Background

6.1 Following the September 2001 terrorist attacks, the United States Department of the Treasury developed a Terrorist Finance Tracking Program (TFTP) to identify, track, and pursue terrorists and their financial supporters. The TFTP used payment information carried by SWIFT (the Society for Worldwide Interbank Financial Telecommunications), a Belgian company, which is the world's main system for passing international payment instructions between financial institutions. This information was provided on the basis of an administrative subpoena requiring that the US branch of SWIFT should provide the US Treasury with specified financial transaction record data, which were stored in the United States. This data was held by the US Government in a highly secure database and was used exclusively for terrorist finance tracking purposes.

6.2 These arrangements were disclosed in public in 2006, and concerns were raised in the EU about the use made of the information by the US and about the protection of personal data. To address these concerns, the US Treasury gave a set of unilateral undertakings, known as Representations, to the EU in June 2007. These specified a series of commitments and safeguards to ensure the protection of EU-originating personal data processed under the TFTP and that the data would be used exclusively for counter-terrorism purposes.[22]

6.3 The EU appointed an "Eminent European Person", Judge Bruguière, to oversee the use of EU-originated payment information by the TFTP. In December 2008 Judge Bruguière presented his first annual report on the processing of EU originating personal data by the US Treasury. This report concluded that the US Treasury has been vigilant from the outset in respecting the safeguards included in the Representations and notably the strict counter terrorism purpose limitation. Judge Bruguière's report also concluded that the TFTP has generated since its implementation, and continues to generate, significant value for the fight against terrorism both in the USA and beyond. Moreover the US Government has readily shared this intelligence with third countries — Member States being the principal non-US beneficiary of TFTP lead information.[23]

6.4 Changes to the operation of the SWIFT system from the beginning of 2010 placed most payment information outside the scope of US administrative subpoenas, leading to such information being unavailable to the TFTP and seriously impairing its scope and coverage.

6.5 In November 2009 the previous Committee cleared from scrutiny a draft Council Decision to authorise the signing, but not the conclusion, of a temporary agreement (year-long, whilst a permanent agreement was being negotiated), referred to as the SWIFT Agreement, between the EU and the US in order to allow transfer of SWIFT data to the US Treasury for the purposes of the TFTP. The agreement would have made financial payment messaging data stored in the EU available to the US, subject to strict compliance with safeguards for the protection of personal data and was intended to maintain the availability of data stored in the EU to the TFTP and so ensure that the TFTP continued both to have coverage of all regions and to support counter-terrorism authorities in the US and EU. The agreement was to come into operation provisionally on 1 February 2010, pending its entry into force, once "the Parties have exchanged notifications indicating that they have completed their internal procedures for this purpose." [24]

6.6 In February 2010 the previous Committee considered a draft Council Decision to authorise conclusion of the SWIFT Agreement. Although it thought it likely, given its decision on the earlier draft Council Decision, that it would clear the new document it was greatly exercised about the limited time available for scrutiny of both the substance of the proposal and a Government decision to opt-in to it. The latter point was of particular concern because of Government assurances during passage of the legislation necessary to implement the Lisbon Treaty in the UK. In the event, on 11 February 2010, the European Parliament refused its necessary assent to the proposal — so the SWIFT Agreement was not concluded, the question of the UK's opt-in no longer arose and the document, being redundant, was cleared from scrutiny. However the Committee noted that it was possible that negotiations would now begin on a permanent agreement, which would be subject to scrutiny.[25]

The documents

6.7 The Commission Recommendation, document (a), was the basis for a Council Decision on a confidential negotiating mandate for a permanent agreement between the EU and the US on the processing and transfer of financial payment messaging data from the EU to the US for the purposes of the TFTP. The negotiating mandate set out the primary points for the EU in concluding an agreement with the US and was based on the failed interim agreement, taking into account the concerns raised by the European Parliament on data protection. The mandate allowed the Commission, accompanied by a specially designated Committee, to negotiate with the US on behalf of the EU. Given that they concerned a confidential negotiating mandate, neither the Recommendation nor the subsequent Council Decision have been published.

