On Thursday 7 July 2010, the European Parliament approved the new SWIFT-Agreement on bank data transfers to the United States for counter-terrorist purposes (see the press release of the European Parliament). The Draft Agreement provides for mass bank data transfers upon request by the US authorities with a view to identifying suspected terrorists. It is important to note though that only financial transactions to non-EU countries will be covered by the new agreement. Article 4 of the Draft Agreement specifically precludes transfers between EU member states.
The political debate in the run-up of the adoption of this agreement was highly controversial. In February, the European Parliament rejected the first version of the Draft Agreement, an impressive demonstration of the Parliament’s new competences on judicial and police cooperation under the Treaty of Lisbon (for further information see here). The main reasons for the rejection related to data protection, in particular the limitation of the data amount that may be transferred to the US and the prevention of abuse of the data transfers.
In this regard, the Parliament had come up with a number of conditions for its approval of a new Agreement. Among other things, transfers of unfiltered mass data, the so-called “bulk” data transfers should be prevented and the nature and the amount of data should be limited. Furthermore, the Parliament claimed that only persons that are qualified as terrorists by the EU should be covered by the Agreement. Also, the Parliament claimed that the decision to transfer the data to the EU should be subject to judicial control.
It seems that these concerns of the Parliament are hardly reflected in the new Draft Agreement. The transfer of “bulk data” is explicitly allowed. The only concession that the Parliament won in this regard is that the EU has to start working on a “Terrorism Finance Tracking Program” equivalent to that of the US that would eventually remove the need for bulk data transfers since the EU could then do the data analysis itself. However, it is unclear when this system would be established and there is no specific schedule indicated in the Agreement. If this system is not established within five years the Parliament may ask for denouncing the Agreement but it unclear whether the Parliament would make use of this power.
What is more, the US authorities decide how the data packages to be transferred are composed. The data request is not controlled by any judicial authority but by the EU authority for police cooperation (Europol). This entails various problems because Europol is not an independent judicial authority; rather it is mainly controlled by representatives of the Member States’ Governments, i.e. the executive. Some argue that even the prior solution, i.e. that the bank’s association SWIFT checks the data requests, would have provided more data security. The reason for this is that SWIFT had at least a certain economic interest in protecting its clients’ data while Europol crucially depends on the information and cooperation of the US authorities, and hence on their political goodwill.
US investigation authorities may safe the data obtained from the EU for five years. An EU official seconded to the US authorities is entrusted with supervising the correct application of the Agreement.
Given that the safeguards introduced into the new Draft Agreement are remarkably low and do not at all meet the conditions which the Parliament announced earlier, it is surprising that the Parliament did not block the Agreement a second time. Indeed, the situation has only marginally changed. Nonetheless, the Socialist, the Liberal and the Conservative group voted in favour of the Draft Agreement, with only the Green and the Left-wing group voting against. It may be suspected that overarching political considerations of counter-terrorist policy and the concern not to profoundly upset the United States may have contributed to the change of mind of the Members of Parliament.
That said, it seems that the dispute on the Agreement is not yet completely over. The Parliament’s Green Group is currently preparing a legal expert opinion on the legality of the Agreement. The focus is on whether the EU actually has the competence to conclude an agreement on the mass transfer of data. It may be suspected that also fundamental rights concerns may play a role in the legal assessment. Depending on the outcome of the legal analysis the Green Group may file a legal action against the Agreement before the European Court of Justice in order to obtain by means of legal recourse what they failed to achieve politically: the prevention of the Agreement’s application (for a statement of the Green Group see here, for further information see here, here and here).