Tuesday 29 June 2010

SWIFT II: European Data Protection Supervisor's Report to Council

The European Data Protection Supervisor yesterday sent a report (PDF) on the SWIFT II agreement (or TFTP agreement) to the Council. Given the criticism of the agreement from Parliament (though there is recent news of some agreed compromise), the EDPS report is interesting.

For example, at paragraph 5, the EDPS notes that the proposal does not see Article 16 TFEU (on data protection) as a legal basis, though the agreement and proposal note the data protection concerns. The report tersely notes: "...the EDPS reiterates that this agreement not only relates to the exchange of personal data, but also to the protection of these data. Article 16 TFEU is therefore not less relevant as legal basis than Articles 82 and 87 TFEU relating to law enforcement cooperation that have been chosen as legal bases."

The scope for future agreements on data protection and for a general agreement between the US and EU on data protection is discussed as well, particularly in paragraph 8. The EDPS recommends that the current proposal (agreement) be amended so that if there's a general agreement on data protection, it will apply - or at least get an agreement that it would apply to TFTP circumstances.

The EDPS takes a look at the question of privacy rights and the security question through explicitly rights-based language (Para 15):

"15. Against this background, the Commission proposal highlights the usefulness of the TFTP Programme, as put forward by the US Treasury and by the eminent person's reports. However, the condition laid down by Article 8 ECHR in order to justify interference with private life is "necessity" rather than "usefulness"."

The report goes on to flag up the same concerns that the agreement's critics in Parliament have highlighted: the retention of data for up to 5 years regardless of whether it's been extracted or if there's a "proved link with a specific investigation or prosecution.", and bulk transfers are the big concerns. In fact, paragraph 20 urges for a transitional approach to bulk data if it is to be used at all:

"...EDPS believes that solutions should be found to ensure that bulk transfers are replaced with mechanisms allowing financial transaction data to be filtered in the EU, and ensuring that only relevant and necessary data are sent to US Authorities. If these solutions could not be found immediately, then the Agreement should in any event strictly define a short transitional period after which bulk transfers are no longer allowed."

Also worth higlighting is the whithering criticism for handing the judicial oversight role to Europol:

"25. Moreover, Europol has specific interests in the exchange of personal data, on the basis of the proposed agreement. Article 10 of the proposal gives Europol the power to request for relevant information obtained through the TFTP, if it has a reason to believe that a person or an entity has a nexus to terrorism. It is hard to reconcile this power of Europol, which may be important for the fulfilment of Europol's task and which requires good relations with the US Treasury, with the task of Europol to ensure independent oversight.

26. Furthermore, the EDPS wonders to which extent the current legal framework entrusts Europol - especially without changing its legal basis pursuant to the ordinary procedure established by the Lisbon Treaty - with the tasks and powers to make an administrative request coming from a third country "binding" (Article 4.5) on a private company, which will thus become "authorized and required" to provide data to that third country. In this context it is useful to note that it is under the present state of EU law not evident whether a decision of Europol vis-à-vis a private company would be subject to judicial control by the European Court of Justice."

The report also criticises some aspects of the personal rights under the agreement when it comes to the correction/deletion of information. (As it's already turning into a long post, I'll let you read it [paragraphs 28-33], but it raises questions over the ability of people to exercise these rights). The EDPS also urges the inclusion of a sunset clause in the agreement to help encourage sustained work towards improving data protection under its provisions.

Overall the report echoes the concerns of the critical EP voices, while welcoming the changes make since SWIFT I. How much of an impact will it have in the Council? It's hard to tell how wedded the Member States are to the agreement, though it's interesting to note that the report mentions that the German Constitutional Court (Bundesverfassungsgericht) considers the retention of data over 6 months to be excessive, so it is possible that some Member States could share worries over the diminution of privacy rights of their citizens. What will be the extent of any agreed amendments be? Hopefully these clear calls will have a positive impact.

No comments:

Post a Comment