President. – We now continue with the joint debate on the Council and Commission statements on data protection adequacy.

  Cornelia Ernst, im Namen der Fraktion The Left. – Herr Präsident! Demokratie ist, wenn ein einzelner Bürger vor Gericht zieht und rechtswidrige Vertragspraktiken, die gegen elementare Grundrechte verstoßen, gekippt werden. Noch besser stünde es um die Demokratie, wenn er das nicht laufend machen müsste. Und am allerbesten wäre es, wenn die Kommission, die Hüterin der Verträge, endlich mit ihren Eiertänzen aufhören und handeln würde. Ja, das Privacy Shield ist genauso rechtswidrig wie damals Safe Harbour, und wir wissen das seit langer Zeit. Was wir jetzt bestimmt nicht brauchen, ist eine Art Privacy Harbour.

Datentransfer ohne Schutzniveau für personenbezogene Daten im Sinne der GDPR ist verboten, Punkt! Mehr ist da nicht zu sagen, da helfen auch keine halbseidenen Standardvertragsklauseln. Massenüberwachung, Auslieferung von Daten unbescholtener Bürgerinnen und Bürger an Geheimdienste – das hat mit Rechtsstaatlichkeit nichts zu tun, und das muss auch die irische Datenschutzbehörde endlich begreifen.

Meine Damen und Herren, wenn wir noch halbwegs alle Tassen im Schrank haben, können wir auch dem Vereinigten Königreich kein adäquates Datenschutzniveau für den Datentransfer bescheinigen. Cambridge Analytica, Abhörprogramm Tempora, Power Bill – die Downing Street braucht eine einzige klare Antwort: No, Sir! Datenschutz ist keine Petersilie auf dem Kartoffelsalat. Datenschutz ist Grundrechteschutz, und den gilt es bitteschön zu verteidigen – und zwar jetzt!

  Jeroen Lenaers (PPE). – Mr President, the United Kingdom is now a third country and as with all third countries, we need to carefully assess its level of data protection before we allow personal data transfer to take place without any condition. This is essential because those trans-border data flows between the EU and the UK are so important. They are important for our economy, for small and big businesses, they are important for our citizens and they are important for our common fight against crime.

And as we all know until very recently the UK was a member of the European Union and it is therefore evident, also in the words of the European Data Protection Board, that many aspects of the law and practice in the UK are essentially equivalent to the EU and that there is a strong alignment between the GDPR and the UK legal framework. And I’m surprised, therefore, that some colleagues here are arguing that we cannot allow this adequacy decision with the UK to pass.

No adequacy for a third country that even the EDPB characterizes as essentially equivalent. If we can’t apply it to the UK, who can we then apply it to? Unless you want to stop cross—border data transfers altogether and all move back to the 19th century, to the detriment of our citizens, of our businesses and of our security.

I fully support the approach of the European Commission, but that doesn’t mean that there are no concerns and I count on you, Commissioner Reynders, to take the recommendations of the EDPB seriously and to make sure that this decision will stand the test of time by closely monitoring all developments in the UK in this area and respond swiftly where necessary.

  Marina Kaljurand (S&D). – Mr President, we all agree that the ability to transfer personal data across borders has the potential to be a key driver of innovation, productivity and economic competitiveness, especially with close partners like the US and the UK. We also agree that the free movement of personal data has to fulfil the EU standards set out in the GDPR and Law Enforcement Directive, and I hope that we all agree to learn from previous mistakes.

Therefore, it is important that, as the European Parliament, we make it crystal clear that any decisions to transfer data are also in line with EU court rulings and concerns raised by the European Data Protection Board (EDPB). In terms of the US, both the Safe Harbor Agreement and the Privacy Shield have been overruled by the European Court. This Parliament had previously issued several calls on the Commission to address the problems and now this resolution calls for any new personal data transfer agreements to ensure full compliance with GDPR and every aspect of the relevant court rulings. I welcome the fact that the Commission is currently modernising Standard Contractual Clauses (SCCs) and reviewing all existing adequacy decisions to ensure that they comply with the court rulings. I wish you all success in negotiations with the US.

In terms of the UK, it has to be recognised that the UK legal framework is similar to that of the EU, but there are a number of concerns regarding its implementation, including exceptions in the fields of national security and immigration, which now also apply to EU citizens, and the absence of court oversight of such data policies. The resolution also raises concerns over data transfer to third countries without adequacy agreements.

