Choose the experimental features you want to try

This document is an excerpt from the EUR-Lex website

Document 52010PC0317

Proposal for a Council Decision on the signature of the Agreement between the European Union and the United States of America on the processing and transfer of Financial Messaging Data from the European Union to the United States for purposes of the Terrorist Finance Tracking Program

/* COM/2010/0317 final - NLE 2010/0177 */

52010PC0317

Proposal for a Council Decision on the signature of the Agreement between the European Union and the United States of America on the processing and transfer of Financial Messaging Data from the European Union to the United States for purposes of the Terrorist Finance Tracking Program /* COM/2010/0317 final - NLE 2010/0177 */


[pic] | EUROPEAN COMMISSION |

Brussels, 15.6.2010

COM(2010) 317 final

2010/0177 (NLE)

Proposal for a

COUNCIL DECISION

on the signature of the Agreement between the European Union and the United States of America on the processing and transfer of Financial Messaging Data from the European Union to the United States for purposes of the Terrorist Finance Tracking Program

EXPLANATORY MEMORANDUM

- On 24 March 2010, the Commission adopted a Recommendation from the Commission to the Council to authorise the opening of the negotiations between the European Union and the United States of America to make available to the United States Treasury Department financial messaging data to prevent and combat terrorism and terrorism financing. On 11 May 2010, the Council adopted a Decision, together with negotiation directives, authorising the Commission to open negotiations on behalf of the European Union. On 10 May 2010, the European Parliament adopted a resolution on the Recommendation from the Commission to the Council to authorise the opening of the negotiations The Agreement was initialled by the Parties on 11 June 2010. The Agreement has a duration of 5 years.

- The TFTP has generated significant intelligence which has benefitted Member States' fight against terrorism. The purpose of the Agreement is to ensure the continuation of the TFTP by making available to the United States Treasury Department financial messaging data stored in the EU for the purposes of the Terrorist Finance Tracking Program (TFTP). Since the new systems architecture of the Society for Worldwide Interbank Financial Telecommunication –SWIFT- (hereinafter referred to as the "designated provider") became operational on 1 January 2010, a significant volume of the data which were previously received by the U.S. Treasury Department under the TFTP, have not been available, undermining the benefits of the TFTP not least for the European Union. This Agreement is therefore necessary to enable the functioning of the TFTP without the limitations derived from the designated provider's new systems architecture and ensure that the TFTP can produce EU - and wider global – security benefits .

****

- The TFTP has existed since end 2001, pursuant to which the United States Department of the Treasury served administrative subpoenas on the U.S. arm of the designated provider for the transfer to the Treasury Department of limited sets of financial messaging data which transit over the designated provider's financial messaging network.

- In early 2007 the Presidency of the Council of the European Union and the European Commission engaged in discussions with the U.S. Treasury Department concerning the latter's processing of EU-originating personal data accessed under the TFTP. As a direct consequence of these discussions, the Treasury Department made a series of unilateral commitments to the European Union in June 2007 ("the TFTP Representations").[1] The TFTP Representations expressly limit the Treasury's processing of EU-originating personal data accessed pursuant to the TFTP. Limitations include, for example, that data will be processed exclusively for counter terrorism purposes, that data can only be accessed if there is a pre-existing terrorism nexus (i.e. no data mining) and an obligation to delete data after a certain period. In addition, the TFTP Representations state that the Commission may appoint an "eminent European person" who will verify and report to the Commission on U.S. Treasury compliance with its commitments.

- In March 2008 the Commission announced that it had designated Judge Jean-Louis Bruguière as the TFTP "eminent European person" whose role would be to verify that the TFTP is implemented in accordance with the Representations. Judge Bruguière completed his first report in December 2008. The Report which was presented to the Justice and Home Affairs Council in February 2009 and to the European Parliament's Civil Liberties Committee in February and September 2009, finds that the U.S. Treasury Department complies with the commitments set out in the TFTP Representations. The Report further concludes that the TFTP has generated considerable value for Member State authorities' investigation of terrorism and that Member State authorities have been the main beneficiaries of TFTP-derived information[2]. There is currently no equivalent of the TFTP in the European Union.

- On 1 January 2010, the new "systems architecture" of the designated provider became operational. Under this new systems architecture, the designated provider retains its existing EU-based and U.S. servers and brings into operation a new operating centre in Switzerland. The net effect of this new arrangement is that a significant volume of the data which were received by the U.S. Treasury Department under the TFTP is no longer stored in the United States. In order to ensure that the TFTP continues to produce EU - and wider global – security benefits, it is necessary to put in place an international agreement that allows for data needed for the TFTP to continue to be made available to the U.S. Treasury Department.

