Top secret: Terrorist Finance Tracking Program agreement 2 years on
While in 2010 the European Parliament gave a green light to the EU-US TFTP agreement, recently MEPs critically questioned the Commission on its implementation. What went wrong with the banking data sharing deal?
On 24 October, members of the ALDE Group of the European Parliament critically questioned the Commission on the implementation of the EU-US Terrorist Finance Tracking Program (TFTP) agreement. More than 2 years since the agreement came into force, MEPs sounded much less enthusiastic than in July 2010, when they gave a green light to the deal. Criticism was expressed, inter alia, of Europol’s verification of the broad US requests for financial messaging data, combined with the overall lack of transparency in the implementation of the agreement.
The TFTP agreement presupposes transfers of data from Belgium-based SWIFT, the world’s biggest financial messaging service provider, to the US Department of the Treasury (USDT), and its subsequent processing and analysis, aimed at the investigation, detection and prevention of terrorist financing. In this context, the agreement provides several roles for Europol. First and foremost, under Article 4, it must verify whether the US requests for financial messaging data clearly identify the categories of data requested, substantiate the necessity of the data and are ‘tailored as narrowly as possible’, based, inter alia, on terrorism risk analysis. If these criteria are met, Europol will authorize SWIFT to provide the data to USDT.
What concerned MEPs was Europol’s approval of very broad US data requests under Article 4. Indeed, already eight months after the entry into force of the agreement, Europol stated, in its information note to the EP, that data were provided to the USDT every month, and acknowledged that US requests concerned as wide a geographical scope as the ‘list of countries’. Due to the architecture of transfers under the agreement (data are to be directly provided to USDT by SWIFT) Europol could not see or assess the actual volume of data transferred and had to base itself solely on the US-provided documentation, explaining why certain data categories and countries fell within the scope of the request. As it further appeared from the information note, as well the 2011 Europol Joint Supervisory Body (JSB) recommendations, annexed to it, written US requests provided little specific data allowing the assessment of the necessity of data on the case-by-case basis, and certain background information was provided to Europol in unrecorded oral briefings. A more recent letter from the Europol’s Director to the Chairman of EP’s LIBE Committee, as well as the JSB public statement on its 2012 report, suggest that those problems have persisted in 2012.
While the US documentation substantiating the necessity and scope of requests is not open to the public, based on the above documents it appears that Europol may not have had sufficient information to effectively assess the necessity of the data, as well as the proportionality of individual requests. Next, the above suggests a very wide scope of US data requests – it appears that, since the entry into force of the agreement, data related to everyday financial messages from entire countries have been transferred. It would hardly seem that such requests meet the proportionality requirement. Furthermore, the 2011 Europol information note provides that the US data request comprises both the reasons for selecting certain countries and data categories and ‘an overview of past and current terrorism investigations carried out by US authorities, mentioning targets of investigation’. One may wonder why financial messaging data relating to the whole countries are transferred, while the data sharing efforts could effectively focus on the suspects of terrorism financing. The transfer of large volumes of data may be necessary, should new patterns in terrorist financing be sought with the help of data mining techniques – however, Article 5(3) of the agreement explicitly states that the processing of TFTP data ‘shall not involve data mining or any other type of algorithmic or automated profiling or computer filtering’. More transparency on how the necessity of data and proportionality of Article 4 requests is determined would help clarify these issues.
The unclear scope and procedure for authorization of Article 4 requests is not the only point under the TFTP agreement which would have benefited from greater transparency. The 2011 Commission report on the joint EU-US review of the TFTP agreement identified the need to provide more precise information on the added value of the program, as well as inform the public of the technical (im)possibilities for rectification, erasure and blocking of data. While we are awaiting the 2012 Joint review report, more transparency and a greater public access to documents on the implementation of the TFTP agreement, such as the 2012 JSB report, would help clarify the above issues and increase public confidence in the necessity and value of the TFTP program.