After some changes (Europol gained the role of verifying the compliance of US requests under the treaty for data) and heavy lobbying that included a vice-presidential visit to the European Parliament, the EP voted through a re-negotiated treaty. Since then it turns out that the negotiated safeguards are wholly inadequate, with general data covering a global area for an essentially unlimited time being provided to the US DHS.
Part of SWIFT II was that the US would help the EU establish its own system (Article 11), and the Commission has published a communication on the options on setting up a European Terrorist Financial Tracking System (PDF). A more targeted approach to data collection is one of the aims of a European system, so that these systems are less intrusive into the privacy of citizens.
The Communication doesn't pick a particular option, and there will be an Impact Assessment based on a study the Commission contracted out in 2010. The Communication also promises that the Impact Assessment will pay particular attention to the necessity and proportionality of a European system and its impact on fundamental rights - given the poor use of statistics in the PNR proposals, I can't say I've much confidence in the quality of impact assessments in the area of justice and home affairs.
Two main goals have been identified:
"• the system must provide an effective contribution to the fight against terrorism and its financing within the European Union;
• the system must contribute to limiting the amount of personal data transferred to third countries. The system should provide for the processing of the data required to run it on EU territory, subject to EU data protection principles and legislation."
A European TFTS could provide a useful extra tool in the fight against terrorism, and given the European basis of SWIFT (it's based in Belgium), designing a system that respects civil liberties and fundamental rights would have a positive knock-on effect in the EU's security relations with the US and other countries when it comes to finance tracking by ensuring that any transfers of data also comply with fundamental rights.
More specifically the system will cover:
"• preparing and issuing (legally valid) requests to the designated provider(s) of financial messaging services for the raw data to be provided to an authorised recipient or recipients. This involves determining the message categories to be requested, how often such messages should be sent, and maintaining contacts with the providers on these issues;
• monitoring and authorising requests to the designated provider(s) for such raw data. This involves verifying whether the request for the raw data have been prepared in accordance with the applicable limitations;
• receiving and storing (processing) the raw data from the designated provider(s), including the implementation of an adequate system of physical and electronic data security;
• running the actual searches on the data provided, in line with the applicable legal framework; on the basis of requests for such searches from authorities of the Member States, the U.S. or other third States on the basis of clearly defined conditions and safeguards, or on the own initiative of the authority (or authorities) entrusted with processing the data;
• monitoring and authorising the running of searches on the data provided;
• analysing the results of the searches, through combining these results with other available information or intelligence;
• distributing the results of the searches (without further analysis) or the results of the analyses to authorised recipients;
• implementing an appropriate data protection regime, including applicable retention times, logging obligations, handling requests for access, correction and deletion, etc."
Options (from page 9 onwards):
The Communication makes it clear that a hybrid solution is preferable to an exclusively national or exclusively centralised approach, so all of the options are designed along hybrid lines with differing degrees of (de)centralisation.
Option 1: A central EU TFTS unit as a coordination and analytical unit cooperating with national law enforcement authorities. Under this system most of the data work would be done at the European level with national requests to the central unit. Europol or Eurojust are possibilities for performing the central unit's role.
Option 2: EU TFTS extraction service option. This would be the same as option 1, but the central unit would not carry out analysis based on the extracted data for national requests (only for EU or third country requests), and requests would be verified at the national level.
Option 3: A Financial Intelligence Unit: there would be a European FIU platform which would request data from SWIFT and/or other data providers on the basis of national FIU needs. National FIUs would carry out the analysis, etc., for their Member State. The FIU Platform could deal with third country requests and for EU institutions.
The FIU model bears a striking resemblance to the Passenger Information Units envisaged by the current proposed Passenger Name Record Directive (PDF), so I'm guessing that something close to option three will be what we see in the draft law. Going with this model will bring up a lot of issues regarding safeguards and oversight, and how data analysis is used, as well as what scope the FIU Platform will have for transferring data on to third countries. Some of these issues will also remain for the other options, but at first glance it looks like option 2 provides a system with clearer lines of responsibility that also ensures that the information is delivered to national experts who can then get on with the job.
Two key aspects for a European TFTS.
A European TFTS has to be a system of individualised searches. The processing of bulk data is essentially casting a wide net, with government rummaging through everything that's been dredged up, whether or not the data belongs to non-suspects. Developing a system capable of delivering individualised searches is necessary if the system is to be equipped with sufficient safeguards to protect civil liberties.
The second key aspect for a European TFTS is that searches need to be subject to judicial oversight in the Member States - law authorities should not be able to issue searches whenever they want, but they should have to get judicial permission (or an equivalent process in national law) for a search based on specific legal grounds. This would help prevent data mining (or similar practices such as what goes on under the current treaty) and ensure that there are strong safeguards. These aren't the only safeguards necessary - retention periods and how far analysis shifts into profiling are other issues that need to be considered when the studies and the legislative proposal come out - but they are necessary. If these basic elements are missing from any TFTS, then it should be rejected. (The Communication mentions Europol as a possibility for a role in verifying requests for data under the system, despite not being a judicial authority by any stretch of the imagination.)
The contracted study should be finished by the end of the year and I assume the impact assessment and proposal will be published in 2013.