Category: 3.2 Data protection

The LIBE Committee discussed on 7 April 2010 the re-launch of negotiations on a SWIFT long term agreement.

It has to be recalled that following the European Parliament refusal to provide its consent on the US-EU SWIFT Interim Agreement last February a new draft-negotiating mandate has been indeed submitted by the College of Commissioners on 24 March 2010 to the Council, which in turn is expected to approve it on 22/23 April. According to the Commission the new agreement might be concluded at the beginning of June of this year.

Will the new agreement be founded on Judicial cooperation in penal matters or ….?

According to the Commission statement and the legal basis chosen for the new mandate (art. 82 of the TFUE) the future agreement will comply with the EP request  expressed already in September 2009 to build the EU US cooperation in this domain in a framework which could be consistent with the new EU Treaty the art. 8 of the European Charter of Fundamental rights and the request of some Constitutional Courts such as the German Court. To do so the draft mandate has foreseen the creation of  an European “Authority of  judicial nature” which could check the necessity and proportionality of the US request of SWIFT data .

Therefore during the debate Rapporteur Ms Jeanine Hennis Plasschaert (ALDE) enquired the European Commission on whether it would be possible to explore alternative legal frameworks from judicial cooperation in penal matters .

Mr Faull underlined that the Commission could not see any feasible short term alternative system to the mutual legal assistance framework, however this will not prevent the Commission to explore also other possibilities, following the requests from the Spanish Presidency and by taking in account the question posed by the Rapporteur. On the same logic to find alternative solution to judicial cooperation Ms Carmen Romero López (S&D) suggested to work within the framework of an anti-money laundering directive revised to include banking messaging companies.

Therefore according to Jan Philipp Albrecht (Greens/EFA) these “alternative” approaches would go against the European Charter on Fundamental Rights, the European Convention on Human Rights as well as the German Court (see recent judgment on data retention) with the risk, as pointed out “that Germany will feel impelled to reject this mandate on constitutional grounds”. To avoid possible “clashes” with European or national constitutional courts Mr Albrecht has then suggested then to request for the opinion of the EU Court of Justice on the compatibility of the draft agreement with the EU legislation, as foreseen by Article 218 §11 of the Treaty on the Functioning of the European Union.

The new draft negotiating mandate

The new draft negotiating mandate as agreed upon by the College of Commissioners on 24 March 2010 and upon approval of the Council foresees  -among others- the following elements:

• Safeguards to ensure the respect of the fundamental right to the protection of personal data;
• Transfer to third countries of only information derived from terrorism investigations (“lead information”);
• A judicial public authority in the EU with the responsibility to receive requests from the United States Department of the Treasury, verify if  the substantiated  request meets the requirements of the Agreement and if appropriate require the provider to transfer the data on the basis of a “push” system;
• Retention of personal data extracted from the TFTP database for no longer than necessary for the specific investigation or prosecution and non-extracted data retained for five years;
• Onward transfer of information obtained through the TFTP under the Agreement shall be limited to law enforcement, public security, or counter terrorism authorities of US government agencies or of EU Member States and third countries or Europol or Eurojust as well as Interpol.
• The Agreement shall provide for:

1) the right of individuals to information relating to the processing of personal data;

2) the right to access his/her personal data;

3) to the rectification, and

4) as appropriate erasure thereof.

Hence, it appears that the College of Commissioners has tried to address some of the past concerns addressed by the MEPs.

However, while demonstrating the willingness to explore grounds for a new agreement on the SWIFT data-sharing, some of the Members of the LIBE Committee, expressed a variety of concerns, most of which were already raised in the previous report of the European Parliament and that can be summarised as follows:

Proportionality

Members of Parliament still have concerns that the transfer of bulk data will not be addressed properly. According to Ms Sophie In’t Veld (ALDE) filtering should be done in the EU for financial data, PNR and telecommunications. Also Ms  Birgit Sippel (S&D) stressed that SWIFT should be able to individualise data ahead of a transfer.

In this regard it remains to be seen whether SWIFT has the technical ability but not the willingness to bare the costs derived from selecting and transferring  individual data instead of ‘data in bulk’.

According to Mr Faull it will not be possible to reduce the quantity of data transferred however he will work to reduce their size by removing the presumably non-useful data.