To conclude, while these resolutions will not block the adequacy decisions, they call on the Commission to ensure that, in line with the EDPB, they should be fully consistent with the Union and case law to ensure that the personal data of our citizens is protected. The ball is in the Commission’s court, and I hope you act responsibly.

  Virginie Joron (ID). – Monsieur le Président, Monsieur le Commissaire, Madame la Secrétaire d’État, à quoi servent les règlements sur la protection des données et les arrêts de la Cour de justice européenne, si les GAFAM peuvent continuer à faire ce qu’ils veulent de nos données personnelles? Sans surprise, les affaires judiciaires les plus importantes concernent Facebook, notoirement connu pour sa conduite à la limite de l’éthique. Le mois dernier, dans un autre cas, il a été révélé que les données personnelles de plus d’un demi-milliard d’utilisateurs avaient été divulguées. Comme l’a dit M. Schrems, les GAFAM font des profits en violant la loi.

Pourtant Facebook et d’autres continuent de collecter des données personnelles et de les stocker en dehors de nos pays, avec tous les risques que cela comporte. Seulement 4 % des données sont stockées en Europe. Que reste-t-il de la souveraineté numérique de nos nations, si nous ne pouvons pas protéger les données de nos concitoyens? Tant que nous resterons dépendants des caprices de ces entreprises rapaces, nous ne pourrons jamais assurer la protection de nos données. Si nous voulons vraiment mettre fin aux abus de données et reprendre le contrôle, nous devons investir dans des solutions alternatives européennes, afin que les données puissent être stockées ici, en Europe. De plus, en investissant dans des capacités de traitement et de stockage de données en Europe, nous donnerons un coup de pouce aux entreprises françaises et européennes.

Oui, nous devons reprendre le contrôle dans le domaine du numérique et mettre fin à la position dominante des GAFAM, car nous avons perdu trop de temps depuis.

  Adam Bielan (ECR). – Mr President, in this Chamber, I think we all agree on the importance of data protection, both as a fundamental right and as a key enabler for the digital economy. The continuation of EU—UK data flows after 30 June will depend on the adoption of the adequacy decisions. My group has always supported the use of adequacy decisions as they provide citizens and businesses with a clear and solid legal basis for the exchange of personal data.

We cannot leave our enterprises without a solution. Indeed, we need to protect the businesses with cross—border data flows that are crucial for economic development and innovation. That is why my group is calling on the Commission today to adopt the adequacy decisions in a timely manner in order to avoid any disruptions for European and UK companies. For this reason, we also do not support the resolution of the Committee on Civil Liberties, Justice and Home Affairs (LIBE).

  Clare Daly (The Left). – Mr President, Ireland’s subservience to multinationals is well known. I’ve spent half my political life calling it out. It’s very problematic, but it’s not the problem here, and suggesting that Ireland is the source of Europe’s privacy ills, as the Schrems resolution does, ignores very real problems.

We have dedicated, well—intentioned staff in regulators all over Europe hobbled by the fact that they’re facing off against hordes of highly paid lawyers in multinationals, with infinite resources, infinite time, infinite wealth and so on. Only nine Data Protection Authorities (DPAs) say that they have enough resources, and the Commission and the EU has given them no extra funding.

We have complaints about the delays, but little acknowledgment that the delays have got nothing to do with the Irish regulator. Big Tech can bury regulators with procedural queries and legal arguments, as they are legally entitled to do, and, when they get through all of that, they need to get agreement with the other European colleagues on that. The Twitter case alone took seven months in the European Data Protection Board (EDPB) stage. I’d love it if all the problems were on Ireland’s door, but it’s not as simple as that. The sooner we get off that bandwagon, the better we’ll be able to deal with our problems.

  Seán Kelly (PPE). – Mr President, the drama, worry, frustration and relief associated with the entire Brexit process has been replaced with the slow reality of what it means. Beyond the bluster and tabloid outrage, the new reality is starting to dawn: that deeper cooperation is in our mutual interest and that the UK should remain a close partner of the EU.

Yet, there is no doubt that in an increasingly digitalised world, the future relationship between the EU and the UK depends on the continued free flow of data. The securing of adequacy for data transfers is crucial to the future prospects of our economies.