6.8 The draft agreement, document (b), is the outcome of the negotiation authorised by the Council Decision proposed in document (a). The purpose of the agreement is to maintain the availability of data stored in the EU to the TFTP and so ensure that the TFTP continues to have coverage of all regions and continues to support counter-terrorism authorities in the US and the EU.

6.9 The arrangement in the agreement for the transfer of data is a mechanism under which designated providers of international payment messaging services may be compelled to provide data to the US Treasury. The agreement provides:

• for designation of SWIFT as the provider;
• that, in order for data transfer to take place, the US must submit a request (a "production order") to the provider under US law;
• for Europol (the EU police cooperation agency) to verify that each request satisfies certain criteria — it must clearly identify the data necessary for preventing, investigating, detecting, or prosecuting terrorism or terrorist financing, it must substantiate the necessity of the data, it must be tailored as narrowly as possible in order to minimise the amount of data requested, it must take account of past and current terrorism risk analyses and it must not request any data relating to the Single Euro Payment Area;[26] and
• that, if Europol deems the request to be compliant with these criteria, the request will have binding legal effect in the EU and the US and the provider must submit the data requested to the US Treasury.

6.10 In order to ensure that any data transferred is adequately protected, the agreement stipulates a number of safeguards that the US Treasury must adhere to:

• the data may only be used for preventing, investigating, detecting or prosecuting terrorism or terrorist financing;
• the TFTP shall not involve data mining or any other type of algorithmic or automated profiling or computer filtering;
• data shall be held in a secure physical environment and access shall be limited to analysts investigating terrorism or its financing and to those involved in the technical support, management and oversight of the TFTP;
• data shall not be interconnected with any other database, or subject to any manipulation, alteration or addition;
• no copies shall be made other than for disaster recovery back-up purposes; and
• all searches of TFTP data held by the US Treasury shall be based upon pre-existing information or evidence which demonstrates a reason to believe the subject has a nexus to terrorism or its financing.

The agreement:

• places a five year limit on the period for which the data that has not been extracted for examination may be retained;
• limits the possibility for onward transfer of data to scenarios involving the investigation, detection, prosecution, or prevention of terrorism and terrorist financing; and
• provides for the appointment of an independent person to ensure that these safeguards are properly enforced.

6.11 In relation to EU access to TFTP data the agreement:

• requires the US to make data available to law enforcement, public security or counter terrorism authorities in Member States to assist in combating terrorism and terrorist financing;
• gives Member States, Europol and Eurojust (the EU judicial cooperation agency) the right to request a search for information obtained through the TFTP in situations where they have reason to believe that a person or entity has a nexus to terrorism or its financing; and
• requires, if the EU were to decide to establish its own system equivalent to the TFTP, the US to cooperate with, and provide assistance to, it.

6.12 For citizens' right of access to data and to means of redress the agreement provides that:

• any person has the right to obtain from their own data protection authorities confirmation that the data has been adequately protected;
• they may also request that use of their data be disclosed to them;
• disclosure may only be denied where there are reasonable legal limitations in place to safeguard activities to prevent, detect, investigate or prosecute terrorism or terrorist financing, or to protect public or national security; and
• any person who considers their personal data to have been processed in breach of the agreement is entitled to seek effective administrative and judicial redress in accordance with the laws of the EU, its Member States and the US.

6.13 The draft Council Decision, document (c), is to authorise the Commission to sign, on behalf of the EU, the agreement. After its adoption by the Council, the second draft Council Decision, document (d), to authorise conclusion of the agreement, would go to the European Parliament for it to consent to the Council adopting the Decision.

The Government's view

6.14 The then Exchequer Secretary to the Treasury (Sarah McCarthy-Fry) wrote twice about the draft Council Decision, document (a), to explain the then Government's intention to opt-in to the Council Decision. She said that it was regrettable that neither Parliament nor the Government would have the normal periods allowed them for consideration of an opt-in decision. But the Government felt it had no alternative, given the very real security gap in the EU created by the cessation of the TFTP, but to opt-in to and support the proposal. However she emphasised the attention the Government expected to be given to fully addressing data protection concerns in any agreement negotiated.

