Out-Law / Your Daily Need-To-Know

Commission told to re-negotiate controversial US bank data transfer

29 Apr 2010, 11:08 am

The European Commission has been given a fresh mandate to negotiate with the US on that country's access to European banking records. The last agreement was rejected by the European Parliament.

Whatever new deal the Commission and US authorities come to must be approved by a majority of EU states and by the Parliament.

Since terrorist attacks in the US in 2001 US authorities have had access to the records of inter-bank transfer body SWIFT (Society for Worldwide Interbank Financial Telecommunication). That activity only came to light in 2006, though, and caused significant controversy.

Data protection authorities in Europe said that the passing of personal banking data to US authorities broke data protection law and SWIFT stopped hosting material in the US, where US-issued subpoenas could order access to the data.

The Commission negotiated a new deal on the transfer to the US's Terrorist Finance Tracking Programme (TFTP) but the European Parliament objected in February.

"Parliament's right to consent should not be used as a retrospective tool", said UK MEP Timothy Kirkhope in that debate. "We are finally getting assurances from Council and Commission [on data protection issues] but we now need some time before proceeding further in our considerations."

"Council has not been tough enough on data protection" said Jeanine Hennis-Plasschaert, who was the Parliament's rapporteur on the issue. She said that "the rules on data transfer and storage provided for in the interim agreement were not proportionate to the security supposedly provided," according to a Parliament statement.

The Council has given the Commission a mandate to negotiate a new deal.

"While helping the US Treasury Department to identify, track and pursue suspected terrorists and their providers of finance, the final agreement must also grant the highest level of protection for EU citizens' personal data," said a Council statement.

"Under the proposal, the Brussels-based SWIFT Company would have to transmit to the US administration financial transaction record data relevant to terrorism investigations. Such data may contain identifying information about the originator or recipient of the transaction, including name, address, national identification number and other personal data related to financial messages," it said.

The Council said that the data must only be used for targeted searching, and not for open-ended data sweeps. There must be information leading to suspicion that the person whose data is being examined has links to terrorism of its financing, it said.

"The negotiating mandate provides for strong data protection safeguards, such as the right to administrative and judicial review; the right of access, rectification and erasure of data; and the requirement that data transfers must be approved by a public authority in the EU," said the Council statement.