European Parliament resolution of 4 July 2013 on the US National Security Agency surveillance programme, surveillance bodies in various Member States and their impact on EU citizens’ privacy (2013/2682(RSP))
The European Parliament,
– having regard to Articles 2, 3, 6 and 7 of the Treaty on European Union (TEU) and to Article 16 of the Treaty on the Functioning of the European Union (TFEU),
– having regard to the Charter of Fundamental Rights of the European Union and to the Convention for the Protection of Human Rights and Fundamental Freedoms (ECHR),
– having regard to Council of Europe Convention 108 of 28 January 1981 for the Protection of Individuals with regard to Automatic Processing of Personal Data and the additional protocol thereto of 8 November 2001,
– having regard to EU law on the right to privacy and data protection, in particular Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and to the free movement of such data, Framework Decision 2008/977/JHA on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters, Directive 2002/58/EC on privacy and electronic communications, and Regulation (EC) No 45/2001 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data,
– having regard to the Commission proposals for a regulation and for a directive on the reform of the data protection regime in the EU,
– having regard to the EU-US Mutual Legal Assistance Agreement allowing exchange of data for the prevention and investigation of criminal activities, to the Convention on Cybercrime (CETS No 185), to the EU-US Safe Harbour Agreement (2000/520/EC) and to the current revision of the Safe Harbour scheme,
– having regard to the US Patriot Act and to the Foreign Intelligence Surveillance Act (FISA), including Section 702 of the 2008 FIS Amendment Act (FISAAA),
– having regard to the ongoing negotiations on an EU-US framework agreement on the protection of personal data when transferred and processed for police and judicial cooperation purposes,
– having regard to its previous resolutions on the right to privacy and data protection, in particular that of 5 September 2001 on the existence of a global system for the interception of private and commercial communications (Echelon interception system)(1),
– having regard to the statements by the President of the European Council, Herman van Rompuy, the President of the European Parliament, Martin Schulz, the Vice‑President of the Commission / Commissioner for Justice, Fundamental Rights and Citizenship, Viviane Reding, and the Vice‑President of the Commission / High Representative of the Union for Foreign Affairs and Security Policy, Catherine Ashton,
– having regard to Rule 110(2) and (4) of its Rules of Procedure,
A. whereas the transatlantic partnership between the EU and the US must be based on mutual trust and respect, loyal and mutual cooperation, respect for fundamental rights and the rule of law;
B. whereas the Member States are obliged to respect the fundamental rights and values enshrined in Article 2 TEU and in the Charter of Fundamental Rights;
C. whereas adherence to these principles is currently in doubt after reports in the international press in June 2013 revealed evidence that, through programmes such as PRISM, the US authorities are accessing and processing on a large scale the personal data of EU citizens using US online service providers;
D. whereas this doubt concerns not only the actions of US authorities, but also those of several EU Member States, which according to the international press have cooperated with PRISM and other such programmes or obtained access to the databases created;
E. whereas, furthermore, several Member States have surveillance programmes of a similar nature to PRISM or are discussing the setting-up of such programmes;
F. whereas particular questions have been raised regarding the compatibility with EU law of the practice of the UK intelligence agency Government Communications Headquarters (GCHQ) directly tapping into undersea transatlantic cables carrying electronic communications, under a programme codenamed Tempora; whereas other Member States reportedly access transnational electronic communications without a regular warrant but on the basis of special courts, share data with other countries (Sweden), and may enhance their surveillance capabilities (the Netherlands, Germany); whereas concerns have been expressed in other Member States in relation to the interception powers of secret services (Poland);
G. whereas there are indications that EU institutions and EU and Member State embassies and representations have been subjected to US surveillance and spying activities;
H. whereas Commissioner Reding has written a letter to the US Attorney General, Eric Holder, raising European concerns and asking for clarification and explanations regarding PRISM and other such programmes involving data collection and searching, and the laws under which such programmes may be authorised; whereas a full response from the US authorities is still pending, despite the discussions which took place at the EU-US Justice Ministerial meeting in Dublin on 14 June 2013;
I. whereas, under the Safe Harbour Agreement, the Member States and the Commission are entrusted with the duty of guaranteeing the security and integrity of personal data; whereas the companies involved in the PRISM case, as reported in the international press, are all parties to the Safe Harbour Agreement; whereas, under Article 3 of that agreement, the Commission has a duty, should the provisions of the agreement not be complied with, to reverse or suspend it;
J. whereas the EU-US Mutual Legal Assistance Agreement, as ratified by the Union and the US Congress, stipulates modalities for gathering and exchanging information, and for requesting and providing assistance in obtaining evidence located in one country to assist in criminal investigations or proceedings in another;
K. whereas it would be unfortunate if the efforts to conclude a Transatlantic Trade and Investment Partnership (TTIP), which demonstrates the commitment to further strengthen the partnership between the EU and the US, were to be affected by the recent allegations;
L. whereas on 14 June 2013 Commissioner Malmström announced the setting-up of a transatlantic group of experts;
M. whereas Commissioner Reding has written to the UK authorities to express concern about media reports on the Tempora programme and asking for clarification of its scope and operation; whereas the UK authorities have defended the GCHQ’s surveillance activities and affirmed that they operate under strict and lawful guidelines;
N. whereas data protection reform is under way at EU level, through the revision of Directive 95/46/EC and its replacement with the proposed general Data Protection Regulation and the Data Protection Directive on the protection of individuals with regard to the processing of personal data by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and the free movement of such data;
1. Expresses, while confirming its ongoing support for transatlantic efforts in the fight against terrorism and organised crime, serious concern over PRISM and other such programmes, since, should the information available up to now be confirmed, they may entail a serious violation of the fundamental right of EU citizens and residents to privacy and data protection, as well as of the right to private and family life, the confidentiality of communications, the presumption of innocence, freedom of expression, freedom of information, and the freedom to conduct business;