Data storage period

MEPs expressed concerned over the five years data storage as foreseen by the new text despite the attempts of Mr Faull to reassure the Committee stating that five years was not “unreasonable” given data’s useful lifespan in counter-terrorism.

Access, rectification, compensation and redress outside the EU

Mr Stavros Lambrinidis (S&D) enquired whether there was no other way for the bulk transfer of data and if it was not possible to impose some prior European check when the US wants to transfer the data to third countries.

Furthermore MEPs expressed the need to ensure the right to appeal to European citizens in front of American authorities in case of personal data abuse/misuse.

In this respect Mr Busutill asked to ensure equal rights between US and EU citizens and Mr Faull replied that the Privacy Act is indeed discriminatory and therefore does not guarantee the same rights to EU and US citizens.  However the Privacy Act does not apply to the TFTP , hence asking to apply the same right of US citizens to the European ones means not having any rights at all.

No evidence on the effectiveness

There still is no evidence that cases of terrorism have been prevented or prosecuted based exclusively on the financial data.

Procedural concerns

The fact that the EU is planning to conclude an executive agreement on exchanges of data before negotiating the general agreements on rules governing the data protection raise additional concerns. Indeed, the acceleration of the envisaged SWIFT II agreement will limit the margin of maneuver for negotiators on the overarching transatlantic agreement on data sharing and data protection. In other words, it will force the latter to simply accept praxis established before the development of the general principles governing data protection.

Also the Commission -using the words of the Director General of DG JLS Mr Jonathan Faull- is of the opinion that “in an ideal world” general norms should be established before specific ones. However, no sufficient reasons have been provided to explain why the European Union is accelerating the negotiations on the SWIFT agreement instead of giving precedence to the establishment of overarching general framework on EU-US data protection and exchange.

In conclusion, the European Union is engaging in a delicate exercise trying to define at the same time internal, external, specific and general data protection norms. This would have been possible -in theory- if the European Union had clear objectives and points of reference. However, following the LIBE Committee debate on 7 April this seems far from being the case.

L.B.

In the next few weeks the European Parliament will receive  several international agreements in the field of police and judicial cooperation negotiated or signed -albeit not yet ratified by the European Council- before the entry into force of the Lisbon Treaty. 

Among these, special attentions deserve the two agreements signed with the United States concerning access to personal data to fight against terrorism.

The first one concerns personal data managed by airline companies when they conclude a transport contract which has as a destination or point of transition the United States (EU-USA Agreement on access to Passenger Name Record- PNR).

The second one, recently published in the Official Journal, concerns the access to personal and financial data exchanged via interbanking messages and processed worldwide, in almost their totality, by a specific society called SWIFT .

Their access is regulated by the Terrorist Finance Tracking Program (TFTP) on the basis of which the USA Treasury Department may request via an administrative mandate (“subpoena”) to access personal and financial data to prevent and fight terrorism.

The advantage of interbanking messages relies on their fast and easy accessibility compared to financial information, whose access is regulated by the prevention programmes for combating Money Laundering and Terrorist Financing. In fact, on the basis of these measures applied worldwide, it is a bank’s responsibility to signal suspicious transactions to the National Financial Intelligence Unit (FIU) which in turn transmits the information to the FIU of the countries involved in terrorist investigations.[1]  

On the contrary TFTP access is direct, avoiding delays, risks of incomprehension and non-cooperative banks around the globe.

Even if available data are limited (such as clients generalities and amounts of transferred money) they become  essential once they are cross-checked with information coming from other sources related to judicial, police and intelligence investigations.

This is obviously an extraordinary instrument also for the USA. This authorisation is based on exceptional powers granted to the President of the United States on a temporary basis by the  Emergency Economic Powers Act (50 USC, sections 1701-1706). The President immediately used them after the 9/11 attacks and since then the Congress has renewed its authorisation every year.[2]

The TFTP programme remained secret up to 2006 when the USA press[3] published a series of articles and the Society SWIFT released a few statements after obtaining more restrictive measures to the access of data by the USA Treasury Department. 

This took place despite the fact that the TFTP is exceptionally not covered by the Privacy ACT of the United States and neither by the general norms laid down to protect privacy in financial transitions.