We need to provide legal certainty for businesses and citizens, but also for our own security in order to effectively combat cross-border crime. I know there are some in this House who hold reservations about the adequacy decisions proposed by the Commission. Nevertheless, the fact remains that the United Kingdom’s system is the most convergent to the EU’s of any country in the world.

The rules in the UK and EU are identical in GDPR and the Law Enforcement Directive. The Commission also wisely introduced a sunset clause, which will allow us to continuously monitor UK law and practices.

So, I call on the United Kingdom Government to maintain its high level of protection of personal data, now and in the future, and I call on colleagues in this House not to erect unnecessary barriers that will severely impact businesses and people’s livelihoods.

  Paul Tang (S&D). – Voorzitter, dinsdag vierden wij de derde verjaardag van de algemene verordening gegevensbescherming. Een standaard voor de digitale wereld: een feestje waard. En precies twee weken geleden maakte Microsoft bekend persoonsgegevens van Europese burgers enkel nog in Europa op te slaan. Dit volgt de Schrems II-uitspraak van het Europese Hof. Het Hof concludeert terecht dat onze data in de VS niet voldoende beschermd worden. Laat dit een duidelijk signaal voor de Commissie zijn.

Hoewel het Verenigd Koninkrijk nog maar pas uit de EU is, geldt dat de Britten zich evengoed aan onze Europese principes moeten houden. Massasurveillance, een toezichthouder die bewust de advertentiesector de hand boven het hoofd houdt, misbruik van data over migranten, dit alles is niet te aanvaarden. Zolang en als de Commissie de persoonlijke data van Europeanen als bruidsschat ziet, stevenen we af op een ongelukkig langeafstandshuwelijk met de Verenigde Staten en met het Verenigd Koninkrijk.

  Tomislav Sokol (PPE). – Poštovani predsjedavajući, povjereniče, kolegice i kolege, s pravom možemo kazati da je Europska unija svjetski predvodnik u zaštiti osobnih podataka.

Opća uredba o zaštiti osobnih podataka jamči našim građanima sigurnost u postupku njihovog tretiranja. Uredba predviđa i mogućnost prijenosa podataka s trećim državama temeljem odluke o primjerenosti, što je tema današnje rasprave. S obzirom na to da je Ujedinjena Kraljevina izlaskom iz Europske unije postala treća država, a kako bi se osigurala sigurna razmjena osobnih podataka, potrebno je da Europska komisija u komitološkom postupku donese odluku o primjerenosti.

Taj postupak odlučivanja ne uključuje Europski parlament, međutim to ne znači da bismo mi kao izabrani predstavnici građana trebali biti isključeni iz čitavog postupka. Zato pozdravljam današnju raspravu i tražimo da Europska komisija donese ovu odluku te iskoristi sve dostupne mehanizme kako bi osigurala da osobni podaci naših građana i u Ujedinjenoj Kraljevini budu tretirani u skladu s najvišim standardima pravne zaštite.

Ostavština članstva Ujedinjene Kraljevine je njezino iskustvo u primjeni europskih pravila o zaštiti osobnih podataka. Međutim, snažno pozivam Europsku komisiju da se ne ustručava staviti izvan snage ili pak suspendirati odluku o primjerenosti ako se pokaže da Ujedinjena Kraljevina više ne osigurava primjerenu razinu zaštite osobnih podataka naših građana.

Tu ne smije biti nikakvih iznimaka ili posebnih propusta. Mi u Europskom parlamentu nastavit ćemo kontinuirano nadzirati trendove zaštita osobnih podataka u trećim državama pa tako i Ujedinjenoj Kraljevini.

  Katarina Barley (S&D). – Mr President, personal data is the global currency of our times. Gathering as much as possible makes companies powerful and wealthy. On the other hand, if your personal data is in the hands of someone, you tend to risk becoming an object, not only of advertisement, but of manipulation. This is why the European Union takes pride in its achievements made concerning the protection of personal data.

The EU has turned out to be a role model in the world, and we are not willing to allow new loopholes. And we have plenty of reasons for this. Let me just mention three. The UK grants wide-ranging data protection exemptions in the area of national security and immigration, which now also apply to EU citizens who wish to stay or settle in the UK. Current UK legislation allows mass data access without suspicion of a crime and mass data retention, which the ECJ has found to be incompatible with the rights enshrined in the GDPR; and the UK’s agreements with the US open up the possibility of EU citizens’ data being shared with the USA. It has been mentioned several times today.

