The European parliament adopted a resolution on the SWIFT data transfer negotiations. Here is why even the Parliament’s conditions are problematic.
The Parliament has issued a press release and the Sköne Oke blog commented it. I have also left my comments there (which I encourage you to read) but had not seen the full adopted text at that time. This is why I provide more information here. For background information on the SWIFT deal as such, please see my previous posts.
“I know this [bulk data] is a great concern for the European Parliament, but without it there would be no TFTP (Terrorism Finance Tracking Programme)” [Commission Malmström]
In principle the new conditions from the European Parliament (see adopted text below) go in the right directions. But there are a few points that make them in total worthless. Here is why:
- Point 12 clearly is the main problem: basically it says that if the Parliaments conditions cannot be met, then the Commission should still try to put as many safeguards as possible into the agreement. The Commission will be thankful for this point as it clearly allows them to ignore all other points. I wonder: has the Parliament not learned it’s lesson in February? Was it not clear that it can only win this negotiations if it clearly says no and doesn’t provide any whole in the conditions?
- Instead of requesting reciprocity it just explains what it would mean. Come one, powerful negotiation terms look different.
- The parts on judicial oversight (point 10) and redress (point 18) are very weak. No conditions are set in the text on how the MEPs want EU citizens to be able to act against their (potentially unlawful) processing of data.
Here is the full text which has been adopted by the European Parliament on 5 May 2010:
1. Welcomes the new spirit of cooperation demonstrated by the Commission and the Council and their willingness to engage with Parliament, taking into account their Treaty obligation to keep Parliament immediately and fully informed at all stages of the procedure; reiterates its openness to an agreement which would help both Europe and the United States strengthen their fight against terrorism in the interests of the security of their citizens, without undermining the rule of law;
2. Counts on a continuation of the commitment, spirit of constructive cooperation and fairness demonstrated by representatives of the US Government in the run-up to Parliament’s vote on 11 February 2010 and thereafter;
3. Recalls its strong determination to fight terrorism and its conviction that the framework of transatlantic cooperation for counter-terrorism purposes should be further developed and improved; believes, at the same time, that European legal requirements for the fair, proportionate and lawful processing of personal information are of paramount importance and must always be upheld;
4. Reiterates that the EU’s rules on the tracking of terrorist financing activities are based on the reporting of suspicious or irregular transactions by individual financial operators;
5. Emphasises that fundamental principles still need to be laid down by the EU stating how it will generally cooperate with the US for counter-terrorism purposes and how financial messaging data providers could be asked to contribute to this fight, or indeed more generally to the use in connection with law enforcement of data collected for commercial purposes;
6. Reiterates its emphasis on the ‘purpose limitation’ of the agreement in order to ensure that any exchange of information is strictly limited to that required for the purposes of combating terrorism and that this is done on the basis of a common definition of what constitutes ‘terrorist activity';
7. Stresses that the principles of proportionality and necessity are key to the envisaged agreement, and points out that the problem that financial messaging data providers are unable (for technical and/or governance reasons) to search the ‘content’ of the messages, leading to the transfer of data in bulk, cannot subsequently be rectified by oversight and control mechanisms, since basic principles of data protection law have already been compromised;
8. Reiterates its opinion that bulk data transfers mark a departure from the principles underpinning EU legislation and practice, and asks the Commission and Council to address this issue properly in the negotiations, bearing in mind that the TFTP is currently designed in such a way that it does not allow for targeted data exchange; solutions should include restricting the scope of the transferred data and listing the types of data that the designated providers are able to filter and extract, as well as the types of data which may be included in a transfer;
9. Considers that the Agreement on Mutual Legal Assistance is not an adequate basis for requests to obtain data for the purposes of the TFTP, in particular because it does not apply to bank transfers between third countries and because it would, in any case, require the prior identification of a specific bank, whereas the TFTP is based on targeted searches of fund transfers; future negotiations should focus on finding a solution to make one compatible with the other;
10. Takes this view that, once a mandate has been established, a judicial public authority should be designated in the EU with the responsibility to receive requests from the United States Treasury Department; points out that it is crucial that the nature of this authority and the judicial oversight arrangements should be clearly defined;
