This document contains a draft Council Decision on the signing, on behalf of the EU, of the Agreement between the EU and the USA on the processing and transfer of Financial Messaging Data from the EU to the USA for purposes of the Terrorist Finance Tracking Program (TFTP).
The main contents of the Agreement are as follows:
Purpose of Agreement: the purpose of this Agreement is to ensure, with full respect for the privacy, protection of personal data, and other conditions set out in this Agreement, that:
a) financial payment messaging and related data stored in the territory of the EU by providers of international financial payment messaging services, that are jointly designated pursuant to the Agreement, are made available upon request by the U.S. Treasury Department for the purpose of the prevention, investigation, detection, or prosecution of terrorism or terrorist financing; and
b) relevant information obtained through the TFTP is made available to law enforcement, public security, or counter terrorism authorities of Member States, or Europol or Eurojust, for the purpose of the prevention, investigation, detection, or prosecution of terrorism or terrorist financing.
Data concerned: this Agreement applies to the obtaining and use of financial payment messaging and related data with a view to the prevention, investigation, detection, or prosecution of acts of a person or entity that involve violence, or are otherwise dangerous to human life or create a risk of damage to property or infrastructure, and which, given their nature and context, are reasonably believed to be committed with the aim of:
· intimidating or coercing a population;
· intimidating, compelling, or coercing a government or international organisation to act or abstain from acting; or
· seriously destabilizing or destroying the fundamental political, constitutional, economic, or social structures of a country or an international organisation.
Ensuring Provision of Data by Designated Providers: the EU must ensure that entities jointly designated by the Parties as providers of international financial payment messaging services ("Designated Providers") make available to the U.S. Treasury Department requested financial payment messaging and related data for the purpose of the prevention, investigation, detection, or prosecution of terrorism or terrorist financing ("Provided Data").
U.S. Requests to Obtain Data from Designated Providers: the U.S. Treasury Department will issue a request based on an ongoing investigation concerning a specific conduct referred to in the clause regarding conduct pertaining to terrorism or terrorist financing that has been committed or where there is a reason to believe that it could be committed. The request shall identify as clearly as possible data stored by a Designated Provider in the EU that are necessary to this end. Data may include identifying information about the originator and/or recipient of the transaction, including name, account number, address, national identification number, and other personal data related to financial messages. The request shall substantiate the necessity for the data and shall be tailored as narrowly as possible in order to minimize the amount of data requested, taking due account of geographic, threat and vulnerability analyses. The request will be transmitted by the U.S. Department of Justice to the central authority of the Member State either in which the Designated Provider is based or where it stores the requested data. The US will simultaneously transmit a copy of the request to the central authority of the other Member State , and also simultaneously transmit a copy of the request to the national members of Eurojust of those Member States. The request will be transmitted to the competent authority for its execution under the law of the requested Member State . The requested measure shall be executed as a matter of urgency. If the Designated Provider is not able to produce the specific data that would respond to the request because of technical reasons, all potentially relevant data shall be transmitted in bulk, subject to provisions here on safeguards applicable to the processing of provided data, to the competent authority of the requested Member State. The data that have been transmitted lawfully on the basis of this provision may be searched for the purpose of other investigations concerning the types of conduct covered by the Agreement with full respect for the safeguards.
Safeguards Applicable to the Processing of Provided Data: the U.S. Treasury Department shall ensure that Provided Data are processed in accordance with the provisions of this Agreement. The Agreement provides that the TFTP does not and shall not involve data mining or any other type of algorithmic or automated profiling or computer filtering. The U.S. Treasury Department shall ensure the protection of personal data by means of the 13 safeguards, described in the text, which shall be applied without discrimination, in particular on the basis of nationality or country of residence. These safeguards include the provision that all non-extracted data received prior to 20 July 2007 shall be deleted not later than five years after that date, and all non-extracted data received on or after 20 July 2007 shall be deleted not later than five years from receipt; subject to conditions.
Adequacy: subject to ongoing compliance with the commitments on privacy and protection of personal data, the U.S. Treasury Department is deemed to ensure an adequate level of data protection for the processing of financial payment messaging and related data transferred from the EU to the US. .
Spontaneous Provision of Information: the U.S. Treasury Department shall ensure the availability to law enforcement authorities of concerned Member States, and to Europol within the remit of its mandate, of information obtained through the TFTP that may contribute to the prevention, of terrorism in the EU or its financing. Any follow-on information that may contribute to the prevention of terrorism in the USA shall be conveyed back to the US on a reciprocal basis.
EU Requests for TFTP Searches: where a law enforcement authority of a Member State, or Europol or Eurojust, determines that there is reason to believe that a person or entity has a nexus to terrorism, such authority may request a search for relevant information obtained through the TFTP. The U.S. Treasury Department shall promptly conduct a search and provide relevant information in response to such requests. There are provisions in the Agreement for cooperation with future equivalent EU system.
Joint Review: this will normally take place after a period of six months of the implementation of this Agreement with particular regard to verifying the privacy, protection of personal data, and reciprocity provisions, and include a proportionality assessment of the Provided Data, based on the value of such data for the investigation, prevention, detection, or prosecution of terrorism or its financing.
Redress: any person has the right to obtain, following requests made at reasonable intervals, without constraint and without excessive delay or expense, confirmation from his or her data protection authority whether all necessary verifications have taken place within the EU to ensure that his or her data protection rights have been respected in compliance with the Agreement, and, in particular, whether any processing of his or her personal data has taken place in breach of this Agreement. Such right may be subject to necessary and proportionate measures applicable under national law, including for the protection of public security or national security or to avoid prejudicing the prevention, detection, investigation, or prosecution of criminal offences, with due regard for the legitimate interest of the person concerned. Any person who considers his or her personal data to have been processed in breach of the Agreement is entitled to seek effective administrative and judicial redress in accordance with the laws of the EU, its Member States, and the US, respectively.
The Agreement contains clauses on consultation, non-derogation and termination. Its duration is from 1 February 2010 to 31 October 2010.
As soon as the Treaty of Lisbon enters into force, the Parties will endeavour to conclude a long-term agreement to succeed the Agreement.