The original US-EU deal over SWIFT banking data created a European data haven for terrorist transactions, ensuring that European transactions would not be subject to US examination. It appears that the EU has agreed to give the US access to the data that it pulled out of US jurisdiction in the last deal.
This arrangement is being heavily criticized by members of the European Parliament, which is apparently feeling disrespected. Which, for some reason, made me think of this story.
UPDATE: In my original post, I unfairly conflated the European Commission, which did the SWIFT deal, with other European officials. Here's the broader story.
In 2006-2007, SWIFT
was subjected to a bitter European campaign for cooperating with US
measures to identify terrorist financing. The campaign included an
irresponsible Belgian criminal investigation that was ultimately shut
down once the Belgian government had the facts. As a result, an EU-US
deal was negotiated that imposed limits on the US antiterrorism
program. That deal was reached in June 2007.
While the deal resolved the
US-EU diplomatic dispute, that didn't solve the legal problems faced by SWIFT, which was still under
Belgian criminal investigation and being criticized heavily by the
assembled data protection authorities of Europe, a group known as the
Article 29 Working Party.
Pressed on these fronts, in October of the same year, SWIFT announced that it had decided to create a separate Swiss operations center that would handle European transactions. It would not be sending data from this center through the US, so terrorists were free to conduct intraEuropean financing transactions free from US scrutiny. This triumph of privacy doctrine over good sense was hailed by the Article 29 Working Party: "The new structure foresees by the end of 2009 the creation of a new operation centre in Switzerland" the group said with evident satisfaction. "This means personal data in intra-European transactions will no longer be processed in the US operating centre." The Belgian data protection authority also cited the new Swiss center favorably when it announced in early 2008 that SWIFT actually hadn't broken Belgian law. Coincidence? Nope. SWIFT admitted that pressure from the data protection authorities was one of them: "Distributed architecture will improve resilience, add capacity, control long-term average message costs, and alleviate European data protection concerns."
In short, it's pretty clear that SWIFT was forced to create a safe haven for European terrorist financing, and the pressure came from European government officials.
But, to be fair, it wasn't the European Commission that insisted on a Swiss safe haven, and indeed the whole point of the 2009 agreement was to mitigate the consequences of the privacy campaigners' insistence on a safe haven. That is, it restores some US scrutiny of intraEuropean transactions for indicia of terrorist financing.
On the one hand, I suppose this could be seen as a good new precedent, since the European Commission is actually proposing to give the US access to data located in Europe for antiterror purposes. More realistically, it is the adults on the Commission coming in to clean up a mess left by Europe's privacy bureaucrats, since at best the deal will restore the status quo ante -- "giving" the US access to data that it had access to before the privacy agencies decided to declare SWIFT guilty before trial.
What's remarkable, though not surprising, is that the Commission's action is provoking criticism in the European Parliament.
Comments