The debate triggered at the European Union level resulted in a series of hearings and resolutions of the European Parliament[4], it  set off an investigation of the CE Commission, an opinion of the data protection national authorities Working Group and an investigation carried out by the Belgian authorities ,who are the one responsible for the control of the activities carried onby the company  SWIFT.

The conclusions of these discussions pointed out that the management of these data – although illegal in the EU territory-  is legal in the USA territory on condition that:

-the company SWIFT adheres to the voluntary programme “SAFE HARBOR” to protect its clients[5] and

– American authorities respect a series of self-imposed limitations to limits data access; Furthermore,  the constant presence of SWIFT employees when data are collected should be granted and a periodical review by an independent authority  nominated in a concerted way by the USA and the EU takes place.

This complex jurisdictional construction was – and still is-  based on the principle that these data are in the USA territory and therefore under jurisdiction of the American authorities.

However, things chaged when the company SWIFT restructured the systems architecture of the financial messaging network in 2007 and its global data centres.  Becasue of this, SWIFT decided that the data coming from interbanking transactions outside the USA territory were all relocated exclusively within the European territory no longer allowing a mirror copy of these data in the American servers.

Based on the argument that retained data are crucial to the fight against terrorism, American authorities asked to keep on accessing these data also once they would have been relocated to the EU territory (and under EU legislation), with the guarantee that in case of a terrorist threat these data would have been transmitted back to the EU.

This ofer was mainly made on the basis that the majority of the European states are not equipped to use and process the data gathered in the TFTP. Therefore, in this way not only the United States but also the European Union would have benefit from the programme. 

On the basis of this reasoning, negotiations started before summer 2009 and have been carefully followed by the European Parliament which in its resolution in September 2009 listed the minimum conditions to be applied to make sure that the use of data of TFTP is compatible with European standards. These indications refer to data protection as well as judicial protection standards, given that these are information that can be used for counter terrorism activities.

Against this background two agreements have been put forward:  a first transitional agreement of the limited duration of 9 months and a second longer one whose negotiations should start in the next few weeks.

The “transitional” text of the first agreement has now been published in the Official Journal and will enter into force on 1st February 2010;  it recalls some of the concerns of the European Parliament, not last the one concerning the need to anchor the implementation of this agreement to that on judicial cooperation in criminal matters between the EU and the USA concluded in Washington on 28 October 2009.[6]

It is too early to predict what the European parliament will do. One should not give for granted the outcome of the parliamentary scrutiny and its final vote since the Treaty of Lisbon (Article 16 TFEU) and the now binding Charter of Fundamental Rights[7] have introduced even stricter standard in terms of data protection.

EDC

---

[1] See GAFI recommendations such as the VII financial provision to gather data concerning transfer above 1.000 $ in Europe (3.000 $ in the USA) and to make them available to the authorities; see also Communitarian Directives on money laundering and Communitarian Regulations in this field (such as  Regulation (CE) No 1781/2006 of the European Parliament and the Council of 15 November 2006 on information on the payer accompanying transfers of funds)  

[2] CRF Presidential Executive Order 13224 issued by the President George Bush on 23 September 2001.

[3] See Wikipedia reconstruction: http://en.wikipedia.org/wiki/Terrorist_Finance_Tracking_Program

[4] See resolution of 6 July 2006 on the interception of bank transfer data from the SWIFT system by the US secret services (OJ C 303 E, 13.12.2006, p. 843) and Resolution of 14 February 2007 on SWIFT, the PNR agreement and the transatlantic dialogue on these issues (OJ C 287 E, 29.11.2007, p. 349).

[5] The Commission CE assessed that Safe Harbor guaranteed a sufficient level of data protection back in 2001.

[6] Processing of EU originating Personal Data by United States Treasury Department for Counter Terrorism Purposes – “SWIFT” (OJ C 166, 20.7.2007, p. 18).

[7] See also the European Convention on Human Rights, in particular Articles 5, 6, 7 and 8 thereof, the Charter of Fundamental Rights, in particular Articles 7, 8, 47, 48 and 49 thereof, Council of Europe Convention No 108 for the Protection of Individuals with regard to Automatic Processing of Personal Data, Directive 95/46/EC and Regulation (EC) No 45/2001.