6.15 In his Explanatory Memorandum on the agreement and the draft Council Decisions about its signature and conclusion, documents (b)-(d), the Commercial Secretary to the Treasury (Lord Sassoon) tells us that the Government is fully supportive of the agreement. He continues that the TFTP is an extremely important counter terrorist tool, noting that leads it has generated have provided valuable contributions to a number of investigations, including:

• the Bali bombing in 2002;
• the van Gogh terrorist-related murder in the Netherlands in 2004;
• the plan to attack New York's John F. Kennedy airport in 2007;
• an Islamic Jihad Union plot to attack Germany;
• the attacks in Mumbai in 2008; and
• the Jakarta hotel attacks in 2009.

Additionally, to date more than 1550 leads generated by the TFTP have been shared with Member State governments.

6.16 The Minister then discusses a number of aspects of the agreement, saying that:

• the agreement would increase the effectiveness of the TFTP, as it imposes a binding requirement on the US Treasury to search SWIFT data on request from Member States that comply with the terms of the agreement and this should benefit the EU's counter terrorism efforts;
• the agreement stipulates strict data provisions to which the US Treasury must adhere, including proportionality requirements, limitations on access to and onward transfer of data; a five year limit on the period for which data may be retained (consistent with global standards on money laundering and terrorist financing) and mechanisms for independent oversight of the programme;
• the Government considers that these provisions are sufficiently strong and are in line with existing EU data protection law;
• the Government welcomes the provision for EU citizens whose data is misused to seek independent redress in the US;
• the Government has carefully considered the legal basis for compelling SWIFT to transfer the data to the US to ensure that it would not compromise the integrity of the UK's criminal justice system;
• under the agreement, Europol is given legal responsibility for ensuring the transfer of data from Belgium and the Netherlands to the US — this would extend the jurisdiction of the ECJ over this particular task assigned to Europol;
• both the Council and the Commission legal services have, however, stated that the ECJ's jurisdiction would not extend any further than this task; and
• as none of this task would take place in the UK, there would be no impact on the UK's criminal justice system.

6.17 In his letters the Minister first alerts us to the conclusion of the negotiation of the new agreement, document (a), and notes the probability of the process for signing and concluding the agreement would be carried on quickly. Noting in his second letter, of 24 June 2010, the probability that the Council Decision to sign the agreement, document (c) would be adopted on 28 June 2010, the Minister then announces the Government's intention to opt-in to the Decision. He recognises that this is before we (and the Lords EU Committee) have had the opportunity to scrutinise the proposal. He tells us that there are, however, compelling reasons behind this decision, explaining that:

• under the TFEU the UK is usually entitled to a three-month period to consider whether it wishes to opt-in to a Justice and Home Affairs measure;
• in this case, however, the Presidency indicated that it would present the Council Decision for adoption on 28 June 2010;
• as a result of the very real security gap created by the TFTP's lack of access to data, the Government has decided that it would not be appropriate to insist on the full three-month period being granted;
• the Government was therefore required to make a rapid decision on whether to opt-in to the Decision to sign the agreement or not;
• as stated in the Explanatory Memorandum, the Government strongly supports the agreement itself;
• the TFTP has brought significant benefits to the UK and the EU and the agreement would further increase its effectiveness by further imposing a binding requirement on the US Treasury to search financial data carried on the SWIFT payment system on request from the Member States that comply with the terms of the agreement;
• not opting-in prior to the decision to sign, would put the agreement at risk, as the vote would be by qualified majority basis; and
• the Government did not feel that it was appropriate to run such a risk, in view of the significant benefits the agreement would bring to the UK.

6.18 Finally, in this letter, the Minister comments that Treasury Ministers take issues of parliamentary scrutiny very seriously, that he regrets that, on this occasion, it has not been possible to complete that scrutiny through the appropriate mechanism and that he hopes we will agree that under the circumstances, the Government's decision was the most appropriate one.

