The European Parliament discusses today, and votes tomorrow on, the transatlantic deal the US Government and the EU Council brokered last year. It is an interim agreement (called the “FDMA” or “Agreement between the European Union and the United States of America on the processing and transfer of Financial Messaging Data from the European Union to the United States for purposes of the Terrorist Finance Tracking Program (“TFTP”)”) that was agreed between both parties last November. It will enter into force as soon as the EP votes on it, on 11 February, and last until 31 October 2010. The EP’s consent is required under the provisions of the recent Lisbon Treaty to make the agreement enter into force. The European Parliament can only give its consent or refuse it.
The European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (“LIBE Committee”) issued last week a Recommendation with respect to how the EP should vote on the FDMA.
What is at stake?
A bit of history is required to understand the stakes of the current vote. In her report on behalf of the LIBE Committee, the Rapporteur, Jeanine Hennis-Plasschaert, states that each agreement that the EU and the US have negotiated on justice and home affairs issues since 11 September 2001 features many of the same problems in relation to personal data and legal protection. To overcome these difficulties, the EP has required since 2003 the definition of a coherent EU data protection legal framework as well as negotiations for a transatlantic binding agreement on this issue.
In 2006, it was revealed that the US government had obtained access since 2001 to all of SWIFT‘s data – including European bank customers’ financial information that was originally stored on servers based in the United States. This news story led to a storm of protest in the EU – in particular as regards the TFTP’s perceived lack of compatibility with the obligations under the EU Data Protection Directive (95/46/EC) as well as Member States’ laws implementing that Directive.
The LIBE Committee’s report argues that:
“As far as the TFTP is concerned, it must be considered as a departure from European law and practice in how law enforcement agencies would acquire individuals’ financial records for law enforcement activities, namely individual court-approved warrants or subpoenas to examine specific transactions instead of relying on broad administrative subpoenas for millions of records.” [...]
“[W]hat might have kicked off as an urgent temporary measure (in reply to 9/11) became de facto permanent without specific approval or authorisation by EU authorities or a real transatlantic evaluation of its impact and forward looking transatlantic negotiations covering at the same time security, judicial cooperation and data protection impact.”
The LIBE Committee’s report is critical of the FDMA and calls for the EP to withhold its consent on 11 February for the following reasons:
“[T]he current debate is not about SWIFT as such but about how Europe could cooperate with the US for counter-terrorism purposes and how financial messaging data providers are requested to contribute to this fight, or indeed more generally the law enforcement use of data collected for commercial purposes.” [...]
“[I]t is not difficult to imagine that accepting the proposed FMDA (as it stands) could lead down the slippery slope of accepting other requests for commercial data with (f.e.) Skype, PayPal and other companies in the information-telecommunication field being potentially interesting for law enforcement purposes.”
EP Committee argues the deal violates EU data protection rules
Among the most crucial legal considerations that the LIBE Committee report highlights are:
- Violation of the principle of proportionality: when it receives a US government’s request to produce data related to e.g. an individual, SWIFT is not able to produce that specific data because of technical reasons. The only data it could provide is ‘data in bulk’, which may contain personal data such as the name or address of an individual, and not be limited to the specific purpose for which US authorities may need information for counter terrorism purposes.
This shows that if SWIFT has to transfer most of its data to the US Government it will not be able to comply with the EU Data Protection Directive’s principles of necessity and proportionality. “This cannot be subsequently rectified by mechanisms of oversight and control,” writes Rapporteur Jeanine Hennis-Plasschaert.
- Violation of the principle requiring prior judicial authorisation – Uncertainty regarding onwards data transfers to third countries: The FMDA does not provide that transfer requests be limited in time and be subject to prior judicial authorisation. Neither does it does define enough the conditions under which the US Government plans on sharing TFTP data with third countries. The public control and oversight of the access to SWIFT data by US authorities is not defined either.
- Undefined retention time: The FMDA provides that all non-extracted SWIFT data will be erased after a specified period but does not provide any length of time.