- The JHA Council of 30 November 2009 authorised the Presidency of the Council of the European Union to sign an interim agreement between the EU and the United States on the processing and transfer of Financial Messaging Data from the EU to the U.S. for purposes of the TFTP. The interim agreement, also signed on 30 November 2009, was to have a maximum duration of 9 months. However, on 11 February the European Parliament adopted its Resolution withholding consent for the TFTP Interim Agreement. A letter signed by the President of the Council was delivered to the US Secretary of State on 22 February 2010 stating that as a consequence of the Parliament's Resolution, the EU could not become a party to the Interim Agreement and terminating the provisional application of the Agreement. No data were ever transferred under the Interim Agreement.

- Following the termination of the provisional application of the Interim Agreement, data stored by the designated provider in its EU server remains inaccessible to the Treasury Department for the purposes of the TFTP. It is necessary to conclude this Agreement as rapidly as possible in order to make these data available to the United States Treasury Department for the purposes of preventing and combating terrorism and terrorist financing.

****

- In the longer-term, there is an ambition for the European Union to establish a system equivalent to the TFTP, which could enable the analysis of data held in the European Union to take place on the territory of the European Union. This possibility is expressly recognised within the Agreement, and the United States of America has committed to support this development in order to enable its successful establishment

- The Agreement aims at preventing and combating terrorism while respecting fundamental rights, and notably the protection of personal data. The Agreement between the European Union and the United States of America on the processing and transfer of Financial Messaging Data from the European Union to the United States for purposes of the Terrorist Finance Tracking Program aims to ensure full respect for fundamental rights enshrined in Article 6 (2), of the Treaty on European Union, in particular the right to privacy with regard to the processing of personal data as stipulated in Article 16 of the Treaty on the Functioning of the European Union and for the principles of proportionality and necessity regarding the right to respect for private and family life and the protection of personal data as set out in Articles 7 and 8 of the Charter of Fundamental Rights of the European Union.

- The Agreement has secured significant safeguards for those whose data is processed by the designated provider within the European Union if it is transferred to the Treasury Department under this Agreement. Most notably, the Agreement provides for transparency of the use of data; access, blocking and rectification of data; as well as administrative redress on a non-discriminatory basis and the availability of a process for seeking judicial redress under U.S. law, regardless of nationality or place of residence. Where leads resulting from the data are shared with third parties, the Member State concerned will be consulted as appropriate. The Agreement offers a strengthened process for the European Union to review its functioning, and to monitor the independent oversight of the TFTP.

- Article 218(2) of the Treaty on the Functioning of the European Union states that the Council shall authorise the signing of international agreements.

****

- The Commission therefore proposes to the Council to adopt a decision signing the Agreement between the European Union and the United States of America on the processing and transfer of Financial Messaging Data from the European Union to the United States for purposes of the Terrorist Finance Tracking Program.

2010/0177 (NLE)

Proposal for a

COUNCIL DECISION

on the signature of the Agreement between the European Union and the United States of America on the processing and transfer of Financial Messaging Data from the European Union to the United States for purposes of the Terrorist Finance Tracking Program

THE COUNCIL OF THE EUROPEAN UNION,

Having regard to the Treaty on the Functioning of the European Union, and in particular Articles 87(2)(a) and 88 (2), in conjunction with Article 218 (5) thereof,

Having regard to the proposal from the European Commission,

Whereas:

(1) On 11 May 2010, the Council adopted a Decision, together with negotiation directives, authorising the Commission to open negotiations on behalf of the European Union between the European Union and the United States of America to make available to the United States Treasury Department financial messaging data to prevent and combat terrorism and terrorism financing. The negotiations were successfully concluded by the initialling of the Agreement.

(2) The Agreement has not yet been signed. The procedures to be followed to that end by the European Union are governed by Article 218 of the Treaty on the Functioning of the European Union.

(3) The Agreement negotiated by the Commission should be signed, subject to its possible conclusion at a later stage.

(4) This Agreement respects the fundamental rights and observes the principles recognised in particular by the Charter of Fundamental Rights of the European Union, notably the right to private and family life, recognised in Article 7 of the Charter, the right to the protection of personal data, recognised in Article 8 of the Charter and the right to effective remedy and fair trial recognised by Article 47 of the Charter. This Agreement should be applied in accordance with those rights and principles.

(5) [In accordance with Article 3 of the Protocol 21 on the Position of the United Kingdom and Ireland in respect of the area of Freedom, Security and Justice annexed to the Treaty on European Union and the Treaty on the Functioning of the European Union, the United Kingdom and Ireland take part in the adoption of this Decision.]

