Privacy versus security

For almost four decades, banks and other financial institutions have shared information and messages using the Society for Worldwide Interbank Financial Telecommunications, or SWIFT.

Without this organizational platform helping to manage financial transfers and other communication between banks, over 8,000 financial institutions that participate in - and fund - the SWIFT operation would not be able to operate. As of September 2010, SWIFT members were using the platform to exchange 15 million messages every day. These messages serve as the pivotal first step in moving assets around the world.

But should this information about the financial activities of people, businesses and other organizations be available for politicians or police to monitor? And if so, should it apply domestically or internationally? Should security services in the US be able to monitor the banking information of European citizens, for instance?

Those are the questions that have overshadowed SWIFT's otherwise mundane daily operations for the past five years. On June 23, 2006, three US newspapers published a series of articles revealing that the US Treasury Department and the CIA had established a program to access and monitor the SWIFT transaction database after the September 11, 2001 terrorist attacks.

Privacy versus security

The US government called it the Terrorist Finance Tracking Program; many in Europe called it an illegal invasion of privacy.

Five years on, the issue is far from resolved, and it's back on the table on Thursday at a meeting in Budapest between interior and justice ministers from Europe and the US.

Once the international monitoring of financial transactions became common knowledge, politicians on both sides of the Atlantic were forced to respond.

In February 2010, a deal struck between the EU and US facilitating this anti-terror surveillance was overwhelmingly rejected by the European Parliament, with MEPs voicing concerns over inadequate protection of the privacy of European citizens.

European parliamentarians secured a string of concessions designed to better filter what information was sent abroad before approving a revised version of the so-called SWIFT agreement, which came into force August 1, 2010. The prime mover in the new deal was a promise to ensure that each data request from the US was "tailored as narrowly as possible in order to minimize the amount of data requested."

Recent reports from the European Commission and the bloc's anti-terror agency Europol admit that many of these concessions are not being honored in practice.

"It is unquestionably correct that EU and US authorities fight against terrorism together," EU Justice Commissioner Viviane Reding said in an interview with Spiegel Online last month. "But we must finally speak the same language when it comes to data protection, as well."

Policy versus implementation

When requesting data, US authorities are supposed to explain their reasons to Europol. Early in March, however, Europol complained that the requests were too vague for them to properly ascertain their validity.

The chair of Europol's data protection watchdog, Isabel Cruz, told the European Parliament in March about four applications for data, which were "almost identical in nature and request - in abstract terms - broad types of data." Cruz said that only information provided orally to certain Europol staff by the US convinced the authorities to transfer the data; as this information was not common knowledge, she said, it was impossible to verify its validity.

In response to Cruz's explanation, British Liberal Democrat MEP Sarah Ludford said that asking Europe's anti-terror agency Europol to filter requests from the US anti-terror authorities was "like putting the fox in charge of the chicken coop."

The European Commission said later in March that it was aware of 27,000 requests for data, but that it couldn't name an instance where this transatlantic cooperation had directly contributed to preventing or monitoring terrorist activities.

"All searches of Provided Data shall be based upon pre-existing information or evidence which demonstrates a reason to believe that the subject of the search has a nexus to terrorism or its financing," the sixth subsection of Article 5 of the Swift agreement declares.

Another key concession for the European Parliament was included in Article 15 of the agreement, stipulating that "any person has the right to obtain … without constraint and without excessive delay, at least a confirmation … as to whether that person's data protection rights have been respected in compliance with the Agreement."

A member of the European Parliament from the German liberal FDP party, Alexander Alvaro, decided to test this principle. German authorities were not even able to tell him whether or not his data had been accessed by US investigators.

"Without immediate eradication of shortcomings like this, it will be necessary to suspend this arrangement," Alvaro said.

Maybe these apparent deficiencies help explain why Article 13 also stipulates that after six months, "the Parties shall jointly review the safeguards, controls and reciprocity provisions set out in this Agreement."

Author: Mark Hallam
Editor: Michael Lawton