Last year and in February, we watched as the EU balked at US demands for data-sharing under the SWIFT program. The Belgian cooperative in charge of the international money transfer database moved its servers to the EU, but the US still wanted the same access it had had when the servers were in the US. The US had tried to push through a last-minute deal before EU Parliament changed hands last year, but the Parliament rejected that deal. So now the EU is trying to decide what kind of data-sharing they’ll have with the US.
EFF links to a report from this week’s EU debate on SWIFT. The result? The Europeans passed a resolution stating that they’re not going to hand over to the US bulk downloads of data, and ultimately any data shared with the US should be extracted on EU soil, and should include reciprocity with the US.
On the issue of bank data transfers, Parliament argues in a resolution adopted by show of hands, that bulk data transfers infringe EU legislation. It urges the Council and Commission to “address this issue properly in the negotiations”. In addition, the new agreement should include “strict implementation and supervision safeguards, monitored by an appropriate EU-appointed authority” on the day-to-day extraction of and use by the US authorities of all such data. The maximum storage period must not exceed five years and the data may not be disclosed to third countries.
Any new agreement should be limited in duration and pave the way for arrangements to enable requested data to be extracted on European soil, say MEPs. They believe that “the option offering the highest level of guarantees” would be to allow for the extraction of data to take place on EU soil, in EU or joint EU-US facilities. In the medium term, an EU judicial authority should oversee the extraction of data in the EU. Meanwhile, select EU personnel should take part in the oversight of the extraction process in the USA.
Reciprocity would require the Americans to allow EU authorities to obtain and use data stored in servers in the US.
Parliament wants access to any documents that demonstrate the need for the scheme. It also wants to know whether the envisaged agreement will guarantee the same rights to European citizens as to Americans in the event of any abuse of the data: the rights guaranteed under the US Privacy Act can be invoked only by citizens and permanent residents of the United States.
The Europeans might yet put some limits on the US efforts to totally eliminate privacy in the name of counter-terrorism.