6 Terrorist Finance Tracking Program
(a)
(31521)
(b)
(31700)
11048/10
(c)
(31714)
11173/10
COM(10) 317
(d)
(31720)
11172/10
COM(10) 316
|
Commission Recommendation to authorise the opening of negotiations for an agreement between the European Union and the United States of America to make available to the United States Treasury Department financial payment messaging data to prevent and combat terrorism and terrorist financing
Draft Agreement between the European Union and the United States of America on the processing and transfer of financial messaging data from the European Union to the United States for purposes of the Terrorist Finance Tracking Program
Draft Council Decision on the signature of the agreement between the European Union and the United States of America on the processing and transfer of financial messaging data from the European Union to the United States for purposes of the Terrorist Finance Tracking Program
Draft Council Decision on the conclusion of the agreement between the European Union and the United States of America on the processing and transfer of financial messaging data from the European Union to the United States for purposes of the Terrorist Finance Tracking Program
|
Legal base |
(a) and (b)
(c) Article 218(5) TFEU; ; QMV
(d) Article 218 (6) (a) TFEU; consent; QMV
|
Documents originated | (a) and (b)
(c) and (d) 15 June 2010
|
Deposited in Parliament |
(a)
(b) 14 June 2010
(c) and (d) 21 June 2010
|
Department | HM Treasury
|
Basis of consideration |
EM of 24 June 2010 and Ministers' letters of 21 April 2010, 5 May 2010, 21 June 2010, 24 June 2010, 8 July 2010 and 22 July 2010
|
Previous Committee Report |
None |
Discussion in Council |
(a) 10 May 2010
(b) None
(c) 28 June 2010
(d) Not yet known
|
Committee's assessment |
Politically important |
Committee's decision | (a) Cleared, (b)-(d) For debate in European Committee B
|
Background
6.1 Following the September 2001 terrorist attacks, the United
States Department of the Treasury developed a Terrorist Finance
Tracking Program (TFTP) to identify, track, and pursue terrorists
and their financial supporters. The TFTP used payment information
carried by SWIFT (the Society for Worldwide Interbank Financial
Telecommunications), a Belgian company, which is the world's main
system for passing international payment instructions between
financial institutions. This information was provided on the basis
of an administrative subpoena requiring that the US branch of
SWIFT should provide the US Treasury with specified financial
transaction record data, which were stored in the United States.
This data was held by the US Government in a highly secure database
and was used exclusively for terrorist finance tracking purposes.
6.2 These arrangements were disclosed in public in 2006, and concerns
were raised in the EU about the use made of the information by
the US and about the protection of personal data. To address these
concerns, the US Treasury gave a set of unilateral undertakings,
known as Representations, to the EU in June 2007. These specified
a series of commitments and safeguards to ensure the protection
of EU-originating personal data processed under the TFTP and that
the data would be used exclusively for counter-terrorism purposes.[22]
6.3 The EU appointed an "Eminent European Person", Judge
Bruguière, to oversee the use of EU-originated payment
information by the TFTP. In December 2008 Judge Bruguière
presented his first annual report on the processing of EU originating
personal data by the US Treasury. This report concluded that the
US Treasury has been vigilant from the outset in respecting the
safeguards included in the Representations and notably the strict
counter terrorism purpose limitation. Judge Bruguière's
report also concluded that the TFTP has generated since its implementation,
and continues to generate, significant value for the fight against
terrorism both in the USA and beyond. Moreover the US Government
has readily shared this intelligence with third countries
Member States being the principal non-US beneficiary of TFTP lead
information.[23]
6.4 Changes to the operation of the SWIFT system
from the beginning of 2010 placed most payment information outside
the scope of US administrative subpoenas, leading to such information
being unavailable to the TFTP and seriously impairing its scope
and coverage.
6.5 In November 2009 the previous Committee cleared
from scrutiny a draft Council Decision to authorise the signing,
but not the conclusion, of a temporary agreement (year-long, whilst
a permanent agreement was being negotiated), referred to as the
SWIFT Agreement, between the EU and the US in order to allow transfer
of SWIFT data to the US Treasury for the purposes of the TFTP.
The agreement would have made financial payment messaging data
stored in the EU available to the US, subject to strict compliance
with safeguards for the protection of personal data and was intended
to maintain the availability of data stored in the EU to the TFTP
and so ensure that the TFTP continued both to have coverage of
all regions and to support counter-terrorism authorities in the
US and EU. The agreement was to come into operation provisionally
on 1 February 2010, pending its entry into force, once "the
Parties have exchanged notifications indicating that they have
completed their internal procedures for this purpose."