6.19 In his third letter, of 8 July 2010, the Minister reports further developments. First, on 25 June 2010 the UK opted into the Council Decision, document (c), to sign the agreement, the final text of which contained one minor change. This is to give the Commission the right to appoint a person to be part of the team of independent overseers to monitor the implementation of the safeguards. The Minister comments that the Government believes that this is a further strengthening of the data protection safeguards and therefore welcomes it.

6.20 Secondly, the Minister tells us that the agreement was signed between the EU and the US on 28 June 2010 and on the same day a revised draft Council Decision to conclude the agreement was published.[27] This differs from the previous version, document (d):

• to reflect the Commission appointment of an independent overseer; and
• by inviting the Commission to submit a proposal for establishing an EU system to extract financial data on EU territory.

In an accompanying declaration the Commission undertakes to develop a proposal in the near future.[28] The Minister comments that this builds on an existing provision in the agreement, that the Government believes that there is merit in this scoping exercise, and as such supports the provision, but that the details of the Commission proposal will require careful scrutiny.

6.21 The Minister says that in addition to publication of the revised Council Decision the Council issued two declarations.[29] In the first the Council undertakes to review the agreement once an EU-US agreement on data protection has been finalised. In the second it undertakes, together with the Commission to establish the technical basis for Europol to verify US requests before the agreement comes into force. He comments that the Government supports both objectives.

6.22 Finally in this letter the Minister tells us that:

• on 8 July 2010 the European Parliament voted to give consent to conclusion of the agreement; and
• the Council is likely to adopt the draft Decision to conclude the agreement, document (d), at a forthcoming Council meeting.

He reminds us that if the Government wishes the UK to be bound by the agreement it must opt into that Decision.

6.23 In his final letter, of 22 July 2010, the Minister tells us that the Decision was adopted at the ECOFIN on 13 July 2010that the Government opted into the Decision and that the UK will therefore be bound by the terms of the agreement. He adds that by opting into the Decision UK law enforcement and counter terrorism authorities will be able to request targeted searches of the TFTP database where they have reason to believe that a person or entity has a nexus to terrorism or its financing and that this will be of great security benefit to the UK. And he again expresses regret that there was not opportunity for scrutiny of these issues.

Conclusion

6.24 Although the security benefits of the TFTP seem plain we think the agreement is sufficiently important, and its predecessor, the rejected agreement, sufficiently controversial, as to warrant the three documents concerned with it, (b)-(d), being debated. So we recommend that there should be a debate in European Committee B, even though the draft Council Decisions have already been adopted. Amongst the matters that might be explored with the Government in that debate are:

• its view of the apparent intention to establish the EU's own TFTP; and
• whether possible data protection risks arising from the agreement are too heavier a price to pay for the security benefits.

6.25 As for the scrutiny breach in relation to the documents for debate, both in terms of the normal scrutiny of the substance and of the special scrutiny of opt-in proposals, we note the Minister's explanation and understand the timetabling problems the Government faced. However we are concerned that it appears that fast moving business may often, as in this case, negate the Government's right to have three months to consider an opt-in decision. And equally threatened is the Government's commitment to Parliament to allow an eight-week period for scrutiny of such a decision. So we suggest that this matter also be addressed in the debate we are recommending.

6.26 Turning to the Council Decision about opening negotiations on the agreement, document (a), since this was not published, and was therefore not depositable for scrutiny, we clear it.

23   The report has not been published. But for a Commission announcement about its findings see http://europa.eu/rapid/pressReleasesAction.do?reference=IP/09/264&format=HTML&aged=0&language=EN&guiLanguage=en.  Back

24   (31170): see HC 5-ii (2009-10), chapter 16 (25 November 2009). Back

25   (31305) 17702/09: see HC Deb, 4 February 2010, cols. 455-61, HC 5-x (2009-10), chapter 3 (9 February 2010) and HC 5-xi (2009-10), chapter 10 (24 February 2010). Back

26   See http://www.ecb.int/pub/pdf/other/sepa_brochure_2009en.pdf.  Back

27   See http://register.consilium.europa.eu/pdf/en/10/st11/st11222.en10.pdf.  Back

28   See http://register.consilium.europa.eu/pdf/en/10/st11/st11350-re02.en10.pdf.  Back

29   Ibid. Back