EUROPEAN PARLIAMENT RESOLUTION ON THE FIRST REPORT ON THE IMPLEMENTATION OF THE DATA PROTECTION DIRECTIVE (95/46/EC) (COM(2003) 265 – C5-0375/2003 – 2003/2153(INI))


PROCEDURAL PAGE
By letter of 15 May 2003 the Commission forwarded to Parliament the First Report on the implementation of the Data Protection Directive (95/46/EC) (COM(2003) 265), which was referred to the Committee on Citizens' Freedoms and Rights, Justice and Home Affairs for information.
At the sitting of 4 September 2003 the President of Parliament announced that the Committee on Citizens' Freedoms and Rights, Justice and Home Affairs had been authorised to draw up an own-initiative report on the subject under Rules 47(2) and 163, and that the Committee on Legal Affairs and the Internal Market and the Committee on Industry, External Trade, Research and Energy had been asked for their opinions (C5-0375/2003).
The Committee on Citizens' Freedoms and Rights, Justice and Home Affairs appointed Marco Cappato rapporteur at its meeting of 9 September 2003.
The committee considered the draft report at its meetings of 22 January and 19 February 2004.
At the latter meeting it adopted the draft resolution unanimously.
The following were present for the vote: Jorge Salvador Hernández Mollar (chairman), Johanna L.A. Boogerd-Quaak (vice-chairwoman), Giacomo Santini (vice-chairman), Maurizio Turco (for Marco Cappato, rapporteur), Mary Elizabeth Banotti, Kathalijne Maria Buitenweg (for Patsy Sörensen), Michael Cashman, Carmen Cerdeira Morterero, Gérard M.J. Deprez, Adeline Hazan, Margot Keßler, Timothy Kirkhope, Eva Klamt, Luís Marinho (for Ozan Ceyhun), Marjo Matikainen-Kallström (for Charlotte Cederschiöld), Arie M. Oostlander (for Carlos Coelho), Elena Ornella Paciotti, Paolo Pastorelli (for Giuseppe Brienza), Hubert Pirker, Bernd Posselt, Olle Schmidt (for Baroness Ludford), Sérgio Sousa Pinto, Joke Swiebel, Anna Terrón i Cusí and Christian Ulrik von Boetticher.
The opinions of the Committee on Legal Affairs and the Internal Market and the Committee on Industry, External Trade, Research and Energy are attached.
The report was tabled on 24 February 2004



The European Parliament,
- having regard to the First Report on the implementation of the Data Protection Directive (95/46/EC) (COM(2003) 265 - C5-0375/2003),
- having regard to the texts that in international law protect the right to privacy, and notably Article 12 of the Universal Declaration of Human Rights of 10 December 1948, Article 17 of the International Covenant on Civil and Political Rights of 16 December 1966, Article 8 of the Convention for the Protection of Human Rights and Fundamental Freedoms of 4 November 1950, the Convention for the protection of individuals with regard to automatic processing of personal data of 28 January 1981 and the recommendations adopted by the Council of Europe,
- having regard to Article 6 of the TEU (respect for human rights and fundamental freedoms in the EU) and Article 286 of the EC Treaty, as well as Articles 7 (respect for private and family life) and 8 (protection of personal data) of the European Charter of Fundamental Rights,
- having regard to the EU laws that protect the right to privacy and to data protection, and notably Directive 95/46/EC of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector,
- having regard to other EU instruments concerning data protection in the field of the third pillar, and notably to the draft Greek Presidency working document on common rules for the protection of personal data within the framework of the third pillar, and having regard to the announcement made by Commissioner Vitorino that the Commission intended to propose a legal instrument on this issue in 2004 ,
- having regard to the opinions of the working party on privacy established by Article 29 of Directive 95/46/EC,
- having regard to the documents relating to the transfer of transatlantic passengers' personal data to the USA, with particular reference to: the opinions of the Article 29 Working Party, the Commission communications, the US Undertakings, the opinion of the Belgian Committee on the Protection of Privacy on complaints by some passengers, and the complaint lodged with the Commission regarding the violation of Regulation (EEC) No 2299/89,
- having regard to the Court of Justice judgment of 20 May 2003 in the Österreichscher Rundfunk and Others case,
- having regard to Rule 47(2) and Rule 163 of its Rules of Procedure,
- having regard to the report of the Committee on Citizens' Freedoms and Rights, Justice and Home Affairs and the opinions of the Committee on Legal Affairs and the Internal Market and the Committee on Industry, External Trade, Research and Energy (A5-0104/2004),
A. whereas the right to privacy is a fundamental human right, as set out in all the main legal instruments that guarantee citizens' freedoms and rights at international, European and national level,
B. whereas the EU has developed a legal regime aimed at guaranteeing citizens' privacy through a high standard of data protection in areas covered by the first pillar,
C. whereas, due to the current pillar structure of the EU, activities that fall within the remit of the second and third pillars are excluded from this legal regime and are partially subject to fragmented specific provisions; whereas the European Parliament is only partially consulted and informed and whereas the Court of Justice has limited powers in this area,
D. whereas Directive 95/46/EC charges the Commission with reporting to the Council and the European Parliament on the implementation of the directive and with proposing, if necessary, suitable amendments,
E. whereas, since the terrorist attacks of September 2001, measures aimed at increasing security by modifying privacy and data protection rights have been adopted or are planned at national, European and international level,