By “non-extracted data”, the FDMA refers to the data US law enforcement authorities have not needed for terrorism-related investigations. Only if such data is “no longer necessary to combat terrorism or its financing” (Article 5 (i)) will the US authorities not keep the data for longer than 5 years after their receipt (Article 5 (l)). For all data that might be necessary “to combat terrorism or its financing”, or for data that is extracted but found not to contain usable information, the duration of retention is not indicated in the Agreement. This implies that the US Government could legally keep that data for up to 100 years. (See “Representations of the United States Government”.) The same retention issue occurred during the negotiation of the EU-US PNR (“Passenger Name Record”) Agreement that the EU Council, the Commission and the US Department of Homeland Security negotiated between 2003 and 2004. In that case, the US Government had used a 100-year retention period as the regular duration period to keep such PNR data.
- Undetermined provisions on access, rectification, compensation and redress outside the EU: these rights are not defined adequately in the FDMA.
The EP report states:
“The FMDA does not guarantee European citizens and companies the same rights and guarantees under US law as they would enjoy in the territory of the EU. Furthermore, the FMDA does not indicate under what circumstances an individual or company outside the territory of the US is to be informed of the fact that an unfavourable administrative decision has been taken against him/it.”
What happens next?
If Parliament refuses consent on Thursday 11 February, the FMDA will not enter into force and its provisional application would terminate upon notification by the EU to the US authorities. In such case, the US-EU Agreement on Mutual Legal Assistance of 2003 (“MLAT”, or Mutual Legal Assistance Treaty) and bilateral agreements on mutual legal assistance between the US and certain EU Member States would provide the framework pursuant to which future financial data exchanges would have to be pursued. This MLAT includes, but is not limited to, terrorist offences. Not only does it greatly limit the scope of data requests to investigations of specific individuals or companies “suspected of or charged with a criminal offence”, but the transfer of data to the US is also governed by the domestic law of the Member State(s) concerned. The request for information must identify the person (legal or natural), indicate the grounds for suspecting he/she has committed a crime, and show how the information relates to the criminal investigation or proceeding.
- Agreement on mutual legal assistance between the European Union and the United States of America (19 Jul. 2003)
- “Representations of the United States Government” about the rules regulating the processing of SWIFT financial data: Terrorist Finance Tracking Program: Representations of the United States Department of the Treasury regarding the Processing of EU originating Personal Data by United States Treasury Department for Counter Terrorism Purposes (‘SWIFT’) (20 Jul. 2007) [pdf]
- “SWIFT Agreement”: Agreement between the European Union and the United States of America on the processing and transfer of Financial Messaging Data from the European Union to the United States for purposes of the Terrorist Finance Tracking Program (13 Jan. 2010) [pdf]
- European Parliament’s Legal Service’s opinion on the SWIFT Agreement (2 Feb. 2010) [pdf]
- European Parliament’s Legislative Observatory: SWIFT Agreement, procedure file
- European Parliament’s Dossier on SWIFT and press release (Feb. 2010)
- European Parliament, live debate about SWIFT in Strasbourg (9-10 Feb. 2010); press release (10 Feb. 2010); full 90-min. video archive on the SWIFT debate (10 Feb. 2010)
- European Digital Rights (“EDRi”) (European human rights organization): press release and links to news stories; EDRi’s public letter to Members of Parliament: FAQ – “Why should the ‘SWIFT’ Interim Agreement be rejected by the Parliament?” (9 Feb. 2010) [pdf]; French translation [pdf]
- Questions & comments on the SWIFT Agreement with answers by the LIBE Committee’s Rapporteur Jeanine Hennis-Plasschaert on Facebook (Feb. 2010)
- Comments: Ralf Bendrath, “Bank data deal under heavy fire from EU Parliamentarians” (2 Feb. 2010)
- Comments: Edward Hasbrouck (The Identity Project), “European Parliament rejects deal for US access to SWIFT financial data. Next on the agenda: PNR deal for access to travel data” (11 Feb. 2010)