Tuesday, 17 July 2012

“I feel that we’ve been had!” – Report on the SWIFT Agreement

Blow to civil liberties as PNR deal passes

 BY CC greenefa.

In 2010 the EU ratified an agreement with the US called the SWIFT Agreement (or more technically: the “Terrorist Financial Tracking Programme” – PDF), after the first agreement was vetoed by the Parliament, and despite privacy concerns remaining for the second agreement. The SWIFT Agreement permits the transfer of financial transaction information to the US government for the purpose of counter-terrorism. The problem is that you can’t ask for someone’s transaction information, but data is transferred in bulk to the US, where they search through the information to see if they can find out anything relevant to counter-terrorism. As a check, the second agreement stipulates that Europol must check that requests for transfers are in compliance with the agreement. Given that Europol could gain from any leads from the information, it’s not exactly the impartial check of a judicial body.

The LIBE Committee debated the Second Report on the role of Europol by the Joint Supervisory Body on 21/6/2012 (you can watch it here). The first report (PDF) found some serious failings, including:

- Due to the abstract nature of transfer requests, proper verification of whether the requests are in line with the conditions of the Agreement is impossible.
 - Information provided orally to Europol affects their decision making, but cannot be reviewed by the JSB. Whether the deficiency in information in the requests is remedied by oral information is impossible to verify.
- Significant involvement of oral information renders proper internal and external audit impossible.


- Inform the JSB on the results of the review in policies and procedures for Europol’s role. - Ensure the ability of the Europol Data Protection Officer to carry out his role.
- Ensure hard-deletion of Article 4 data (data to the US where Europol has to verify their requests), which where inputted into some of Europol’s information processing systems before the upgrading of the security level.
- Contact the US Treasury Department and ensure that adequate information is provided with requests.
- Ensure verifications by Europol are made based on written requests, along with any supplemental documents, in order to allow for proper internal and external audit.

The Second Report notes that all US data requests to date have been approved and that some of the reasons are too generic. Many of the request applications included “copy and paste” texts and the information provided was out-of-date and already in the public domain, and oral information is still being provided to Europol in order for it to make decisions. Also, there is no geographic limitation to these requests (data concerning the whole world is requested), and the requests submitted on a monthly basis for a month in duration (so effectively data transfer is ongoing all year round with little limitation).

The JSB concluded that 2 of its recommendations from its previous report have been implemented, while progress is ongoing for the other 3. The EU and US have signed an agreement for a second person to be posted from the EU to the US Treasury Department to oversee the operation of the agreement. The Overseer currently in place has been involved in intensive on-the-job training, and has been in US Treasury briefings. Clearly continuous information is being provided on generic and incomplete information with little restriction, so it’s hard to see how the current system provides adequate safeguards.

The full report however is not publically available or even available to the MEPs on the LIBE Committee – when the Committee requested access to the report, the JSB said it had no objections, and that there was nothing sensitive in the report that would prevent it from being disclosed. However, Europol stated that disclosure would threaten operational interests, so the report has not been disclosed. You can find the JSB’s public statement here: PDF.

Sophie in’t Veld and Jan Albrecht weren’t impressed (Veld: “I feel that we’ve been had!”). Veld highlighted that the EP was assured that there would be no data mining, but that the current procedure – of continuous and almost unlimited access – is much worse and goes further than what Parliament had expected. Veld objected to the secrecy of the report, saying that the Committee cannot fulfil its role of scrutinising Europol and the Agreement properly on the basis of a “3 page summary”. Albrecht said that the demands of MEPs have not been met after 2 years of the agreement, adding that if we have a functional fundamental rights jurisdiction, we could get this taken down in court.

While the role of the Europol Data Protection Officer seems to have been strengthened, it hardly seems like there are any safeguards on the flow of financial transaction data to the US. Without a sunset clause on the agreement, the European Parliament is in a fairly weak position to act against the treaty or to demand amendments. We seen the trend of PNR treaties on passenger information lead to a bad proposal for EU PNR, and soon the Commission will propose a TFTS for the EU. We need to make sure that we don’t throw away our civil liberties for little or no security gain simply because law enforcement authorities want our information and data.

1 comment:

  1. To agree to something like this with limited or no safeguards for data protection, all at the behest of security agencies, is just disgusting and frightening. 1984 anyone?