Dobesedni zapisi razprav

Četrtek, 20. maj 2021 - Bruselj

5. Data Protection Commissioner proti Facebook Ireland Limited in Maximillianu Schremsu („Schrems II) - Zadeva C-311/18 - Ustrezno varstvo osebnih podatkov v Združenem kraljestvu (razprava)

  President. – The next item is the joint debate on

– the Council and Commission statements on Data Protection Commissioner v Facebook Ireland Limited, Maximillian Schrems (“Schrems II”) – Case C 311/18 (2020/2789(RSP)), and

– the Council and Commission statements on the adequate protection of personal data by the United Kingdom (2021/2594(RSP)).

  Ana Paula Zacarias, President-in-Office of the Council. – Mr President, I would like to thank the Commissioner and honourable Members for this debate on data protection adequacy.

The Council believes that the EU must find the best solution to make the transfer of personal data possible to a European Economic Area third country, territory or international organisation, while at the same time respecting EU legislation and case-law. When the conditions are fulfilled, adequacy decisions should be adopted.

This is in line with the European Council Conclusions of October 2020, in which the heads of state or government welcomed the European strategy for data. This strategy supports the European Union’s global digital ambition to build a true European competitive data economy while ensuring values and a high level of data security, data protection and privacy. As you know, the Council itself does not take part in the adoption of adequacy decisions, although Member States are involved in the comitology procedures.

This being said, let’s look at the transfer of personal data to the UK. According to the Commission explanations provided in the draft decision, the UK has chosen to keep its data protection framework fully aligned with the EU rules. The UK has strong safeguards in the area of government access to data and therefore provides an equivalent to data protection. These elements are essential, both to safeguard economic activity and to maintain a high level of cooperation with the UK in different sectors, including law—enforcement cooperation. The Trade and Cooperation Agreement (TCA) provides for a maximum of six months during which the UK is not to be considered a third country for the purpose of transferring personal data, and, as you know, this period expires at the end of June.

After the draft adequacy decisions have been presented by the Commission and the European Data Protection Board provides its opinion, the process of adopting the adequacy decisions should be completed in time to make sure that there is a solid legal base for the transfer of personal data with the UK. So, we will continue to support the Commission to come up with solutions that at the same time respect the fundamental rights of the Union and the TCA timeframe. That is essential, both to safeguard economic activity, in particular for SMEs and startups, and to maintain a high level of cooperation with the UK in different sectors, including law enforcement, as I said, and judicial cooperation. The UK will continue to be a very important partner of the European Union in these areas.

Besides, adequacy decisions are not the end of the story – it is always important to keep an eye on evolution in the third state concerned, and the adequacy decisions provide for such a mechanism, in addition to the well—known sunset clause. This is also an important safeguard as it is important to make sure that the UK maintains a high level of protection of personal data in the future, and, if there are problematic divergences, this will certainly have consequences.

Now let’s talk about the transfer of personal data to the United States. Turning to this point, it is clear that the invalidation of the Privacy Shield by the European Court of Justice has important implications, even if the Court upheld the validity of the standard contractual clauses. These standard contractual clauses for the transfer of personal data will soon be updated, and they play an important role by providing additional legal certainty. We are confident that negotiations will intensify, following the joint statement by Commissioner Reynders and the US Secretary of Commerce, Gina Raimondo, of 25 March.

The Council and the Member States are following these negotiations closely on the basis of information provided by the Commission and I look forward to hearing Commissioner Reynders speak on this topic.

  Didier Reynders, Member of the Commission. – Mr President, I am grateful for the opportunity to discuss with you all this morning two important draft resolutions of this Parliament: a first one on the consequences and lessons of the Schrems II judgment and a second one on the UK draft adequacy decisions.

On 16 July last year, the European Court of Justice invalidated the EU-US Privacy Shield, concluding that insufficient protections were in place on the US side. The Schrems II ruling is a strong reaffirmation of the fundamental right to data protection under EU law. The Court confirmed that protection must travel with data, and that the level of this protection must meet EU standards.