(6) In accordance with Articles 1 and 2 of the Protocol 22 on the Position of Denmark annexed to the Treaty on European Union and the Treaty on the Functioning of the European Union, Denmark is not taking part in the adoption of this Decision and is not bound by the Agreement or subject to its application,

HAS ADOPTED THIS DECISION:

Article 1

The Commission is authorised to sign, on behalf of the European Union, the Agreement between the European Union and the United States of America on the processing and transfer of Financial Messaging Data from the European Union to the United States for purposes of the Terrorist Finance Tracking Program, and to designate the persons empowered to proceed to the signature.

The text of the Agreement to be signed is attached to this Decision.

Article 2

This Decision shall enter into force on the day of its adoption.

Done at Brussels,

For the Council

The President

ANNEX

AGREEMENT

BETWEEN THE EUROPEAN UNIONAND THE UNITED STATES OF AMERICAON THE PROCESSING AND TRANSFEROF FINANCIAL MESSAGING DATAFROM THE EUROPEAN UNION TO THE UNITED STATESFOR PURPOSES OF THETERRORIST FINANCE TRACKING PROGRAM

THE EUROPEAN UNION,

of the one part, and

THE UNITED STATES OF AMERICA,

of the other part,

Together hereinafter referred to as "the Parties",

DESIRING to prevent and combat terrorism and its financing, in particular by mutual sharing of information, as a means of protecting their respective democratic societies and common values, rights, and freedoms;

SEEKING to enhance and encourage cooperation between the Parties in the spirit of transatlantic partnership;

RECALLING the United Nations conventions for combating terrorism and its financing, and relevant resolutions of the United Nations Security Council in the field of fighting terrorism, in particular United Nations Security Council Resolution 1373 (2001) and its directives that all States shall take the necessary steps to prevent the commission of terrorist acts, including by provision of early warning to other States by exchange of information; that States shall afford one another the greatest measure of assistance in connection with criminal investigations or criminal proceedings relating to the financing or support of terrorist acts; that States should find ways of intensifying and accelerating the exchange of operational information; that States should exchange information in accordance with international and domestic law; and that States should cooperate, particularly through bilateral and multilateral arrangements and agreements, to prevent and suppress terrorist attacks and to take action against perpetrators of such attacks;

RECOGNISING that the United States Department of the Treasury's ("U.S. Treasury Department") Terrorist Finance Tracking Program ("TFTP") has been instrumental in identifying and capturing terrorists and their financiers and has generated many leads that have been disseminated for counter terrorism purposes to competent authorities around the world, with particular value for European Union Member States ("Member States");

NOTING the importance of the TFTP in preventing and combating terrorism and its financing in the European Union and elsewhere, and the important role of the European Union in ensuring that designated providers of international financial payment messaging services provide financial payment messaging data stored in the territory of the European Union which are necessary for preventing and combating terrorism and its financing, subject to strict compliance with safeguards on privacy and the protection of personal data;

MINDFUL of Article 6(2) of the Treaty on European Union on respect for fundamental rights, the right to privacy with regard to the processing of personal data as stipulated in Article 16 of the Treaty on the Functioning of the European Union, the principles of proportionality and necessity concerning the right to private and family life, the respect for privacy, and the protection of personal data under Article 8(2) of the European Convention on the Protection of Human Rights and Fundamental Freedoms, the Council of Europe Convention No. 108 for the Protection of Individuals with regard to Automatic Processing of Personal Data, and Articles 7 and 8 of the Charter of Fundamental Rights of the European Union;

MINDFUL of the breadth of privacy protections in the United States of America (“United States”), as reflected in the United States Constitution, and in its criminal and civil legislation, regulations, and long-standing policies, which are enforced and maintained by checks and balances applied by the three branches of government;

STRESSING the common values governing privacy and the protection of personal data in the European Union and the United States, including the importance which both Parties assign to due process and the right to seek effective remedies for improper government action;

MINDFUL of the mutual interest in the expeditious conclusion of a binding agreement between the European Union and the United States based on common principles regarding the protection of personal data when transferred for the general purposes of law enforcement, bearing in mind the importance of carefully considering its effect on prior agreements and the principle of effective administrative and judicial redress on a non-discriminatory basis;

NOTING the rigorous controls and safeguards utilised by the U.S. Treasury Department for the handling, use, and dissemination of financial payment messaging data pursuant to the TFTP, as described in the representations of the U.S. Treasury Department published in the Official Journal of the European Union on 20 July 2007 and the Federal Register of the United States on 23 October 2007, which reflect the ongoing cooperation between the United States and the European Union in the fight against global terrorism;

