New SWIFT agreement as bad as the rejected one

By EDRi · June 16, 2010

This article is also available in:
Deutsch: [Neues SWIFT-Abkommen so schlecht wie das alte |]

The EU Commission adopted on 15 June 2010 the new agreement with the US
Department of Treasury (DoT) on the transfer of data to the DoT’s
Terrorist Finance Tracking Programme (TFTP), informally called “SWIFT
agreement” because it relies on data from the Society for Worldwide
Interbank Financial Telecommunication. It had been negotiated since 11
May, after the Council of Ministers adopted a new mandate. The text
of the agreement was made public by Statewatch and several MEPs. It is
significantly longer than the previous one which had been rejected in
February by a large majority of the European Parliament because of
privacy concerns. A lot of the new text contains non-binding wording on
data protection principles and legal safeguards, obviously written to
persuade the reader to think there are real improvements.

On substance though, there are not many changes. The agreement is still
based on the transfer of “bulk data”, i.e. millions of data-sets of all
transactions of banks of specific countries for a given time period.
These are received by the DoT and stored for five years, just as before.
The data can later be searched for specific individuals, account numbers or
related information. The transfers now have to be authorized by EU
police authority Europol which, according to the text, has to check if
the requests are to “be tailored as narrowly as possible”. Article 10 of
the agreement, on the other hand, gives Europol the right to request
data searches in the transferred data from DoT, which will in practice
seriously conflict with any incentive the police agency might have in
the first place to limit data transfers. While the agreement speaks of
legal safeguards and redress options for EU citizens when their data is
transferred and processed in the U.S., there are no binding obligations
for the U.S. side to introduce the needed changes in their laws, such as
in the Privacy Act. The agreement does not contain a sunset clause.

The Commission will now send the Agreement to the Council of Home
Affairs Ministers, who, after adopting it, will ask the European
Parliament for consent. In the Council, there are rumours that some
member states are questioning the extension of the mandate of Europol.
UK, Denmark and Ireland have opt-out clauses here, so the agreement may
actually not apply to them. Many Parliament Members have already
voiced criticism, especially over the bulk transfers, the retention
periods and the function of Europol, as the EP had asked for a
judicial authority to authorize data transfers, not a police agency. A
majority for a rejection is not at all clear yet, though. Commissioner
Malmström is currently doing heavy lobbying in the Parliament and is
talking to individual political groups and members.

There also seem to be some legal issues around the Europol function,
because a consent of the Council and Parliament would imply that Europol
then operates under the provisions of the Lisbon Treaty. This is
normally done under co-decision procedures, where both institutions have
options to change the legislative proposal. In an international
agreement such as this, they can only say “yes” or “no”. The bulk data
transfers and retention periods may also be in conflict with the March
ruling of the German Constitutional Court on data retention.

TFTP / SWIFT Agreement (14.06.2010)

Statewatch: Comparative Chart of the draft agreement (6 June) and the
text agreed by the European Commission – with Commentary (15.06.2010)

EU Commission: MEMO/10/258. Terrorist Finance Tracking Programme –
Comparison of Council Mandate with draft EU-US Agreement (15.06.2010)

European Parliament: Resolution on SWIFT/TFTP Negotiations (5.06.2010)

EDRi-Gram: European Parliament needs to reject the SWIFT deal (10.02.2010)

(Contribution from Ralf Bendrath, EDRi-member NNM- Germany)