Implementation of the SWIFT agreement under review

By EDRi · April 20, 2011

This article is also available in:
Deutsch: [Umsetzung des SWIFT-Abkommens auf dem Prüfstand |]

A review prepared by the EU delegation of the joint review team on the
implementation of the SWIFT (TFTP) agreement concluded that “all of the
relevant elements of the Agreement have been implemented in accordance with
its provisions, including the data protection provisions”. The report has
been accepted by EU Justice and Home Affairs Council.

The agreement, which was signed on 28 June 2010, foresees the transfers to
the USA of financial payment messages held by Society for Worldwide
Interbank Financial Telecommunication (SWIFT), to be used in the Terrorist
Finance Tracking Program (TFTP).

Europol is the body which has the specific task to check whether requests
from the US Treasury Department for SWIFT data comply with the terms of the
TFTP Agreement, while the Europol Joint Supervisory Body (JSB) is to review
Europol’s activities. An inspection mandated by the JSB to check Europol’s
implementation of the TFTP Agreement has revealed a lack of audit of the
data transfers in a report published in March 2011.

The four requests made during the inspection were made in abstract terms,
for broad types of data, which makes impossible compliance with Article 4(2)
of the TFTP Agreement (which says that requests must be tailored as narrowly
as possible). The JSB recommended that the requests had to contain more
detailed information, specific to each request, and that the US authorities
might need to provide certain additional information.

Moreover, it has come out that there is a lot of information provided orally
by the US Treasury Department to Europol staff with no written requests to
allow the proper verification of compliance with the data protection

MEPs have shown their concerns related to the findings of the German report
and expressed their disagreement to Europol’s activity. “As Members of
Parliament we feel betrayed reading this report (…) We voted in favour
(of this agreement last year) in the trust that both parties would apply the
adopted agreement” which “concerns the transfer of sensitive data belonging
to our citizens”, said Alexander Alvaro (ALDE, DE), Parliament’s rapporteur
on the TFTP agreement.

Although the joint review prepared by the EU delegation had a different
conclusion, it included recommendations contradicting its findings. Thus,
the EU review team recommended “more publicly accessible information on the
way the program functions, in as far as this is possible (…) in
particular, the overall volume of data provided to the U.S. authorities and
the number of financial payment messages accessed.” It also suggested
“further enhancing the Europol verification procedure referred to in Article
4,” and “more verifiable statistical information on the added value of TFTP
derived information to efforts to combat terrorism and its financing in
order to further substantiate the added value of the program.” It also
recommended “improving some aspects of the provision of information to the
general public on the rights accorded to them under the Agreement.”

As MEPs had asked the director of Europol to answer to their concerns,
Europol issued an information note to the European Parliament on 8 April
2011. According to the information note, Europol had taken into
consideration the JSB’s recommendations and “comprehensively reviewed the
process. A revised version was adopted and introduced in March 2011.”

“The procedural steps involved in the process include specific actions to
assess the validity of the US request in terms of its compliance with the
criteria established in Article 4, including a record of the verification
officer’s operational judgement and a record of the advice given by the
Legal Affairs Unit and Data Protection Office (DPO). The DPO has seen every
request since the Agreement entered into force, but following observations
made by the JSB, Europol decided to make certain practical enhancements to
the process to ensure a more efficient involvement of the DPO.

As part of the process, a standard template is used as a formal record of
the advice from each party and of the authorising officer’s final decision,”
says the information note.

Europol fails to audit the transfer of SWIFT financial data to the USA

Report on the inspection of Europol’s implementation of the TFTP agreement,
conducted in November 2010 by the Europol Joint Supervisory Body (1.03.2011);jsessionid=AB0454AACD783E1B1130F7FD9201BBB9.1_cid136?__blob=publicationFile

EU Council: Report on the joint review of the implementation of the
Agreement between the European Union and the United States of America on the
processing and transfer of Financial Messaging data from the European Union
to the United States for the purposes of the Terrorist Finance Tracking
Program (17-18.02.2011)

Europol Activities in Relation to the TFTP Agreement
Information Note to the European Parliament (8.04.2011)

Committee on Civil Liberties, Justice and Home Affairs Press release- SWIFT
implementation report: MEPs raise serious data protection concerns