[24]
6.6 In February 2010 the previous Committee considered
a draft Council Decision to authorise conclusion of the SWIFT
Agreement. Although it thought it likely, given its decision on
the earlier draft Council Decision, that it would clear the new
document it was greatly exercised about the limited time available
for scrutiny of both the substance of the proposal and a Government
decision to opt-in to it. The latter point was of particular concern
because of Government assurances during passage of the legislation
necessary to implement the Lisbon Treaty in the UK. In the event,
on 11 February 2010, the European Parliament refused its necessary
assent to the proposal so the SWIFT Agreement was not
concluded, the question of the UK's opt-in no longer arose and
the document, being redundant, was cleared from scrutiny. However
the Committee noted that it was possible that negotiations would
now begin on a permanent agreement, which would be subject to
scrutiny.[25]
The documents
6.7 The Commission Recommendation, document (a),
was the basis for a Council Decision on a confidential negotiating
mandate for a permanent agreement between the EU and the US on
the processing and transfer of financial payment messaging data
from the EU to the US for the purposes of the TFTP. The negotiating
mandate set out the primary points for the EU in concluding an
agreement with the US and was based on the failed interim agreement,
taking into account the concerns raised by the European Parliament
on data protection. The mandate allowed the Commission, accompanied
by a specially designated Committee, to negotiate with the US
on behalf of the EU. Given that they concerned a confidential
negotiating mandate, neither the Recommendation nor the subsequent
Council Decision have been published.
6.8 The draft agreement, document (b), is the outcome
of the negotiation authorised by the Council Decision proposed
in document (a). The purpose of the agreement is to maintain the
availability of data stored in the EU to the TFTP and so ensure
that the TFTP continues to have coverage of all regions and continues
to support counter-terrorism authorities in the US and the EU.
6.9 The arrangement in the agreement for the transfer
of data is a mechanism under which designated providers of international
payment messaging services may be compelled to provide data to
the US Treasury. The agreement provides:
- for designation of SWIFT as
the provider;
- that, in order for data transfer to take place,
the US must submit a request (a "production order")
to the provider under US law;
- for Europol (the EU police cooperation agency)
to verify that each request satisfies certain criteria
it must clearly identify the data necessary for preventing, investigating,
detecting, or prosecuting terrorism or terrorist financing, it
must substantiate the necessity of the data, it must be tailored
as narrowly as possible in order to minimise the amount of data
requested, it must take account of past and current terrorism
risk analyses and it must not request any data relating to the
Single Euro Payment Area;[26]
and
- that, if Europol deems the request to be compliant
with these criteria, the request will have binding legal effect
in the EU and the US and the provider must submit the data requested
to the US Treasury.
6.10 In order to ensure that any data transferred
is adequately protected, the agreement stipulates a number of
safeguards that the US Treasury must adhere to:
- the data may only be used for
preventing, investigating, detecting or prosecuting terrorism
or terrorist financing;
- the TFTP shall not involve data mining or any
other type of algorithmic or automated profiling or computer filtering;
- data shall be held in a secure physical environment
and access shall be limited to analysts investigating terrorism
or its financing and to those involved in the technical support,
management and oversight of the TFTP;
- data shall not be interconnected with any other
database, or subject to any manipulation, alteration or addition;
- no copies shall be made other than for disaster
recovery back-up purposes; and
- all searches of TFTP data held by the US Treasury
shall be based upon pre-existing information or evidence which
demonstrates a reason to believe the subject has a nexus to terrorism
or its financing.
The agreement:
- places a five year limit on
the period for which the data that has not been extracted for
examination may be retained;
- limits the possibility for onward transfer of
data to scenarios involving the investigation, detection, prosecution,
or prevention of terrorism and terrorist financing; and
- provides for the appointment of an independent
person to ensure that these safeguards are properly enforced.
6.11 In relation to EU access to TFTP data the agreement:
- requires the US to make data
available to law enforcement, public security or counter terrorism
authorities in Member States to assist in combating terrorism
and terrorist financing;
- gives Member States, Europol and Eurojust (the
EU judicial cooperation agency) the right to request a search
for information obtained through the TFTP in situations where
they have reason to believe that a person or entity has a nexus
to terrorism or its financing; and
- requires, if the EU were to decide to establish
its own system equivalent to the TFTP, the US to cooperate with,
and provide assistance to, it.
6.12 For citizens' right of access to data and to
means of redress the agreement provides that:
- any person has the right to
obtain from their own data protection authorities confirmation
that the data has been adequately protected;
- they may also request that use of their data
be disclosed to them;
- disclosure may only be denied where there are
reasonable legal limitations in place to safeguard activities
to prevent, detect, investigate or prosecute terrorism or terrorist
financing, or to protect public or national security; and
- any person who considers their personal data
to have been processed in breach of the agreement is entitled
to seek effective administrative and judicial redress in accordance
with the laws of the EU, its Member States and the US.
