thoughts and observations of a privacy, security and internet researcher, activist, and policy advisor

Wednesday, June 30, 2010

New SWIFT / TFTP Agreement still has Massive Weaknesses

The new agreement on the transfer of banking data from the EU to the US Department of Treasury's Terrorist Finance Tracking Programme (TFTP), informally called the "SWIFT agreement", was adopted by Council on Monday 28 June 2010 at 10:00 in written procedure. Minor details: Even the German liberal Minister of Justice, who had fought the agreement wildly in November, gave in. So now, even Germany did not abstain (which they normally do when the coalition cannot agree), but instead voted in favour. France abstained in Council, but only because they did not get the required consent from the national assembly in time.

The agreement was signed on the same day at 12:30 by the Spanish Homeland Minister Alfredo Pérez Rubalcaba, the EU Home Affairs Commissioner Cecilia Malmström, and the US Ambassador to the EU, William Kennard. Spain had pushed hard to achieve this during the last days of their EU Council presidency.

The agreement will now be rushed through the next EP plenary session in Strasbourg (5-8 July) with an extraordinary session of the LIBE committee there on Monday and the plenary vote on Wednesday or Thursday. EPP was long planning to accept it, and over the last few days S&D and ALDE have completely given in. They even try to sell it as a success, though there are no real substantial improvements compared to the agreement from November which the EP voted down in February. Only the Green and Left groups in the Parliament still stick to their principles and to previous EP resolutions on this matter and will vote against it.

All documents are already on Statewatch:

Main points of critique still remain:
  • Bulk data transfers of unsuspicious EU citizens still systematically built-in (the "tailored as narrowly as possible" is a joke, because they can only filter the data by a few criteria, such as country & day).
  • Retention periods still 5 years (probably in breach of the German Constitutional Court's decision on data retention in March).
  • There is no clear sunset clause or conditioning of the agreement on data extraction on EU soil. The clause "EU shall consider whether to renew the agreement" if there is no extraction on EU soil after 5 years is a joke, because it automatically extends for one year each if nothing happens. It does not have to be renewed, it has to be actively terminated.
  • There is no binding legal redress mechanism. The US government guarantees that they will treat EU citizens equally in administrative procedures, but there is still a hole in the juridical redress, because the US Privacy Act court clauses only apply to US citizens and legal residents. The agreement is not conditioned upon the US changing their law here.
  • The role of Europol is a total mess on several levels:
    a) Europol is supposed to authorize data transfer requests from the US. This derogates from the demand of the EP in its May 2010 resolution to have a judicial authority do this.
    b) Europol can now itself request data searches from the US, which reduces their incentive to limit the transferred amount of data in the first place to exactly zero.
    c) UK, Ireland and Denmark have opt-in clauses on Europol. If they don't participate here, the whole agreement will not apply to their "territory". It's totally unclear what that means: Can SWIFT (based in BE, servers in NL and CH) still transfer data, even if it concerns citizens of these three countries? Is this happening with or without Europol then? Who would do the authorization instead if Europol did not do it?
    d) The consent of the EP to the agreement extends the mandate of Europol and might therefore imply a "Lisbonization" of the agency - which of course should be done under ordinary legislative procedure, not just by saying "yes" or "no". The Council explanations ("no Lisbonization") are not necessarily convincing. There may be a legal challenge based on this.
  • The fundamental issue of proportionality is still not solved: Just seeing the data as useful for police and intelligence work does not suffice to legitimate these massive data transfers. Instead, there has to be fact-based evidence that there is a clear and imminent danger to the lives and limbs of people or to the existence of the state which cannot be fought with less intrusive and much narrower means. A general risk of terrorist activity is not sufficient to give up our civil liberties.
For the old agreement from 2009, see: SWIFT Agreement Not in Line with European Parliament's Demands.