ERU, Alm.del - 2009-10 - Bilag 306: Kopi af økonomi- og erhvervsministerens svar på Europaudvalgets spm. 11 + 12 ad KOM (2009) 0703 vedr. SWIFT-data

Mr.JuanFernandoLÓPEZAGUILARChairman of the Committee on CivilLiberties, Justice and Home AffairsEuropean ParliamentB-1047 BrusselsDear Mr. López Aguilar,We refer to our letter of 22 January 2010 in which the Article 29 Working Party and the WorkingParty on Police and Justice examined the Agreement between the European Union and theUnited States of America on the processing and transfer of Financial Messaging Data from theEuropean Union to the United States of America for the purposes of the Terrorism FinanceTracking Program (“TFTP 1 agreement”). Both Working Parties are pleased with the fact thatdata protection concerns played a big part in the no-vote against the TFTP1 agreement on 11February 2010.On 28 May 2010, the subgroup on financial matters of the Article 29 Working Party was briefedby the services of the European Commission, DG Justice, Liberty and Security. The members ofthe subgroup assessed the draft negotiating directives adopted in March 2010 to negotiate a newTFTP agreement (hereafter “draft negotiating directives TFTP2), and the document titled“Agreement between the European Union and the United States of America on the processingand Transfer of Financial Messaging Data From The European Union To The United States forPurposes of the Terrorist Finance Tracking program”, hereafter “TFTP2 Agreement”. Bothdocuments were published1.

This Working Party was set up under Article 29 of Directive 95/46/EC. It is an independent European advisory body on dataprotection and privacy. Its tasks are described in Article 30 of Directive 95/46/EC and Article 15 of Directive 2002/58/EC.The secretariat is provided by Directorate D (Fundamental Rights and Citizenship) of the European Commission, DirectorateGeneral Justice, Freedom and Security, B-1049 Brussels, Belgium, Office No LX-46 01/190.Website:http://ec.europa.eu/ justice_home/fsj/privacy/index_en.htmThe Working Party on Police and Justice was set up as a working group of the Conference of the European Data ProtectionAutorities. It is mandated to monitor and examine the developments in the area of police and law enforcement to face the growingchallenges for the protection of individuals with regard to the processing of their personal data.

Despite the additional attention that is clearly given to data protection, we are as yet unsure aboutthe outcome. Still, the European Data Protection Authorities (DPAs) feel compelled to convey toyou again what we see as important data protection issues that appear from our first reading ofthe TFTP2 Agreement.We hereby enclose our initial assessment carried out by the Article 29 Working Party and theWorking Party on Police and Justice. We trust that our point of view will continue to receive dueconsideration by the European Parliament in its future deliberations on the TFTP2 agreement. Ofcourse, we remain at your disposal for further information on this issue if so required by theParliamentFurthermore, both Working Parties plan to fully assess the TFTP2 agreement once signed by thenegotiating partners and made public by the European Commission. Should this lead to furtherconcerns, we will of course make those clear, either by letter or in a formal opinion.Yours sincerely,

AttachmentBackgroundThe Terrorist Finance Tracking (“TFTP”) Program is a US government program that allowsdifferent US authorities to access the SWIFT transaction database. The existence of this programwas revealed by the media in June 2006, and was followed by an Opinion of the WP292of 22November 2006.Since the beginning of 2010, SWIFT has implemented their “distributed architecture” wherebyintra-European messages are only processed and stored in their EU operational centres (in TheNetherlands and Switzerland), and no longer in the US.On 11 February 2010, the European parliament issued a negative vote on the Agreement betweenthe European Union and the United States of America on the processing and transfer of FinancialMessaging Data from the European Union to the United States of America for the purposes ofthe Terrorism Finance Tracking Program (“TFTP 1 agreement”).On 5 May 2010 the European Parliament adopted a Resolution on the recommendation from theCommission to the Council to authorise the opening of negotiations for an agreement betweenthe European Union and the United States of America to make available to UST financialmessaging data to prevent and combat terrorism and terrorist financing (TFTP2 Agreement). TheTFTP2 Agreement reaffirms new elements such as the possibility of an EU TFTP program3andthe possibility of extension from SWIFT to other providers of financial data4.Finally, despite the new distributed architecture of SWIFT, different EU authorities receivedearly 2010 the confirmation that at least one UST subpoena was issued over both US and EUdata, including messaging data related to SEPA transactions.

