European Parliament
2014-2019
TEXTS ADOPTED
Provisional edition
P8_TA-PROV(2016)0233
Transatlantic data flows
European Parliament resolution of 26 May 2016 on transatlantic data flows
(2016/2727(RSP))
The European Parliament,
– having regard to the Treaty on European Union (TEU), the Treaty on the Functioning of
the European Union (TFEU) and Articles 6, 7, 8, 11, 16, 47 and 52 of the Charter of
Fundamental Rights of the European Union,
– having regard to Directive 95/46/EC of the European Parliament and of the Council of 24
October 1995 on the protection of individuals with regard to the processing of personal
data and on the free movement of such data1 (hereinafter ‘the Data Protection Directive’),
– having regard to Council Framework Decision 2008/977/JHA of 27 November 2008 on
the protection of personal data processed in the framework of police and judicial
cooperation in criminal matters2,
– having regard to Regulation (EU) 2016/679 of the European Parliament and of the
Council of 27 April 2016 on the protection of natural persons with regard to the
processing of personal data and on the free movement of such data, and repealing
Directive 95/46/EC (General Data Protection Regulation)3, and to Directive (EU)
2016/680 of the European Parliament and of the Council of 27 April 2016 on the
protection of natural persons with regard to the processing of personal data by competent
authorities for the purposes of the prevention, investigation, detection or prosecution of
criminal offences or the execution of criminal penalties, and on the free movement of such
data, and repealing Council Framework Decision 2008/977/JHA4,
– having regard to Commission Decision 2000/520/EC of 26 July 2000 (the Safe Harbour
decision),
1 OJ L 281, 23.11.1995, p. 31.
2 OJ L 350, 30.12.2008, p. 60.
3 OJ L 119, 4.5.2016, p. 1.
4 OJ L 119, 4.5.2016, p. 89.
– having regard to the Commission communication to the European Parliament and the
Council of 27 November 2013 on rebuilding trust in EU-US data flows
(COM(2013)0846),
– having regard to the Commission communication to the European Parliament and the
Council of 27 November 2013 on the functioning of the Safe Harbour from the
perspective of EU citizens and companies established in the EU (COM(2013)0847) (the
Safe Harbour communication),
– having regard to the judgment of the European Court of Justice of 6 October 2015 in Case
C-362/14
Maximillian Schrems v
Data Protection Commissioner (EU:C:2015:650),
– having regard to the Commission communication to the European Parliament and the
Council of 6 November 2015 on the transfer of personal data from the EU to the United
States of America under Directive 95/46/EC following the judgment by the Court of
Justice in Case C-362/14 (Schrems) (COM(2015)0566),
– having regard to the statement of the Article 29 Working Party on the consequences of the
Schrems Judgment of 3 February 2016,
– having regard to the Judicial Redress Act of 2015, which was signed into law by President
Obama on 24 February 2016 (H.R.1428),
– having regard to the USA Freedom Act of 20151,
– having regard to the reforms of US signals intelligence activities laid down in Presidential
Policy Directive 28 (PPD-28)2,
– having regard to the Commission communication to the European Parliament and the
Council of 29 February 2016 entitled ‘Transatlantic data flows: Restoring trust through
strong safeguards’ (COM(2016)0117),
– having regard to Article 29 Working Party Opinion 01/2016 of 13 April 2016 on the EU-
US Privacy Shield draft adequacy decision,
– having regard to its resolution of 12 March 2014 on the US NSA surveillance programme,
surveillance bodies in various Member States and their impact on EU citizens’
fundamental rights and on transatlantic cooperation in Justice and Home Affairs3, and to
its resolution of 29 October 2015 on the follow-up to the European Parliament resolution
of 12 March 2014 on the electronic mass surveillance of EU citizens4,
– having regard to Rule 123(2) and (4) of its Rules of Procedure,
A. whereas the European Court of Justice invalidated the Safe Harbour decision in its
judgment of 6 October 2015 in Case C-362/14
Maximillian Schrems v
Data Protection
Commissioner and clarified that an adequate level of protection in a third country must be
1 https://www.congress.gov/114/plaws/publ23/PLAW-114publ23.pdf
2 https://www.whitehouse.gov/the-press-office/2014/01/17/presidential-policy-directive-
