18 February 2009

Subpoenaed SWIFT message data is adequately protected

Eminent European person confirms UST controls and safeguards

Vice-President Barrot, in charge of Justice, Liberty and Security at the European Commission has confirmed that the United States Treasury (UST) has from the outset, respected the safeguards in the handling of personal data obtained from SWIFT under subpoena following the attacks of 9/11.
In March 2008, the European Commission announced it had designated Judge Jean-Louis Bruguière to undertake a review on behalf of the European Union in respect of the procedures governing the handling, use, and dissemination of personal financial data from the EU that is carried over the SWIFT network and obtained by the UST pursuant to the Terrorist Finance Tracking Programme (TFTP). Judge Bruguière presented his first report to the European Commission in January 2009, which the Commission presented to the European Parliament's Civil Liberties Committee on 16 February 2009.

The report finds that the UST has been vigilant from the outset in respecting the safeguards in the handling of personal data included in the TFTP Representations and notably the strict counter terrorism purpose limitation. The report further finds that the TFTP has generated significant value in the fight against terrorism, notably in Europe.

This is testimony to SWIFT’s determination to protect its customers’ data in any circumstance. In December 2008, the Belgian data protection commission (Commission belge de la Protection de la Vie Privée) had already concluded that SWIFT complied with all applicable Belgian data protection legislation.

This is the full EU announcement

EU Review of the United States ‘Terrorist Finance Tracking Programme’ confirms privacy safeguards

In March 2008, the European Commission announced a review on behalf of the European Union in respect of the procedures governing the handling, use, and dissemination of financial transaction records from the EU which are carried over the SWIFT network and obtained by the U.S. Treasury Department pursuant to subpoenas issued in support of the Terrorist Finance Tracking Programme (TFTP). Judge Bruguière, designated by the Commission to undertake the review, prepared a first report to Vice-President Barrot.

Vice-President Barrot, in charge of Justice, Liberty and Security, presented today the findings to the European Parliament's Civil Liberties Committee and declared: "I am pleased to confirm that the United States Treasury Department has been vigilant from the outset in respecting the safeguards in the handling of personal data included in the TFTP Representations which we were able to negotiate with them back in 2007 and notably the strict counter terrorism purpose limitation. The TFTP has generated significant value in the fight against terrorism, notably in Europe".

The review focused particular attention on the core undertakings set out in the TFTP Representations, namely that SWIFT data are used exclusively for counter terrorism purposes; that the Treasury ensures that subpoenas are narrowly focused; that searches against the TFTP database are targeted and designed to minimise extraction of data; that appropriate measures are in place to identify and delete data which are no longer considered necessary for the fight against terrorism; and that necessary physical and logical systems exist to ensure the security of subpoenaed data.

The Report demonstrates that the United States Treasury Department has implemented significant and effective controls and safeguards which ensure respect for the protection of personal data subpoenaed for the purpose of the TFTP. Following his review of the TFTP and its surrounding privacy-related safeguards, Judge Bruguière formulated a series of recommendations to ensure that these measures are continued and, where possible, enhanced.

As a result of the information Judge Bruguière has had access to during discussions with the Treasury Department, it can be concluded that the TFTP has generated since its implementation and continues to generate, significant value for the fight against terrorism in the United States, in Europe and beyond.

After the 11 September 2001 terrorist attacks the U.S. Treasury Department developed the TFTP for the investigation, prevention and prosecution of terrorism. Under the TFTP the Treasury Department has served administrative subpoenas on the Society for Worldwide Interbank Financial Telecommunication (SWIFT). These subpoenas require SWIFT in the U.S. to transfer a limited subset of message data held on its U.S. server to the Treasury Department where they may be used for counter terrorism purposes regarding suspected individuals or entities. In June 2007 the Treasury Department gave a set of unilateral commitments ("Representations") to the European Union regarding the controls and safeguards governing the handling, use and dissemination of data under the TFTP.

The Representations address EU data protection concerns and were published in the Official Journal in July 2007[1] and in the U.S. Federal Register in October 2007. The Representations allow the Commission to designate an "eminent European person" to assess whether the U.S. Treasury Department is implementing the TFTP in accordance with its Representations. The Commission announced the designation of Judge Bruguière for this purpose in March 2008.

It had to be confirmed whether the TFTP is implemented consistent with the Treasury Department’s representations for the purpose of verifying the protection of EU-originating personal data. The TFTP Representations state that an annual report will be delivered to the European Commission which in turn will present the findings of the report to the European Parliament and Council.