Additional guaranteesThe WP29 and WPPJ welcome the fact that the TFTP2 Agreement contains additionalsafeguards regarding data protection. These safeguards enhance amongst others the data quality5.The agreement provides for “administrative redress on a non-discriminatory basis and theavailability of a process for seeking judicial redress under U.S. law, regardless of nationality orplace of residence”6, and a data retention scheme. Also, Article 13.3 states that The EuropeanUnion joint review delegation shall include representatives of two data protection authorities, atleast one of which shall be from a Member State where a Designated Provider is based.Additional concernsHowever, in addition to the points raised in their joint letter of 22 January 2010, the WP29 andWPPJ would like to express a number of points that, as they understand, are not (yet) sufficientlydealt with in the TFTP2 Agreement. Despite recent assessments in official press releases fromEU side that refer to “significant data protection provisions”7under the TFTP2 Agreement, theWP29 and WPPJ are of the opinion that these open points still imply serious data protectionrisks.1. Scope of the agreement: unclear status of protection of SEPA data in EUoperational centers, retroactive application to data subject to subpoenas before theentry into force of TFTP2Since WP29 and WPPJ received confirmation that (SEPA and other) data in EU operationalcenters fall under the competence and scope of UST subpoenas8, we question why article 4.2 (d)of the TFTP2 Agreement contains the explicit statement that ““The Request (together with anysupplemental documents) shall: (…) (d) not seek any data relating to the Single Euro PaymentsArea”. The WP29 and WPPJ assume this statement is either a misrepresentation or aconfirmation of the intention to exclude the SEPA data in EU operational centers from the scopeof US Subpoenas.In order to have an agreement that provides real and effective data protection, the WP29 andWPPJ find that it is the most privacy compliant option to exclude SEPA data from USSubpoenas via a clear US commitment to exclude SEPA data. However, the WP29 and WPPJare also aware that today such data fall under the power of the UST to issue subpoenas, andtherefore, as a minimum data protection and privacy compliance requirement, the purpose of theTFTP2 Agreement should be at least to protect all data that is contained in the EU operationalcenters of all financial payment messages providers that could (in the future) fall under theTFTP2 Agreement.The WP29 is of the opinion that the status of the data received and still stored under subpoena’sthat were issued before the entry into force of the TFTP2 Agreement should be addressed.Retroactive application of the TFTP2 Agreement to cover subpoenas served before the date of5

entry into force of TFTP2 should be excluded, as the TFTP2 agreement only provides a legalbasis for data obtained under subpoenas that were issued after a valid EU legal basis andadequate data protection guarantees were put in place. Such was clearly not the case for olderdata received under the previous EU-US arrangements (representations and TFTP1 Agreement).However, data that were obtained under the TFTP1 Agreement are still taken aboard under theTFTP2 Agreement, and made subject to a retroactive application of the five year data retentionmechanism. This may – de facto – go beyond the 5 year time limit (see article 6.3).2. Necessity and proportionality : the transfer of bulk data continues and legalalternativesAs put forward in our letter of 22 January, we stress the fact that, for technical reasons, thedesignated provider is not able to identify and produce specific data in reply to UST subpoenas.Even though the categories of data would now be specified under the TFTP2 Agreement9, thedata is still transferred in bulk to the US.In our view, technical difficulties are not a sufficient justification of bulk transfers of data of EU-and non-EU-citizens.The TFTP2 Agreement fails to justify why the combined application of existing cooperationmechanisms between EU and US for the intended purposes are inadequate, such as via theEgmont Group and the mutual legal assistance between the European Union and the UnitedStates of America of 25 June 200310, that entered into force on 1 February 2010.Also, even if data would be grouped in categories like in the PNR file, bulk transfers createadditional problems such as increased problems of correct extraction of data, the increase of thebacklogs to properly control and assess the accuracy of all data that is transferred and extracted(often controls are limited to samples or ad hoc controls due to understaffing of the control oraudit departments), and a lack of timely compliance with access or rectification requests. Suchproblems in processing operations for antiterrorism purposes were already publicly reported byUS authorities such as DHS11and the US Department of Justice12. Therefore, bulk transfers caneasily undermine the effective realisation of the purposes under the TFTP2 Agreement.9