RECOGNISING the two comprehensive reviews and reports of the independent person appointed by the European Commission to verify compliance with the data protection safeguards of the TFTP, concluding that the United States was complying with the data privacy protection practices outlined in its Representations and further that the TFTP has generated significant security benefits for the European Union and has been extremely valuable not only in investigating terrorist attacks but also in preventing a number of terrorist attacks in Europe and elsewhere;

MINDFUL of the European Parliament's resolution of 5 May 2010 on the Recommendation from the Commission to the Council to authorise the opening of negotiations for an agreement between the European Union and the United States of America to make available to the United States Treasury Department financial messaging data to prevent and combat terrorism and terrorist financing;

RECALLING that, to guarantee effective exercise of their rights, any person irrespective of nationality is able to lodge a complaint before an independent data protection authority, other similar authority, independent and impartial court or tribunal, to seek effective remedies;

MINDFUL that non-discriminatory administrative and judicial redress is available under U.S. law for mishandling of personal data, including under the Administrative Procedure Act of 1946, the Inspector General Act of 1978, the Implementing Recommendations of the 9/11 Commission Act of 2007, the Computer Fraud and Abuse Act, and the Freedom of Information Act;

RECALLING that by law within the European Union customers of financial institutions and of providers of financial payment messaging services are informed in writing that personal data contained in financial transaction records may be transferred to Member States' or third countries' public authorities for law enforcement purposes and that this notice may include information with respect to the TFTP;

RECOGNISING the principle of proportionality guiding this Agreement and implemented by both the European Union and the United States; in the European Union as derived from the European Convention on Human Rights and Fundamental Freedoms, its applicable jurisprudence, and EU and Member State legislation; and in the United States through reasonableness requirements derived from the U.S. Constitution and federal and state laws, and their interpretive jurisprudence, as well as through prohibitions on overbreadth of production orders and on arbitrary action by government officials;

AFFIRMING that this Agreement does not constitute a precedent for any future arrangements between the United States and the European Union, or between either of the Parties and any State, regarding the processing and transfer of financial payment messaging data or any other form of data, or regarding data protection;

RECOGNISING that Designated Providers are bound by generally applicable EU or national data protection rules, intended to protect individuals with regard to the processing of their personal data, under the supervision of competent Data Protection Authorities in a manner consistent with the specific provisions of this Agreement; and

FURTHER AFFIRMING that this Agreement is without prejudice to other law enforcement or information sharing agreements or arrangements between the Parties or between the United States and Member States,

HAVE AGREED AS FOLLOWS:

ARTICLE 1

Purpose of Agreement

1. The purpose of this Agreement is to ensure, with full respect for the privacy, protection of personal data, and other conditions set out in this Agreement, that:

(a) financial payment messages referring to financial transfers and related data stored in the territory of the European Union by providers of international financial payment messaging services, that are jointly designated pursuant to this Agreement, are provided to the U.S. Treasury Department for the exclusive purpose of the prevention, investigation, detection, or prosecution of terrorism or terrorist financing; and

(b) relevant information obtained through the TFTP is provided to law enforcement, public security, or counter terrorism authorities of Member States, or Europol or Eurojust, for the purpose of the prevention, investigation, detection, or prosecution of terrorism or terrorist financing.

2. The United States, the European Union, and its Member States shall take all necessary and appropriate measures within their authority to carry out the provisions and achieve the purpose of this Agreement.

ARTICLE 2

Scope of ApplicationConduct Pertaining to Terrorism or Terrorist Financing

This Agreement applies to the obtaining and use of financial payment messaging and related data with a view to the prevention, investigation, detection, or prosecution of:

(a) Acts of a person or entity that involve violence, or are otherwise dangerous to human life or create a risk of damage to property or infrastructure, and which, given their nature and context, are reasonably believed to be committed with the aim of:

(i) intimidating or coercing a population;

(ii) intimidating, compelling, or coercing a government or international organization to act or abstain from acting; or

(iii) seriously destabilizing or destroying the fundamental political, constitutional, economic, or social structures of a country or an international organization;

(b) A person or entity assisting, sponsoring, or providing financial, material, or technological support for, or financial or other services to or in support of, acts described in subparagraph (a);

(c) A person or entity providing or collecting funds, by any means, directly or indirectly, with the intention that they should be used or in the knowledge that they are to be used, in full or in part, in order to carry out any of the acts described in subparagraphs (a) or (b); or

(d) A person or entity aiding, abetting, or attempting acts described in subparagraphs (a), (b), or (c).

