Opinion of the European Data Protection Supervisor on the proposal for a Council Decision on the
conclusion of the Agreement between the European Union and the United States of America on the processing and transfer of Financial Messaging Data from the European Union to the United States for purposes of the Terrorist Finance Tracking Program (TFTP II)
In his Opinion, the EDPS welcomes the fact that he is consulted and recommends that his Opinion is mentioned in the recitals of the proposal. He also notes that, further to the decision of the European Parliament of 11 February 2010 to withhold its consent with regard to the interim agreement signed on 30 November 2009, the new draft aims at addressing in particular the concerns with regard to the protection of personal data, a fundamental right which after the entry into force of the Lisbon Treaty has acquired even more relevance in the legal framework of the European Union.
The EDPS considers, however, that there are several some open questions to address and states as follows :
The EDPS acknowledges that this proposal envisages certain substantial improvements with respect to the interim TFTP I agreement, such as the exclusion of SEPA (Single Euro Payments Area) data, a more limited definition of terrorism, and more detailed provisions on data subjects’ rights. He notes however, that an essential prerequisite to the assessment of the legitimacy of a new TFTP agreement should be met. The necessity of the scheme must be established in relation to already existing EU and international instruments.
There are key elements to improve in order to meet the conditions of the EU legal framework on the protection of personal data, such as:
· ensuring that bulk transfers are replaced with mechanisms allowing financial transaction data to be filtered in the EU, and ensuring that only relevant and necessary data are sent to US Authorities;
· considerably reducing the storage period for non- extracted data;
· entrusting the task to assess the requests of the US treasury to a public judicial authority, in line with the negotiating mandate and the current EU legal framework;
· ensuring that the data subjects’ rights conferred by the proposal are clearly stated and effectively enforceable also in the US territory ;
· enhancing the independent oversight and supervision mechanisms, by:
· ensuring that the tasks and role of both the person appointed by the European Commission and the representatives of European data protection authorities are well defined and that they are put in a position to act independently and to effectively carry out their supervisory tasks;
· ensuring that joint reviews take place regularly and that their outcome is linked to the duration of the agreement through a sunset clause;
· extending the information available to independent overseers and data protection authorities;
· avoiding that the agreement limits the powers of European data protection authorities.