Same privacy concerns for the new SWIFT treaty

By EDRi · June 30, 2010

This article is also available in:
Deutsch: [Neues SWIFT-Abkommen: wieder die selben Privatsphäre-Bedenken |]

The agreement between the EU and USA on the transfer of bank data through
SWIFT was signed on 28 June 2010 after the Spanish Presidency of the Council
of Ministers has accepted some of the changes on the text proposed by MEPs,
but with no significant improvements from the Agreement rejected by the
European Parliament in February 2010.

The text of the new SWIFT Agreement will now probably be rushed through the
next European Parliament plenary session in Strasbourg (5-8 July).

After the draft agreement was initiated by Commissioner Cecilia Malmström on
10 June, MEPs asked for changes to the text concerning the bulk transfer of
data, the creation of an EU counterpart to the US Terrorist Finance Tracking
Programme (TFTP), and EU oversight of TFTP data-processing in the US.

Unfortunately, the new adopted text still allows for bulk data transfers.
The Parliament would have liked to replace bulk data with targeted searches
carried out by an EU-based authority but according to MEP Birgit Sippel, “We
cannot reduce the problem of bulk data for the moment as we do not have the
technical capability.”

The retention period is still 5 years and there is no real system in
place from the US on a binding legal redress. The US Privacy Act court
clauses only apply to US citizens and legal residents. Therefore there is
currently no right of judicial review for foreign citizens and residents
(including EU) under the US law.

Another key critique to the current text is the role of Europol that should
authorize the data transfer requests from the US. Besides the fact that
Europol is not a judicial authority, as requested by the European Parliament
in May 2010 Resolution, the incentive from this agency to limit the amount
of data being transferred is extremely reduced due to the fact that they can
actually request data searches from the US.

On 25 June, EDPS Peter Hustinx expressed his concerns related to the
transfer of bulk amounts of bank data to the U.S. authorities and pointed
out the key elements to be improved for data protection, especially as
regarding data retention periods, enforceability of the citizens’ data
protection rights, judicial oversight and independent supervision. “I am
fully aware that the fight against terrorism and terrorism financing may
require restrictions to the right to the protection of personal data.
However, in view of the intrusive nature of the draft agreement, which
allows transfers of data in bulk to the US, the necessity of such scheme
should first be unambiguously established, especially in relation to already
existing instruments. Would this be the case, other key elements should
however be improved in order to meet the conditions of the EU legal
framework for data protection.”

As MEP Alexander Alvaro told EurActiv, in terms of the agreement, the
European Commission will write a framework for the extraction of data on US
soil in order to set up an EU equivalent to TFTP and in case after five
years this is not in place, the Commission will have to renegotiate or
terminate the present agreement. But the present text automatically extends
for one more year if nothing happens. It does not have to be renewed, it
just has to be actively terminated.

EU, US sign SWIFT agreement (28.06.2010),-us-sign-swift-agreement/68367.aspx

EU wins concessions on US bank data-sharing deal (25.06.2010)

EU-US new draft agreement on financial data transfers: EDPS calls for
further data protection improvements (22.06.2010)

EDRi-gram: New SWIFT agreement as bad as the rejected one (16.06.2010)