In this ruling, the Court also provided us with precise requirements that need to be fulfilled when adopting adequacy decisions, such as the ones we have proposed with respect to the UK, and the one we are discussing with the US, in view of a possible successor to the Privacy Shield.

This being said, the two resolutions that we are discussing today concern two situations that are very different. The one concerning the draft UK adequacy decisions is about managing and remedying possible future divergence, since the UK data protection rules are currently aligned with the EU ones. In contrast, the other resolution is about building convergence with important international partners, such as the US, through the development of additional and strong data protection safeguards.

Complying with EU law standards, including the case-law of the EU Court of Justice, calls, in particular, for the delicate balance between national security and privacy to be addressed. This is not an easy balance to strike. As the commissioner responsible for both the rule of law and the protection of personal data, it is my responsibility and my personal commitment to ensure full compliance with all the elements of the judgment of our highest Court.

Let me now briefly turn to each of the two resolutions. Let me first address the draft adequacy decisions relating to the United Kingdom. Less than three weeks ago, an overwhelming majority in this plenary voted to approve the EU-UK Trade and Cooperation Agreement (TCA) by 660 votes in favour. Data protection standards were not subject to negotiation with the UK. In fact, the TCA provides that transfers of data to be carried out in the context of its implementation will need to take place in compliance with the requirements of the laws of the transferring party (which means, for the EU, the General Data Protection Regulation (GDPR) and the Law Enforcement Directive (LED)).

In this context, the EU’s interest is that the many transfers that will necessarily take place in application of the TCA, in a wide range of areas, from trade to law-enforcement cooperation, will be based on a comprehensive instrument, requiring a high level of protection. Such an instrument should also allow us to react if this level of protection is undermined.

This is what our draft adequacy decisions provide for.

First, they recognise that today the UK system continues to be based on the same rules that were applicable when the UK was a Member State of the EU. This is the result of a deliberate choice of the UK legislator, which has decided to fully incorporate the principles, rights and obligations of the GDPR and the Law Enforcement Directive into the British post-Brexit legal system. It is difficult to find a system that is more equivalent to ours.

In addition, the UK shares with EU Member States a number of international commitments in the area of data protection, be it under the European Convention on Human Rights, as interpreted by the European Court of Human Rights, or the specific treaty on data protection of the Council of Europe. This is particularly important as regards the balance between national security and privacy: it means that also in that area, the UK adheres to the same standards as the EU Member States.

This is why we have made very clear in our draft decisions that adherence to such international instruments is a central element of an adequacy finding.

Second, recognising the current alignment between the UK and the EU does not mean that we are naïve or unprepared. We fully share Parliament’s concerns on the possible future evolution of the UK system. Brexit means that the UK data protection system will be administrated in a fully autonomous way. Even very similar rules can be interpreted, applied or enforced differently. The key question is therefore, in our view, whether we can trust the UK not to lower the current level of protection.

The Commission is aware of the scepticism of a number of Members of this Parliament towards the UK in this regard. As President von der Leyen said of our new relationship with the UK, ‘trust is good, but law is better’.

This is why we have significantly reinforced certain important aspects of our approach on adequacy compared to previous decisions concerning other third countries. In particular, our proposed decisions – for the first time – strictly limit the duration of the adequacy findings by including a sunset clause: the decisions will automatically expire four years after their entry into force. If we were to consider that our adequacy findings can be renewed because the UK continues to ensure an adequate level of data protection, this will need to be subject to new decisions. Such decisions will have to be adopted following the entire adequacy decision-making process, with an opinion of the European Data Protection Board and a comitology procedure.

By including that time limitation, we make clear towards the UK that possible problematic divergences will have consequences. This comes on top of – and does not replace – other mechanisms that we have also reinforced, and that would allow us to react immediately at any time, without waiting for the four year-period to expire if changes are introduced in UK law, or if there are practices that would undermine the level of protection. I am thinking of the suspension and termination mechanisms provided for in our draft decisions, in addition to the sunset clause.

