2.3.2018 EN Official Journal of the European Union C 81/209
Opinion of the European Economic and Social Committee on ‘Exchanging and Protecting Personal Data in a Globalised World’
[COM(2017) 7 final]
(2018/C 081/29)
Rapporteur: Christian PÎRVULESCU
Consultation: European Commission, 31.5.2017
Legal basis: Article 304 of the Treaty on the Functioning of the European Union
Plenary Assembly decision: 8.5.2017
Section responsible: External Relations
Adopted in section: 28.9.2017
Adopted at plenary: 18.10.2017
Plenary session No: 529
Outcome of vote (for/against/abstentions): 175/1/3
1. Conclusions and recommendations
1.1. On the basis of its core values and constituent documents, the EU has a responsibility to become a global actor in promoting respect for fundamental rights and adequate protection of private life and personal data. In this respect, the EESC encourages the European Commission to be proactive at bilateral and multilateral level in promoting the highest standard of personal data protection.
1.2. The EESC finds the four key criteria to be taken into account by the Commission when assessing the countries with which a dialogue on adequacy should be pursued to be well-balanced and reasonable. It is important, however, to interpret these criteria in the light of a real commitment on the part of the governments, parliaments and courts in these countries to reach an equivalent and functional level of personal data protection.
1.3. The EESC calls for more transparency and participation in the process of granting adequacy decisions. Representatives from the business sector, especially SMEs, together with consumer protection groups, civic groups and other civil society organisations, have to be involved and consulted. The EESC is open to facilitating the process of consultation.
1.4. The EESC welcomes the dialogue started by the Commission with key trading partners in eastern and south-eastern Asia, including Japan and Korea, and possibly India, together with countries in Latin America and countries covered by the European neighbourhood policy which have expressed an interest in obtaining an ‘adequacy finding’.
1.5. The EESC hopes that the Commission, the Council, the national governments and parliaments of the Member States and the US Government and Congress will welcome the proposals put forward in the European Parliament Resolution of 6 April 2017 on the adequacy of the protection afforded by the EU-US Privacy Shield. The European Parliament raises serious concerns in its Resolution, many of them indicating that the agreement and the current US legislative framework do not in practice protect the rights of EU citizens.
1.6. Given the rapid technological advances and continuous expansion of ITC infrastructure, there is a need for close governmental oversight and monitoring. Even though adequacy decisions are evaluated every four years (see Article 45(3) of the General Data Protection Regulation (GDPR)), the EESC recommends a permanent contact between the Commission, data protection authorities (DPAs) and third country governmental authorities in order to identify new challenges in what is a very dynamic technological and economic environment.
1.7. The EESC considers that promoting data protection standards through multilateral instruments should be a priority for the European Commission and that this commitment should be backed by resources, so that a real protection of human rights can be achieved a priori and, a posteriori, an effective legal remedy for prejudices.
1.8. The Committee underlines that the Commission does not differentiate in the Communication between the various types and uses of personal data, with the exception of criminal matters.
1.9. Council of Europe Convention No 108 of 1981, with its additional Protocol of 1999, is the only binding multilateral instrument in the area of data protection. The instrument should be further developed and more third countries should be encouraged to join.
1.10. Multilateral efforts within the OECD (Organisation for Economic Cooperation and Development), the G20 and APEC (Asia-Pacific Economic Cooperation) should be further developed with a view to building a truly global multilateral system of data protection. Cooperation with the UN Special Rapporteur on the right to privacy should be solid and functional.
1.11. With regard to personal data exchanges as part of the prevention, investigation and prosecution of criminal offences, the EESC is a strong supporter of creating robust data protection safeguards, but is also open to the introduction of adequacy findings in the criminal law enforcement sector. Data protection and the prevention, investigation and prosecution of criminal offences, including cybercrime and terrorism, must go hand in hand.
1.12. The EESC recalls the importance of the protection of the personal, health and rehabilitation data of people with disabilities, as established in Article 22 of the UN Convention on the Rights of Persons with Disabilities.