signals-intelligence-activities
3 Texts adopted, P7_TA(2014)0230.
4 Texts adopted, P8_TA(2015)0388.
understood to be ‘essentially equivalent’ to the protection provided in the Union,
prompting the need to conclude negotiations on the EU-US Privacy Shield so as to ensure
legal certainty on how personal data should be transferred from the EU to the US;
B. whereas ‘protecting data’ means protecting the people to whom the information being
processed relates, and whereas such protection is one of the fundamental rights recognised
by the Union (Article 8 of the Charter of Fundamental Rights and Article 16 of the Treaty
on the Functioning of the European Union);
C. whereas the protection of personal data, respect for private life and communications, the
right to security, the right to receive and impart information and the freedom to conduct a
business are all fundamental rights to be upheld and balanced;
D. whereas, when examining the level of protection afforded by a third country, the
Commission is obliged to assess the content of the rules applicable in that country
deriving from its domestic law or its international commitments, as well as the practice
designed to ensure compliance with those rules, since it must, under Article 25(2) of the
Data Protection Directive, take account of all the circumstances surrounding a transfer of
personal data to a third country; whereas this assessment must not only refer to legislation
and practices relating to the protection of personal data for commercial and private
purposes, but must also cover all aspects of the framework applicable to that country or
sector, in particular, but not only, law enforcement, national security and respect for
fundamental rights;
E. whereas small and medium-sized enterprises (SMEs) represent the fastest-growing sector
of the EU’s economy, and are increasingly dependent upon the free flow of data; whereas
SMEs accounted for 60 % of the companies relying on the Safe Harbour agreement,
which allowed them to benefit from the streamlined and cost-effective compliance
procedures;
F. whereas the US and EU economies account for over 50 % of global GDP, 25 % of global
exports and over 30 % of global imports; whereas the US-EU economic relationship is the
highest valued in the world, with total transatlantic trade in 2014 valued at USD 1,09
trillion, compared with total US trade with Canada and China valued at USD 741 billion
and USD 646 billion respectively;
G. whereas cross-border data flows between the United States and Europe are the highest in
the world – 50 % higher than data flows between the US and Asia and almost double the
data flows between the US and Latin America – and whereas the transfer and exchange of
personal data is an essential component underpinning the close links between the
European Union and the United States in commercial activities and in the law
enforcement sector;
H. whereas in its Opinion 01/2016 the Article 29 Working Party welcomed the significant
improvements brought about by the Privacy Shield compared with the Safe Harbour
decision, and in particular the insertion of key definitions, the mechanisms set up to
ensure the oversight of the Privacy Shield list and the now mandatory external and
internal compliance reviews, and whereas the Working Party has also raised strong
concerns about both the commercial aspects and access by public authorities to data
transferred under the Privacy Shield;
I. whereas so far the following countries/territories: Andorra, Argentina, Canada, the Faroe
Islands, Guernsey, the Isle of Man, Jersey, Uruguay, Israel, Switzerland and New Zealand,
have been recognised as providing adequate levels of data protection and were given
privileged access to the EU market;
1. Welcomes the efforts made by the Commission and the US Administration to achieve
substantial improvements in the Privacy Shield compared to the Safe Harbour decision, in
particular the insertion of key definitions such as ‘personal data’, ‘processing’ and
‘controller’, the mechanisms set up to ensure oversight of the Privacy Shield list and the
now mandatory external and internal compliance reviews of compliance;
2. Highlights the importance of the transatlantic relationships, which remain vital for both
partners; emphasises that a comprehensive solution between the US and the EU should
respect the right to data protection and the right to privacy; recalls that one of the
fundamental objectives of the EU is the protection of personal data, including when
transferred to its major international trading partner;
3. Insists that the Privacy Shield arrangement must be compliant with EU primary and
secondary law and the relevant judgments of both the European Court of Justice and the
European Court of Human Rights;
4. Notes that Annex VI (letter from Robert S. Litt, Office of the Director of National
Intelligence (ODNI)) clarifies that under Presidential Policy Directive 28 (hereinafter
‘PPD-28’), bulk collection of personal data and communications of non-US persons is still
permitted in six cases; points out that such bulk collection only has to be ‘as tailored as
feasible’ and ‘reasonable’, which does not meet the stricter criteria of necessity and
proportionality as laid down in the Charter;
5. Recalls that legal certainty, and in particular clear and uniform rules, are a key element in
business development and growth, in particular for SMEs, so as to ensure that they do not
face legal uncertainty and suffer serious impacts to their operations and to their ability to
conduct business across the Atlantic;
6. Welcomes the introduction of the redress mechanism for individuals under the Privacy
Shield; calls on the Commission and the US Administration to address the current
complexity in order to make the procedure user-friendly and effective;
7. Calls on the Commission to seek clarification on the legal status of the ‘written
assurances’ provided by the US;
8. Welcomes the appointment of an Ombudsperson in the US Department of State, who will
work together with independent authorities to provide a response to EU supervisory
authorities channelling individual requests in relation to government surveillance;
considers however that this new institution is not sufficiently independent and is not
vested with adequate powers to effectively exercise and enforce its duty;
9. Welcomes the prominent role given by the Privacy Shield framework to Member State
data protection agencies in examining and investigating claims related to the protection of
personal data under the EU Charter of Fundamental Rights and in suspending transfers of
data, as well as the obligation placed on the US Department of Commerce to resolve such
complaints;
10. Recognises that the Privacy Shield is part of a broader dialogue between the EU and third
countries, including the United States, in relation to data privacy, trade, security and
related rights and objectives of shared interest; calls on all parties therefore to work
together towards the creation and sustained improvement of workable, common
international frameworks and domestic legislation that achieve those objectives;
11. Insists that legal certainty for the transfer of personal data between the EU and US is an
essential element for consumer trust, transatlantic business development and law
enforcement cooperation, thus making it imperative for their effectiveness and long-term
implementation that the instruments allowing for such transfers comply with both EU
primary and secondary law;
12. Calls on the Commission to implement fully the recommendations expressed by the
Article 29 Working Party in its Opinion 01/2016 on the EU-US Privacy Shield draft
adequacy decision;
13. Calls on the Commission to fulfil its responsibility under the Privacy Shield framework to
conduct periodic robust reviews of its adequacy finding and the legal justifications
thereof, in particular in the light of the application of the new General Data Protection
Regulation in two years’ time;
14. Calls on the Commission to continue the dialogue with the US Administration in order to
negotiate further improvements to the Privacy Shield arrangement in the light of its
current deficiencies;
15. Instructs its President to forward this resolution to the Council, the Commission, the
governments and parliaments of the Member States, and the US Government and
Congress.