Following the receipt in April of the opinion of the European Data Protection Board (EDPB), which was largely in agreement with the Commission’s approach, we have further strengthened these mechanisms by identifying even more clearly in the draft decisions the aspects requiring specific monitoring and for which, in the event of divergence, we would trigger the suspension or termination procedure that we had already provided for in the initial draft. This concerns, for instance, the way the UK will implement its rules on international transfers.

More generally, following the EDPB’s opinion, we have clarified our decisions on a number of aspects regarding both, firstly, why we consider that today the UK ensures an adequate level of protection, and, secondly, how we intend to react if the situation changes.

This includes aspects that I know are particularly important for this Parliament, and that are discussed in the draft resolution: from certain possible limitations to some data protection rights for other objectives of public interest, such as immigration control, to the conditions, limitations and safeguards that apply in the event that national security authorities seek access to data.

Once again, we believe that we can credibly address the uncertainties of the future while recognising that the starting point is an adequate one at this stage. In particular, the sunset clause sends the message to the UK that problematic divergence will have a cost. However, it will only have its intended dissuasive effect if we clearly distinguish, on the one hand, convergence – and its benefits from, on the other hand, divergence – and its risks and consequences.

To sum up, based on our assessment, after having taken into account the opinion of the EDPB, as well as concerns raised by this Parliament and by the Member States, the Commission is of the view that, as things stand, at this stage, we should go ahead with the adequacy decisions.

Let me now turn to the second issue of today’s debate. In response to some of the points raised in the second draft resolution, I would like to update you on what the Commission is doing following the Schrems II judgment.

First, we are finalising the modernisation of standard contractual clauses for international data transfers that fully take into account the requirements of the Schrems II judgment. We are very close to final adoption, which will probably take place in the next weeks, after a successful conclusion of a comitology procedure.

As standard contractual clauses are the most-used tool by European companies for their international data transfers, this is a top priority for us. We have revised the clauses on the basis of the feedback received from the European Data Protection Board and the European Data Protection Supervisor. We have also taken into account the input we received from stakeholders during a broad public consultation.

The new clauses will provide companies with a practical toolbox to assist them in their compliance efforts. Because they are a ready-made tool, they will be particularly useful for SMEs, which, as is also pointed out in the draft resolution, may have limited resources and expertise. In addition, we will be in consultation with stakeholders to develop a user—friendly practical guide on the basis of questions and answers to further facilitate the use of these new standard contractual clauses.

I also fully agree on the importance, stressed in your resolution, of ensuring consistency between the standard contractual clauses and the guidance of the European Data Protection Board on Schrems II, which is currently being finalised after a public consultation. That is why, in revising the draft standard contractual clauses, we have worked very closely with the Board to align our approaches and to provide companies with legal certainty.

Finally, we are also working with the US on a possible successor arrangement to the Privacy Shield. What is certainly positive is that we see real engagement from the administration of President Biden, and a clear willingness to work on possible solutions. This was also reflected in my recent statement with the US Secretary of Commerce Gina Raimondo, with whom I have been in contact on a regular basis since she took office.

At the same time, we also have to recognise that the issues around access to data for national security purposes that have to be addressed are very complex. As like-minded partners, the EU and the US should be able to find appropriate solutions on fundamental principles, such as access to a court, enforceable individual rights, and safeguards against excessive interferences with privacy. But let me be clear: there are no shortcuts and there will be no quick fix. We will only accept a solution that is fully in line with the requirements of Union law, as interpreted by the Court of Justice. This is a question of compliance with the decision of our highest Court. It is also in the mutual interest of the EU and the US that we put in place a solid, sustainable and legally certain transatlantic transfer mechanism.

I know I can count on your support and the support of the entire Parliament for solutions based on strong safeguards, which can, in that way, facilitate transfers. So I will continue to work and discuss this matter with the US in such a way, and I thank you for your attention this morning on those two very important topics and I am now looking forward to our debate.

  Tom Vandenkendelaere, namens de PPE-Fractie. – Voorzitter, commissaris, staatssecretaris, de gegevensbescherming in de Europese Unie is met de komst van de GDPR van het hoogste niveau wereldwijd, ook in relatie tot derde landen. Net daarom zijn die adequaatheidsbesluiten zo cruciaal. Ze verzekeren dat bedrijven en rechtshandhavingsinstanties binnen een duidelijk juridisch kader veilig met elkaar gegevens kunnen uitwisselen.

