Feb 11 2010

European Parliament rejects deal for US access to SWIFT financial data. Next on the agenda: PNR deal for access to travel data

Today the European Parliament voted 378 to 196 to reject an “agreement” negotiated between the Council of the European Union and the US Department of Homeland Security which would have created a new extrajudicial basis for the DHS to obtain records of bank transfers and payments made via the Society for Worldwide Interbank Financial Telecommunication (SWIFT).

Understanding today’s EP vote and its significance requires first an explanation of the EU decision-making process for US readers, and then an explanation of some of the parallels between SWIFT and US-based Computerized Reservation Systems (CRSs):

What has happened?

SWIFT dominates the market for “wire transfers” and electronic payments. When a bank or one of its customers transfers money from an account at one bank to an account at another, almost anywhere in the world, that transaction is typically accomplished through messages sent via SWIFT by way of its server cloud including mirror servers in the USA — even for transactions where none of the banks or account holders are located in the USA, such as transfers by European customers between banks within Europe.

In the absence of any legal protections governing such commercial data in the USA, SWIFT stores all this information indefinitely on its servers in the USA, and routinely makes this information available to US government agencies, without the knowledge or consent of the banks or their customers.

With respect to transactions involving banks or bank customers in the European Union, all of this flagrantly violates EU data protection law. When it was eventually revealed, it caused a major scandal in Europe.

SWIFT didn’t want to stop doing business with European banks and customers, and the DHS didn’t want to have to go through existing legal procedures (i.e get a court order) to get access to European (including intra-European) financial data. So the DHS cut a deal with the Council of the EU to create a new extrajudicial framework for DHS access to SWIFT data involving entities in the EU.

At the time that agreement with the DHS was concluded, the role of the European Parliament was limited to “consultation”.  However, under the Lisbon Treaty, which took effect in December 2009, such agreements — including agreements previously in force — now require the approval of the EP.  Today’s vote to reject the SWIFT agreement with the DHS was the first application of the EP’s new power.  As such, it is being hailed as a milestone in the introduction of electoral democracy into the heart of EU decision-making

Why does this matter? What happens next?

The European Parliament is already beginning to consider whether to ratify another, extremely similar, “agreement” with the DHS for access to European commercial records stored in the USA: Passenger Name Records (PNRs) containing airline reservations and other travel data.

In the past, the EP has recognized that SWIFT records of the movements of money and PNRs recording the movements of people raise similar issues, and they were even the subject of a joint workshop organized by the EP which we attended and to which we submitted testimony in 2007.  But as we noted at that time and on subsequent visits to Brussels, the similarities may be substantially greater than MEPs or the European public have yet realized.  These similarities give reasons to reject the PNR deal, and to take additional enforcement action against the commercial entities that are violating EU law in the ways they process PNR data, transfer it to the USA, and make it available to the US government (and other third parties in the USA and other countries):

  1. Like the SWIFT “agreement”, the PNR “agreement” is not binding on the US government.  It has no legal effect in the USA, and cannot be enforced by any US court.  It’s not even binding on the DHS itself. The DHS has no authority to conclude binding international agreements.  Under the US Constitution, the only valid treaties are those ratified by a 2/3 vote of the US Senate.  In effect, both the SWIFT and PNR agreements are no more than press releases, and calling either of them an “agreement” is an attempt to deceive Europeans who are unfamiliar with US Constitutional procedures. (The DHS, for example, has just finalized new rules that exempt much of the data in PNRs from disclosure, in violation of the “undertakings” on access given by the DHS as part of the basis for the PNR agreement.) It’s an insult to the European Parliament, and to all European citizens, to propose a deal that would be binding on Europeans and their governments, but that the US government would be free to ignore.  The EP should insist that any new proposal for a SWIFT agreement explicitly specify that it is a treaty that will take effect only upon ratification both by the European Parliament and by the US Senate.  Since it does not do this, the current PNR “agreement” or any proposal that takes the same non-treaty form should be rejected by the EP.
  2. Like SWIFT, Computerized Reservation Systems (CRSs) are intermediaries for transactions between consumer-facing entities around the world.  SWIFT connects banks. CRSs connect airlines,  travel agencies, hotels, and many other travel companies.  Like SWIFT, CRSs store records in the USA for transactions and messages between entities everywhere in the world.  As with SWIFT, CRS data is sent to, and stored in, the USA, even when the journey is between places in the EU and all parties to the transaction — the traveler, the travel agency, and the airline — are located in the EU.  Much of the outrage about SWIFT concerned US government access to data about intra-European money transfers. But the debate about PNR data, and the PNR “agreement”, are limited to PNRs that include flights between the US and the EU. There should be, but hasn’t yet been, similar outrage at the potential for US government access through US-based CRSs to PNRs for intra-European travel. Most airlines and travel agencies outsource hosting of their customer data to one of four major global CRSs. Three of those four CRSs are based in the USA, and each of them has operations and customers among airlines and travel agencies in the EU. If the travel agency, the airline, or any of the airlines with which the flight has a “codeshare” are hosted by a CRS based in the US, a copy of your PNR is stored in the US regardless of where you are located or traveling. Even if a PNR agreement for USA-EU flights were to be ratified by the EP (and even if it were in the form of a treaty also ratified by the US Senate), it would do nothing to legalize these ongoing transfers of records of intra-European flights and flights between the EU and the rest of the world to US-based CRSs, in flagrant violation of EU data protection laws. It’s not enough to reject the PNR agreement for US-EU flights.  EU authorities need to take action to enforce their data protection laws against transfers to US-based CRSs of PNR data for flights that don’t touch the USA. (If you want to find out whether your data for intra-EU flights has been stored in a US-based CRS, you have the right to demand a record of transfers or disclosures of your PNR data from the airline, travel agency, and/or CRS, and to make a complaint to your national data protection authorities if these travel companies are unable to provide you with an accounting for all disclosures and transfers of your PNR data.)
  3. As with SWIFT data, the PNR “agreement” would leave open the possibility that the same data could be obtained by the US government by other means outside of the agreement.  Questions were raised about this, quite properly, during yesterday’s lengthy debate (full 90-minute video archive) in the EP plenary about SWIFT.  Far fewer questions have been raised about “bypass” of the PNR agreement, perhaps because there is less widespread technical knowledge of where the data resides.  Once PNR data is sent to the US, most often to or by a US-based CRS, the US government can obtain access to that data from the CRS, within the USA, using a “national security letter” or other extra-judicial procedures.  The US government can order the CRS to keep secret from the airline, travel agency, traveler, and anyone else that the government has accessed this data.   This is exactly the situation, for example, that we faced when we tried to find out what had happened to PNRs and other records of flights on KLM Royal Dutch Airlines between Amsterdam and the USA. KLM told us that once this data was accessed by their codeshare partner Northwest  Airlines in the USA, KLM had no way to know who else (including the US government, other governments, or commercial third parties) might have obtained it from Northwest. This is typical of codeshare flights, but it’s also typical for any flight if the airline or the travel agency uses a US-based CRS to make the reservations.