We therefore urge the Commission and the UK authorities to address the issues highlighted in the resolution. No adequacy decisions should be taken without a clear plan on how to address the problems.

PRZEWODNICTWO: EWA KOPACZ
Wiceprzewodnicząca

  Barbara Thaler (PPE). – Frau Präsidentin, sehr geehrter Herr Kommissar, liebe Frau Staatssekretärin, liebe Kolleginnen und Kollegen! Als Abgeordnete dieses Hauses und als langjährige Unternehmerin in der IT-Branche bin ich ehrlich gesagt wenig begeistert über die andauernde Nicht-Fisch-Nicht-Fleisch-Situation. Während wir in Europa nach innen die Einführung der Datenschutz-Grundverordnung mit viel Mühe und viel Kraft umgesetzt haben, brachen außerhalb der Europäischen Union die Rechtsgrundlagen weg. Das Safe Harbour-Abkommen wurde gekippt und vor einem Jahr dann auch noch die Nachfolgeregelung, das Privacy Shield. Übriggeblieben ist, dass unsere Unternehmen wieder die Risiken auf sich nehmen müssen und die potenziellen Grauschattierungen auf keine Farbkarte mehr passen. Zugleich weiß auch jeder Bürger, der selbst – zum Beispiel in einem kleinen Verein – ordnungsgemäß die DSGVO befolgt, dass seine Aktivitäten im Internet, seine persönlichen Daten außerhalb Europas von Geheimdiensten und Drittstaaten abgegriffen werden können. Max Schrems hat das nun zweimal erfolgreich aufgezeigt.

Ich erwarte mir, dass die Kommission bis 2024 nicht nur 82 Gesetzesvorschläge zur Dekarbonisierung des Verkehrswesens vorlegt, sondern in Bälde auch ein Abkommen, das unseren Unternehmen Rechtssicherheit bietet und die Daten von unseren Bürgerinnen und Bürgern nach außen genauso schützt wie innerhalb der Europäischen Union.

  Bettina Vollath (S&D). – Frai Präsidentin! Max Schrems kämpft seit Jahren für Datenschutz. Er selbst kann hier nicht reden, also bin ich heute als Abgeordnete im besten Sinne sein Sprachrohr, und mit seiner Botschaft identifiziere ich mich auch zu hundert Prozent.

Zitat Max Schrems: „Danke an das EP für diese wichtige Resolution. Wir sehen, dass die DSVGO zu schwach durchgesetzt wird. Damit wird riskiert, dass dieser große Wurf des europäischen Gesetzgebers in der Praxis nicht gilt. Bei fast allen grenzüberschreitenden Verfahren haben wir auch nach drei Jahren keine Entscheidung. Behörden weisen Beschwerden reihenweise ohne Untersuchung ab. Die Grundrechte der BürgerInnen bestehen damit nur auf dem Papier, nicht aber in der Realität. Daher möchte ich heute betonen, dass Beschwerden von BürgerInnen umgehend untersucht und entschieden werden müssen. Am Ende gibt es aber wohl Behörden und Mitgliedstaaten, die einfach ihre Arbeit nicht tun. Da müssten dann Vertragsverletzungsverfahren greifen. Denn die DSVGO ist auch dank dem Europäischen Parlament geltendes europäisches Recht, das wir verteidigen müssen und werden.“

Danke, Max Schrems, für den Einsatz!

  Pablo Arias Echeverría (PPE). – Señora presidenta, señor comisario, señora secretaria de Estado, todos conocemos lo que dice la sentencia Schrems II. No he venido aquí para comentar la actualidad; he venido para compartir tres mensajes muy claros sobre la importancia de proteger a nuestros ciudadanos y sus datos personales.

Primero, el ciudadano tiene que estar y sentirse protegido. Desde las instituciones, debemos garantizar la protección de sus datos, tanto dentro como fuera de nuestras fronteras.

Segundo, para ello necesitamos transparencia. Tenemos que saber qué, quién y para qué recopila y utiliza nuestros datos, independientemente de donde los utilicen.