F. whereas data transfers to third states and organisations are an area of concern, both because of disparities in the laws of the Member States, some of which are excessively permissive and other excessively rigid, and, above all, because the binding assessment of the adequacy of the protection provided by recipients for a fundamental right of European citizens comes within the remit of the executive body, the Commission, and not that of Parliament,
G. whereas negotiations are still underway between the EU and the US on the issue of the illegal transfer of transatlantic passengers' data to the US and whereas the EP has asked the Commission to take action pursuant to Article 232 of the EC Treaty,
H. whereas the Belgian Committee on the Protection of Privacy has ascertained that the personal data of some European transatlantic passengers - including a Member of the European Parliament - were transferred to the USA illegally, in violation of Belgian law and European directives,
I. whereas the Article 29 Working Party stated in its opinion on the transfer to the USA of data relating to transatlantic passengers that 'the progress made does not allow a favourable adequacy finding to be achieved', and whereas a large number of further issues need to be resolved before the Commission can take an adequacy decision,
J. whereas the EU, its institutions and the Member States are required to comply with the Charter of Fundamental Rights of the EU, particularly Article 8 thereof, the European Convention on Human Rights and Fundamental Freedoms and the general principles of international law, and whereas the current policies of data retention and data transfer to third countries are likely to result in their being seriously breached,
K. whereas the Commission and Member States and national privacy protection authorities are responsible for the effective implementation of national and European privacy laws and for punishing violations of those laws,
L. whereas national and European laws on the transfer of personal data to third countries have been flagrantly breached by the transfer of transatlantic passengers' personal data to the US law-enforcement authorities, and whereas the attitude of the Commission, the Member States and some privacy protection authorities - particularly those which under national law have the power to block data transfers - has been basically to connive at this violation of the law and of the principle of legality,
M. whereas in the Internet global information society context, solutions cannot be found within the EU only,
on the need for a comprehensive and trans-pillar European privacy and data protection regime
1. Deplores the extremely serious delays that have occurred within the Commission in this matter and urges it to propose within the first half of 2004, as announced, a 'legal instrument' on the protection of privacy in the third pillar; this instrument should be binding in nature and aimed at guaranteeing in the third pillar the same level of data protection and privacy rights as in the first pillar; it should harmonise, according to these high standards, the current rules on privacy and data protection concerning Europol, Eurojust and all other third-pillar organs and actions, as well as any exchange of data between them and with third countries and organisations;
2. Considers that, in the long term, Directive 95/46/EC should be applied, following the appropriate modifications, to cover all areas of EU activity, so as to guarantee a high standard of harmonised and common rules for privacy and data protection;
3. Believes that respect for privacy and data protection rules should be guaranteed by national supervisory authorities, a common EU authority, to which citizens will have the right to appeal, and the Court of Justice; maintains that Parliament should also be consulted on, and have decision-making powers in respect of, all proposals concerning or having an impact on the protection of privacy within the EU, such as international agreements involving its bodies, adequacy findings and so on;
4. Considers that immediate steps should be taken to facilitate enjoyment by citizens of their right to privacy and protection of their personal data (access to data, correction, amendment, deletion, etc.), involving the introduction of a single procedure for national privacy authorities regarding data stored in national and European databases coming under the first and third pillars;
5. Welcomes the fact that the Commission has conducted an open and in-depth consultation and debate with all interested parties (Member State governments and supervisory authorities, organisations, companies, citizens), on-line and off-line, on the implementation of the directive, and takes note of the results of this consultation;
on the implementation of Data Protection Directive 95/46/EC
6. Regrets the fact that some Member States did not implement the directive before the deadline for transposition of 24 October 1998, thereby obliging the Commission to take legal action on 11 January 2000 against France, Luxembourg, the Netherlands, Germany and Ireland, but notes that all Member States have now done so; calls on Ireland to immediately notify to the Commission its recent law of implementation; regrets the fact that the tardy implementation of the directive by the Member States and the continuing differences in the way in which it is applied at national level have prevented economic operators from drawing maximum benefit from it, and have blocked some cross-border activities within the European Union;
7. Calls on all the actors concerned, European institutions, Member States and data protection authorities, as well as economic and societal actors, to make their contribution and cooperate to ensure correct implementation of the data protection principles regulated by the directive;
