In a Parliament debate on the transfer of SWIFT banking data and airline passengers’ personal data (PNR) to US authorities, speakers attacked the Commission and the Council for the institutions’ handling of the cases.
In a 31 January 2007 joint debate of the European Parliament on the two EU-US data protection issues, emotions were running high between MEPS and representatives of the Council and the Commission.
Justice and Security Commissioner Franco Frattini said in Parliament: "The negotiations for a new agreement with the United States on PNR data are a key priority for the Commission, and for me personally, and I understand from what the Presidency of the Council just said that it shares this view. I warmly welcome the close co-operation between the Commission and the Council Presidency, which is crucial if we want to succeed, if we want to speak with one voice. On my side, of course, as usual, I will keep Parliament informed as this work progresses. You know very well that, as it was in the past, for me it will be a political commitment, though this document – for example, the negotiating recommendations – once approved will be classified as EU-restricted."
German European Affairs Minister Günter Gloser told MEPs: "The negotiations on a new PNR agreement are likely to be extremely difficult. The United States shows absolutely no interest in enhancing data protection. There is in fact a high likelihood that it will be unwilling to renew its data-protection undertakings. The European Union sees the conclusion of an agreement as essential to ensure the required level of data protection. For, without an agreement, air carriers would come under great pressure to continue transferring passenger data even so, for fear of losing their landing rights in the United States. The German Presidency – with the support of the Commission – will spare no effort to achieve a solution that provides legal certainty and appropriate data protection, that fully addresses the concerns of passengers and air carriers and continues to ensure a high degree of security. This will also take into account the views of the European Parliament as expressed in its September PNR Resolution on data protection, combating terrorism and the protection of human rights."
Liberal MEP Jean-Marie Cavada, who is chairman of the Civil Liberties Committee and rapporteur for the Parliament's resolution on PNR, said: "Without doing you injustice, Mister Gloser, the least that can be said is that your speech on this issue was dramatically disappointing. I feel, therefore, compelled to remind you that you have a mandate of defending European sovereignty - something of which I can so far see hardly any trace. We are therefore, and you have well understood that I think, disappointed, and even more than that, alarmed."
PSE MEP Pervenche Berès, chairwoman of the Economic Affairs Committee, questioned Swift's present status: "SWIFT is a company under Belgian law, and so we are always being sent back to the Belgian State. That said, SWIFT is a company under Belgian law because we are facing a legal vacuum. It's obvious that SWIFT does a job that should be done by a European agency, under European oversight. Honourable Council representative, Commissioner, I think that is a field where you should also bring things forward. Once more, this Parliament is ready to discuss, but we cannot live with the current state of affairs."
On 1 February 2007, EU Privacy Commissioner Peter Hustinx issued an opinion also blaming the European Central Bank, along with other Banks who are Swift members, for neglecting its oversight of the co-operative: "Just as other banks, the ECB can not escape some responsibilities in the SWIFT case which has breached the trust and private lives of many millions of people. Secret, routine and massive access of third-country authorities to banking data is unacceptable. The financial community should therefore provide payment systems that do not violate European data protection laws".
In two recent cases, the personal data of millions of Europeans was made directly accessible to US security services. In both cases, the US applied economic pressure on industry sectors to make them stress EU privacy rules to their limit:
Airline Passenger Data (PNR)
Following the 11 September 2001 terrorist attacks, the United States requested access to the personal information that passengers provide when booking a ticket (Passenger Name Record; PNR). They threatened airlines which refused to provide the requested data with a withdrawal of their landing authorisation.
The terms of a first agreement, under which the US could access 34 different kinds of personal information, wer ruled illegal by the European Court of Justice in May 2006. The Court ruled that "neither the Commission decision finding that the data are adequately protected by the United States nor the Council decision approving the conclusion of an agreement on their transfer to that country are founded on an appropriate legal basis".
Since the US maintained their threat to non-compliant airlines, an intermediary scheme had to enter into force when the first agreement ended at the end of September 2006. This second agreement, which was under the same terms as the agreement already ruled illegal, will end on 31 July 2007.
Half a year before that date, negotations are about to start between the Commission and an US delegation. The US has already indicated that they will not settle for anything less - namely for better privacy standards - than in the previous agreements. Since these terms have been ruled illegal by the ECJ, an impasse in the middle of summer looms.
International Banking Data (SWIFT)
In June 2006, the New York Times revealed a scheme under which the non-profit Belgian international banking co-operative network Society for Worldwide Interbank Financial Telecommunication (SWIFT), granted the CIA access to data concerning millions of financial transactions involving €6 billion daily, in reaction to a request from US authorities. Most of the data concerns transactions outside the US, often involving one or two EU countries. Its transfer to a third-country government is a clear breach of EU privacy law. This was also confirmed by EU member states Privacy Officers, who convene in the so-called Article 29 Working Party.
- 31/01/07: Debate on PNR and Swift in EP plenary.
- 31/01/07: PNR negotiating mandate on Agenda of PermRep II.
- 12-13/02/07: GAERC Council.
- 13-14/02/07: German Foreign Minister Steinmeier in EP Plenary.
- 13/02/07: German Chancellor Merkel in EP Plenary.
- 15-16/02/07: Justice and Home Affairs Council.
- European Data Protection Supervisor:EDPS calls on ECB to ensure that European payment systems comply with data protection law [FR]
- Council Presidency (Minister of State Gloser):Speech at the European Parliament on the subject of Passenger Name Records [DE]
- Michael Chertoff, Secretary of Homeland Security:A Tool We Need to Stop the Next Airliner Plot(Commentary published in the Washington Post newspaper; 29 August 2006)
- Department of Homeland Security:US-VISIT: Keeping America's Doors Open and Our Nation Secure
NGOs and Think-Tanks
- InfoWorld:Europe preps for battle with U.S. over traveler data(1 February 2006)
- workpermit.com: European Union and United States discussions on traveler data, again(1 February 2006)
- Edward Hasbrouck's "The Practical Nomad": "Privacy and Travel" archives
- MEPs Jean Marie Cavada and Sophie in't Veld:Letter to the Pesident of the Council of the European Union(23 August 2006)
- Commission:European Commission / US Customs talk on Passenger Name Record (PNR) transmission
- Council:Decision on an International Agreement on PNR(17 May 2004)
- Eur-Lex:Council Directive on the obligation of carriers to communicate passenger data(2004/82/EC; 29 April 2004) [FR] [FR] [DE]