Begin dit jaar hebben we in dit halfrond de verkiezing van Joe Biden en Kamala Harris op applaus onthaald en was het onze boodschap om de relaties met de VS opnieuw op te bouwen. Dat doen we nu ook met een duidelijke uitgestoken hand om samen met de Commissie te werken aan een nieuw solide, toekomstbestendig kader.

Maar toch ben ik verbaasd. Drie weken geleden klonk hier in deze zelfde kamer, in het debat over de handels- en samenwerkingsovereenkomst, nog vanop alle banken dat vertrouwen de sleutel tot succes is wat betreft onze toekomstige relaties met het Verenigd Koninkrijk. Loze woorden, zo blijkt drie weken later ... In een van de eerste concrete dossiers waarin we dit vertrouwen gestalte kunnen geven, slagen we daar niet in, integendeel! De manier waarop deze resolutie over het adequaatheidsbesluit ten aanzien van het Verenigd Koninkrijk tot stand gekomen is, tart echt alle verbeelding. Van dat vertrouwen richting de Britten om het niveau van gegevensbescherming – dat overigens volledig gebaseerd is op de GDPR – hoog te houden, blijft niets meer over. Van enig vertrouwen in de expertise en de onafhankelijkheid van de Europese Commissie evenmin.

De Europese burger verwacht van ons dat we gegevensbescherming serieus nemen. Maar die verwacht evenzeer van dit Parlement dat we verantwoordelijkheid tonen. Daarom roep ik jullie op: trek niet aan de noodrem. Ondermijn onze samenwerking met de Britten tegen de georganiseerde misdaad niet, houd onze bedrijven niet langer in een wurggreep.

  Juan Fernando López Aguilar, en nombre del Grupo S&D. – Señor presidente, Presidencia portuguesa, señor comisario Reynders, en este debate conjunto discutimos dos asuntos que son competencia de la comisión que tengo el honor de presidir, la Comisión de Libertades Civiles, Justicia y Asuntos de Interior, y de los que he sido ponente.

El punto de conexión son los derechos fundamentales: la protección de datos consagrada en el artículo 8 de la Carta de los Derechos Fundamentales. La Comisión LIBE ha empleado muchas horas desde que entró en vigor la Carta con el Tratado de Lisboa, mucho tiempo de trabajo en aprobar el régimen de protección de datos de mayor estándar del mundo: el Reglamento de protección de datos y la Directiva sobre protección de datos en el ámbito penal. Y ambos tienen que ver con la llamada de atención que hacemos a la Comisión para que reconsidere esa decisión de adecuación del régimen de protección de datos del Reino Unido.

Discutimos durante años el acuerdo de salida del Reino Unido. Y también hemos empleado mucho tiempo en un Acuerdo de Comercio y Cooperación; no solo comercio: cooperación, que incluye transferencia de datos. Pero hemos expresado preocupaciones legítimas que, además, han sido reflejadas en el informe del Comité Europeo de Protección de Datos, que tienen que ver con las excepciones en materia de inmigración y de seguridad que contempla el régimen de protección de datos de los Estados Unidos, que se está aplicando incluso a ciudadanos de la Unión Europea que intentan residir o establecerse en el Reino Unido. Y por supuesto, con la transferencia de datos a los Estados Unidos, que es el segundo asunto que tratamos.

Sentencias determinantes del Tribunal de Justicia, que utilizan la Carta como parámetro de enjuiciamiento, han declarado incompatibles con el Derecho europeo el principio de «puerto seguro», en la sentencia Schrems de 2015, y el Escudo de la privacidad, en la sentencia Schrems de 2020. Lo que quiere decir que transferir datos a los Estados Unidos, que es una práctica habitual del Reino Unido, es incompatible con el estándar de protección del Derecho europeo.

