Dies ist eine HTML Version eines Anhanges der Informationsfreiheitsanfrage 'EEG expertise on third countries'.


 
European Parliament 
2014-2019 
 
 
TEXTS ADOPTED 
Provisional edition 
 
P8_TA-PROV(2016)0233 
Transatlantic data flows  
European Parliament resolution of 26 May 2016 on transatlantic data flows 
(2016/2727(RSP)) 

 
The European Parliament
–  having regard to the Treaty on European Union (TEU), the Treaty on the Functioning of 
the European Union (TFEU) and Articles 6, 7, 8, 11, 16, 47 and 52 of the Charter of 
Fundamental Rights of the European Union, 
–  having regard to Directive 95/46/EC of the European Parliament and of the Council of 24 
October 1995 on the protection of individuals with regard to the processing of personal 
data and on the free movement of such data1 (hereinafter ‘the Data Protection Directive’), 
–  having regard to Council Framework Decision 2008/977/JHA of 27 November 2008 on 
the protection of personal data processed in the framework of police and judicial 
cooperation in criminal matters2, 
–  having regard to Regulation (EU) 2016/679 of the European Parliament and of the 
Council of 27 April 2016 on the protection of natural persons with regard to the 
processing of personal data and on the free movement of such data, and repealing 
Directive 95/46/EC (General Data Protection Regulation)3, and to Directive (EU) 
2016/680 of the European Parliament and of the Council of 27 April 2016 on the 
protection of natural persons with regard to the processing of personal data by competent 
authorities for the purposes of the prevention, investigation, detection or prosecution of 
criminal offences or the execution of criminal penalties, and on the free movement of such 
data, and repealing Council Framework Decision 2008/977/JHA4, 
–  having regard to Commission Decision 2000/520/EC of 26 July 2000 (the Safe Harbour 
decision), 
                                                 
1   OJ L 281, 23.11.1995, p. 31. 
2   OJ L 350, 30.12.2008, p. 60. 
3   OJ L 119, 4.5.2016, p. 1. 
4   OJ L 119, 4.5.2016, p. 89. 
 

 
–  having regard to the Commission communication to the European Parliament and the 
Council of 27 November 2013 on rebuilding trust in EU-US data flows 
(COM(2013)0846), 
–  having regard to the Commission communication to the European Parliament and the 
Council of 27 November 2013 on the functioning of the Safe Harbour from the 
perspective of EU citizens and companies established in the EU (COM(2013)0847) (the 
Safe Harbour communication), 
–  having regard to the judgment of the European Court of Justice of 6 October 2015 in Case 
C-362/14 Maximillian Schrems v Data Protection Commissioner (EU:C:2015:650), 
–  having regard to the Commission communication to the European Parliament and the 
Council of 6 November 2015 on the transfer of personal data from the EU to the United 
States of America under Directive 95/46/EC following the judgment by the Court of 
Justice in Case C-362/14 (Schrems) (COM(2015)0566), 
–  having regard to the statement of the Article 29 Working Party on the consequences of the 
Schrems Judgment of 3 February 2016, 
–  having regard to the Judicial Redress Act of 2015, which was signed into law by President 
Obama on 24 February 2016 (H.R.1428), 
–  having regard to the USA Freedom Act of 20151, 
–  having regard to the reforms of US signals intelligence activities laid down in Presidential 
Policy Directive 28 (PPD-28)2, 
–  having regard to the Commission communication to the European Parliament and the 
Council of 29 February 2016 entitled ‘Transatlantic data flows: Restoring trust through 
strong safeguards’ (COM(2016)0117), 
–  having regard to Article 29 Working Party Opinion 01/2016 of 13 April 2016 on the EU-
US Privacy Shield draft adequacy decision, 
–  having regard to its resolution of 12 March 2014 on the US NSA surveillance programme, 
surveillance bodies in various Member States and their impact on EU citizens’ 
fundamental rights and on transatlantic cooperation in Justice and Home Affairs3, and to 
its resolution of 29 October 2015 on the follow-up to the European Parliament resolution 
of 12 March 2014 on the electronic mass surveillance of EU citizens4, 
–  having regard to Rule 123(2) and (4) of its Rules of Procedure, 
A.  whereas the European Court of Justice invalidated the Safe Harbour decision in its 
judgment of 6 October 2015 in Case C-362/14 Maximillian Schrems v Data Protection 
Commissioner
 and clarified that an adequate level of protection in a third country must be 
                                                 
