shield protects the privacy of Europeans and whether it fully protects according our requirement, the requirement of European law, and the requirement of the court ruling.
That is why I want to take all the inputs from the State Administration, from the Article 29 Working Party on the European side and the Federal Trade Commission on the American side. I want to take on board all the critical comments from the NGOs. I spoke to NGOs on both the European and American sides. They are very critical and share some of the concerns which you voiced here today. I want to a create a precise and detailed questionnaire which will be sent to the certified companies – the companies which have been certified under Privacy Shield – so that we receive information from them about the number of requests from the intelligence services and security bodies on the American side, and much other detailed information. I also want to use the media reports about the atmosphere, tendencies and trends in the United States to capture something which I call a real feel for how to look at the situation in the United States.
We must focus on three main things: the legal environment in the United States; the capacities which the United States partners invest in the full functioning of Privacy Shield; the way Privacy Shield is used and respected by the certified companies; and the way Privacy Shield is used by the citizens themselves, because, as you know, an important part of the Privacy Shield mechanism is offering new ways of redress for EU citizens. These are the things which we are going to fully focus and reflect on through the first annual review.
Mrs in 't Veld asked for a specific answers to some questions. I will try to answer them now but, as I said, we are ready to give you more detailed responses whenever you ask. On the Ombudsperson, the Privacy and Civil Liberties Oversight Board (PCLOB) and the Federal Trade Commission, what I said before is relevant, namely that we are focusing on the United States institutions to be fully equipped as regards the capacities and the responsible leadership to keep Privacy Shield running. We shared our concerns in Washington about the fact that we do not see any persons nominated or appointed to these positions. We now have to face the reality that the new American Administration still has to appoint about 5 000 people to senior positions in the State Administration, out of which 1 000 must also be also endorsed and authorised by the Senate. The Ombudsperson, for instance, is one of them so we will now have to negotiate with and monitor the work of the acting Ombudsperson. My colleague has spoken to this person, so we are in contact and they understand how important this is for us. As for the Ombudsperson, I will rely for the review on the information from the Ombudsperson’s office because there should not only be information about the complaints he or she received, but also information about how many requests were sent from the intelligence services to the companies. I will push hard to get such information because we also want the Ombudsperson to act as the relevant source of trustworthy information for us.
On PCLOB the situation is similar. We urge the American side to have the full capacity of the Federal Trade Commission. I spoke to its acting Chair, and we made it very clear that we are waiting for the official new representation. On PPD-28, we have been assured that no changes are foreseen, but we will of course keep monitoring this. We also have strong allies in the Congress and among the experts who are monitoring the situation on this piece of legislation, which I made absolutely clear to our American partners is the main pillar, as it is for the American legislation, for keeping Privacy Shield running. This is what we need to see in place and fully functioning.
Regarding Section 702 of the Foreign Intelligence Surveillance Act (FISA), still no information can be received on whether there will be amendments or whether it will continue in the same way as it is in force now. We have to follow all the information we receive in the months to come, but I am rather sceptical about whether before the review we will have anything more concrete about whether there will be any changes. I made it very clear that, if there are changes to the detriment of the situation for the protection of Europeans’ private data, we will have to act because this is an absolutely crucial piece of legislation for Privacy Shield.
The situation on the executive order is different, according to our legal analysis, because the protections of Privacy Shield are not based on the US Privacy Act. Therefore the executive order which you mentioned has no impact on this. This is the executive order on enhancing public safety. In Section 14 this concerns protections under the US Privacy Act of 1974. The Privacy Act only applies to US citizens and permanent residents. The Obama Administration had instructed federal agencies to use their discretion also to apply these protections to others in the context of migration databases and this policy has now has been reversed. But let us be clear: as I indicated, the Privacy Act never granted any rights to Europeans. That is why we had to negotiate new arrangements, notably the umbrella agreement and the accompanying Judicial Redress Act, to ensure the necessary protection for Europeans and these remain unaffected by the executive order. This has also been confirmed in writing by the United States.
Let me conclude by saying that for us the main message to take to Washington was that we can see that security is a very high priority in the United States. I made it absolutely clear that for us the protection of Europeans’ private data is a very high priority and a fundamental right which must also be protected in the transfer of data to the United States. I think that this was well understood by all our key American partners. I would say that the protection of private data must remain great, not be made great again. This was our message to our American partners.
Elnök asszony. – Köszönöm szépen Biztos asszonynak a tényleg kimerítő és átfogó válaszát, csak remélni tudjuk, hogy ez az adatvédelmi pajzs által biztosított védelem is ilyen jól fog működni.
Kettő állásfoglalásra irányuló indítványt juttattak el hozzám, melyeket az eljárási szabályzat 123. cikkének (2) bekezdésével összhangban nyújtottak be.A vitát lezárom.