General reference to categories of data in article 4.2. (a) regarding the request. Nonetheless, it also has to be noted that,according to the negotiating directives for TFTP2 Agreement, anexhaustive list of categories of data affected by therequestshould have been previouslyindicated in the Annex of the TFTP2 Agreement(point 2, second sentence, of thenegotiating directives, stating that “The Annex should contain an exhaustive list of categories of data affected by therequest”). Contrary to the mandate, Article 3 of the TFTP2 lays down that “The Designated Providers shall be identified inthe Annex to this Agreement”, without mentioning (categories of) Provided Data.Considered the purpose of the Agreement (including investigation and prosecution for alleged terrorism and/or terrorismfinancing), it is of paramount importance to provideexact, clear and strict definitionsof the scope of“financialpaymentmessaging and related data”. The concern is even more alarming if we take into account that, pursuant to art. 5.7, such datamay include sensitive data, and that the TFTP2 does not provide specific safeguards for such data, apart a declaration that“the US Treasury Department shall protect such data in accordance with the safeguards and security measures set forth inthis Agreement and with full respect and taking due account of their special sensitivity.”Official Journal, 19 July 2003, L 181/34ThePrivacy Office of the U.S. Department of Homeland Security (DHS) released in the second part of December 2008 areport regarding the Passenger Name Record (PNR) information from the EU-US flights. This report referred to a backlogand stated that therequests for PNR took more than one year to process and were inconsistent in what information wasredacted. Seepage 26 of the report published onhttp://www.dhs.gov/xlibrary/assets/privacy/privacy_pnr_report_20081218.pdf)See the US Department of justice, Office of the Inspector General, Audit Division, Audit Report 07-41 of September 2007(follow-up audit of the Terrorist Screening Center, hereafter “TSC”) that relates to the TSC’s consolidated terroristscreening database (TSDB). The summary of the report (page 3) indicated inaccurate watchlist records and continued

The WP29 and the WPPJ conclude that it still remains to be assessed whether the bulk transfer ofdata via specified categories under a new legal instrument can comply with the necessity andproportionality requirements.3. Gaps in the existing independent oversight and control mechanisms by EU dataprotection authorities and EU judicial authoritiesAccording to article 28 of the Directive 95/46/EC, authorities should be completely independentwith full powers vis-à-vis all aspects of data protection operations. This standard was recentlyupheld by the European Court of Justice13.The TFTP2 Agreement should not limit the supervisory competence and powers of dataprotection authorities, which are competent for the supervision of data processing. Howeverinstead, TFTP2 Agreement contains several limitations to the above standard and principle.First, the independent, full power of oversight and control of DPAs and judicial authorities is notfully implemented under the TFTP2 agreement. Some of the existing oversight competencesunder article 28 of the Directive 95/46/EC are instead separated and transferred to other levels.These competences concern different powers of DPA’s (1) to obtain all relevant information, (2)to independently assess such information of (3) full data protection compliance and,subsequently, (4) the possibility to either give binding legal effect to data transfers from nationalprocessing operations under a UST subpoena on EU territory, or where necessary, to order theblocking of such transfers :(1)the possibility to give binding legal effect to such order related to national dataprocessing operations,or, where deemed necessary, to block such data transfer basedon national data processing operation is replaced by an European verification andassessment mechanism (article 4.4. of the Agreement).(2) the power to makea full data protection assessmentin the light of all requirements ofthe Directive 95/46/EC is not foreseen. Instead, article 4.4. of the Agreement provides fora limited data protection assessment by Europol of the production order (“request”) in thelight of a limited number of criteria mentioned in article 4.2(3) the power to make an independent assessment is not implemented. Europol is notrequired to becompletely independent,and may even lack concern in the matter of dataprotection.(4) In the absence of a fully independent US DPA14, the exercise of thefull investigativepower to request all information(amongst others related to handling access andrectification requests or to exercising the other tasks) is not granted to DPAs. Instead,article 15.3 of the Agreement states that the “Privacy Officer of the U.S. TreasuryDepartment”,(…) “shall make all necessary verifications pursuant to the request”. TheEU DPA’s are to simply pass on the request of the data subject to the UST. Hence, animportant level of assessment of access requests remains with the UST andweaknesses in data management due to different interconnected databases and significant increase in (also duplicate) recordsthat have to be verified. Ie. There is a proven link between risk for inaccuracy of data andCase C-518/07,Commission of the European Communities v Germany,delivered on 22 October 2009It might be sufficient if such power was granted to a fully independent DPA in the US, which would then collaborate withEU DPAs. Since this is not the case, strong safeguards on US side and extensive competence of EU DPAs appear necessary.