2. Background/Introduction
2.1. The protection of personal data is part of Europe’s common constitutional fabric and is enshrined in Article 8 of the EU Charter of Fundamental Rights. It has been central to EU law for more than 20 years, from the Data Protection Directive of 1995 (‘the 1995 Directive’) to the adoption of the General Data Protection Regulation (GDPR) and the Police Directive in 2016.
2.2. The reform of EU data protection legislation, adopted in April 2016, puts in place a system that ensures a strong level of protection both inside the EU and for the international exchange of personal data for commercial and law enforcement purposes. The new rules will come into force in May 2018.
2.3. Having completed the EU’s data protection rules, the Commission is now setting out a strategy for promoting international data protection standards. The Communication presents the different tools to exchange personal data internationally, based on the reformed data protection rules, as well as its strategy for engaging with selected third countries in the future to reach adequacy decisions and promoting data protection standards through multilateral instruments.
2.4. The 2016 General Data Protection Regulation offers a ‘toolkit’ of mechanisms to transfer personal data from the EU to third countries: adequacy decisions, standard contractual clauses, binding corporate rules, certification mechanisms and codes of conduct. The primary purpose of these mechanisms is to ensure that when the personal data of Europeans is transferred abroad, the protection travels with the data. While the architecture of international personal data transfers is similar to that under the 1995 Data Protection Directive, the reform simplifies and expands their use and introduces new tools for international transfers (e.g. codes of conduct and certification mechanisms).
3. General comments
3.1. The EESC praises the efforts of the EU to protect the personal data of its citizens while remaining open and integrated in an increasingly interconnected world.
3.2. On the basis of its core values and constituent documents, the EU has a responsibility to become a global actor in promoting respect for fundamental rights and a high level of protection of private life and personal data. In this respect, the EESC encourages the European Commission to be proactive at bilateral and multilateral level in promoting the highest standard of personal data protection for its own citizens and for third country citizens.
3.3. The EU should support the Global Personal Data Protection agenda and its core tenets: data protection is a fundamental right, and its protection is organised through adopting overarching legislation in this field, introducing enforceable individual privacy rights and setting up independent supervisory authorities.
3.4. The highest possible protection of personal data is not only a legal responsibility but also a great opportunity. The digital economy, international flows of goods and services and e-government all benefit from the trust citizens have in the institutional and regulatory protections in place. Data protection and fair international trade are both essential for citizens and should not be considered conflicting values.
3.5. The EESC continues to support the general direction of EU data protection policy, as it has done in its previous opinions, while nevertheless insisting on the need for higher levels of protection. In its SOC/455 Opinion on the General Data Protection Regulation, it gave some detailed examples in relation to a number of articles, helping to provide a better definition of rights, of stronger protection for the public in general and of workers in particular, of the nature of consent, of the lawfulness of processing and, in particular, of the duties of data protection officers and of data processing in the context of employment (1).
3.6. Moreover, the EESC highlighted the right of persons, natural or legal, to express their consent with regard to their data. In its TEN/631 Protection of Personal Data Opinion, the EESC view is that ‘users must be informed, trained and remain cautious, because once their consent has been given, providers will be able to process content and metadata further in order to obtain as much effect and profit as possible (…) Priorities linked to this regulation [Regulation concerning the respect for private life and the protection of personal data in electronic communications] should include the education of users, teaching them to make use of their rights, as well as anonymisation and encryption’ (2).
3.7. The EESC supports the creation, as of May 2018, of a single pan-European set of rules as opposed to the 28 national laws in force today. The newly created one-stop shop mechanism will ensure that a single data protection authority (the ‘DPA’) will be responsible for the supervision of cross-border data processing operations carried out by a company in the EU. Consistency of interpretation of the new rules will be guaranteed. In particular, in cross-border cases where several national DPAs are involved, a single decision will be adopted to ensure that common problems receive common solutions. The EESC hopes that the new procedures not only ensure consistency of interpretation but also the highest possible level of data protection.
