A second review of the controversial Terrorist Finance Tracking Program (TFTP) has done little to allay European parliamentarians' fears of poor data security.
Last week an internal report by Europol, the European police force charged with overseeing the accord, sparked anger among Members of the European Parliament (MEPs) when it revealed that the written requests made by the U.S. for European banking data were too vague to assess whether they meet European Union data standards. But Europol went ahead and rubber-stamped them anyway. Many members of the Parliament's civil liberties committee said they felt betrayed.
On Wednesday, Isabel Cruz, chairwoman of Europol's internal oversight unit, explained that additional oral information was provided to Europol staff by the U.S. authorities, but that the content of that information is not known, again making it impossible to verify compliance with the TFTP agreement. Her report recommended that in the future, requests must contain more detailed information, specific to each request, and the U.S. authorities may need to provide certain additional information.
The TFTP (also known as the Swift agreement) came into force last August and allows the transfer of European citizens' banking data to the U.S. under certain conditions. One of these was that a high degree of data protection would be enforced and that Europol would oversee the implementation. Under Article 4 of the agreement Europol has the task of verifying U.S. requests for data. However, "we always said it had to be a legal, judicial body to verify the legality of these requests. Europol has a role which is extremely confusing," said Cruz.
On Thursday, the first joint E.U.-U.S. review of the agreement was presented, however only the views and recommendations of the E.U. team were revealed. "All the relevant elements of the agreement have been implemented in accordance with its provisions, including the data protection provisions," claimed Home Affairs Commissioner Cecilia Malmström. However, even she conceded that there was a need "to implement increased transparency and more written information to Europol."
The report's main recommendation is that Europol receive as much information as possible from U.S. authorities in written form. Further recommendations aim at increasing the transparency of the program and further enhancing Europol's verification procedure so that U.S. requests are substantiated in a more verifiable way. The EU review team also recommends that more feedback be sought on how much added value the agreement brings to counter-terrorism work, so that this can be followed up as part of future reviews.
"Where the implementation of this complex agreement can be made even more effective, Europol has already initiated relevant work with U.S. colleagues and its own data protection specialists," said Rob Wainwright, director of Europol.
The report was drawn up by a team of three Commission officials, two data protection experts and a judicial expert from Eurojust (an E.U. agency targeting organized crime), with contributions from U.S. representatives and Europol. But parliamentarians are still concerned. Putting Europol in charge of data exchanges was like putting a fox in charge of the chicken coop, said British MEP Sarah Ludford on Wednesday.
The European Parliament only grudgingly agreed to the SWIFT accord last year, but many MEPs feel that efforts at safeguarding citizens' rights have been ignored. German MEP and member of the civil liberties committee, Alexander Alvaro, has called for another review of the agreement within three months. "If this review also delivers problematic results we will call on all available means to suspend the agreement," he said.
Other MEPs have warned they may block future data transfer deals with the U.S. unless they see a change in the situation.
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.