Thursday 7 January 2010

Council agrees to financial data transfers to the US

The US Department of Treasury will be able to access, from February 2010, financial data held in the EU in order to combat terrorism, under an agreement (16110/09) the EU Council reached with the US on 30 November 2009. 

The agreement ensures that the Department of Treasury will continue to have access to financial information held by the Society for Worldwide Interbank Financial Telecommunications (SWIFT) - a financial communications platform - when it starts operating a centre in Switzerland. The Department of Treasury requests the data through its Terrorist Finance Tracking Program (TFTP).    

The agreement will make the 2007 unilateral commitments of the Department of Treasury to the EU legally binding. Breaches of any of the commitments - which include using the data for terrorism detection purposes only and retaining the data for five years - will entitle the EU to suspend or terminate the agreement. It also requires that a European judicial authority verify the legality of the US requests for data and authorise transfers. Strict obligations regarding data security will also be imposed, and data subjects whose personal data has been mishandled will be able to seek legal redress.   

The agreement was signed before the Lisbon Treaty - which increases the EU Parliament's power over international treaties, amongst others - came into force on 1 December 2009. 'To ensure that the European Parliament is able to exercise its new powers under the new Treaty in this regard, the agreement is for a maximum duration of nine months', it reads. 'The Commission will come forth with a new proposed mandate in early 2010 for a subsequent agreement based on the Lisbon Treaty.' 

"The agreement provides that there is to be full respect for data protection and privacy rules", said Francis Aldhouse, Consultant at Bird & Bird. "This is pure legal formalism. The US will have access to the data, and the considerable and costly efforts made by SWIFT in planning a new European server centre in order to follow the requirements of the data protection authorities have been rendered nugatory."   A statement from SWIFT read: '[We were] not involved in the EU-US discussions but are closely monitoring the next steps in the EU decision process. The legal framework must be sound and leave no room for ambiguity to ensure private companies have legal clarity to operate'.