3.8. The EESC takes note that the Communication and its key proposals are welcomed by Digital Europe, the organisation which represents the digital technology industry in Europe (3). The growing penetration of cloud computing poses new and complex challenges, which are meant to evolve due to the rapid pace of technological change. Legislation has to be adaptable so it can be brought in line with technological and market developments.
4. Specific comments
4.1. Adequacy decisions taken by the Commission are currently the proper instrument to ensure data protection for EU citizens in relation to other countries and entities, both governmental and private. They are also a useful instrument for encouraging non-EU countries to aspire to a similar level of protection for their own citizens, and should be the preferred tool to protect the exchange of personal data.
4.2. The EESC finds the four key criteria (4) to be taken into account by the Commission when assessing the countries with which a dialogue on adequacy should be pursued to be well-balanced and reasonable. It is important, however, to interpret these criteria in the light of the real commitment on the part of the governments, parliaments and courts in these countries to reach an equivalent and functional level of personal data protection.
4.3. The EESC calls for more transparency and participation in the process of granting adequacy decisions. Representatives from the business sector, especially SMEs, together with consumer protection groups and civil society organizations have to be involved and consulted. The EESC is open to facilitating the process of consultation.
4.4. The EESC welcomes the dialogue started by the Commission with key trading partners in eastern and south-eastern Asia, including Japan and Korea, and possibly India, together with countries in Latin America and countries covered by the European neighbourhood policy which have expressed an interest in obtaining an ‘adequacy finding’.
4.5. The EESC considers that partial adequacy status for certain countries, which would have some sectors and territories included, is problematic because it does not ensure sufficient and consistent constitutional, procedural and institutional guarantees that personal data is protected. Partial adequacy could be a useful intermediary stage in which the EU and the respective countries find common ground and coordinate efforts. The aim in the long term is to reach a more solid and comprehensive agreement on the basis of existing frameworks in all the countries concerned (5).
4.6. The EESC welcomes efforts to create a sound and functional bilateral framework with the United States of America. The recently adopted decision on the EU-US Privacy Shield, replacing the EU-US Safe Harbor framework, is a step forward. It is limited in scope, however, as it is based on voluntary sign-up, leaving out a large number of US organisations.
4.7. The EESC hopes that the Commission, the Council, the national governments and parliaments of the Member States and the US Government and Congress will welcome the proposals put forward in the European Parliament Resolution of 6 April 2017 on the adequacy of the protection afforded by the EU-US Privacy Shield. The European Parliament raises serious concerns in the Resolution, many of them indicating that the agreement and the current US legislative framework do not in practice protect the rights of EU citizens (6).
4.8. Similar concerns were raised by several civil society groups from the European Union and the United States (7). The EESC encourages all the EU institutions to take note of these concerns.
4.9. The Committee, while recognizing the Commission’s desire to create a new dynamic, notes that its proposals maintain legal uncertainties for persons whose rights have been violated. There are several aspects which contribute to this end:
4.10. Monitoring following the adoption of an adequacy decision is essential to ensure that the agreements work in practice. Given the rapid technological advances and continuous expansion of ITC infrastructure, there is a need for close governmental oversight and monitoring. Even though adequacy decisions are evaluated every four years (see Article 45(3) GDPR), the EESC recommends a permanent contact between the Commission, DPAs and third country governmental authorities in order to identify new challenges in what is a very dynamic technological and economic environment.
4.11. The EESC encourages the Commission to work with stakeholders to develop alternative personal data transfer mechanisms adapted to the particular needs or conditions of specific industries, business models and/or operators.
4.12. The EESC considers that promoting data protection standards through multilateral instruments should be a priority for the Commission and that this commitment should be backed by resources.