1   https://www.congress.gov/114/plaws/publ23/PLAW-114publ23.pdf 
2   https://www.whitehouse.gov/the-press-office/2014/01/17/presidential-policy-directive-
signals-intelligence-activities 
3   Texts adopted, P7_TA(2014)0230. 
4   Texts adopted, P8_TA(2015)0388. 
 

 
understood to be ‘essentially equivalent’ to the protection provided in the Union, 
prompting the need to conclude negotiations on the EU-US Privacy Shield so as to ensure 
legal certainty on how personal data should be transferred from the EU to the US; 
B.  whereas ‘protecting data’ means protecting the people to whom the information being 
processed relates, and whereas such protection is one of the fundamental rights recognised 
by the Union (Article 8 of the Charter of Fundamental Rights and Article 16 of the Treaty 
on the Functioning of the European Union); 
C.  whereas the protection of personal data, respect for private life and communications, the 
right to security, the right to receive and impart information and the freedom to conduct a 
business are all fundamental rights to be upheld and balanced;  
D.  whereas, when examining the level of protection afforded by a third country, the 
Commission is obliged to assess the content of the rules applicable in that country 
deriving from its domestic law or its international commitments, as well as the practice 
designed to ensure compliance with those rules, since it must, under Article 25(2) of the 
Data Protection Directive, take account of all the circumstances surrounding a transfer of 
personal data to a third country; whereas this assessment must not only refer to legislation 
and practices relating to the protection of personal data for commercial and private 
purposes, but must also cover all aspects of the framework applicable to that country or 
sector, in particular, but not only, law enforcement, national security and respect for 
fundamental rights; 
E.  whereas small and medium-sized enterprises (SMEs) represent the fastest-growing sector 
of the EU’s economy, and are increasingly dependent upon the free flow of data; whereas 
SMEs accounted for 60 % of the companies relying on the Safe Harbour agreement, 
which allowed them to benefit from the streamlined and cost-effective compliance 
procedures; 
F.  whereas the US and EU economies account for over 50 % of global GDP, 25 % of global 
exports and over 30 % of global imports; whereas the US-EU economic relationship is the 
highest valued in the world, with total transatlantic trade in 2014 valued at USD 1,09 
trillion, compared with total US trade with Canada and China valued at USD 741 billion 
and USD 646 billion respectively; 
G.  whereas cross-border data flows between the United States and Europe are the highest in 
the world – 50 % higher than data flows between the US and Asia and almost double the 
data flows between the US and Latin America – and whereas the transfer and exchange of 
personal data is an essential component underpinning the close links between the 
European Union and the United States in commercial activities and in the law 
enforcement sector; 
H.  whereas in its Opinion 01/2016 the Article 29 Working Party welcomed the significant 
improvements brought about by the Privacy Shield compared with the Safe Harbour 
decision, and in particular the insertion of key definitions, the mechanisms set up to 
ensure the oversight of the Privacy Shield list and the now mandatory external and 
internal compliance reviews, and whereas the Working Party has also raised strong 
concerns about both the commercial aspects and access by public authorities to data 
transferred under the Privacy Shield; 
 

