Today, the European Data Protection Supervisor (EDPS) issued an opinion on the European Commission's draft Agreement with the United States on the Terrorist Financing Tracking Programme (TFTP) to allow US authorities access to European based financial data managed by the Belgian company SWIFT in cases of anti-terrorism investigations (*). Further to the decision of the European Parliament to veto the interim agreement in mid-February, the new draft aims in particular at addressing the concerns with regard to privacy and data protection.
The EDPS welcomes certain significant improvements over the interim agreement, such as the exclusion of data relating to the Single Euro Payments Area, a more limited definition of terrorism, and stronger guarantees on citizens' data protection rights. He however stresses that the necessity of the proposed agreement should be unambiguously established, mainly compared to other less privacy-invasive existing instruments (**). The EDPS expresses his concerns about the plan to allow the transfers of massive amounts of bank data to the U.S. authorities ("bulk transfers"). He further points out the key elements that should be improved from a data protection perspective, in particular as regards data retention periods, enforceability of the citizens' data protection rights, judicial oversight and independent supervision.
Peter Hustinx, EDPS, says: "I am fully aware that the fight against terrorism and terrorism financing may require restrictions to the right to the protection of personal data. However, in view of the intrusive nature of the draft agreement, which allows transfers of data in bulk to the US, the necessity of such scheme should first be unambiguously established, especially in relation to already existing instruments. Would this be the case, other key elements should however be improved in order to meet the conditions of the EU legal framework for data protection."
In addition to that, the EDPS mainly recommends the negotiators to:
(*) The Commission's proposal is triggered by the changes in the architecture of SWIFT, which as from 1 January 2010 ensures that SWIFT financial data that are internal to the European Economic Area and Switzerland will remain within the European zone - as different from the transatlantic zone - and will no longer be mirrored in the US operating centre.
(**) See for instance the agreement on mutual legal assistance between the EU and the U.S. which allows the exchange of banking and financial information between law enforcement authorities.