Y tercero, quiero reivindicar que no podemos permitir que, dentro de unos años, los tribunales vuelvan a decirnos que los datos de los ciudadanos europeos no están suficientemente protegidos, tal y como plantea el RGPD.

Cualquier empresa es bienvenida en la Unión Europea, pero debe cumplir con nuestras normas y nuestro estilo de vida. Tenemos que reforzar la transparencia sobre el uso de nuestros datos para asegurarnos la confianza de los ciudadanos. De otro modo, no confiarán en el ámbito digital, y la Unión Europea no avanzará en la carrera digital global adecuadamente.

  Michiel Hoogeveen (ECR). – Voorzitter, de brexit was een democratische beslissing. Maar voor een groot deel van dit Parlement is en blijft de brexit een onaanvaardbare realiteit. Vandaag spreken we over de goedkeuring van een regeling die doorgifte van persoonsgegevens tussen het Verenigd Koninkrijk en de EU mogelijk maakt. Normaal gesproken geen controversieel onderwerp. De Britten hebben tenslotte zeer hoge standaarden op het gebied van databescherming, vaak nog strikter dan de EU zelf, maar toch slaagt een aantal van mijn ambtsgenoten erin dit onderwerp te gebruiken om hun minachting voor het besluit van het VK te botvieren. Kinderachtige schoolpleinpolitiek. Voorzitter, democratie smaakt soms bitter, maar in een professionele en volwassen omgang met ongewenste uitkomsten toont zich de ware democraat. Daarin hebben sommigen in het Parlement nog een hoop te leren.

  Didier Reynders, Member of the Commission. – Madam President, first of all I want to thank you for this debate and I also want to answer to the remarks about the fact that UK data protection law allows exemptions to the rights of individuals, and I will take maybe the example of immigration control.

In EU law, as in UK law, data protection rights just like many other fundamental rights are not absolute. They can be balanced against all the objectives of public interest. Article 23 of the GDPR allows EU Member States to introduce exceptions to the data protection rights if they are necessary and proportionate for important objectives of general public interest.

It is under that provision that the UK immigration exemption was introduced while the UK was still a Member State. Effective immigration control is an important objective of general interest. According to UK law, this exemption can be relied on, on a case-by-case basis, only if at a certain moment in time, the application of certain data protection provisions can prejudice, the maintenance of effective immigration control.

It is also important to recall that the scope of this exemption is limited to certain rights and obligations. For instance, the right to rectification is not a right which can be restricted under this exemption. Like any other provision of UK data protection law, the use of this exemption can be challenged by the concerned individuals before the Data Protection Authority and courts.

We have not limited our assessment of this exemption to what is written in the law. We have also looked at how it has been interpreted and applied. Both UK courts and the UK Data Protection Authority confirmed that this exemption is subject to the strict requirements of necessity and of proportionality, which prevent it to be used in a generalised or abusive manner. In particular, while the UK was still an EU Member State, the UK High Court assessed whether the immigration exemption was in line with the requirements of the GDPR and the charter, and it came to the conclusion that this is the case.

More specifically, the High Court concluded that the exemption can only be invoked in a specific case if otherwise there would be a very significant and ready chance of prejudice to the public interest at stake in this specific case. This is clearly a high standard developed by consolidated case law in the UK. It means in particular that a mere impact on immigration control is not sufficient to rely on the exemption. Moreover, the UK Data Protection Authority has assured detailed guidance for the use of the immigration exemption, making clear that it cannot be used in a blanket manner and that it must be carefully considered and the documented in each and every case.

It is difficult to understand why such a provision that has not been changed since the UK left the EU would now need to be considered as not meeting the test of essential equivalence. The UK authorities have also shared some figures on how these limitations on the use of this exemption are reflected in practice.

For example, the exemption was never applied in the context of the issuance of so-called settled status to more than 4 million EU citizens who were residing in the UK before the end of the transition period. When considering all immigration cases concerning European Economic Area citizens, the cases in which the exception was used in 2020 amount to 2.8 percent of such cases.

That doesn’t mean that the situation can never change. We of course recognise the importance of this issue, that goes to the very heart of EU citizen rights when they travel to work or reside in the UK. And this is why following EDPB opinions and exchanges in the Committee on Civil Liberties, Justice and Home Affairs (LIBE Committee), we have specifically strengthened the monitoring clause of our draft decisions in that respect.

