Legislative Observatory
European Parliament
Please fill in this field to find a procedure

Resolution on transatlantic data flows

2016/2727(RSP)

The European Parliament adopted by 501 votes to 119, with 31 abstentions, a resolution on transatlantic data flows.

The text was adopted in plenary by the EPP, S&D, ECR, ALDE and EFDD groups.

Members recalled that the European Court of Justice invalidated the Safe Harbour decision in its judgment of 6 October 2015 in Case C-362/14 Maximillian Schrems  v Data Protection Commissioner and clarified that an adequate level of protection in a third country must be understood to be ‘essentially equivalent’ to the protection provided in the Union.

Highlighting the importance of the transatlantic relationships, Parliament prompted the need to conclude negotiations on the EU-US Privacy Shield so as to ensure legal certainty on how personal data should be transferred from the EU to the US. Cross-border data flows between the United States and Europe are the highest in the world – 50 % higher than data flows between the US and Asia and almost double the data flows between the US and Latin America.

Members stressed that a comprehensive solution between the US and the EU should respect the right to data protection and the right to privacy insisting that the Privacy Shield arrangement must be compliant with EU primary and secondary law and the relevant judgments of both the European Court of Justice and the European Court of Human Rights.

In this regard, Parliament welcomed:

  • the efforts made by the Commission and the US Administration to achieve substantial improvements in the Privacy Shield compared to the Safe Harbour decision, in particular the insertion of key definitions such as ‘personal data’, ‘processing’ and ‘controller’, the mechanisms set up to ensure oversight of the Privacy Shield list and the now mandatory external and internal compliance reviews of compliance;
  • the introduction of the redress mechanism for individuals under the Privacy Shield. The Commission and the US Administration are called upon to address the current complexity in order to make the procedure user-friendly and effective;
  • the appointment of an Ombudsperson in the US Department of State, who will work together with independent authorities to provide a response to EU supervisory authorities channelling individual requests in relation to government surveillance; considers however that this new institution is not sufficiently independent and is not vested with adequate powers to effectively exercise and enforce its duty;
  • the prominent role given by the Privacy Shield framework to Member State data protection agencies in examining and investigating claims related to the protection of personal data under the EU Charter of Fundamental Rights and in suspending transfers of data, as well as the obligation placed on the US Department of Commerce to resolve such complaints.

The Commission is called upon to:

  • fully implement the recommendations expressed by the Article 29 Working Party in its Opinion 01/2016 on the EU-US Privacy Shield draft adequacy decision;
  • fulfil its responsibility under the Privacy Shield framework to conduct periodic robust reviews of its adequacy finding and the legal justifications thereof, in particular in the light of the application of the new General Data Protection Regulation in two years’ time;
  • continue the dialogue with the US Administration in order to negotiate further improvements to the Privacy Shield arrangement in the light of its current deficiencies.