Today the European Parliament voted 378 to 196 to reject an “agreement” negotiated between the Council of the European Union and the US Department of Homeland Security which would have created a new extrajudicial basis for the DHS to obtain records of bank transfers and payments made via the Society for Worldwide Interbank Financial Telecommunication (SWIFT).

Understanding today’s EP vote and its significance requires first an explanation of the EU decision-making process for US readers, and then an explanation of some of the parallels between SWIFT and US-based Computerized Reservation Systems (CRSs):

What has happened?

SWIFT dominates the market for “wire transfers” and electronic payments. When a bank or one of its customers transfers money from an account at one bank to an account at another, almost anywhere in the world, that transaction is typically accomplished through messages sent via SWIFT by way of its server cloud including mirror servers in the USA — even for transactions where none of the banks or account holders are located in the USA, such as transfers by European customers between banks within Europe.

In the absence of any legal protections governing such commercial data in the USA, SWIFT stores all this information indefinitely on its servers in the USA, and routinely makes this information available to US government agencies, without the knowledge or consent of the banks or their customers.

With respect to transactions involving banks or bank customers in the European Union, all of this flagrantly violates EU data protection law. When it was eventually revealed, it caused a major scandal in Europe.

SWIFT didn’t want to stop doing business with European banks and customers, and the DHS didn’t want to have to go through existing legal procedures (i.e get a court order) to get access to European (including intra-European) financial data. So the DHS cut a deal with the Council of the EU to create a new extrajudicial framework for DHS access to SWIFT data involving entities in the EU.

At the time that agreement with the DHS was concluded, the role of the European Parliament was limited to “consultation”.  However, under the Lisbon Treaty, which took effect in December 2009, such agreements — including agreements previously in force — now require the approval of the EP.  Today’s vote to reject the SWIFT agreement with the DHS was the first application of the EP’s new power.  As such, it is being hailed as a milestone in the introduction of electoral democracy into the heart of EU decision-making

Why does this matter? What happens next?

The European Parliament is already beginning to consider whether to ratify another, extremely similar, “agreement” with the DHS for access to European commercial records stored in the USA: Passenger Name Records (PNRs) containing airline reservations and other travel data.

In the past, the EP has recognized that SWIFT records of the movements of money and PNRs recording the movements of people raise similar issues, and they were even the subject of a joint workshop organized by the EP which we attended and to which we submitted testimony in 2007.  But as we noted at that time and on subsequent visits to Brussels, the similarities may be substantially greater than MEPs or the European public have yet realized.  These similarities give reasons to reject the PNR deal, and to take additional enforcement action against the commercial entities that are violating EU law in the ways they process PNR data, transfer it to the USA, and make it available to the US government (and other third parties in the USA and other countries):

1. Like the SWIFT “agreement”, the PNR “agreement” is not binding on the US government.  It has no legal effect in the USA, and cannot be enforced by any US court.  It’s not even binding on the DHS itself. The DHS has no authority to conclude binding international agreements.  Under the US Constitution, the only valid treaties are those ratified by a 2/3 vote of the US Senate.  In effect, both the SWIFT and PNR agreements are no more than press releases, and calling either of them an “agreement” is an attempt to deceive Europeans who are unfamiliar with US Constitutional procedures. (The DHS, for example, has just finalized new rules that exempt much of the data in PNRs from disclosure, in violation of the “undertakings” on access given by the DHS as part of the basis for the PNR agreement.) It’s an insult to the European Parliament, and to all European citizens, to propose a deal that would be binding on Europeans and their governments, but that the US government would be free to ignore.  The EP should insist that any new proposal for a SWIFT agreement explicitly specify that it is a treaty that will take effect only upon ratification both by the European Parliament and by the US Senate.  Since it does not do this, the current PNR “agreement” or any proposal that takes the same non-treaty form should be rejected by the EP.
2. Like SWIFT, Computerized Reservation Systems (CRSs) are intermediaries for transactions between consumer-facing entities around the world.  SWIFT connects banks. CRSs connect airlines,  travel agencies, hotels, and many other travel companies.  Like SWIFT, CRSs store records in the USA for transactions and messages between entities everywhere in the world.  As with SWIFT, CRS data is sent to, and stored in, the USA, even when the journey is between places in the EU and all parties to the transaction — the traveler, the travel agency, and the airline — are located in the EU.  Much of the outrage about SWIFT concerned US government access to data about intra-European money transfers. But the debate about PNR data, and the PNR “agreement”, are limited to PNRs that include flights between the US and the EU. There should be, but hasn’t yet been, similar outrage at the potential for US government access through US-based CRSs to PNRs for intra-European travel. Most airlines and travel agencies outsource hosting of their customer data to one of four major global CRSs. Three of those four CRSs are based in the USA, and each of them has operations and customers among airlines and travel agencies in the EU. If the travel agency, the airline, or any of the airlines with which the flight has a “codeshare” are hosted by a CRS based in the US, a copy of your PNR is stored in the US regardless of where you are located or traveling. Even if a PNR agreement for USA-EU flights were to be ratified by the EP (and even if it were in the form of a treaty also ratified by the US Senate), it would do nothing to legalize these ongoing transfers of records of intra-European flights and flights between the EU and the rest of the world to US-based CRSs, in flagrant violation of EU data protection laws. It’s not enough to reject the PNR agreement for US-EU flights.  EU authorities need to take action to enforce their data protection laws against transfers to US-based CRSs of PNR data for flights that don’t touch the USA. (If you want to find out whether your data for intra-EU flights has been stored in a US-based CRS, you have the right to demand a record of transfers or disclosures of your PNR data from the airline, travel agency, and/or CRS, and to make a complaint to your national data protection authorities if these travel companies are unable to provide you with an accounting for all disclosures and transfers of your PNR data.)
3. As with SWIFT data, the PNR “agreement” would leave open the possibility that the same data could be obtained by the US government by other means outside of the agreement.  Questions were raised about this, quite properly, during yesterday’s lengthy debate (full 90-minute video archive) in the EP plenary about SWIFT.  Far fewer questions have been raised about “bypass” of the PNR agreement, perhaps because there is less widespread technical knowledge of where the data resides.  Once PNR data is sent to the US, most often to or by a US-based CRS, the US government can obtain access to that data from the CRS, within the USA, using a “national security letter” or other extra-judicial procedures.  The US government can order the CRS to keep secret from the airline, travel agency, traveler, and anyone else that the government has accessed this data.   This is exactly the situation, for example, that we faced when we tried to find out what had happened to PNRs and other records of flights on KLM Royal Dutch Airlines between Amsterdam and the USA. KLM told us that once this data was accessed by their codeshare partner Northwest  Airlines in the USA, KLM had no way to know who else (including the US government, other governments, or commercial third parties) might have obtained it from Northwest. This is typical of codeshare flights, but it’s also typical for any flight if the airline or the travel agency uses a US-based CRS to make the reservations.