11. Urges the Council and Commission, therefore, to explore ways of establishing a transparent and legally sound procedure for the authorisation of the transfer and extraction of relevant data as well as for the conduct and supervision of data exchanges; emphasises that such steps are to be taken in full compliance with the principles of necessity and proportionality and the rule of law with full respect for fundamental rights requirements under EU law, by giving a role to a European authority, which would make it possible for relevant European legislation to become fully applicable;
12. Insists, if the above arrangements are not feasible in the short term, on a twin-track approach which differentiates between, on the one hand, the strict safeguards to be included in the envisaged EU-US agreement, and, on the other, the fundamental longer term policy decisions that the EU must address; emphasises once again that any agreement between the EU and the US must include strict implementation and supervision safeguards, monitored by an appropriate EU-appointed authority, on the day-to-day extraction of, access to and use by the US authorities of all data transferred to them under the agreement;
13. In this respect, points out that the option offering the highest level of guarantees would be to allow for the extraction of data to take place on EU soil, in EU or Joint EU-US facilities, and asks the Commission and the Council to explore, in parallel:
- ways to phase into a medium-term solution empowering an EU judicial authority to oversee the extraction in the EU, on behalf of Member States, after a mid-term parliamentary review of the agreement;
- ways to ensure, in the meantime, that EU select personnel – from EU organs or bodies, including for example, the EDPS, or joint EU-US investigation teams – with high clearance, joins SWIFT officials in the oversight of the extraction process in the US;
14. Underlines the fact that any agreement between the EU and the US, regardless of the implementing mechanism chosen, should be limited in its duration and provide for a clear commitment on the part of both the Council and Commission to take all the measures required to devise a durable, legally sound European solution to the issue of the extraction of requested data on European soil; the agreement should also provide for evaluations and safeguard reviews by the Commission at set times during its implementation;
15. Calls for the agreement to be terminated immediately if any obligation is not met;
16. Points out that true reciprocity would require the US authorities to allow both the EU authorities and competent authorities in the Member States to obtain and use financial payment messaging and related data stored in servers in the US on the same terms as apply to the US authorities;
17. Requests that all relevant information and documents, including the underlying intelligence, must be made available for deliberations in the European Parliament, in line with the applicable rules on confidentiality, in order to demonstrate the necessity of the scheme in relation to already existing instruments; asks the Commission, further, to report regularly on the functioning of the agreement and to inform Parliament fully about any review mechanism to be set up under the said agreement;
18. Asks to be provided with full and detailed information on the specific rights of European and US citizens (e.g. access, rectification, deletion, compensation and redress) and as to whether the envisaged agreement is to safeguard ‘rights’ on a non-discriminatory basis, regardless of the nationality of any person whose data are processed pursuant to it, and requests the Commission to submit an overview of the respective rights to Parliament;
19. Expresses concern that the commercial position of one specific financial messaging provider has been – and will continue to be – compromised if it continues to be singled out;
20. Emphasises that the envisaged agreement must ensure that personal data extracted from the TFTP database are kept on the basis of a strictly interpreted ‘necessity’ principle and for no longer than necessary for the specific investigation or prosecution for which they are accessed under the TFTP;
21. Points out that the concept of non-extracted data is not self-evident and should thus be clarified; calls for a maximum storage period to be established, which should be as short as possible and in any case no longer than five years;
22. Stresses the importance of the principles of non-disclosure of data to third states if no specific reasons are given for a request and of disclosure of terrorist leads to third states only subject to strict conditions and appropriate guarantees, including adequacy assessment;
23. Reiterates that a binding international agreement between the EU and the US on privacy and data protection, in the context of the exchange of information for law-enforcement purposes, remains of the utmost importance;
24. Instructs its President to forward this resolution to the Council, the Commission, the governments and parliaments of the Member States, the US Congress and the Government of the United States of America.Author : brusselsblogger