
Data Protection Update: EU and US reach interim deal

16 October 2006

With this summer's terrorism threats to UK airports, international attention has again focused on the tensions between individual freedoms and the need for effective anti-terrorism measures.

The successes of the anti-terrorism intelligence services in pre-empting terrorist action have put the issues of data retention and data protection at centre stage.

EU/US Passenger records

For a week in early October, the issue of transfer to US authorities of data regarding passengers travelling from the EU to the US threatened to throw air travel into chaos. Brussels and Washington had put in place a Passenger Name Records agreement in 2004, under which air carriers were obliged to forward 34 types of information concerning their passengers, including credit card details, addresses, phone numbers and family links, to the US authorities fifteen minutes before the departure of US-bound flights. However, the European Court of Justice found in May of this year that the agreement was illegal on the grounds that it was a matter of public security, which falls outside the competence of the European institutions, and that the Commission had therefore exceeded its powers in approving it. For reasons of legal certainty, the Court allowed the agreement to run until 30th September 2006. This deadline, however, passed without a fresh agreement being reached.

There followed a week of legal vacuum during which airlines faced the prospect of US authorities grounding flights which had not complied with the data transfer requirements on the one hand, and breaching EU data protection laws on the other hand, which require any transfer of personal data to be made in the framework of laws or a legal agreement offering certain minimum standards of data protection.

Negotiations finally bore fruit on Friday 6th October, after 9 hours of video-conference between EU and US representatives, when a revised agreement was adopted. Under the agreement, the EU will continue to transfer the 34 types of information, but under a slightly modified mechanism. The data will be available to more US counter-terrorism agencies than previously, but this access will be subject to a number of privacy protection safeguards. The agreement will last until the end of July 2007, at which time it is hoped the EU and US will have reached a more permanent agreement.

SWIFT: Background

It is not just airline travel which is the subject of this renewed attention given to data retention: controversy has also arisen in relation to data protection and international banking.

On 5th July 2006 the European Parliament adopted a resolution on the recently publicised interception by the US secret services of bank transfer data from the Society for Worldwide Interbank Financial Telecommunications (SWIFT) system.   SWIFT is a Belgian-based industry-owned cooperative which processes financial transactions for more than 8000 commercial banks and institutions in 200 countries, including a number of central banks. 

On 23rd June 2006, the New York Times and the Los Angeles Times published details of a private arrangement between SWIFT and the United States Government that involved the covert disclosure to the US of customer financial data. Neither the US Government nor SWIFT was prepared to provide details of the extent of the disclosures.

SWIFT processes money transfers for all the main Irish banks, including AIB, Bank of Ireland, EBS and National Irish Bank.  According to the SWIFT Annual Report for 2005, in that year alone there were 16,619,000 messages sent over the SWIFT system from 12 Irish banks and 77 Irish financial institutions.  The Irish Data Protection Commissioner has said he is concerned over the potential for abuse of the information.

This disclosure of data has been undertaken ostensibly on the grounds of counter-terrorism.  The disclosures involve the mass transfer of data from the SWIFT centre in Belgium to the United States, and possibly direct access by US authorities both to data held within Belgium and data stored in SWIFT centres worldwide.  In all cases the disclosures were made without the knowledge or consent of the individuals to whom the data related.  Customers’ names, bank account numbers, and other identifying information were compromised. 

Privacy International, a human rights group based in London, has lodged complaints in 32 countries, including all EU member states, and has stated that “to the best of our knowledge, the disclosure activity is ongoing. The scale of the operation, involving millions of records, places this disclosure in the realm of a fishing exercise rather than legally authorised investigation. At this stage we do not have enough information to determine how many European nationals have been the subjects of these disclosures, but there is a probability that the SWIFT activities involve mass disclosure”. The office of the Belgian Prime Minister confirmed that SWIFT had “received broad administrative subpoenas for millions of records”. An “administrative subpoena”, issued pursuant to the US International Emergency Economic Powers Act 1977, takes the form of a letter issued without judicial authority.

