Terrorism in Europe: The decade-long struggle over European banking data and a policy paradox

After the terrorist attacks on Charlie Hebdo and the Paris attacks of 13 November, the demand to reconsider the creation of a European equivalent of the US Terrorist Finance Tracking Program (TFTP) – an investigative tool using international banking data to trace terrorists (financiers) and prevent future attacks– resurfaced. In response to these demands, the EU’s latest Action Plan on strengthening the fight against terrorism financing (February 2016) states that by the end of 2016 an assessment will be made on the feasibility of a European Terrorist Finance Tracking System. Given the renewed attention for this allegedly ‘vital’ tool in the fight against terrorism, this article aims to bring back into memory the contested history of the EU-US TFTP agreement, the central role of the European Parliament in European discussions on the program and the paradoxical outcomes of 10 years of political debate.

‘Enough is enough’: political outrage in the European Parliament

The Terrorist Finance Tracking Program was created immediately after 9/11 in the furious search for tools to go after the perpetrators of the terrorist attacks. It entailed the massive transfer of financial transaction data held by a major Belgian financial messenger service provider called SWIFT (Society for Worldwide Interbank Financial Telecommunications) to the US Treasury in order to be analyzed by financial investigators of the CIA. The first objective of the program was to identify and track who the 9/11 hijackers were and to map their networks. Yet, the program continued much longer than some initially anticipated as it took up a broader mission of proactively preventing future terrorist attacks by tracing global money flows.

Afbeelding2In June 2006 the New York Times, followed by media outlets worldwide, was the first to publish on the TFTP. Despite the initial reactions of the European Commission, the Council and the ECB that this was not a European affair, a large part of the European Parliament was outraged by this news. In the words of liberal MEP and then President of the Parliament’s civil liberties committee Jean-Marie Cavada: “we now learn that, friend of ours though it may be, a power in alliance with ourselves has been rooting around in our bank accounts. What will happen next? Emphatically, enough is enough. Parliament really does need to put a stop to this type of thing” (2006). Although the disclosures made by Edward Snowden in 2013 were yet to come, MEPs related the revelations to reports of other once hidden programs such as the CIA rendition flights and the secret prisons.

The two months following the public disclosure of the program can be understood as what Slovenian philosopher Slavoj Žižek calls ‘a moment of openness’. In the European Parliament the TFTP is debated in relation to a wide range of issues including: privacy rights, data protection laws, legal competence, the possibility of economic espionage, transatlantic relations, the relation between liberty and security, the desirability of the program, and the wider context and philosophy of the War on Terror. As we now know, these concerns have become even more justified and urgent in the post-Snowden era.

Ad hoc solutions to fix issues of privacy and legality

This moment of free debate was however progressively narrowed down to two political problems that needed to be fixed. Between July and December 2006, national and European data protection agencies investigated the potential violation of European privacy law and the legal requirements needed to continue the transfer of European data to the US. The Belgian Privacy Commission (BPC -CBPL/CPVP) that led the investigations in Europe published three separate reports, two in 2006 and one in 2008. The first two reports were very critical. The BPC stated amongst others that ”SWIFT should have realized that the exceptions under American law could hardly justify a secret, systematic and large scale violation of the basic European principles of data protection which went on for years” and it accused the company of serious misjudgments in the light of European privacy and data protection law. However, the investigations of the various data protection agencies did not lead to an end of the data transfers of which the vital interest was still not clearly proven. In fact, they were rather used to legitimize and continue the program as the integration of the suggested privacy and data protection recommendations would ensure compliance with European law.

In the period between January 2007 and November 2009, the political debate became more depoliticized as ad hoc ‘solutions’ were adopted to improve the legality of the program. First, SWIFT joined the Safe Harbor Principles. The European Commission promoted these principles since 2000 to facilitate the transfer of personal data from Europe to the US, ensuring an adequate level of data protection according to European law. It has been pointed out however that this framework was designed for American companies (notably Microsoft, Google and Facebook ) and that as a Belgian company SWIFT should simply comply with European law.[1] A second initiative was the adoption of a set of unilateral commitments the so-called ‘representations’ by the US Treasury. Thirdly, an ‘eminent European person’ – former French counter-terrorism judge Jean-Louis Bruguière – was appointed to review the TFTP leading to two oversight reports published in December 2008 and in January 2010. These three initiatives were all taken in an improvised manner, outside conventional frameworks of international cooperation. Although thoroughly discussed and sometimes criticized in the European Parliament, they contributed to a temporary political solution for the transatlantic struggle over financial data and aimed at rendering the TFTP acceptable.

