Sunday, 6 December 2009

EU - transfer of financial messages data to the USA - interim agreement

Background: the global financial messaging intermediary SWIFT, used behind the scenes by anyone who transfers funds between banks, had a data centre in the USA. SWIFT secretly gave the US government access to banking customers' data mirrored in SWIFT's US data centre as part of the US's Terrorist Finance Tracking Program, but there was a big fuss when it became known, with various EU member states saying that this was in breach of EU privacy and data protection laws. [Edit: see also the EU Article 29 Working Party's views on the SWIFT situation.]

As a result, SWIFT decided to set up a data centre in Switzerland which, once it is operational in early 2010, will deprive the USA of the information it was getting from the US data centre. So, since July 2009 the US have been discussing with the EU how to get the info anyway, and they recently concluded an interim agreement to allow it.

Here are links to some of the original documents.

Press release on 2979th Council meeting, 30 November and 1 December 2009 - main results including (p.12) on EU-US agreement on financial messaging data for counter-terrorism investigations (adopting the Decision referenced below; emphasis added):

"The agreement aims to continue to allow the US Department of the Treasury to receive European financial messaging data for counter-terrorism investigations, while ensuring an adequate level of data protection. Requests by the US have to be verified by the competent authority of the relevant EU member states, they have to substantiate the necessity for the data and they have to be tailored as narrowly as possible. The agreement also provides for a joint review procedure, redress possibilities as well as a suspension clause.

The agreement is temporary. It will be provisionally applied as from 1 February 2010 and expire on 31 October 2010, at the latest. The European Parliament must consent to the formal conclusion of this temporary agreement in the coming months.

Any long-term agreement for the time after 31 October 2010 must be negotiated and concluded under the rules of the Treaty of Lisbon. These provide that the European Parliament must be fully informed at all stages of the negotiations and must give its consent to the formal conclusion of an agreement.

Concerning that follow-up agreement for the time after 31 October 2010, a Council declaration calls upon the Commission to submit as soon as possible, and at any rate no later than February 2010, a recommendation to the Council for the negotiation of a long-term agreement. It also states that the current agreement is without prejudice to any provisions in that long-term agreement.

In a second declaration, the Council and the Commission commit themselves to the Lisbon rules, i.e. to inform the Parliament immediately and fully at all stages during negotiations.

The negotiations on the provisional agreement adopted today started in July 2009 and responded to a decision by one of the major providers of international financial payment messaging services to store its European financial messaging data no longer in a database located in the US, but only in Europe."

The background note for the meeting notes that:

"A report by the former French investigating judge Jean-Louis Bruguière, commissioned by the Commission, concluded in December 2008 that the TFTP had generated considerable intelligence value also to the EU member states.

SWIFT is a Belgium-based company which operates a worldwide messaging system used to transmit, inter alia, bank transaction information. It has been estimated that SWIFT handles 80% of the worldwide traffic for electronic value transfers."

COUNCIL DECISION on the signing, on behalf of the European Union, of the Agreement between the European Union and the United States of America on the processing and transfer of Financial Messaging Data from the European Union to the United States for purposes of the Terrorist Finance Tracking Program (TFTP 16110/09), as at 27 November 2009 but adopted at the meeting above - it contains the text of the EU/US Agreement and a declaration that EU member states are to implement the agreement provisionally.

FAQ - in an Information Note by the Council's General Secretariat on EU-US agreement on the processing and transfer of financial messaging data for purposes of the US Terrorist Finance Tracking Programme (TFTP) - Questions and Answers, November 2009

Also of related interest, on information exchange and data sharing for more general law enforcement purposes, see my blog post on Reports by the High Level Contact Group (HLCG) on information sharing and privacy and personal data protection.

©WH. This work is licensed under a Creative Commons Attribution Non-Commercial Share-Alike England 2.0 Licence. Please attribute to WH, Tech and Law, and link to the original blog post page. Moral rights asserted.