Y esto significa que hay que valorar no solamente la legislación del Reino Unido, sino sus prácticas aplicativas. Y esta es la recomendación que expresa la preocupación legítima que la Comisión LIBE tiene el deber de trasladar a la Comisión. Porque sabemos muy bien que la implementación, el acto de ejecución corresponde a la Comisión y lo va a adoptar.

La Comisión y el Consejo están haciendo su trabajo, pero el Parlamento Europeo hace también su trabajo llamando la atención sobre la importancia de valorar adecuadamente las prácticas aplicativas del Reino Unido en el presente y en el futuro.

  Moritz Körner, im Namen der Renew-Fraktion. – Herr Präsident, liebe Kolleginnen und Kollegen! Wir diskutieren hier oft über Europas Rolle in der Welt, und diese Kommission hat sich sogar zum Auftrag gemacht, eine geopolitische Kommission zu sein. Diesem Anspruch werden wir nicht gerecht, wenn wir nicht in der Lage sind, die Grundrechte der EU-Bürger überall zu schützen und unsere eigenen Regeln hier in Europa in der digitalen Welt durchzusetzen. Safe Harbour, Privacy Shield – beide Abkommen sind vom Europäischen Gerichtshof gekippt worden.

Die US-Sicherheitsgesetze auf der einen und die Grundrechtecharta auf der anderen Seite sind wie zwei Züge, die gegeneinander rasen – sie sind nicht vereinbar. Die entscheidende Frage ist doch an dieser Stelle jetzt: Wer knickt ein? Wird es am Ende so sein, dass es wieder Europa ist? Ich sage hier ganz klar: Wir werden die Grundrechtecharta nicht ändern, und die Urteile des Europäischen Gerichtshofs sind absolut klar. Wir brauchen legislative Änderungen auf der US-Seite bei ihren Sicherheitsgesetzen oder ein EU/US-No-Spy-Abkommen. Das ist klar, dass wir das brauchen.

Die Zeit dafür ist doch günstig. Wir sehen gerade, dass selbst Trump jetzt Sorge hatte bei TikTok, dass chinesische Sicherheitsbehörden Zugriff auf Daten haben. Die Sorge ist berechtigt, aber die Sorge, die wir da bei TikTok sehen – die kennen wir seit Snowden ganz sicher für US-Anbieter. Deswegen müssen wir doch hier klar sagen, auch gegenüber China: Wir brauchen die EU als Partner. Zusammen mit den USA müssen wir doch für Privatsphäre und Datenschutz kämpfen. Jetzt sagen ja einige: Wir müssen jetzt auch beim Vereinigten Königreich möglichst schnell Adequacy machen, wir brauchen da das Abkommen, die Wirtschaft braucht das.

Ehrlich gesagt, das Schlimmste für die Wirtschaft ist die Rechtsunsicherheit. Das Schlimmste ist, dass Sie der Wirtschaft zweimal zugemutet haben, dass sie sich immer wieder auf neue Abkommen eingestellt hat, ihre Prozesse daraufhin ausgerichtet hat, und dann waren sie eben nicht mit EU-Recht vereinbar, und dann hat der Europäische Gerichtshof das gekippt. Das darf nicht noch einmal passieren!

Ich sage das ganz klar auch in Richtung Kommission: Wenn Sie mal mehr tatsächlich Ihren Anspruch deutlich machen würden, weniger das Europäische Parlament, weniger den Europäischen Datenschutzausschuss und mehr unsere internationalen Partner zu beeinflussen, dann würden Sie Ihrer Rolle als tatsächlich geopolitische Kommission mehr gerecht.

  Marco Campomenosi, a nome del gruppo ID. – Signor Presidente, signora Segretaria di Stato, signor Commissario, onorevoli colleghi, la mia premessa è che le preoccupazioni espresse nelle risoluzioni che voteremo oggi sono anche le mie, assolutamente.