The European Parliament ready to fight a second round

Parallel to the short term fixes mentioned above, the European Council and the European Commission had also been negotiating a more comprehensive longer term agreement with the US. As a result of SWIFT’s decision to review its global messaging system, European data would not be automatically accessible to the US and to obtain these data an explicit legal agreement was necessary. The adoption of this new EU-US Agreement led to a serious power struggle between the European Parliament and the US as well as among the European institutions.

Sophie in ‘t Veld (middle) and Jeanine Hennis-Plasschaert (right) celebrating the EP’s “victory” against the initial 2010 agreement

Angry and disappointed that it had been actively sidelined from the negotiations by the Council and the Commission, the European Parliament sought to influence the adoption of the agreement by rejecting the negotiated text as a whole early 2010. Interesting to note was the broadening of issues and ideas that were discussed in the parliamentary debates preparing the vote on the EU-US agreement. In addition to privacy issues and data protection safeguards, MEPs again questioned the effectiveness and the desirability of the program and its potential for economic espionage.

In the new negotiations after the rejection of the TFTP agreement, the European Commission and the European Council demonstrated a new spirit of cooperation. American officials made sure to pay careful attention not to ‘belittle’ the European Parliament and sent Vice-President Joe Biden on a charm offensive to convince Europeans of the need for both the TFTP and the respect for privacy in the fight against terrorism. After addressing most of its concerns into the new legal text (but not the key issue of avoiding bulk data transfers), the EP gave its consent to the new agreement on 3 July 2010 and it entered into force by August.

The adoption of the agreement however didn’t lead to the end of the political controversy over the TFTP. The European Parliament continues to closely scrutinize the implementation of the TFTP agreement and every year since 2010 there have been new scandals that brought the program back to the front pages. Just after the conclusion of the Agreement, parliamentary questions were raised regarding the fact that the identity of the interim and permanent overseer of the TFTP, a EU public official was held confidential for security, privacy and integrity reasons. In 2011, press articles revealed that Europol violated the data protection rules set out in the Agreement. A year later the European Court of Justice ruled on a complaint filed by Dutch MEP Sophie in t Veld that certain classified documents related to the TFTP must be partly disclosed. In 2013, following the revelations of a series of secret NSA programs by Edward Snowden, the European Parliament threatened to suspend the TFTP agreement. It expressed a firmer call for suspension when in September various newspapers stated that the NSA had access to SWIFT data outside the framework of the EU-US TFTP Agreement. Although the potential breach of the agreement has not been established (nor extensively investigated). Early 2014 the Moraes report that investigated the different NSA surveillance programs reiterated the recommendation for suspending the EU-US agreement. Finally, the latest row regarding the TFTP is the American refusal to let neither the EU’s Ombudsperson Emily O’Reilly nor other EU law makers and officials scrutinize a document on the implementation of the TFTP written by Europol’s own internal data protection committee, the Joint-Supervisory Body (JSB) and thereby prevent sound democratic oversight in the EU.

The call for a European System: a policy paradox?

The decade-long struggle over the transfer of European banking data to the US tends to remain somewhat below the radar in debates on combating terrorism in Europe. Yet it is a fascinating example of how the European Parliament – more than politicians in most member states – stood up for the privacy and data protection rights of European citizens and asked some fundamental questions on the tools that have been developed in the War on Terror.

In the light of this contested history of the TFTP and the resistance against the program in the European Parliament, it seems therefore remarkable and even paradoxical that one of the demands of the EP in 2010 and after the Paris attacks was precisely to create a European equivalent to the TFTP. In response to the adoption of the US–EU SWIFT agreement in May 2010, MEP Cavada stated: ‘the true problem remains the incapability of the European Union to equip itself with a computer analysis tool for the analysis of data exchanges similar to that of the United States’. Hence the political problem of the data transfer in the context of the TFTP was reframed as one of equality within the transatlantic alliance. The EU had to be ‘a true counterpart of the US’ and avoid the outsourcing of its security policies. However, the European Commission concluded in 2013 that none of the three initiatives it had developed were satisfying and that ‘the case to present at this stage a proposal for an EU TFTS is not clearly demonstrated’.

In 2016 the demand for a European System is on the political agenda again. This time, the issue is not to rebalance the EU-US relations but to step up the fight against terrorism by complementing the existing EU-US TFTP agreement by tracing intra-European transactions that are excluded under the current agreement. A final assessment is planned for the last quarter of 2016 but given the renewed urgency of fighting terrorism in Europe, the redefinition how such a European System would add value and the increased competencies and manpower within Europol due to the newly established Counter Terrorism Centre, it seems increasingly feasible that one of the outcomes of 10 years of controversy will paradoxically be a European TFTP.

This article was written by Mara Wesseling, PhD

[1] In October 2015 the European Court of Justice ruled that the Safe Harbor Agreement had to be suspended as the revelations made by Edward Snowden showed that personal data of European citizens – the court case was especially about Facebook content – was insufficiently protected in the US.