6.13 The draft Council Decision, document (c), is
to authorise the Commission to sign, on behalf of the EU, the
agreement. After its adoption by the Council, the second draft
Council Decision, document (d), to authorise conclusion of the
agreement, would go to the European Parliament for it to consent
to the Council adopting the Decision.
The Government's view
6.14 The then Exchequer Secretary to the Treasury
(Sarah McCarthy-Fry) wrote twice about the draft Council Decision,
document (a), to explain the then Government's intention to opt-in
to the Council Decision. She said that it was regrettable that
neither Parliament nor the Government would have the normal periods
allowed them for consideration of an opt-in decision. But the
Government felt it had no alternative, given the very real security
gap in the EU created by the cessation of the TFTP, but to opt-in
to and support the proposal. However she emphasised the attention
the Government expected to be given to fully addressing data protection
concerns in any agreement negotiated.
6.15 In his Explanatory Memorandum on the agreement
and the draft Council Decisions about its signature and conclusion,
documents (b)-(d), the Commercial Secretary to the Treasury (Lord
Sassoon) tells us that the Government is fully supportive of the
agreement. He continues that the TFTP is an extremely important
counter terrorist tool, noting that leads it has generated have
provided valuable contributions to a number of investigations,
including:
- the Bali bombing in 2002;
- the van Gogh terrorist-related
murder in the Netherlands in 2004;
- the plan to attack New York's John F. Kennedy
airport in 2007;
- an Islamic Jihad Union plot to attack Germany;
- the attacks in Mumbai in 2008; and
- the Jakarta hotel attacks in 2009.
Additionally, to date more than 1550 leads generated
by the TFTP have been shared with Member State governments.
6.16 The Minister then discusses a number of aspects
of the agreement, saying that:
- the agreement would increase
the effectiveness of the TFTP, as it imposes a binding requirement
on the US Treasury to search SWIFT data on request from Member
States that comply with the terms of the agreement and this should
benefit the EU's counter terrorism efforts;
- the agreement stipulates strict data provisions
to which the US Treasury must adhere, including proportionality
requirements, limitations on access to and onward transfer of
data; a five year limit on the period for which data may be retained
(consistent with global standards on money laundering and terrorist
financing) and mechanisms for independent oversight of the programme;
- the Government considers that these provisions
are sufficiently strong and are in line with existing EU data
protection law;
- the Government welcomes the provision for EU
citizens whose data is misused to seek independent redress in
the US;
- the Government has carefully considered the legal
basis for compelling SWIFT to transfer the data to the US to ensure
that it would not compromise the integrity of the UK's criminal
justice system;
- under the agreement, Europol is given legal responsibility
for ensuring the transfer of data from Belgium and the Netherlands
to the US this would extend the jurisdiction of the ECJ
over this particular task assigned to Europol;
- both the Council and the Commission legal services
have, however, stated that the ECJ's jurisdiction would not extend
any further than this task; and
- as none of this task would take place in the
UK, there would be no impact on the UK's criminal justice system.
6.17 In his letters the Minister first alerts us
to the conclusion of the negotiation of the new agreement, document
(a), and notes the probability of the process for signing and
concluding the agreement would be carried on quickly. Noting in
his second letter, of 24 June 2010, the probability that the Council
Decision to sign the agreement, document (c) would be adopted
on 28 June 2010, the Minister then announces the Government's
intention to opt-in to the Decision. He recognises that this is
before we (and the Lords EU Committee) have had the opportunity
to scrutinise the proposal. He tells us that there are, however,
compelling reasons behind this decision, explaining that:
- under the TFEU the UK is usually
entitled to a three-month period to consider whether it wishes
to opt-in to a Justice and Home Affairs measure;
- in this case, however, the Presidency indicated
that it would present the Council Decision for adoption on 28
June 2010;
- as a result of the very real security gap created
by the TFTP's lack of access to data, the Government has decided
that it would not be appropriate to insist on the full three-month
period being granted;
- the Government was therefore required to make
a rapid decision on whether to opt-in to the Decision to sign
the agreement or not;
- as stated in the Explanatory Memorandum, the
Government strongly supports the agreement itself;
- the TFTP has brought significant benefits to
the UK and the EU and the agreement would further increase its
effectiveness by further imposing a binding requirement on the
US Treasury to search financial data carried on the SWIFT payment
system on request from the Member States that comply with the
terms of the agreement;
- not opting-in prior to the decision to sign,
would put the agreement at risk, as the vote would be by qualified
majority basis; and
- the Government did not feel that it was appropriate
to run such a risk, in view of the significant benefits the agreement
would bring to the UK.
6.18 Finally, in this letter, the Minister comments
that Treasury Ministers take issues of parliamentary scrutiny
very seriously, that he regrets that, on this occasion, it has
not been possible to complete that scrutiny through the appropriate
mechanism and that he hopes we will agree that under the circumstances,
the Government's decision was the most appropriate one.