8. Shares the view of the Commission that, since implementation of the directive has been slow and experience with it is still very limited, the directive should not be amended for the time being (except as indicated in paragraph 16), and that current shortcomings in the implementation of the directive should be overcome by actions taken at the European and national level by Member States and data protection authorities following the programme announced in the Commission's communication;
9. Points out that the completion of the internal market is conditional upon guaranteed data protection; accordingly, calls on the Commission to highlight the areas in which diverging interpretations of the directive are hampering the smooth operation of the internal market, and to report on this to the European Parliament;
10. Shares the Commission's view that, if after a deadline of six months this cooperation does not produce the results expected, it will bring those Member States failing or refusing to comply with the directive to Court; considers, in this connection, that the Commission should show particular vigilance and determination as regards the proper application of legal exceptions to privacy laws, so as to ensure compliance with the ECHR and the related case law;
on data transfers to third states or organisations
11. Welcomes the intention of the Commission of simplifying the regulatory framework for enterprises as regards requirements for international transfers of data;
12. Recalls that no exception should be allowed to the principle that first-pillar-related data can only be transferred to third countries and organisations if the data protection level is similar to that of the EU;
13. Points out, notably to Europol, Eurojust and other third-pillar organs, that law enforcement-related data can only be transferred on a case-by-case basis to countries or organs that respect human rights and fundamental freedoms, democracy, the rule of law and European data protection standards, such as the data protection principles laid down by Council of Europe Recommendation R (87) 15 on the use of data of a personal nature in the police sector; asks, furthermore, to be consulted before - and receive reports after - such transfers take place; urges Europol and Eurojust to clarify and make available to citizens and to Parliament the necessary information on the exchange of data, whether personal or not, with third countries and organisations;
14. Reiterates that, as stated in the opinion of the Belgian Committee on the Protection of Privacy, the opinions of the Article 29 Working Party and the report of the EU network of experts on human rights, EU data protection standards are seriously infringed when personal data are, without informing and obtaining the consent of the data subject, transferred or accessed directly and systematically by a third state party or law-enforcement authority, notably when data are collected for another purpose and without judicial authorisation, as in the case of US authorities accessing transatlantic passenger data collected in the EU by airline companies and electronic reservation systems;
15. Agrees with the Article 29 Working Party's opinion on the inadequacy of the current privacy arrangements in the United States and on the latest version of the Undertakings, as well as on the remaining problem areas; considers the progress made in this connection during a year of negotiations between the Commission and the US authorities to be totally inadequate;
16. Proposes that the directive be amended so as to make the assessment of the adequacy of the protection provided for the personal data of European citizens by a third country to which such data are to be transferred subject to Parliament's approval;
17. Calls for the agreements currently being negotiated or already negotiated which entail the transmission of personal data between the EU and third countries or bodies to guarantee an adequate level of data protection and, in any case, to maintain the level guaranteed in Directive 95/46/EC;
on exceptions to privacy laws
18. Believes that Member States' laws providing for the wide-scale retention of data related to citizens' communications for law-enforcement purposes are not in full conformity with the European Convention on Human Rights and the related case law, since they constitute an interference in the right to privacy, falling short of the requirements of: being authorised by the judiciary on a case-by-case basis and for a limited duration, distinguishing between categories of people that could be subject to surveillance, respecting confidentiality of protected communications (such as lawyer-client communications), and specifying the nature of the crimes or the circumstances that authorise such an interference; believes, furthermore, that serious doubts arise as to their necessity within a democratic society and - as specified by Article 15 of Directive 2002/58/CE - as to their appropriateness and proportionality;
19. Asks the Commission to produce a document on the right to privacy and the conditions for exceptions to be legal, on the basis of the European Convention on Human Rights, the related case law and EU data protection directives and urges the EU institutions to launch an open and transparent debate on the basis of this document;
other concerns
20. Asks the Member States to respect criteria of legal clarity and legal security for better regulation when implementing the directive in order to avoid any unnecessary burden on enterprises and particularly on SMEs;
21. Stresses that the free movement of personal data is vital for the smooth operation of virtually all Union-wide economic activities; it is therefore necessary to resolve these differences of interpretation as soon as possible, to enable multinational organisations to frame pan-European data protection policies;
