Last week, the European Commission approved a draft agreement setting out the terms on which the details of millions of daily transactions of 8,000 banks in 200 countries could be obtained by US authorities in their fight against terrorism. The draft agreement has still to be approved by both the European Parliament and the Council before it can come into force.
The need for an agreement arose after it was exposed by the New York Times in 2006 that, since the terrorist attacks on the US on 11 September 2001, US authorities had secretly been accessing transactions processed by the Society for Worldwide Interbank Financial Telecommunications (SWIFT).
In response to data protection concerns, it was considered necessary to put a formal agreement in place between the EU and the US regulating the use by the US of the banking data of millions of Europeans. The European Parliament has, until now, rejected all draft agreements. In particular, a draft proposed by the US in February of this year was rejected by the Parliament on the basis of privacy concerns.
The latest draft agreement is significantly longer that the previous draft, however has been criticised as no different in substance to the rejected previous draft. It still allows the "bulk" transfer of data which may be stored by US authorities for a period of up to five years.
In terms of the new and approved draft agreement, Europol will have the discretion to assess whether data requested by the US authorities is "necessary for the fight against terrorism" and whether the request is "tailored as narrowly as possible" in order to minimise the amount of data transferred. If the data requested does not satisfy these two conditions, it cannot be transferred.
Whilst on the face of it these conditions seem to limit the scope of the data that will be transferred to the US, the approved draft agreement has been criticised for being remarkably similar in substance to the draft agreement which was rejected in February and therefore not going far enough to limit the amount of data that can be transferred in order to protect the privacy rights of Europeans.
In addition, the provisions of the approved agreement are somewhat more lenient than the counterpart provisions imposed on the EU when requesting data from the US. The EU has to identify a specific person or entity that there is reason to believe has a nexus to terrorism or its financing before the US will provide requested information, whereas in contrast, requests from the US to the EU contain no such identification requirements – it is sufficient for the US authorities to provide the vague assertion that the data it requests is necessary in connection with terrorism.
The EU's privacy watchdog, the European Data Protection Supervisor (EDPS), remains uneasy with the approved agreement, and various bodies are urging the European Parliament to once again reject the draft agreement. The outcome of the ongoing negotiations and debates remains to be seen.
Disclaimer
The material contained in this article is of the nature of general comment only and does not give advice on any particular matter. Recipients should not act on the basis of the information in this e-update without taking appropriate professional advice upon their own particular circumstances.
