By EDRi

Frequently Asked Questions on the Terrorist Finance Tracking Program / “SWIFT” Agreement

European Digital Rights has prepared a “frequently asked questions” document to explain the changes between the SWIFT agreement previously rejected by the European Parliament and the current text under discussion.

Q: Does the agreement meet the criteria set by Parliament in its resolutions of 17 September 2009 and 5 May 2010?

A: No. The European Data Protection Supervisor and the Article 29 Data Protection Working Party explain in their Opinions that several criteria set by Parliament have still not been met. For example, there is no prior judicial ruling required for transfer of data, the definition of “terrorism” is very broad and there is still no legal redress available for EU citizens in the US against data transfers or the possibly serious consequences thereof. Contrary to the flowery wording in the agreement, as an executive agreement it cannot be invoked in court in the U.S.

Q: How much data is actually transferred?

A: Still a great deal. Because of the technical set-up of SWIFT, the company currently cannot limit data searches to specific individuals or single transactions. In effect, it will have to transfer (as it has in the past) data about all transactions from a certain country or a certain bank on a certain date. There have been reports that the US Treasury has received up to 25% of all SWIFT transactions, which number in the billions each year. This is not proportionate to the purpose and also puts the EU in danger of economic espionage.

Q: But does Europol not ensure that the transfer requests are now tailored as narrowly as possible?

A: Europol is supposed to authorize data transfer requests from the US. This, first of all, ignores the demand of the Parliament in its May 2010 resolution to have a judicial authority responsible for this. Ironically, Europol is now authorized to request information from US searches of the transferred data, which drastically reduces any incentive to limit the amount of data transferred in the first place.

Q: Does the agreement mean a change to more focused data transfers in the mid-term?

A: No. Contrary to what the Parliament had repeatedly asked for, there is no clear, binding twin-track approach for switching to the extraction and individual processing of bank data on EU soil within a binding time-frame. The Union is merely asked to “consider whether to renew” the agreement if this does not take place after 5 years.

Q: Is there a sunset clause?

A: No. There is no sunset clause, meaning that the agreement does not have to be renewed at all. It is initially in force for 5 years and then automatically extends for one year at a time. In order to terminate the agreement, one of the parties has to take the initiative. Even if it is terminated, all transferred data will remain at the disposal of US authorities.

Q: How long is the data stored?

A: The data provided to the American authorities will be subject to a retention period of 5 years. If extracted for purposes of judicial investigation, this data will be subject to a further retention period foreseen by American law, which is up to 90 years (and it has to be said that, for technical reasons, the data extracted may include vast amounts of collateral information, for instance the data on a country during a given month or year). Retention periods of five years are in conflict with the March 2001 decision of the German Constitutional Court on Data Retention.

Q: Does the agreement protect against onward transfers to 3rd countries?

A: No. The agreement excludes transfer of raw data to third countries or agencies, but allows transfer of “leads”. While “leads” is not an established legal term in the EU, these will of course contain personal information about EU citizens and residents, as well as their business partners in other countries. The European Data Protection Supervisor and the Article 29 Working Party also express their worries, stating that “the sharing of personal data with third countries is neither clearly defined nor subject to appropriate guarantees”. While the transfer of data on EU citizens or residents now theoretically has to be authorized by a police authority of the respective member state, there are broad exceptions.

Q: Does the agreement meet EU data protection and privacy standards?

A: No. The European Data Protection Supervisor and several other Data Protection Authorities have repeatedly published detailed analyses showing that the Agreement is very privacy-intrusive, since it interferes with the private life of potentially all Europeans. In order to justify such privacy-intrusive measures, evidence is needed that such measures are necessary and proportionate. This evidence is missing. It is not possible to see any added value of the Agreement since it overlaps with already existing EU and international instruments in this area.

Q: But are there security gains for the EU from the data transfer?

A: No. There are no clear gains from this Agreement: financial data are unquestionably useful in the fight against terrorism, but the information can be obtained without the Agreement as well. The confidential reports by Judge Bruguière have not shown evidence that there has been one case of terrorism that was prevented or prosecuted based on the financial data alone. The reports even make false claims, e.g. by referring to the German IJU case from 2007. The German Federal Criminal Police Office (BKA) has publicly confirmed that financial data was not needed at all in this case.

Q: What is the legal basis for Europol’s involvement?

A: This is completely unclear. First, the UK, Ireland and Denmark have opt-in clauses on Europol. If they do not opt in to the TFTP agreement, it will not apply to their “territory”. It is still totally unclear what that means: can SWIFT (based in Belgium with servers in the Netherlands and Switzerland) still transfer data, even if it concerns citizens of a country that has not opted in? Is this happening with or without prior authorization by Europol in such cases? Who would do the authorization instead if Europol were not doing it? These questions have not been answered yet. Second, the consent of the EP to the Agreement extends the mandate of Europol and might therefore imply a “Lisbonization” of the agency, which of course should be done under ordinary legislative procedure, not just by saying “yes” or “no”.

Q: What will happen to terrorist investigations if Parliament withholds its consent to the agreement?

A: There will be no security gap. US authorities will still be able to request data for specific investigations, on the basis of the Mutual Legal Assistance Agreement (MLAA) and national law. These national laws have transposed the European Convention on Human Rights, the Charter on Fundamental Rights, Council of Europe Convention 108 and will therefore have the right level of protection. The fight against terrorism, including investigation of terrorist-related financial operations, will not stop if Parliament withholds consent.

Q: What will happen to transatlantic relations if Parliament withholds its consent to the agreement?

A: The U.S. government will be able to negotiate another agreement with the EU. Any new agreement should be bound to the planned transatlantic framework agreement on data protection for law enforcement and judicial cooperation. It has to be based on mutual respect and shared values, while respecting the clear criteria repeatedly spelled out by Parliament. This will in effect strengthen Council’s negotiation position vis-à-vis the United States and ensure better protection for EU citizens.

Q: What will happen to EU inter-institutional relations if Parliament withholds its consent to the agreement?

A: Council and Commission will be obliged to make sure that Parliament’s concerns are met in international negotiations under Lisbon rules. This will in effect ensure that inter-institutional relations are handled according to Art. 218 TFEU, providing full democratic legitimacy to future agreements.