ARTICLE 3

Ensuring Provision of Data by Designated Providers

The Parties, jointly and individually, shall ensure, in accordance with this Agreement and in particular Article 4, that entities jointly designated by the Parties under this Agreement as providers of international financial payment messaging services ("Designated Providers") provide to the U.S. Treasury Department requested financial payment messaging and related data which are necessary for the purpose of the prevention, investigation, detection, or prosecution of terrorism or terrorist financing ("Provided Data"). The Designated Providers shall be identified in the Annex to this Agreement and may be updated, as necessary, by exchange of diplomatic notes. Any amendments to the Annex shall be duly published in the Official Journal of the European Union.

ARTICLE 4

U.S. Requests to Obtain Data from Designated Providers

1. For the purposes of this Agreement, the U.S. Treasury Department shall serve production orders (“Requests”), under authority of U.S. law, upon a Designated Provider present in the territory of the United States in order to obtain data necessary for the purpose of the prevention, investigation, detection, or prosecution of terrorism or terrorist financing that are stored in the territory of the European Union.

2. The Request (together with any supplemental documents) shall:

1. identify as clearly as possible the data, including the specific categories of data requested, that are necessary for the purpose of the prevention, investigation, detection, or prosecution of terrorism or terrorist financing;

2. clearly substantiate the necessity of the data;

3. be tailored as narrowly as possible in order to minimize the amount of data requested, taking due account of past and current terrorism risk analyses focused on message types and geography as well as perceived terrorism threats and vulnerabilities, geographic, threat, and vulnerability analyses; and

4. not seek any data relating to the Single Euro Payments Area.

3. Upon service of the Request on the Designated Provider, the U.S. Treasury Department shall simultaneously provide a copy of the Request, with any supplemental documents, to Europol.

4. Upon receipt of the copy, Europol shall verify as a matter of urgency whether the Request complies with the requirements of paragraph 2. Europol shall notify the Designated Provider that it has verified that the Request complies with the requirements of paragraph 2.

5. For purposes of this Agreement, once Europol has confirmed that the Request complies with the requirements of paragraph 2, the Request shall have binding legal effect as provided under U.S. law, within the European Union as well as the United States. The Designated Provider is thereby authorized and required to provide the data to the U.S. Treasury Department.

6. The Designated Provider shall thereupon provide the data (i.e., on a “push basis”) directly to the U.S. Treasury Department. The Designated Provider shall keep a detailed log of all data transmitted to the U.S. Treasury Department for the purposes of this Agreement.

7. Once the data have been provided pursuant to these procedures, the Designated Provider shall be deemed to have complied with this Agreement and with all other applicable legal requirements in the European Union related to the transfer of such data from the European Union to the United States.

8. Designated Providers shall have all administrative and judicial redress available under the laws of the United States to recipients of U.S. Treasury Department Requests.

9. The Parties shall jointly coordinate with regard to the technical modalities necessary to support the Europol verification process.

ARTICLE 5

Safeguards Applicable to the Processing of Provided Data

General Obligations

1. The U.S. Treasury Department shall ensure that Provided Data are processed in accordance with the provisions of this Agreement. The U.S. Treasury Department shall ensure the protection of personal data by means of the following safeguards, which shall be applied without discrimination, in particular on the basis of nationality or country of residence.

2. Provided Data shall be processed exclusively for the prevention, investigation, detection, or prosecution of terrorism or its financing;

3. The TFTP does not and shall not involve data mining or any other type of algorithmic or automated profiling or computer filtering.

Data Security and Integrity

4. To prevent unauthorized access to or disclosure or loss of the data or any unauthorised form of processing:

5. Provided Data shall be held in a secure physical environment, stored separately from any other data, and maintained with high-level systems and physical intrusion controls;

6. Provided Data shall not be interconnected with any other database;

7. Access to Provided Data shall be limited to analysts investigating terrorism or its financing and to persons involved in the technical support, management, and oversight of the TFTP;

8. Provided Data shall not be subject to any manipulation, alteration, or addition; and

9. No copies of Provided Data shall be made, other than for disaster recovery back-up purposes.

Necessary and Proportionate Processing of Data

5. All searches of Provided Data shall be based upon pre-existing information or evidence which demonstrates a reason to believe that the subject of the search has a nexus to terrorism or its financing.

6. Each individual TFTP search of Provided Data shall be narrowly tailored, shall demonstrate a reason to believe that the subject of the search has a nexus to terrorism or its financing, and shall be logged, including such nexus to terrorism or its financing required to initiate the search.

7. Provided Data may include identifying information about the originator and/or recipient of a transaction, including name, account number, address, and national identification number. The Parties recognize the special sensitivity of personal data revealing racial or ethnic origin, political opinions, or religious or other beliefs, trade union membership, or health and sexual life (“sensitive data”). In the exceptional circumstance that extracted data were to include sensitive data, the U.S. Treasury Department shall protect such data in accordance with the safeguards and security measures set forth in this Agreement and with full respect and taking due account of their special sensitivity.

