Out-Law News 3 min. read

EU plan to share bank data with US is 'wholly unbalanced', says expert

The European Commission has agreed with the US the terms on which it will allow that country's authorities access to the banking details of EU citizens. But a privacy law expert said the plan gives US authorities freedom to make sweeping demands for data.

The agreement must be approved by the European Parliament and Council before coming into force. Privacy expert Dr Chris Pounder is urging MEPs to reject the deal.

US authorities have had access to transactions processed by European inter-bank agency SWIFT since the terrorist attacks in the US in 2001. Controversy surrounded the programme when it came to light in 2006.

The European Parliament has rejected subsequent attempts to agree the terms on which information can be transferred. The Parliament last rejected a deal as recently as February, insisting that the European Commission win more protection for Europeans' personal information.

The Commission has published details of its new proposed deal. It includes the stipulation that Interpol officers must approve requests for information but critics claim that it is still lop-sided, granting US authorities more power over EU records than EU authorities have over US data.

"The draft Agreement is a substantial improvement as compared with the rejected Interim Agreement. It takes account of the key issues raised by the European Parliament and Council. I call now on the Council and the European Parliament to take the necessary steps to allow the Agreement to enter into force a soon as possible," said Cecilia Malmström, EU Commissioner for Home Affairs.

"The draft Agreement significantly strengthens data protection guarantees concerning transparency, rights of access, rectification and erasure of inaccurate data," said a Commission statement. "The Agreement guarantees non-discriminatory rights of administrative redress and ensures that any person whose data are processed under the Agreement will have rights to seek judicial redress in the United States from any adverse administrative action."

The Commission said that the requirement that a security officer would have to approve requests for data would provide a safeguard against abuse.

"Under the Agreement a European public authority, namely Europol, will assess whether the data requested in any given case are necessary for the fight against terrorism and its financing," the Commission statement said. "Europol will also have to verify that each and every request is tailored as narrowly as possible in order to minimise the amount of data requested. If a request for data does not meet these conditions, no data can be transferred under the Agreement."

Chris Pounder, director of Amberhawk Training and formerly of Pinsent Masons, the law firm behind OUT-LAW.COM, disagreed. In a blog post, he said that that requirement is no barrier to excessive information transfer. "The Draft Agreement appears to be wholly unbalanced," he said.

"Article 4 allows the US Treasury to obtain 'Data' on request," he said. "All the Treasury need do is specify the categories of data it wants as being necessary in connection with terrorism, get the formal approval of fellow security officers in Europol, and then the personal data can be transferred. Note there is no judicial warrant needed in relation to requests which could involve considerable amounts of personal data."

"However, when the EU want data from the USA, Article 10 requires them to identify 'a person or entity that there is reason to believe has a nexus to terrorism or its financing'. The difference between the two approaches is profound," said Pounder.

"The Draft Agreement allows the USA to say to the EU, for example, 'give us a range of data about transactions in a certain region' as we are investigating terrorism," he said. "By contrast, a Member State of the European Union has to say to the USA something like 'give us the data on this known entity or specific individual' in relation to terrorism. Put in these terms, it is easy to see that the USA can make general requests for 'data' whereas the EU has to make specific targeted requests about individuals or entities."

"The Agreement is unbalanced and will result in a one-way data traffic flow – from EU financial institutions to the USA. No explanation has been given as to why the USA cannot follow the EU States and make targeted requests for personal data," said Pounder.

Pounder said that the European Parliament should reject the draft agreement.

"The EU and the USA want wide-ranging powers to follow the terrorist money trail; most people support that objective," he said. "However, the absence of a definition of 'terrorism', the provision of a weak regulatory regime to act as a counter-balance to wide ranging data sharing powers, the deliberate exclusion of the Europe’s Data Protection Commissioners, means that this Agreement should not progress in its current form."

We are processing your request. \n Thank you for your patience. An error occurred. This could be due to inactivity on the page - please try again.