In the next few weeks the European Parliament will receive several international agreements in the field of police and judicial cooperation negotiated or signed -albeit not yet ratified by the European Council- before the entry into force of the Lisbon Treaty.
Among these, special attentions deserve the two agreements signed with the United States concerning access to personal data to fight against terrorism.
The first one concerns personal data managed by airline companies when they conclude a transport contract which has as a destination or point of transition the United States (EU-USA Agreement on access to Passenger Name Record- PNR).
The second one, recently published in the Official Journal, concerns the access to personal and financial data exchanged via interbanking messages and processed worldwide, in almost their totality, by a specific society called SWIFT .
Their access is regulated by the Terrorist Finance Tracking Program (TFTP) on the basis of which the USA Treasury Department may request via an administrative mandate (“subpoena”) to access personal and financial data to prevent and fight terrorism.
The advantage of interbanking messages relies on their fast and easy accessibility compared to financial information, whose access is regulated by the prevention programmes for combating Money Laundering and Terrorist Financing. In fact, on the basis of these measures applied worldwide, it is a bank’s responsibility to signal suspicious transactions to the National Financial Intelligence Unit (FIU) which in turn transmits the information to the FIU of the countries involved in terrorist investigations.[1]
On the contrary TFTP access is direct, avoiding delays, risks of incomprehension and non-cooperative banks around the globe.
Even if available data are limited (such as clients generalities and amounts of transferred money) they become essential once they are cross-checked with information coming from other sources related to judicial, police and intelligence investigations.
This is obviously an extraordinary instrument also for the USA. This authorisation is based on exceptional powers granted to the President of the United States on a temporary basis by the Emergency Economic Powers Act (50 USC, sections 1701-1706). The President immediately used them after the 9/11 attacks and since then the Congress has renewed its authorisation every year.[2]
The TFTP programme remained secret up to 2006 when the USA press[3] published a series of articles and the Society SWIFT released a few statements after obtaining more restrictive measures to the access of data by the USA Treasury Department.
This took place despite the fact that the TFTP is exceptionally not covered by the Privacy ACT of the United States and neither by the general norms laid down to protect privacy in financial transitions.
The debate triggered at the European Union level resulted in a series of hearings and resolutions of the European Parliament[4], it set off an investigation of the CE Commission, an opinion of the data protection national authorities Working Group and an investigation carried out by the Belgian authorities ,who are the one responsible for the control of the activities carried onby the company SWIFT.
The conclusions of these discussions pointed out that the management of these data – although illegal in the EU territory- is legal in the USA territory on condition that:
-the company SWIFT adheres to the voluntary programme “SAFE HARBOR” to protect its clients[5] and
– American authorities respect a series of self-imposed limitations to limits data access; Furthermore, the constant presence of SWIFT employees when data are collected should be granted and a periodical review by an independent authority nominated in a concerted way by the USA and the EU takes place.
This complex jurisdictional construction was – and still is- based on the principle that these data are in the USA territory and therefore under jurisdiction of the American authorities.
However, things chaged when the company SWIFT restructured the systems architecture of the financial messaging network in 2007 and its global data centres. Becasue of this, SWIFT decided that the data coming from interbanking transactions outside the USA territory were all relocated exclusively within the European territory no longer allowing a mirror copy of these data in the American servers.
Based on the argument that retained data are crucial to the fight against terrorism, American authorities asked to keep on accessing these data also once they would have been relocated to the EU territory (and under EU legislation), with the guarantee that in case of a terrorist threat these data would have been transmitted back to the EU.
This ofer was mainly made on the basis that the majority of the European states are not equipped to use and process the data gathered in the TFTP. Therefore, in this way not only the United States but also the European Union would have benefit from the programme.
On the basis of this reasoning, negotiations started before summer 2009 and have been carefully followed by the European Parliament which in its resolution in September 2009 listed the minimum conditions to be applied to make sure that the use of data of TFTP is compatible with European standards. These indications refer to data protection as well as judicial protection standards, given that these are information that can be used for counter terrorism activities.
Against this background two agreements have been put forward: a first transitional agreement of the limited duration of 9 months and a second longer one whose negotiations should start in the next few weeks.
The “transitional” text of the first agreement has now been published in the Official Journal and will enter into force on 1st February 2010; it recalls some of the concerns of the European Parliament, not last the one concerning the need to anchor the implementation of this agreement to that on judicial cooperation in criminal matters between the EU and the USA concluded in Washington on 28 October 2009.[6]
It is too early to predict what the European parliament will do. One should not give for granted the outcome of the parliamentary scrutiny and its final vote since the Treaty of Lisbon (Article 16 TFEU) and the now binding Charter of Fundamental Rights[7] have introduced even stricter standard in terms of data protection.
EDC
[1] See GAFI recommendations such as the VII financial provision to gather data concerning transfer above 1.000 $ in Europe (3.000 $ in the USA) and to make them available to the authorities; see also Communitarian Directives on money laundering and Communitarian Regulations in this field (such as Regulation (CE) No 1781/2006 of the European Parliament and the Council of 15 November 2006 on information on the payer accompanying transfers of funds)
[2] CRF Presidential Executive Order 13224 issued by the President George Bush on 23 September 2001.
[3] See Wikipedia reconstruction: http://en.wikipedia.org/wiki/Terrorist_Finance_Tracking_Program
[4] See resolution of 6 July 2006 on the interception of bank transfer data from the SWIFT system by the US secret services (OJ C 303 E, 13.12.2006, p. 843) and Resolution of 14 February 2007 on SWIFT, the PNR agreement and the transatlantic dialogue on these issues (OJ C 287 E, 29.11.2007, p. 349).
[5] The Commission CE assessed that Safe Harbor guaranteed a sufficient level of data protection back in 2001.
[6] Processing of EU originating Personal Data by United States Treasury Department for Counter Terrorism Purposes – “SWIFT” (OJ C 166, 20.7.2007, p. 18).
[7] See also the European Convention on Human Rights, in particular Articles 5, 6, 7 and 8 thereof, the Charter of Fundamental Rights, in particular Articles 7, 8, 47, 48 and 49 thereof, Council of Europe Convention No 108 for the Protection of Individuals with regard to Automatic Processing of Personal Data, Directive 95/46/EC and Regulation (EC) No 45/2001.
European Area of Freedom Security & Justice 
One thought on “The EU-USA Provisional Agreement on Interbank Financial data access (SWIFT) under European Parliament scrutiny”