ARTICLE 6

Retention and Deletion of Data

1. During the term of this Agreement, the U.S. Treasury Department shall undertake an ongoing and at least annual evaluation to identify non-extracted data that are no longer necessary to combat terrorism or its financing. Where such data are identified, the U.S. Treasury Department shall permanently delete them as soon as technologically feasible.

2. If it transpires that financial payment messaging data were transmitted which were not requested, the U.S. Treasury Department shall promptly and permanently delete such data and shall inform the relevant Designated Provider.

3. Subject to any earlier deletion of data resulting from paragraphs 1, 2, or 5, all non-extracted data received prior to 20 July 2007 shall be deleted not later than 20 July 2012.

4. Subject to any earlier deletion of data resulting from paragraphs 1, 2, or 5, all non-extracted data received on or after 20 July 2007 shall be deleted not later than five (5) years from receipt.

5. During the term of this Agreement, the U.S. Treasury Department shall undertake an ongoing and at least annual evaluation to assess the data retention periods specified in paragraphs 3 and 4 to ensure that they continue to be no longer than necessary to combat terrorism or its financing. Where any such retention periods are determined to be longer than necessary to combat terrorism or its financing, the U.S. Treasury Department shall reduce such retention periods, as appropriate.

6. Not later than three years from the date of entry into force of this Agreement, the European Commission and the U.S. Treasury Department shall prepare a joint report regarding the value of TFTP Provided Data, with particular emphasis on the value of data retained for multiple years and relevant information obtained from the joint review conducted pursuant to Article 13. The Parties shall jointly determine the modalities of this report.

7. Information extracted from Provided Data, including information shared under Article 7, shall be retained for no longer than necessary for specific investigations or prosecutions for which they are used.

ARTICLE 7

Onward Transfer

Onward transfer of information extracted from the Provided Data shall be limited pursuant to the following safeguards:

(a) Only information extracted as a result of an individualized search as described in this Agreement, in particular Article 5, shall be shared;

(b) Such information shall be shared only with law enforcement, public security, or counter terrorism authorities in the United States, Member States, or third countries, or with Europol or Eurojust, or other appropriate international bodies, within the remit of their respective mandates;

(c) Such information shall be shared for lead purposes only and for the exclusive purpose of the investigation, detection, prevention, or prosecution of terrorism or its financing;

(d) Where the U.S. Treasury Department is aware that such information involves a citizen or resident of a Member State, any sharing of the information with the authorities of a third country shall be subject to the prior consent of competent authorities of the concerned Member State or pursuant to existing protocols on such information sharing between the U.S. Treasury Department and that Member State, except where the sharing of the data is essential for the prevention of an immediate and serious threat to public security of a Party to this Agreement, a Member State, or a third country. In the latter case the competent authorities of the concerned Member State shall be informed of the matter at the earliest opportunity;

(e) In sharing such information, the U.S. Treasury Department shall request that the information shall be deleted by the recipient authority as soon as it is no longer necessary for the purpose for which it was shared; and

(f) Each onward transfer shall be duly logged.

ARTICLE 8

Adequacy

Subject to ongoing compliance with the commitments on privacy and protection of personal data set out in this Agreement, the U.S. Treasury Department is deemed to ensure an adequate level of data protection for the processing of financial payment messaging and related data transferred from the European Union to the United States for purposes of this Agreement.

ARTICLE 9

Spontaneous Provision of Information

1. The U.S. Treasury Department shall ensure the availability, as soon as practicable and in the most expedient manner, to law enforcement, public security, or counter terrorism authorities of concerned Member States, and, as appropriate, to Europol and Eurojust, within the remit of their respective mandates, of information obtained through the TFTP that may contribute to the investigation, prevention, detection, or prosecution by the European Union of terrorism or its financing. Any follow-on information that may contribute to the investigation, prevention, detection, or prosecution by the United States of terrorism or its financing shall be conveyed back to the United States on a reciprocal basis and in a reciprocal manner.

2. In order to facilitate the efficient exchange of information, Europol may designate a liaison officer to the U.S. Treasury Department. The modalities of the liaison officer's status and tasks shall be decided jointly by the Parties.

ARTICLE 10

EU Requests for TFTP Searches

Where a law enforcement, public security, or counter terrorism authority of a Member State, or Europol or Eurojust, determines that there is reason to believe that a person or entity has a nexus to terrorism or its financing as defined in Articles 1 to 4 of Council Framework Decision 2002/475/JHA, as amended by Council Framework Decision 2008/919/JHA and Directive 2005/60/EC, such authority may request a search for relevant information obtained through the TFTP. The U.S. Treasury Department shall promptly conduct a search in accordance with Article 5 and provide relevant information in response to such requests.