misrepresentations cannot be controlled by DPAs. It is unclear why indirect access rightscannot be granted, as is the current standard in several EU members for the verificationby DPAs of police and intelligence processing operations, including processingoperations for antiterrorism and anti money laundering purposes. In any case, EU DPAsare under this procedure unable to independently establish whether or not the conditionsof the TFTP2 Agreement are fulfilled and give full guarantees to the individual makingthe request.The quality of oversight “in real time” is determined by UST15and there is no independentoversight by judicial EU authorities in accordance with European data protection standards16.Data handling would continue to be mainly verified “in real time” by the existing “SWIFT”scrutinizers, that would now only be controlled from time to time by the EuropeanCommission17.The WP29 and WPPJ are of the opinion that only an independent EU public authority could meetthe current EU oversight standard and therefore can fulfil the different roles of oversight andcontrol as foreseen in the TFTP2 Agreement. Currently, control by an independent judicial EUauthority appears to be an essential requirement to offer adequate guarantees for the respect ofdata protection principles set out in the Directive 95/46/EC.The choice for EU police authorities such as Europol is deemed inadequate for effective dataprotection and without legal basis at EU and national level. Indeed, the current EuropolDecision18does not cover tasks of mutual legal assistance on behalf of the EU such as the controlof EU data prior to their possible communication to third countries.On the other hand, in the current European framework, a possibility exists under the EurojustDecision to assess TFTP requests at Eurojust level, and to have those requests validated andexecuted19.Taking into account the abovementioned lack of full powers of access of DPAs to all availableinformation, the new task of confirmation to the data subjects that his/her rights have beenrespected under the TFTP2 Agreement20is not a task that the DPAs are in a position to fulfil.Also, DPAs cannot be appointed to a mere messaging task for UST assessments subsequent toEU data subjects' access or rectification requests.Instead of such limited role of “UST mailbox”, DPAs can only work in accordance with thestandard set by article 28 Directive 95/46/EC, and provide independent compliance assessments.This implies that they can inform data subjects of the EU procedure that will be establishedunder the TFTP2 Agreement and that could be followed for the exercise of rights, but withoutany guarantee of result and without declaration that this approach meets the applicable dataprotection requirements and principles.

Article 12.3 of the Agreement statesArticle 12.2 refers to “independent oversight” but does not explain how this independence would be assessed in relation tothe European standard set by article 28 of Directive 95/46/EC.Reference to “ongoing monitoring” in article 12.3 “by an independent person appointed by the European Commission, withthe modalities of the monitoring to be jointly coordinated by the Parties”.Council Decision of 6 April 2009 establishing the European Police Office (Europol), O.J., L 121/37Based on the combined reading and application of the articles 9 quarter and 9 sexies of the Eurojust Decision; i.e. to includethe national members of Belgium and Holland executing in their competence of national competent authority.Included in Article 15.1 of the TFTP2 Agreement

4. Onward transfers – lack of any guarantees for the respect of several data protectionprinciples and change from the current standard set by the Egmont principles forsuch transfersToday, the principal mechanism for dealing with flows of financial intelligence is the EgmontGroup, the international coordinating body of 106 FIUs, in accordance with the EgmontStatement of Principles of Information Exchange Best Practice21and using the Egmont SecureWeb. Within the EU, FIUnet, an IT system linking most Member States' FIUs facilitatescooperation by allowing them to make enquiries and exchange certain information.The WP29 and WPPJ are of the opinion that Egmont principles 11 and 12 offer a minimumbenchmark of data protection that can and should be adequate and acceptable for the onwardtransfers under the TFTP2 Agreement. Egmont principle n� 11 addresses the requirement ofpurpose limitation. Egmont principle n� 12 provides the requirement of FIU consent for anyfurther use (including onward transfers).Even though the US Financial Intelligence Unit (FINCIN22), appears to be a part of the UST, andthe Egmont Principles should therefore be deemed applicable to the UST, the WP29 and WPPJfail to understand why the EU negotiating directives contain a lower level of protection thandescribed in the Egmont principles n� 11 and 12.The following data protection principles are not (identically or clearly) applied on onwardtransfers:•the data retention limitation, including the retention mechanism of five years23.•the statement on the lack of involvement of data mining, manipulation or otherwiseinterconnection with other databases24•the application of the purpose limitation principle / prohibition of incompatible use, asdescribed in a stricter way in Egmont principle n� 1125.