Abbiamo deciso di dotarci di standard molto elevati, con un sistema di regole complesso ma a tutela degli utenti e dei cittadini, in questo caso della rete, però non mi sento del tutto convinto nel puntare il dito solo nei confronti di paesi terzi come la Gran Bretagna e gli Stati Uniti, quando vedo che abbiamo delle difficolta estreme nell'applicare i principi del regolamento sulla protezione dei dati anche all'interno dell'Unione europea, perché casualmente, probabilmente attratte dalla cultura gaelica e da un'isola stupenda, i giganti del web hanno scelto di avere sede in Europea in Irlanda.

L'Autorità per la protezione dei dati irlandese, però, che cosa sta facendo? Risponde e porta a termine solo 7 ricorsi sui 10 000 che i cittadini di tutta Europa hanno presentato. Allora un esempio positivo è avvenuto proprio nel mio paese, dove il Garante per la privacy italiano ha utilizzato l'articolo 66 del GDPR, quello per le procedure di circostanza eccezionale, e ha fatto applicare una norma per cui abbiamo un social network cinese che stipulava contratti con ragazzini minori di tredici anni e la situazione è stata risolta in maniera efficiente. Anche la Germania sta seguendo questo esempio.

Quello che mi preoccupa quindi, e sarebbe un peccato non approfittare di questo dibattito per parlarne – l'ho chiesto anche in un'interrogazione fatta pochi giorni fa – è di implementare anche all'interno dell'Unione europea l'applicazione delle regole, perché se i cittadini fanno ricorso ma questi ricorsi non vengano portati avanti, è inutile che ci dotiamo di standard così elevati.

  Gwendoline Delbos-Corfield, on behalf of the Verts/ALE Group. – Mr President, what have we learned from the Schrems judgment? Given that the Commission is ready to hand the United Kingdom an adequacy decision in a too hasty way, we could think the European Union has learned nothing. But we should know better.

The Privacy Shield was invalidated at the European Court of Justice because of the mass surveillance practices used by the US Government, and thanks to the 2013 revelations by Edward Snowden we are well aware now that the UK Government uses similar mass surveillance devices, and it should be obvious to everyone that mass surveillance – indiscriminate mass surveillance – is a huge threat to our fundamental rights.

European citizens have the right to not be considered first as criminals by their governments. European citizens have the right to protect their very personal and sensitive information. In concrete life would it be possible to have someone knocking at your door every five minutes trying to sell you something or make you do something, complete strangers that know everything about you, not only where you went, what you did, who you met, who are your relatives, but very intimate things – your tastes, your habits, your wishes, your frustrations, your dreams, your angers, your joys.

It seems that some lobbies, and maybe some people in the Commission, want to bargain these fundamental rights. And this is not in the interest of citizens, but neither of business, because good business is done with good democratic rules and stability and good faith.

There has been legal uncertainty for too long, there have been various attempts at prioritising hazardous data flows for too long. First, with the US, now with the UK, but soon with third countries which the UK Government will go into trade with, not respecting any of our rules and accepting to share data with no rules. We are at serious risk of sharing personal European citizens’ data everywhere in the world, even with authoritarian countries.

  Assita Kanko, on behalf of the ECR Group. – Mr President, there is a charade happening with some in this Parliament, a charade that could cost jobs across the EU. I strongly believe in the highest standards of data protection. Our citizens deserve to know their data is being treated correctly and lawfully when it leaves the EU, but that is exactly what the United Kingdom is doing. It has fully implemented the GDPR and has committed to maintaining it in words and spirit. The European Commission has confirmed that the UK meets the adequacy criteria, yet still some in this Parliament object.

We already have adequacy agreements with Argentina, Uruguay, Israel, Japan and more. Are we honestly saying that these countries have better data protection standards than the UK, which helped create the EU’s current standards? The British may sometimes appear irritating to the Left, but honestly, they are not dangerous.

The only conclusion I can draw here is that this is payback, but it’s time to leave the past and Brexit where it belongs. After a divorce, people should be able to share a meal together. Let’s start shaping a constructive and fruitful relationship with an important strategic ally. By punishing the UK, you are harming the EU too. Haven’t our businesses already suffered enough in this past year? Businesses and consumers need certainty. Therefore, the PPE and ECR have tabled a better alternative. Please support it.

(The debate was suspended)