thoughts and observations of a privacy, security and internet researcher, activist, and policy advisor

Wednesday, November 25, 2009

European Parliament on Privacy vs Security and the "Balance" Metaphor

The European Parliament has adopted its resolution on the Stockholm Programme today. The Stockholm Programme is a political document that lays out the priorities for EU justice and home affairs policy for the years 2010 to 2014. It will be adopted by the Council of Ministers next Monday - therefore the Parliament's opinion on this was very timely. There were a lot of amendments, separate votes and split votes, so we have to wait a few days for the final consolidated text. Overall, it's a mixed bag, but that is a looong story.

What I want to point out here is only one amendment that was adopted - but it was an extremely crucial one:

The European Parliament
"... stresses that the EU is rooted in the principle of freedom. Security, in support of freedom, must be pursued through the rule of law and subject to fundamental rights obligations. The balance between security and freedom is to be seen in that perspective"
I think this is one of the most important official contributions to the "freedom vs security" debate in the last few years. And it is the official opinion of Europe's directly elected representatives now.

Please help spread the word and establish this clarification firmly in the public discourse.

Wednesday, November 18, 2009

SWIFT Agreement Not in Line with European Parliament's Demands

Update, 25 January 2010: The agreement has been signed, but not yet concluded, by the Council on 30 November 2009. Here is the final text. It will be voted on in the European Parliament on 10 or 11 February 2010. The only change to my analysis below (beyond some re-numbering of paragraphs) is the transfer of data to third countries or agencies, which is now limited to "leads", not raw data. The remainder of the criticism still stands.

The draft agreement on bank data transfer between the EU and the US for anti-terrorism purposes ("SWIFT Agreement") was leaked on 11 November. It stirred a heavy debate in the media, even made front-page news in Germany, and resulted in members and staff of the European Parliament and of the Committee of Permanent Representatives of EU member states (COREPER) having hectic phone calls. Background on the SWIFT deal is available elsewhere.

I want to focus here on the conformity of the draft with the demands of the European Parliament. The EP adopted a resolution on the SWIFT agreement in September, which was not too strong, but clearly spelled out some substantive and procedural criteria.

There are rumours that the Council and the Commission are trying to get an informal confirmation (whatever that means) from the Parliament that the current draft meets the demands of the Parliament. The following quick analysis shows that this is clearly not the case.

1) Definition of Terrorism

The EP demands in paragraph 7(a)
"that data are transferred and processed only for the purposes of fighting terrorism (...), and that they relate to individuals or terrorist organisations recognised as such also by the EU".
The draft agreement has a definition of terrorism in article 2 and also refers to the EU definition on this, but spells out no procedure on who would make such a decision and how.

2) Judge Approval

The EP demands in paragraph 7(c) that data transfers have to be
"subject to judicial authorization".
The draft agreement does not mention this at all. It only describes a procedure in article 4 where requests by the US government are scrutinized by an ominous "central authority" in the EU member state where the financial service provider concerned is located. I assume this will be agencies like the Federal Criminal Police Agency (BKA) in Germany and the like. Not exactly what is meant by an independent judge.

3) Judicial Review

The EP demands in paragraph 7(d) that
"legality and proportionality of the transfer requests should be open for judicial review in the US"
and in paragraph 7(e) that
"transferred data are subject to the same judicial redress mechanisms as would apply to data held within the EU".
The draft only has a meaningless clause on this in article 11(3). There is an annex to the draft that lists a number of U.S. laws and codes that allegedly provide for judicial redress, but none of these actually does so. In detail:

- The Administrative Procedure Act of 1946 only states that
"a person suffering legal wrong because of agency action, or adversely affected or aggrieved by agency action within the meaning of a relevant statute, is entitled to judicial review thereof".
The problem: The US Privacy Act offers protection against unlawful data processing by government agencies, but only for US citizens and residents.

- The Inspector General Act of 1978 only establishes the powers of the inspectors general of the various agencies and departments for auditing and investigations. There is no option for citizens to demand judicial review. Quite the contrary:
"the Secretary of the Treasury may prohibit the Inspector General of the Department of the Treasury from carrying out or completing any audit or investigation".
- The Implementing Recommendations of the 9/11 Commission Act of 2007 establishes the Privacy and Civil Liberties Oversight Board (PCLOB) in the executive branch. But the PCLOB is not really independent, has very few rights and cannot pursue independent investigations. There is no option for citizens to demand judicial review. Quite the contrary - the act establishes even more possibilities for data-sharing among government agencies, e.g. through the "State, Local, and Regional Fusion Center Initiative".

- The Computer Fraud and Abuse Act criminalizes unauthorized and authority-exceeding use of computers. But this is not what the SWIFT agreement is about - the US government could theoretically send a carrier pigeon to the Europeans with the message demanding specific data. A computer is not abused or even broken into here - otherwise every corruption, libel or other white-collar-crime case where a computer was used would be sanctionable under this act, too. Ridiculous.

- Freedom of Information Act (FOIA): Any possible right to access information is immediately annulled by the exception clauses in article 11 of the draft agreement.

- Standards of Ethical Conduct for Employees of the Executive Branch: This code includes no option for citizens to demand judicial review. It only foresees the option of disciplinary measures in case of wrongdoing by executive branch employees.

4) Purpose Binding

The EP demands in paragraph 7(f) that transfers of data are limited to investigations about "terrorism financing". The draft agreement includes "prevention, investigation, detection, or prosecution of terrorism or terrorist financing". This means that the US can ask for data that is not related to terrorism financing at all, as long as they make the case that it is somehow related to terrorism or may help its "prevention" (which is a broad and unclear clause anyway).

5) Onward Data Transfers

The EP demands in paragraph 7(f) that
"the transfer of such data to third parties other than the public authorities in charge of the fight against terrorism financing is also prohibited".
The draft agreement allows the onward transfer of bank data to third countries, not just third parties within the US. The parliament clearly meant the latter in its resolution and did not foresee any transfer to third countries. This would be the major hole in the agreement where all the other criteria (judicial review, purpose binding etc.) would be annulled even if they existed.

6) Scope

The EP demands in paragraph 9 that
"batches and large files such as those concerning transactions relating to the Single European Payment Area (SEPA) fall outside the scope of the data".
The draft agreement in article 4(6) allows for the transfer of "bulk data" if the service provider cannot identify the specific data requested. A slightly newer version of the agreement, according to German press reports, explicitly excludes SEPA data. But the parliament mentioned SEPA only as an example, as is clear from the words "such as". The draft agreement does not exclude all batches and large files.


7) Procedural Aspects

The EP demands in paragraph 13 that
"the European Parliament and all national parliaments will be given full access to the negotiation documents and directives".
This has repeatedly not happened. Neither has the parliament received the text of the draft agreement, nor was it even informed about its very existence. It only learned about it from the press reports.

Conclusion

The current draft agreement on bank data transfers is clearly in breach of the criteria established by the European Parliament - on substance as well as on procedures.

It would be a clear affront by the Council of Ministers if they adopted and signed the agreement at their next meeting on 30 November - one day before the Lisbon Treaty enters into force and the European Parliament gets full veto powers in the area of justice and home affairs.