The new SWIFT agreement (or the "Terrorist Finance Tracking Programme") has been reached between the Commission and the US, and the agreement has been sent to the Council and Parliament for assent. Green MEP Jan Albrecht has written about the new agreement and uploaded a PDF of it here. Statewatch also released a PDF of the agreement here.
So does the new agreement address the concerns of the Parliament? Privacy is the central issue, and the long preamble to the deal takes care to highlight the tradition of privacy rights and protection in each jurisdiction (though MEPs tend not to see US privacy laws in the most flattering of lights), but a few new changes have been introduced to try and reassure Parliament.
Elements of the deal include: some oversight by Europol; that the data, if relevant to tackling terrorism by European authorities, will be forwarded to them; data providers can seek redress; citizens can request the erasure, correction or blocking of their information; the deal can be paused or cancelled upon notification after the first 6 months (though the cancellation would take place 6 months after notification); after the deal expires, it is automatically renewed each year for a year unless cancelled; there are provisions for passing on the data to third parties in some cases.
The safeguards are unlikely to fill the EP will a lot of confidence. Europol is an agency to aid work against organised crime, etc. in the EU - and therefore more likely to have a "police" outlook rather than a more impartial judge's outlook on how legal the transfer of data is. Having Eurojust look at the transfer of data to ensure that it complies would be better, as it would have more legal expertise, but a specialised legal review board would be better, in my opinion. In any case, despite the constant references in the deal that applications for data will be on specific data, the net will be quite wide in reality, since Swift only deals with bulk packages of data, and cannot separate them out.
If the data being transferred is bulk data, then it devalues the oversight - some private data will be transferred anyway, so there will already be a high tolerance for its transfer. There would presumably have to be quite a big breach of the agreement for Europol to stop a transfer (though my understanding is that they check that the application is correct, rather than going through the data itself - I doubt they have the resources to do that). The US have undertaken to delete data irrelevant to the deal's purpose, but effective safeguards are what the EP's after.
It's hard to see how effective the citizen's right to erasure, etc. would be. It would be rare that people would discover that data concerning them has been transferred, so how often can these rights be expected to be exercised? Effective safeguards before transfer are vital under these circumstances. Ideally there would be an application to a judicial panel for specific information, which would then be passed on if it complied with the deal.
Jan also brings up the question of how long the data would be retained for in his post. 5 years is too much, though if it was an exceptional period for an exceptional investigation and subject to rigorous safeguards and scrutiny, then such retention may be justifiable. Clearly such conditions aren't satisfied here.
Will it pass in Parliament? I hope not, and there are plenty of reasons here for the EP to reject it. However, there may be pressure to accept it to prevent the US from making bilateral deals and circumventing the EP altogether (though the US would have to consider how that could sour relations with the EP on matters that it cannot circumvent them).
On L'Europe en Blogs, there's an interview with the Commissioner for Home Affairs (whose department this falls under) here.