2. Strongly condemns the spying on EU representations as, should the information available up to now be confirmed, it would imply a serious violation of the Vienna Convention on Diplomatic Relations, in addition to its potential impact on transatlantic relations; calls for immediate clarification from the US authorities on the matter;
3. Calls on the US authorities to provide the EU, without undue delay, with full information on PRISM and other such programmes involving data collection, in particular as regards their legal basis, necessity and proportionality and the safeguards implemented to protect the fundamental rights of EU citizens, such as limitation of scope and duration, conditions for access, and independent supervision, as provided for under the Convention on Cybercrime and as requested by Commissioner Reding in her letter of 10 June 2013 to Attorney General Eric Holder; calls on the US authorities to suspend and review any laws and surveillance programmes that violate the fundamental right of EU citizens to privacy and data protection, the sovereignty and jurisdiction of the EU and its Member States, and the Convention on Cybercrime;
4. Calls on the Commission, the Council and the Member States to give consideration to all the instruments at their disposal in discussions and negotiations with the US, at both political and expert level, in order to achieve the above-mentioned objectives, including the possible suspension of the passenger name record (PNR) and terrorist finance tracking programme (TFTP) agreements;
5. Demands that the transatlantic expert group, as announced by Commissioner Malmström and in which Parliament will participate, be granted an appropriate level of security clearance and access to all relevant documents in order to be able to conduct its work properly and within a set deadline; further demands that Parliament be adequately represented in this expert group;
6. Calls on the Commission and the US authorities to resume, without delay, the negotiations on the framework agreement on the protection of personal data when transferred and processed for police and judicial cooperation purposes; calls on the Commission, during these negotiations, to make sure that the agreement meets at least the following criteria:
(a)
granting EU citizens the right to information when their data is processed in the US;
(b)
ensuring that EU citizens’ access to the US judicial system is equal to that enjoyed by US citizens;
(c)
granting the right to redress, in particular;
7. Calls on the Commission to ensure that EU data protection standards, and the negotiations on the current EU data protection package, are not undermined as a result of the Transatlantic Trade and Investment Partnership (TTIP) with the US;
8. Calls on the Commission to conduct a full review of the Safe Harbour Agreement in the light of the recent revelations, under Article 3 of that agreement;
9. Expresses serious concern at the revelations relating to the alleged surveillance programmes run by Member States, either with the help of the US National Security Agency or unilaterally; calls on all the Member States to examine the compatibility of such programmes with EU primary and secondary law, in particular Article 16 TFEU on data protection, and with the EU’s fundamental rights obligations deriving from the ECHR and the constitutional traditions common to the Member States;
10. Stresses that all companies providing services in the EU must comply with EU law without exception and are liable for any breaches;
11. Stresses that companies falling under third-country jurisdiction should provide users located in the EU with a clear and distinguishable warning concerning the possibility of personal data being processed by law enforcement and intelligence agencies following secret orders or injunctions;
12. Regrets the fact that the Commission has dropped the former Article 42 of the leaked version of the Data Protection Regulation; calls on the Commission to clarify why it decided to do so; calls on the Council to follow Parliament’s approach and reinsert such a provision;
13. Stresses that in democratic and open states based on the rule of law, citizens have a right to know about serious violations of their fundamental rights and to denounce them, including those involving their own government; stresses the need for procedures allowing whistleblowers to unveil serious violations of fundamental rights and the need to provide such people with the necessary protection, including at international level; expresses its continued support for investigative journalism and media freedom;
14. Calls on the Council, as a matter of urgency, to accelerate its work on the whole of the Data Protection Package, and specifically on the proposed Data Protection Directive;
15. Stresses the need to set up a European equivalent of the mixed parliamentary-judicial control and inquiry committees on intelligence services that currently exist in some Member States;
16. Instructs its Committee on Civil Liberties, Justice and Home Affairs to conduct an in‑depth inquiry into the matter in collaboration with national parliaments and the EU-US expert group set up by the Commission and to report back by the end of the year, by:
(a)
gathering all relevant information and evidence from both US and EU sources (fact‑finding);
(b)
investigating the alleged surveillance activities of US authorities as well as any carried out by certain Member States (mapping of responsibilities);
(c)
assessing the impact of surveillance programmes as regards: the fundamental rights of EU citizens (in particular the right to respect for private life and communications, freedom of expression, the presumption of innocence and the right to an effective remedy); actual data protection both within the EU and for EU citizens outside the EU, focusing in particular on the effectiveness of EU law in respect of extraterritoriality mechanisms; the safety of the EU in the era of cloud computing; the added value and proportionality of such programmes with regard to the fight against terrorism; the external dimension of the area of freedom, security and justice (assessing the validity of adequacy decisions for EU transfers to third countries, such as those carried out under the Safe Harbour Agreement, international agreements and other legal instruments providing for legal assistance and cooperation) (damage and risk analysis);
(d)
exploring the most appropriate mechanisms for redress in the event of confirmed violations (administrative and judicial redress and compensation schemes);
(e)
putting forward recommendations aimed at preventing further violations, and ensuring credible, high-level protection of EU citizens’ personal data via adequate means, in particular the adoption of a fully-fledged data protection package (policy recommendations and law‑making);
(f)
issuing recommendations aimed at strengthening IT security in the EU’s institutions, bodies and agencies by means of proper internal security rules for communication systems, in order to prevent and remedy unauthorised access and the disclosure or loss of information and personal data (remedying of security breaches);
17. Instructs its President to forward this resolution to the Commission, the Council, the Council of Europe, the parliaments of the Member States, the US President, the US Senate and House of Representatives and the US Secretaries for Homeland Security and Justice.