The application of the immigration exemption and its impact on the effective exercise of individual rights in the UK is expressly identified as one of the areas that we will monitor very closely and an area where a lowering of protection would lead to launching the suspension or termination or amendment to our schedule.

Madame la Présidente, Mesdames et Messieurs les députés, je crois que nous avons vraiment tenu à vérifier non seulement la situation légale en Grande-Bretagne, mais aussi la manière dont ces textes sont interprétés et appliqués – je viens d’en donner un exemple.

Cependant, il ne fait aucun doute que les données personnelles des citoyens européens doivent être protégées de manière adéquate lorsqu’elles sont transférées en dehors de l’Union européenne. L’arrêt Schrems II de la Cour européenne de justice rappelle les défis auxquels nous sommes confrontés pour garantir la protection des droits fondamentaux dans un monde numérique interconnecté et sans frontières, où un transfert de données peut avoir lieu en un seul clic.

Les entreprises doivent pouvoir s’appuyer sur des mécanismes de transfert solides, juridiquement sûrs et prévisibles. C’est ce à quoi les entreprises européennes s’attendent à juste titre, car elles sont amenées à transférer des données non seulement vers le Royaume-Uni ou les États-Unis, mais également vers de nombreuses autres destinations dans le monde, dans le cadre de leurs opérations quotidiennes.

C’est en travaillant avec des partenaires internationaux ayant des approches similaires que l’Union peut être en mesure de façonner les règles du jeu au niveau global. Ceci est encore plus important lorsque d’autres acteurs internationaux avancent un agenda différent, basé sur des valeurs fondamentalement différentes des nôtres.

En ce qui concerne plus spécifiquement les décisions d’adéquation avec le Royaume-Uni, je pense que notre approche doit s’inspirer de celle suivie avec succès par mon ancien collègue, Michel Barnier, lors des négociations relatives au Brexit: à la fois calme et objective, préparée à tous les scénarios possibles et déterminée à défendre les valeurs et principes de l’Union avec la plus grande fermeté.

  Ana Paula Zacarias, Presidente em exercício do Conselho. – Senhora Presidente, Senhor Comissário, agradeço as detalhadas informações que nos forneceu. Senhoras e Senhores Deputados, as vossas intervenções de hoje demonstram a convergência com o Conselho quanto à importância de haver normas rigorosas de proteção de dados quando se trata de transferir dados pessoais dos cidadãos da União Europeia para países ou territórios terceiros.

Por outro lado, mostram também a necessidade de continuar a permitir essas transferências, de forma segura, em especial para os nossos parceiros próximos, como os Estados Unidos ou o Reino Unido.

Tal como referi no início, o Conselho não faz formalmente parte do processo de decisão sobre estas decisões de adequação, mas atribui grande importância a estes instrumentos que são uma componente essencial do quadro jurídico que permite o fluxo de dados pessoais de e para os nossos parceiros, mantendo, simultaneamente, um elevado nível de proteção de dados para os nossos cidadãos.

No que diz respeito ao Reino Unido, em particular, é essencial sublinhar dois pontos: primeiro, a necessidade de uma solução dentro do prazo previsto pelo acordo de comércio e cooperação; segundo, a Comissão concluiu que o Reino Unido manteve a sua proteção alinhada com as regras da União Europeia e que serão implementadas medidas para fazer face a eventuais alterações do enquadramento legal no Reino Unido. Isto é importante para a salvaguarda dos direitos e interesses dos cidadãos e das empresas, mantendo um olhar vigilante sobre a implementação da legislação.

  Przewodnicząca. – Zamykam debatę łączną.

Głosowania nad poprawkami odbędą się dzisiaj, tj. 20 maja 2021 r.

Jeśli chodzi o projekty rezolucji w sprawie Data Protection Commissioner przeciwko Facebook Ireland Limited, Maximillian Schrems (“Schrems II”) - Sprawa C-311/18, głosowanie końcowe odbędzie się dzisiaj.

Jeśli chodzi o projekty rezolucji w sprawie odpowiedniej ochrony danych osobowych przez Zjednoczone Królestwo, odbędzie się ono jutro, tj. 21 maja 2021 r.