12 thoughts on “European Parliament rejects deal for US access to SWIFT financial data. Next on the agenda: PNR deal for access to travel data

  1. I think we should clear things up a little bit:

    1. SWIFT is a Belgium based company … not a US based company.
    2. For many years, one of the datacenters (or Operating Center as they call it) of SWIFT was located at one of their US dependences. SWIFT mirrored all the intra-European transactions at their US based Operating Center.
    3. In 2006 the NYT and other newspapers unveiled, that the Bush administration got access to those data trasnactions … without any court order.
    4. The scandal reached the European public opinion … and as the US activities violated European laws on privacy and data protection SWIFT decided to stop mirroring the intra-European transactions to their US Operating Center and opened up a new Operating Center in Switzerland for mirroring the transaction and protect the data.
    5. The US administration and the European commission (which is not elected directly by the EU citizens) reached a secret agreement on giving US authorities full access to all SWIFT data.
    6. The European Parliament (which is directly elected by the EU citizens) got broader competences by the new EU Lisbon treaty … now the SWIFT agreement is within their competences to pass or reject this agreement.
    7. The European Commission tried to trick the EU-Parliament and signed the agreement one day before the Parliament got their new competences.
    8. The EU Parliament is very concerned about the arising privacy and data protection issues … which arise from the agreement.
    9. And today the EU Parliament made clear … that they care for the people and their concerns … and that they sand up for the civil rights of the EU citizens.

  2. Pingback: Peter Withe Column: Indonesia And Australia Have Problems With World Cup Bids (Goal.com) | Sports Headlines Today

  3. Pingback: Papers, Please! » Blog Archive » Travelport becomes first CRS to claim it complies with EU privacy law

  4. Pingback: Papers, Please! » Blog Archive » DHS using ICAO again for policy laundering

  5. Pingback: Papers, Please! » Blog Archive » DHS shifting from national origin to ID-based passenger profiling

  6. Pingback: Papers, Please! » Blog Archive » European Parliament hands DHS a setback on access to PNR data

  7. Pingback: Papers, Please! » Blog Archive » Two-faced Biden speech on “privacy” and surveillance

  8. What’s the matter of rejecting the deal to access, when US can simply go to datacenter, and set there rsync of all transactions info to their servers? i actually don’t understand why European parliamant set the law to store all data in Europe? that’s quite stupid of them! Thnx for the article, US is invading the world! Beware!

  9. It is exactly those extra teritorial powers claimed by the US government, that gets everybodys back up! I am Not a muslim, I am an ateist, but, I have come to understand over the last few years where muslims(a faith I consider obnoxious) come from! America making laws that they claim to apply world wide! Sorry, I live in Ireland, I do not have a Vote in the USA! I also have no grievance with ayone there. (I Don’t even Know anyone there). I do not consider it right that the US Government may pass laws which directly impend on citizens of the UK
    :)

  10. Pingback: Papers, Please! » Blog Archive » Can the US be a “safe harbor” for travel surveillance?

Leave a Reply

Your email address will not be published. Required fields are marked *