Brussels, 28 June2007
Vice President Frattini, Commissioner responsible for Justice, Freedom and Security, stated: "The EU will have now the necessary guarantees that US Treasury processes data it receives from Swift's mirror server in USA in a way which takes account of EU data protection principles. I welcome the United States' Treasury Department's unilateral representations and the opportunity the Treasury has given the European Union to have its views and concerns duly reflected in the representations. As well as SWIFT joining the Safe Harbour and its compliance with the Safe Harbour privacy principles, we now look to SWIFT and to the financial institutions which use its services to ensure that they fully comply with their information obligations under European data protection law. We urge them to take all the necessary steps to ensure their quick compliance with European data protection law".
Today the Commission and the Council of the European Union have taken note of the "Representations" of the United States Treasury Department regarding their handling of EU personal data received from SWIFT.
The text of the Representations, that the Commission considers to be adequate, was finalised by the U.S. Treasury following discussions between the U.S. Treasury on the one hand and the Council Presidency and the European Commission on the other. The Representations take account of EU concerns about the protection of EU originating personal data which may be subpoenaed in the United States by the U.S. Treasury under the U.S. Treasury's "Terrorist Finance Tracking Program".
The Representations include the following important safeguards:
• Commitments by the U.S. Treasury to use any data received from SWIFT exclusively for counter terrorism purposes – an obligation which applies also where such data are shared with other U.S. agencies and with third countries. Any other use of SWIFT data is therefore excluded, including for example use of those data for commercial or industrial purposes.
• The U.S. Treasury commit to analyse data subpoenaed from SWIFT on an on-going basis in order to identify and delete any data which are not necessary for counter terrorism investigation.
• The Representations impose strict data retention obligations, namely to retain dormant data (i.e. data subpoenaed by US Treasury which have not been identified as necessary for counter terrorism purposes) for no more than five years from the date of receipt of data or, in the case of data received before publication of the Representations, to retain those data for no more than five years from the date of publication of the representations. This means for example that if the Representations are published on 1st September 2007, data that might be received on 15th September 2007 and which remain dormant would have to be deleted by no later than 15th September 2012.
• The Representations further provide for appointment of an "eminent European" who will carry out annual oversight of the U.S. Treasury commitments contained in the Representations. The eminent person will be appointed by the Commission in consultation with the President of the Committee of Permanent Representatives and of the European Parliament's Civil Liberties Committee. The eminent person will report to the European Commission which will report to Parliament and Council.
• To ensure transparency and legal certainty the Representations, together with U.S. and EU letters of transmission and receipt, will be published in the Official Journal of the European Union in all official languages. In the United States the Treasury Department will endeavour to ensure publication of the Representations in the U.S. Federal Register.
The U.S. Treasury's unilateral Representations will be transmitted by the Under Secretary of the U.S. Treasury Department to the Council Presidency and to the European Commission. The Commission, and the Council Presidency, will jointly reply to the Treasury to acknowledge receipt of the Representations.
The Representations constitute one of three main components to address the infringement of European data protection law due to SWIFT's transfer of data to the United States and possible access to some of those data by the U.S. Treasury under the Terrorist Finance Tracking Program on the basis of subpoenas served by the U.S. Treasury on SWIFT. To make lawful the transfer of SWIFT data for commercial purposes to its server in the United States, SWIFT is in the final stages of discussions with U.S. authorities regarding entry into the "Safe Harbour". SWIFT and the financial institutions which use SWIFT's services are working to ensure that bank customers will be properly informed, including that their personal data will be transferred to the U.S. and could be accessed by U.S. Treasury under the "Terrorist Finance Tracking Program".
The EU letter of reply to the U.S. Treasury notes that, if the necessary information obligations are met by SWIFT and the financial institutions which use its services, and if SWIFT respects the Safe Harbour principles, SWIFT and the financial institutions which use its services will be in compliance with their respective obligations under European data protection law. The European Commission considers that the legal framework resulting from the above mentioned elements is sufficient to guarantee respect for and the enforcement of European data protection rights.
To find out more about Vice President Frattini's work please visit his website: http://www.ec.europa.eu/commission_barroso/frattini/index_en.htm