SWIFT executives have been uneasy at times about their secretive role, according to Belgian government and industry officials. By 2003, the executives told American officials they were considering pulling out of the arrangement, which began as an emergency response to the 9/11 attacks. Worried about potential legal liability, the SWIFT executives agreed to continue providing data only after senior officials intervened to ensure that new controls were introduced. Among these controls is an outside auditing firm that verifies that the data searches are based on intelligence leads about suspected terrorists.

The statement from SWIFT asserts that “all of these actions have been undertaken with advice from international and US legal counsel,” but the statement makes no mention of arrangements being made or notification given to EU Member States.

All transfers of personal data from the EU to third countries are subject to data protection legislation at national and European level, which provides that any transfer must be authorised by a judicial authority and that any derogation from this principle must be proportional and founded on a law or on an international agreement.

SWIFT: European Parliament Resolution

The European Parliament, in its resolution of 5th July 2006, expressed concern at the fact that a climate of deteriorating respect for privacy and data protection is being created, and regretted that it had not been informed by the other institutions, in particular the European Central Bank, of the existence of the SWIFT transfers, contrary to the principle of loyal and constant cooperation between the Community institutions.  It demanded that the European Commission, Council and Central Bank explain fully the extent to which they were aware of the secret agreement between SWIFT and the US.

The Commission demanded further that the role of the ECB in this context be clarified, and asked the European Data Protection Supervisor to verify as soon as possible whether, in accordance with Regulation (EC) No 45/2001 of December 2000 on the protection of individuals with regard to the processing of personal data, the ECB was obliged to react to the possible violation of data protection which had come to its knowledge.  The Commission also asked its Committee on Civil Liberties, Justice and Home Affairs, together with the Committee on Economic and Monetary Affairs, to hold a joint hearing of the ECB, the Commission, the Council, the European Data Protection Supervisor and other parties that are involved in the affair in order to uncover what information they may have had.  It requested that the Commission undertake an evaluation of all adopted EU anti-terrorist legislation and strongly urged the Commission and Council to consider what measures should be taken to avoid future repetitions of such serious privacy breaches. 

Belgium has launched an investigation to see if the Brussels-based SWIFT broke Belgian law by passing the data to the CIA.

On 26th September, the Article 29 Working Party, an independent European advisory body on data protection and privacy, issued a press release regarding the SWIFT case in which it expressed immediate concerns about the lack of transparency which had surrounded the arrangements under which SWIFT made the information available to the US authorities.

On 4th October, SWIFT finance chief Francis Vanbever stated that he remained convinced that SWIFT had conformed with European laws. He explained that the data transfers were protected by strict safeguards on use set out in a secret “memorandum of understanding” with the US. This prompted calls by MEPs for the secret memorandum to be made public.

An Irish action

The recent activities of Digital Rights Ireland (“DRI”), a privacy watchdog group, have also made the headlines. On 14th September 2006, following the expiry of an ultimatum to the Minister for Justice, Equality and Law Reform, the Minister for Communications, the Marine and Natural Resources and the Garda Commissioner, the DRI announced that it had launched an action before the High Court to challenge the constitutionality of the Criminal Justice (Terrorist Offences) Act, 2005 and to ask the High Court to refer the Data Retention Directive to the European Court of Justice for a ruling as to its validity.

The legislation allows for the retention of electronic data on individuals who either use a mobile phone or a landline in Ireland. This includes the physical locations of every mobile phone in Ireland and the numbers dialled from every mobile and landline.  DRI argues that the measures amount to a disproportionate invasion of citizens’ right to privacy. Furthermore, they argue that the costs of retaining the data will be passed on to consumers.

Though DRI is the only group, thus far, to have initiated an action against these provisions in Europe, its action is supported by a number of international privacy rights groups.

The above developments show the increasing importance of the issue of the regulation of data retention laws, and the need for companies to keep abreast of the rapid changes in the law. 

Attribute to Jeanne Kelly, Partner, Mason Hayes & Curran.

Jeanne Kelly is a partner in the commercial department of Mason Hayes & Curran. For more information, please contact Jeanne at jkelly@mhc.ie or + 353 1 614 5000. The content of this article is provided for information purposes only and does not constitute legal or other advice. Mason Hayes & Curran (www.mhc.ie) is a leading business law firm with offices in Dublin, London and New York.

© Copyright Mason Hayes & Curran 2006. All rights reserved.