4.13. Council of Europe Convention No 108, with its additional Protocol, is the only binding multilateral instrument in the area of data protection. The instrument should be further developed and more third countries should be encouraged to join.
4.14. The multilateral efforts within the OECD, the G20 and APEC should be further developed with a view to building a truly global multilateral system of data protection. Cooperation with the UN Special Rapporteur on the right to privacy should be solid and functional.
4.15. Enhancing cooperation with relevant national privacy enforcement and supervisory authorities in third countries should be a priority. Even though it does not create legally binding obligations, the OECD’s Global Privacy Enforcement Network (GPEN) can promote law enforcement cooperation by sharing best practices in addressing cross-border challenges and supporting joint enforcement initiatives and awareness-raising campaigns (8).
4.16. With regard to personal data exchanges as part of the prevention, investigation and prosecution of criminal offences, the EESC is a strong supporter of creating robust data protection safeguards, but is also open to the introduction of adequacy findings in the criminal law enforcement sector. Data protection and the prevention, investigation and prosecution of criminal offences, including cybercrime and terrorism, must go hand in hand.
4.17. The EU-US Data Protection Umbrella Agreement concluded in December 2016 is a good example of how data protection rights and obligations in line with the EU acquis can be built into bilateral agreements. The same procedures can also work in different policy areas, such as competition policy or consumer protection. The EESC encourages the Commission to explore the possibility of concluding similar framework agreements with its important law enforcement partners.
4.18. The Committee is looking forward to the results of the first annual review of the EU-US Privacy Shield this year and hopes that it will be a thorough and participatory exercise. The EESC hopes that both the EU and the US will remain committed to working together towards a higher level of protection of personal data.
Brussels, 18 October 2017.
The President of the European Economic and Social Committee
Georges DASSIS
(1) EESC opinion on the General Data Protection Regulation, 23 May 2012 (OJ C 229, 31.7.2012, p. 90).
(2) EESC Opinion on the Protection of personal data, 5 July 2017 (OJ C 345, 13.10.2017, p. 138).
(3) Letter to the European Commission regarding its recent International Data Transfers Communication, DIGITALEUROPE, 12 May 2017, accessed 1 August: http://www.digitaleurope.org/Press-Room/Latest-News/News-Story/newsID/623
(4) The key criteria are: 1. The extent of the EU’s (actual or potential) commercial relations with a given third country, including the existence of a free trade agreement or ongoing negotiations; 2. The extent of personal data flows from the EU, reflecting geographical and/or cultural ties; 3. The pioneering role the third country plays in the field of privacy and data protection that could serve as a model for other countries in its region; 4. The overall political relationship with the third country in question, in particular with respect to the promotion of common values and shared objectives at international level.
(5) The Commission encouraged the US to pursue efforts towards a comprehensive system of privacy and data protection, allowing for convergence between the two systems in the longer term. See Communication from the Commission to the European Parliament and the Council, Transatlantic Data Flows: Restoring Trust through Strong Safeguards, COM(2016) 117 final, 29.2.2016.
(6) European Parliament Resolution of 6 April 2017 on the adequacy of the protection afforded by the EU-US Privacy Shield: The EP ‘[d]eplores the fact that neither the Privacy Shield Principles nor the letters of the US administration providing clarifications and assurances demonstrate the existence of effective judicial redress rights for individuals in the EU whose personal data are transferred to a US organisation under the Privacy Shield Principles and further accessed and processed by US public authorities for law enforcement and public interest purposes, which were emphasised by the CJEU in its judgment of 6 October 2015 as the essence of the fundamental right in Article 47 of the EU Charter’, paragraph 26.
(7) Coalition of Civil Liberties Organisations call for EU Lawmakers to Push for US Surveillance Reform to Ensure a Right-respecting Framework for Non-US persons, 28 February 2017, accessed 1 August: https://www.accessnow.org/cms/assets/uploads/2017/02/Section702CoalitionLetter1.pdf
(8) See also the OECD Privacy Framework, OECD, 2013.