Terrorism: agreement on bank data transfers with US - briefing
24 March 2010by eub2 -- last modified 24 March 2010
Adoption of a proposal for a mandate for negotiating an agreement on bank data transfers with the United States government under the Terrorist Financing Tracking Programme
Advertisement
What is the Terrorist Finance Tracking Programme (TFTP)?
Under the Terrorist Finance Tracking Programme (TFTP) the United States Department of the Treasury (U.S. Treasury Department) seeks to identify, track and pursue suspected terrorists and their providers of finance.
As part of the TFTP the U.S. Treasury Department would require by law SWIFT to transfer to it identified sets of financial messaging data relevant to terrorism investigations.
Which events led the Commission to put forward a new proposal?
On 11 February the Plenary adopted its Resolution withholding consent for the TFTP Interim Agreement. A letter signed by the President of the Council was delivered to the US Secretary of State on 22 February stating that as a consequence of the Parliament's Resolution, the EU cannot become a party to the Interim Agreement and terminating the provisional application of the Agreement.
In order to avoid security gaps as relevant data are only kept for 124 days by SWIFT, the Commission is putting forward a new proposal which should meet the European Parliament concerns.
What kinds of data are to be covered by the agreement? How would they be processed?
The data transferred under the TFTP are financial transaction record data. Such data may include identifying information about the originator and/or recipient of the transaction, including name, address, national identification number and other personal data related to financial messages.
Under the TFTP, requests for data are narrowly tailored based on past analyses of relevant message types, geography and perceived terrorism threats. General data sets would be transferred to the Treasury Department under the TFTP. However these data would not be subject to open-ended searching, but instead to specific searches based on pre-existing information demonstrating a reason to believe that the subject of the search is connected to terrorism or its financing. Data not subject to a specific search would be kept anonymous.
While the data requested under the TFTP represent only a small fraction of all SWIFT "FIN" messages, the essence of the TFTP is that each month a large volume of data is transferred. When Treasury Department request data, they do not know the identity of the terrorists who may plot an attack 6 months later. So the request for data is necessarily broader than suspects already under criminal investigation.
What safeguards for the protection of personal data are proposed in the draft mandate?
Personal privacy is guaranteed since the data on the TFTP database are effectively anonymous unless there is a reason to believe that a person is engaged in terrorism – in which case that person's data can be extracted and seen.
The draft mandate provides for significantly greater data protection safeguards than under the Interim Agreement. These include:
* Effective rights of administrative and judicial redress on a non-discriminatory basis;
* Rights of access, rectification and erasure of data;
* Greater monitoring involving not only an EU review process but also regular reporting by the Commission to the Parliament covering issues such as the quantity of messages processed, the sharing of TFTP-derived information and the number of cases where TFTP information has been used for counter terrorism purposes.
* Transfers of data must be approved by a judicial authority.
The draft mandate includes significant data protection guarantees such as a strict counter terrorism purpose limitation, an absolute prohibition on transfers on bulk data to third countries (only leads on terrorists derived from the analysis can be transferred) , and the EU will have the right to terminate the Agreement in the event of breach of any of the data protection safeguards.
In line with EU law, the mandate will propose a general maximum data retention period of 5 years.
Is the TFTP important for European security?
More than 1450 TFTP-generated leads have been passed to date to European governments from January to September 2009. Concrete examples of the benefits of TFTP-derived information include:
* TFTP information provided substantial assistance to European governments during investigations into the Al-Qa'ida-directed plot to attack transatlantic airline flights travelling between the EU and the United States. TFTP information provided new leads, corroborated identities and revealed relationships among individuals responsible for this terrorist plot. In mid-September 2009 three individuals were convicted in the UK, and each was sentenced to at least 30 years in prison;
* In early 2009 TFTP was used to identify financial activity of a Europe-based Al-Qa'ida individual who played a role in the planning of an alleged attack on aircraft. The information was passed to the governments of European and Middle Eastern countries;
* In summer 2007 the TFTP was used to identify financial activities of members of the Islamic Jihad Union (IJU) in Germany. This information contributed to the investigation and eventual arrest of IJU members plotting to attack sites in Germany. The TFTP continued to provide additional useful information to German authorities following the arrests. The persons subsequently confessed.
Does the mandate foresee a EU Review Process?
The mandate provides for regular reviews of the safeguards, reciprocity provisions and proportionality of the TFTP. It seeks to ensure a balanced representation in the EU review team of counter terrorism and data protection experts. It leaves open the detail of who would participate in this team.
What is the timeframe?
With concerns running high about the security gap, we envisage that a new agreement should be signed this summer.
Source: European Commission
