A second review of the controversial Terrorist Finance Tracking Program (TFTP) has done little to allay European parliamentarians' fears of poor data security.
Last week an internal report by Europol, the European police force charged with overseeing the accord, sparked anger among Members of the European Parliament (MEPs) when it revealed that the written requests made by the US for European banking data were too vague to assess whether they meet European Union data standards. But Europol went ahead and rubber-stamped them anyway. Many members of the Parliament's civil liberties committee said they felt betrayed.
On Wednesday, Isabel Cruz, chairwoman of Europol's internal oversight unit, explained that additional oral information was provided to Europol staff by the US authorities, but that the content of that information is not known, again making it impossible to verify compliance with the TFTP agreement. Her report recommended that in the future, requests must contain more detailed information, specific to each request, and the US authorities may need to provide certain additional information.
The TFTP (also known as the SWIFT agreement), which came into force last August, allows the transfer of European citizens' banking data to the US under certain conditions. One of these was that a high degree of data protection would be enforced and that Europol would oversee the implementation. Under Article 4 of the agreement Europol has the task of verifying US requests for data. However, "we always said it had to be a legal, judicial body to verify the legality of these requests. Europol has a role which is extremely confusing," said Cruz.
On Thursday, the first joint EU-US review of the agreement was presented but only the views and recommendations of the EU team were revealed. "All the relevant elements of the agreement have been implemented in accordance with its provisions, including the data protection provisions," claimed Home Affairs Commissioner Cecilia Malmström. However, even she conceded that there was a need "to implement increased transparency and more written information to Europol".
The report's main recommendation is that Europol receive as much information as possible from US authorities in written form. Further recommendations aim at increasing the transparency of the programme and further enhancing Europol's verification procedure so that US requests are substantiated in a more verifiable way. The EU review team also recommends that more feedback be sought on how much added value the agreement brings to counter-terrorism work, so that this can be followed up as part of future reviews.
"Where the implementation of this complex agreement can be made even more effective, Europol has already initiated relevant work with US colleagues and its own data protection specialists," said Rob Wainwright, director of Europol.
The report was drawn up by a team of three commission officials, two data protection experts and a judicial expert from Eurojust (an EU agency targeting organised crime), with contributions from US representatives and Europol. But parliamentarians are still concerned. Putting Europol in charge of data exchanges was like putting a fox in charge of the chicken coop, said British MEP Sarah Ludford on Wednesday.
The European Parliament only grudgingly agreed to the SWIFT accord last year, but many MEPs feel that efforts at safeguarding citizens' rights have been ignored. German MEP and member of the civil liberties committee, Alexander Alvaro, has called for another review of the agreement within three months. "If this review also delivers problematic results we will call on all available means to suspend the agreement," he said.
Other MEPs have warned they may block future data transfer deals with the US unless they see a change in the situation.