 
I.  whereas so far the following countries/territories: Andorra, Argentina, Canada, the Faroe 
Islands, Guernsey, the Isle of Man, Jersey, Uruguay, Israel, Switzerland and New Zealand, 
have been recognised as providing adequate levels of data protection and were given 
privileged access to the EU market; 
1.  Welcomes the efforts made by the Commission and the US Administration to achieve 
substantial improvements in the Privacy Shield compared to the Safe Harbour decision, in 
particular the insertion of key definitions such as ‘personal data’, ‘processing’ and 
‘controller’, the mechanisms set up to ensure oversight of the Privacy Shield list and the 
now mandatory external and internal compliance reviews of compliance; 
2.  Highlights the importance of the transatlantic relationships, which remain vital for both 
partners; emphasises that a comprehensive solution between the US and the EU should 
respect the right to data protection and the right to privacy; recalls that one of the 
fundamental objectives of the EU is the protection of personal data, including when 
transferred to its major international trading partner; 
3.  Insists that the Privacy Shield arrangement must be compliant with EU primary and 
secondary law and the relevant judgments of both the European Court of Justice and the 
European Court of Human Rights; 
4.  Notes that Annex VI (letter from Robert S. Litt, Office of the Director of National 
Intelligence (ODNI)) clarifies that under Presidential Policy Directive 28 (hereinafter 
‘PPD-28’), bulk collection of personal data and communications of non-US persons is still 
permitted in six cases; points out that such bulk collection only has to be ‘as tailored as 
feasible’ and ‘reasonable’, which does not meet the stricter criteria of necessity and 
proportionality as laid down in the Charter; 
5.  Recalls that legal certainty, and in particular clear and uniform rules, are a key element in 
business development and growth, in particular for SMEs, so as to ensure that they do not 
face legal uncertainty and suffer serious impacts to their operations and to their ability to 
conduct business across the Atlantic; 
6.  Welcomes the introduction of the redress mechanism for individuals under the Privacy 
Shield; calls on the Commission and the US Administration to address the current 
complexity in order to make the procedure user-friendly and effective; 
7.  Calls on the Commission to seek clarification on the legal status of the ‘written 
assurances’ provided by the US; 
8.  Welcomes the appointment of an Ombudsperson in the US Department of State, who will 
work together with independent authorities to provide a response to EU supervisory 
authorities channelling individual requests in relation to government surveillance; 
considers however that this new institution is not sufficiently independent and is not 
vested with adequate powers to effectively exercise and enforce its duty; 
9.  Welcomes the prominent role given by the Privacy Shield framework to Member State 
data protection agencies in examining and investigating claims related to the protection of 
personal data under the EU Charter of Fundamental Rights and in suspending transfers of 
data, as well as the obligation placed on the US Department of Commerce to resolve such 
complaints; 
 

 
10. Recognises that the Privacy Shield is part of a broader dialogue between the EU and third 
countries, including the United States, in relation to data privacy, trade, security and 
related rights and objectives of shared interest; calls on all parties therefore to work 
together towards the creation and sustained improvement of workable, common 
international frameworks and domestic legislation that achieve those objectives; 
11. Insists that legal certainty for the transfer of personal data between the EU and US is an 
essential element for consumer trust, transatlantic business development and law 
enforcement cooperation, thus making it imperative for their effectiveness and long-term 
implementation that the instruments allowing for such transfers comply with both EU 
primary and secondary law; 
12. Calls on the Commission to implement fully the recommendations expressed by the 
Article 29 Working Party in its Opinion 01/2016 on the EU-US Privacy Shield draft 
adequacy decision; 
13. Calls on the Commission to fulfil its responsibility under the Privacy Shield framework to 
conduct periodic robust reviews of its adequacy finding and the legal justifications 
thereof, in particular in the light of the application of the new General Data Protection 
Regulation in two years’ time; 
14. Calls on the Commission to continue the dialogue with the US Administration in order to 
negotiate further improvements to the Privacy Shield arrangement in the light of its 
current deficiencies; 
15. Instructs its President to forward this resolution to the Council, the Commission, the 
governments and parliaments of the Member States, and the US Government and 
Congress.