ARTICLE 11

Cooperation with Future Equivalent EU System

1. During the course of this Agreement, the European Commission will carry out a study into the possible introduction of an equivalent EU system allowing for a more targeted transfer of data.

2. If, following this study, the European Union decides to establish an EU system, the United States shall cooperate and provide assistance and advice to contribute to the effective establishment of such a system.

3. Since the establishment of an EU system could substantially change the context of this Agreement, if the European Union decides to establish such a system, the Parties should consult to determine whether the Agreement would need to be adjusted accordingly. In that regard, U.S. and EU authorities shall cooperate to ensure the complementariness and efficiencies of the U.S. and EU systems in a manner that further enhances the security of citizens of the United States, the European Union, and elsewhere. In the spirit of this cooperation, the Parties shall actively pursue, on the basis of reciprocity and appropriate safeguards, the cooperation of any relevant international financial payment messaging service providers which are based in their respective territories for the purposes of ensuring the continued and effective viability of the U.S. and EU systems.

ARTICLE 12

Monitoring of Safeguards and Controls

1. Compliance with the strict counter terrorism purpose limitation and the other safeguards set out in Articles 5 and 6 shall be subject to independent monitoring and oversight. Such oversight, subject to appropriate security clearances, shall include the authority to review in real time and retrospectively all searches made of the Provided Data, the authority to query such searches and, as appropriate, to request additional justification of the terrorism nexus. In particular, independent overseers shall have the authority to block any or all searches if it appears that one or more searches have been made in breach of Article 5.

2. The independent oversight shall also include the ongoing monitoring of compliance with and reporting on all safeguards set out in Articles 5 and 6.

3. The oversight described in paragraphs 1 and 2 shall be subject to ongoing monitoring, including of the independence of the oversight described in paragraphs 1 and 2, by an independent person appointed by the European Commission, with the modalities of the monitoring to be jointly coordinated by the Parties. The Inspector General of the U.S. Treasury Department will ensure that the independent oversight described in paragraphs 1 and 2 is undertaken pursuant to applicable audit standards.

ARTICLE 13

Joint Review

1. At the request of one of the Parties and at any event after a period of six (6) months from the entry into force of this Agreement, the Parties shall jointly review the safeguards, controls and reciprocity provisions set out in this Agreement. The review shall be conducted thereafter on a regular basis, with additional reviews scheduled as necessary.

2. The review shall have particular regard to (a) the number of financial payment messages accessed, (b) the number of occasions on which leads have been shared with Member States, third countries, and Europol and Eurojust, (c) the implementation and effectiveness of the Agreement, including the suitability of the mechanism for the transfer of information, (d) cases in which the information has been used for the prevention, investigation, detection, or prosecution of terrorism or its financing, and (e) compliance with data protection obligations specified in this Agreement. The review shall include a representative and random sample of searches in order to verify compliance with the safeguards and controls set out in this Agreement, as well as a proportionality assessment of the Provided Data, based on the value of such data for the investigation, prevention, detection, or prosecution of terrorism or its financing. Following the review, the European Commission will present a report to the European Parliament and the Council on the functioning of the Agreement, including the areas mentioned above.

3. For purposes of the review, the European Union shall be represented by the European Commission, and the United States shall be represented by the U.S. Treasury Department. Each Party may include in its delegation for the review experts in security and data protection, as well as a person with judicial experience. The European Union review delegation shall include representatives of two data protection authorities, at least one of which shall be from a Member State where a Designated Provider is based.

4. For purposes of the review, the U.S. Treasury Department shall ensure access to relevant documentation, systems, and personnel. The Parties shall jointly determine the modalities of the review.

ARTICLE 14

Transparency – Providing Information to the Data Subjects

The U.S. Treasury Department shall post on its public website detailed information concerning the TFTP and its purposes, including contact information for persons with questions. In addition it shall post information about the procedures available for the exercise of the rights described in Articles 15 and 16, including the availability of administrative and judicial redress as appropriate in the United States regarding the processing of personal data received pursuant to this Agreement.

ARTICLE 15

Right of Access

1. Any person has the right to obtain, following requests made at reasonable intervals, without constraint and without excessive delay, at least a confirmation transmitted through his or her data protection authority in the European Union as to whether that person's data protection rights have been respected in compliance with this Agreement, after all necessary verifications have taken place, and, in particular, whether any processing of that person's personal data has taken place in breach of this Agreement.

2. Disclosure to a person of his or her personal data processed under this Agreement may be subject to reasonable legal limitations applicable under national law to safeguard the prevention, detection, investigation, or prosecution of criminal offences, and to protect public or national security, with due regard for the legitimate interest of the person concerned.