6.19 In his third letter, of 8 July 2010, the Minister
reports further developments. First, on 25 June 2010 the UK opted
into the Council Decision, document (c), to sign the agreement,
the final text of which contained one minor change. This is to
give the Commission the right to appoint a person to be part of
the team of independent overseers to monitor the implementation
of the safeguards. The Minister comments that the Government believes
that this is a further strengthening of the data protection safeguards
and therefore welcomes it.
6.20 Secondly, the Minister tells us that the agreement
was signed between the EU and the US on 28 June 2010 and on the
same day a revised draft Council Decision to conclude the agreement
was published.[27] This
differs from the previous version, document (d):
- to reflect the Commission appointment
of an independent overseer; and
- by inviting the Commission to submit a proposal
for establishing an EU system to extract financial data on EU
territory.
In an accompanying declaration the Commission undertakes
to develop a proposal in the near future.[28]
The Minister comments that this builds on an existing provision
in the agreement, that the Government believes that there is merit
in this scoping exercise, and as such supports the provision,
but that the details of the Commission proposal will require careful
scrutiny.
6.21 The Minister says that in addition to publication
of the revised Council Decision the Council issued two declarations.[29]
In the first the Council undertakes to review the agreement once
an EU-US agreement on data protection has been finalised. In the
second it undertakes, together with the Commission to establish
the technical basis for Europol to verify US requests before the
agreement comes into force. He comments that the Government supports
both objectives.
6.22 Finally in this letter the Minister tells us
that:
- on 8 July 2010 the European
Parliament voted to give consent to conclusion of the agreement;
and
- the Council is likely to adopt the draft Decision
to conclude the agreement, document (d), at a forthcoming Council
meeting.
He reminds us that if the Government wishes the UK
to be bound by the agreement it must opt into that Decision.
6.23 In his final letter, of 22 July 2010, the Minister
tells us that the Decision was adopted at the ECOFIN on 13 July
2010that the Government opted into the Decision and that the UK
will therefore be bound by the terms of the agreement. He adds
that by opting into the Decision UK law enforcement and counter
terrorism authorities will be able to request targeted searches
of the TFTP database where they have reason to believe that a
person or entity has a nexus to terrorism or its financing and
that this will be of great security benefit to the UK. And he
again expresses regret that there was not opportunity for scrutiny
of these issues.
Conclusion
6.24 Although the security benefits of the TFTP
seem plain we think the agreement is sufficiently important, and
its predecessor, the rejected agreement, sufficiently controversial,
as to warrant the three documents concerned with it, (b)-(d),
being debated. So we recommend that there should be a debate in
European Committee B, even though the draft Council Decisions
have already been adopted. Amongst the matters that might be explored
with the Government in that debate are:
- its view of the apparent
intention to establish the EU's own TFTP; and
- whether possible data protection risks arising
from the agreement are too heavier a price to pay for the security
benefits.
6.25 As for the scrutiny breach in relation to
the documents for debate, both in terms of the normal scrutiny
of the substance and of the special scrutiny of opt-in proposals,
we note the Minister's explanation and understand the timetabling
problems the Government faced. However we are concerned that it
appears that fast moving business may often, as in this case,
negate the Government's right to have three months to consider
an opt-in decision. And equally threatened is the Government's
commitment to Parliament to allow an eight-week period for scrutiny
of such a decision. So we suggest that this matter also be addressed
in the debate we are recommending.
6.26 Turning to the Council Decision about opening
negotiations on the agreement, document (a), since this was not
published, and was therefore not depositable for scrutiny, we
clear it.
22 For the exchange of letters about the representations
see http://eur-lex.europa.eu/JOHtml.do?uri=OJ:C:2007:166:SOM:en:HTML
pages 17-27. Back
23
The report has not been published. But for a Commission announcement
about its findings see http://europa.eu/rapid/pressReleasesAction.do?reference=IP/09/264&format=HTML&aged=0&language=EN&guiLanguage=en.
Back
24
(31170): see HC 5-ii (2009-10), chapter 16 (25 November 2009). Back
25
(31305) 17702/09: see HC Deb, 4 February 2010, cols. 455-61,
HC 5-x (2009-10), chapter 3 (9 February 2010) and HC 5-xi (2009-10),
chapter 10 (24 February 2010). Back
26
See http://www.ecb.int/pub/pdf/other/sepa_brochure_2009en.pdf.
Back
27
See http://register.consilium.europa.eu/pdf/en/10/st11/st11222.en10.pdf.
Back
28
See http://register.consilium.europa.eu/pdf/en/10/st11/st11350-re02.en10.pdf.
Back
29
Ibid. Back
|