EU-US Agreement on SWIFT bank data transfer

europeonthestrand |

By Claudia Hillebrand

On Monday night, a contested transatlantic counter-terrorism agreement jumped another hurdle. In an extraordinary meeting in Strasbourg, the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (LIBE Committee) accepted a recommendation suggesting that the plenum of the European Parliament (EP) should approve the revised EU-US Agreement on SWIFT bank data transfer. This Agreement has been one of the most contested transatlantic counter-terrorism tools. The LIBE Committee accepted the recommendation provided by rapporteur Alexandro Alvaro. Alvaro’s recommendation to the Committee members was to give consent to the Agreement, though he pointed to a few points which “should still be clarified when the precise modalities are chosen”. The committee approved with 42 votes in favour, 8 against and 2 abstentions.

The Society for Worldwide Interbank Financial Telecommunication (SWIFT) is a financial messaging company based in Belgium which operates a vast network containing personal information of thousands of financial institutions, mainly banks. Soon after the 9/11 attacks, the US Treasury Department introduced its Terrorist Financing Tracking Program (TFTP) and started using data processed via SWIFT’s network in order to identify terrorist suspects, allow targeted searches for counter-terrorism investigations and pursue their providers of finance. SWIFT had some of its data mirrored on a server based in the US and the Treasury accessed data using subpoena powers. Since the end of 2009, all information concerning the European Economic Area and Switzerland remains stored in Europe. Thus, in order to ensure continuous access to SWIFT data, an agreement with the EU became necessary.

Within the EU, the Agreement quickly became subject to a power struggle between the Council and the EP. The Council agreed to an interim agreement with the US Treasury on the 30th of November 2009 – one day before the Lisbon Treaty entered into force, which would have required including the EP in the decision-making procedure. The EP was then asked to give its consent to this Agreement in February 2010. However, the EP had serious concerns about the inadequate level of data protection. In addition, it felt pressured by the Council and Commission to give its consent. As a consequence, the EP flexed its muscles, withholding its consent on 11 February 2010. In his recommendation this week, Alvaro emphasised this point suggesting that the new Agreement marks “a new step in Parliament’s powers, ensuring European democratic oversight over international agreements.”

The inadequate level of data protection was a crucial concern for many MEPs. In particular, the EP criticised the SWIFT Agreement for providing an exchange of ‘bulk’ data rather than specific information. During the negotiation process this spring, the EP was granted that an EU body similar to the American ‘Terrorism Finance Tracking Program’ will be established within 12 months, which will allow the body to send only more specific, previously analysed data to US authorities.

The new agreement – the ‘EU-US Agreement on the processing and transfer of financial messaging data for purposes of the US Terrorist Finance Tracking Programme’ (TFTP) was signed by Spain’s Minister of the Interior – on behalf of the EU – and by the current Chargé d’affaires of the US Mission to the EU – on behalf of the US – on the 28th of June. The Agreement is based on a Council decision and related declarations.

The plenum of the EP will discuss this week whether to agree to this draft Agreement which was negotiated by the Council of Ministers, the European Commission, the US Treasury and the European Parliament in the last couple of months. If the EP votes in favour of the Agreement – only a simple majority of votes is necessary, the Agreement will enter into force on 1 August 2010, for an initial period of five years.

The new agreement provides for a surprising role for the European Police Office (Europol), which has been well described by Peter Hustinx, the European Data Protection Supervisor, in his recent Opinion concerning the Agreement. To ensure independent oversight, the Agreement calls for a judicial public authority which “should have the responsibility to receive the requests from the US Treasury, assess their compliance with the agreement and, where appropriate, require the provider to transfer the data on the basis of a ‘push’ system.” However, it turns out that the Agreement allocates those tasks to Europol “which is an EU Agency for the prevention and combat of organised crime, terrorism and other forms of serious crime, affecting two or more Member States. It is obvious that Europol is not a judicial authority.”

Neither is Europol an ‘independent’ body in this context. Under Article 10 of the Agreement, it “may request the US Treasury to carry out a TFTP search when there is reason to believe that a person or entity has a nexus to terrorism or its financing” under Article 10 of the Agreement.” Hence, Europol will be able to make use of the very same mechanism that it is supposed to oversee. That oversight of the handling of such sensitive personal data is left to an executive body stands in stark contrast to the Lisbon Treaty’s commitment to more democracy and accountability in the EU.