As published onhttp://www.egmontgroup.org/library/egmont-documents“11. Information exchanged between FIUs may be used only for the specific purpose for which the information was soughtor provided.12. The requesting FIU may not transfer information shared by a disclosing FIU to a third party, nor make use of theinformation in an administrative, investigative, prosecutorial, or judicial purpose without the prior consent of the FIU thatdisclosed the information. “http://www.fincen.gov/The current wording of the TFTP2 Agreement provides inadequate clarity and certainty to the question if and to what extentthe data retention period is applicable to onward transfers in and outside the USThe wording of Article 5.3 of the TFTP2 Agreement contains the simple statement “The TFTP does not and shall notinvolve data mining or any other type of algorithmic or automated profiling or computer filtering “. The correctness of thisstatement is difficult to verify. The statement is clearly not a firm commitment, nor an obligation that is applicable toonward transfers andother US or foreign programs, such as at the level of the Federal Bureau of Investigation that ispartially a police and partially an intelligence service.The (implicit) purposes linked to the tasks of the general categories of addressees for the ongoing transfers “lawenforcement, public security, or counter terrorism authorities in the United States, Member States, or third countries, orwith Europol or Eurojust, or other appropriate international bodies, within the remit of their respective mandates”in article7 (b) of the TFTP2 Agreement are defined much wider than the purpose for the initial transfer/ request in article 4.2. (a) ofthe TFTP2 Agreement (“the purpose-of the prevention, investigation, detection, or prosecution of terrorism or terroristfinancing …). This is also much wider than the Egmont principle n� 11 for ongoing transfers (“used only for the specificpurpose for which the information was sought or provided”).

The consent of the authority that disclosed the information is a traditional precondition to limitincorrect or unlawful processing in onward transfers, and to protect the required data qualitystandards for antiterrorism and anti money laundering purposes. It can be found in Egmontprinciple n� 12 and should be already applicable to the UST. Instead, article 7 (d) of the TFTP2Agreement provide possible exceptions if (the UST ?) deems that“the sharing of the data isessential for the prevention of an immediate and serious threat to public security of a Party tothis Agreement, a Member State, or a third country“26. Such wide exception to the principle ofconsent is unknown under the existing Egmont principles and the necessity of such exception isnot demonstrated.5. Assessment of the “adequate” level of data protectionArticle 8 of the TFTP2 Agreement contains the statement that “the U.S. Treasury Department isdeemed to ensure an adequate level of data protection for the processing of financial paymentmessaging and related data transferred from the European Union to the United States forpurposes of tins Agreement”. This statement is clearly inaccurate in light of current EUstandards. As explained in our letter of 22 January 2010, “Traditionally, adequacy is assessed bya thorough comparison of the level of protection provided by a specific country or entity with EUstandards.” Since such an independent assessment has not yet taken place and is not foreseen inthe (near) future, the level of protection offered by an agreement or the UST cannot beconsidered as adequate.6. Joint ReviewTaking into account the experiences with the US PNR agreement, the review mechanism shouldcover the whole term of the agreement (and should for instance specify that a review has to takeplace every year during the 5 year term of the agreement). There should also be a clearconsequence (for instance the suspension or termination of the agreement) if no review isobtained, in case of misrepresentations or in case of repeated failure to comply with the basicdata protection principles that is not remedied by the UST.As set out in our letter of 22 January 2010, the effectiveness of the oversight powers of DPA’sand the Joint Review stands or falls with the accessibility of all relevant information for allmembers of the review committee, including the representatives of the data protection authoritiesof the Member States.However, DPAs are in particular concerned on the unknown modus operandi and in particularthe limitations that might be required of the DPA’s that will be called upon to be part of the jointreview team27. In any event, DPAs can and should not be imposed to sign non disclosureagreements or meet other expectations that would appear to be conflicting with the requirementsset out under article 28 of Directive 95/46/EC. In particular, the obligations to inform and beaccountable to their national parliaments of the outstanding data protection issues under theTFTP2 agreement should be taken into account.

7. Lack of effective redressA conflict appears between the articles 18.2 (redress mechanism) and 20.1 (no change in laws) ofthe TFTP2 agreement. The WP and the WPPJ understand that TFTP2 Agreement has no directeffect in the respective legal systems and that this agreement does not change in itself therespective legal systems of US, EU or national member states28. Today, the access and redressrights even differs from US agency to US agency and US law does not provide any rights to non-US citizens.Since no rights for EU and non-EU citizens are created with direct effect under the TFTP2Agreement, the WP29 and the WPPJ seriously question the effectiveness of the redressmechanism under US law as set out in article 18.2.We trust that the aforementioned concerns will continue to receive due consideration by theEuropean Parliament in its follow-up of the TFTP2 Agreement and remain at the Parliament’sdisposal for further information.