22. Stresses the need for the Member States and the European institutions to adopt an equivalent level of protection of fundamental rights and protection of individuals in applying both Directive 95/46/EC and Regulation (EC) No 45/2001 on data protection;
23. Calls on the Commission to adopt an approach seeking to harmonise this directive with other legislative provisions, such as the proposal for a European Parliament and Council directive for the approximation of laws, regulations and administrative provisions of the Member States concerning consumer credit, in order to avoid inconsistencies between such proposals;
24. Calls on Member States and supervisory authorities to create a less complex and burdensome environment for data controllers and agrees with the Commission on the need to avoid imposing requirements that could be dropped without any detrimental effects for the high level of protection guaranteed by the directive;
25. Stresses that the management and protection of data are nowadays a critical factor of success for companies;
26. Agrees with the Commission on the need for improvements to be made in order for economic operators to have a wider choice of standard contractual clauses in the field of data protection and that these should possibly be based on clauses submitted by business representative associations;
27. Calls on Member States to ensure that data protection authorities are provided with the necessary means to comply with the tasks foreseen by Directive 95/46/EC, and that they are independent and autonomous from national governments; considers that data protection authorities should keep enhancing their efficiency and effectiveness and play a more active role at national and European level in the framework of the Article 29 Working Party, for instance in helping to implement the programme proposed by the Commission and in ensuring that the law is implemented;
28. Regrets that seven Member States - Belgium, Germany, Greece, France, Luxembourg, the Netherlands and Portugal - have not respected the deadline for implementation of Directive 2002/58/EC set for 31 October 2003, and calls on them to take the necessary measures;
29. Calls on the Commission, the Member States and national privacy authorities to carry out annual assessments of compliance with national and international privacy laws, irrespective of the pillar concerned, and, where appropriate, to submit amendments to legislation, to forward these amendments to the relevant bodies - particularly parliamentary bodies - and to make them publicly available, inter alia on the Internet;
30. Expresses concern at the development of SIS and the Council plans under which SIS II should allow new categories of alerts (persons and objects) and new sectors to be added, alerts to be inter-linked, the period during which alerts may be stored to be changed, biometric data (especially photographs and fingerprints) to be registered and transferred, and access to be provided to new authorities, namely Europol, Eurojust and national judicial authorities, where necessary, for purposes other than those originally laid down, such as the transmission of European arrest warrants; deplores, furthermore, the legal confusion created by the fact that SIS covers both first and third pillar matters, with different levels of privacy protection;
31. Expresses concern at the general approach taken by the Council to proposals seeking to incorporate biometric data (digital photographs and fingerprints) into visas and residence permits using an electronic chip, particularly because such data can easily be copied into centralised databases when checks are carried out; is concerned that new developments in the field of data protection, such as the possible use of biometrics, will put more demands on the supervisory authorities that are currently 'under-resourced for their wide range of tasks' ; calls on the Member States to make additional resources available for the data protection supervisory authorities to ensure the effective functioning of the system;
32. Calls on the Member States and national and European authorities to ensure that privacy legislation is not misused intentionally or unintentionally to undermine the right of access to documents, administrative transparency and institutional advertising, or to make it excessively difficult for individuals to exercise their 'right to be known'; calls on the Commission to submit a report, based on an opinion of the Article 29 Working Party, on this type of abusive conduct and to put forward guidelines and, where appropriate, legislative measures with a view to guarding against such practices;
33. Calls on the Commission to continue to monitor the issue of video surveillance, not least in the light of national judicial rulings, and awaits the submission of the proposal on the protection of privacy at the workplace, of which advance notice has been given;
34. Urges Eurojust to state exactly which national and European provisions it has been and is implementing, given that there is much confusion and some serious doubts surrounding this matter;
35. Believes that self-regulation is a good means of avoiding excessively detailed legislation and calls on the business community to create a European code of conduct on personal data protection;
36. Asks for an additional effort towards internationally agreed principles to be made at the national, European and international level in order to improve the application of OECD guidelines and the Council of Europe Convention;
37. Points out that privacy and personal data protection should be part of the educational curriculum related to computers and the Internet; asks the Member States and the Commission to promote citizens' awareness in the field of data protection rights;
38. Instructs its President to forward this resolution to the Council and the Commission, the governments and parliaments of the Member States, the national privacy authorities, Europol and Eurojust and the United States Government.