3. Pursuant to paragraph 1, a person shall send a request to his or her European national supervisory authority, which shall transmit the request to the Privacy Officer of the U.S. Treasury Department, who shall make all necessary verifications pursuant to the request. The Privacy Officer of the U.S. Treasury Department shall without undue delay inform the relevant European national supervisory authority whether personal data may be disclosed to the data subject and whether the data subject's rights have been duly respected. In the case that access to personal data is refused or restricted pursuant to the limitations referred to in paragraph 2, such refusal or restriction shall be explained in writing and provide information on the means available for seeking administrative and judicial redress in the United States.

ARTICLE 16

Right to Rectification, Erasure, or Blocking

1. Any person has the right to seek the rectification, erasure, or blocking of his or her personal data processed by the U.S. Treasury Department pursuant to this Agreement where the data are inaccurate or the processing contravenes this Agreement.

2. Any person exercising the right expressed above shall send a request to his or her relevant European national supervisory authority, which shall transmit the request to the Privacy Officer of the U.S. Treasury Department. Any request to obtain rectification, erasure, or blocking shall be duly substantiated. The Privacy Officer of the U.S. Treasury Department shall make all necessary verifications pursuant to the request and shall without undue delay inform the relevant European national supervisory authority whether personal data have been rectified, erased, or blocked, and whether the data subject's rights have been duly respected. Such notification shall be explained in writing and provide information on the means available for seeking administrative and judicial redress in the United States.

ARTICLE 17

Maintaining the Accuracy of Information

1. Where a Party becomes aware that data received or transmitted pursuant to this Agreement are not accurate, it shall take all appropriate measures to prevent and discontinue erroneous reliance on such data, which may include supplementation, deletion, or correction of such data.

2. Each Party shall, where feasible, notify the other if it becomes aware that material information it has transmitted to or received from the other Party under this Agreement is inaccurate or unreliable.

ARTICLE 18

Redress

1. The Parties shall take all reasonable steps to ensure that the U.S. Treasury Department and any relevant Member State promptly inform one another, and consult with one another and the Parties, if necessary, where they consider that personal data have been processed in breach of this Agreement.

2. Any person who considers his or her personal data to have been processed in breach of this Agreement is entitled to seek effective administrative and judicial redress in accordance with the laws of the European Union, its Member States, and the United States, respectively. For this purpose and as regards data transferred to the United States pursuant to this Agreement, the U.S. Treasury Department shall treat all persons equally in the application of its administrative process, regardless of nationality or country of residence. All persons, regardless of nationality or country of residence, shall have available under U.S. law a process for seeking judicial redress from an adverse administrative action.

ARTICLE 19

Consultation

1. The Parties shall, as appropriate, consult each other to enable the most effective use to be made of this Agreement, including to facilitate the resolution of any dispute regarding the interpretation or application of this Agreement.

2. The Parties shall take measures to avoid the imposition of extraordinary burdens on one another through application of this Agreement. Where extraordinary burdens nonetheless result, the Parties shall immediately consult with a view to facilitating the application of this Agreement, including the taking of such measures as may be required to reduce pending and future burdens.

3. The Parties shall immediately consult in the event that any third party, including an authority of another country, challenges or asserts a legal claim with respect to any aspect of the effect or implementation of this Agreement.

ARTICLE 20

Implementation and Non-derogation

1. This Agreement shall not create or confer any right or benefit on any person or entity, private or public. Each Party shall ensure that the provisions of this Agreement are properly implemented.

2. Nothing in this Agreement shall derogate from existing obligations of the United States and Member States under the Agreement on Mutual Legal Assistance between the European Union and the United States of America of 25 June 2003 and the related bilateral mutual legal assistance instruments between the United States and Member States.

ARTICLE 21

Suspension or Termination

1. Either Party may suspend the application of this Agreement with immediate effect, in the event of breach of the other Party’s obligations under this Agreement, by notification through diplomatic channels.

2. Either Party may terminate this Agreement at any time by notification through diplomatic channels. Termination shall take effect six (6) months from the date of receipt of such notification.

3. The Parties shall consult prior to any possible suspension or termination in a manner which allows a sufficient time for reaching a mutually agreeable resolution.

4. Notwithstanding any suspension or termination of this Agreement, all data obtained by the U.S. Treasury Department under the terms of this Agreement shall continue to be processed in accordance with the safeguards of this Agreement, including the provisions on deletion of data.

ARTICLE 22

Territorial Application

1. Subject to paragraphs 2 to 4 of this Article, this Agreement shall apply to the territory in which the Treaty on European Union and the Treaty on the Functioning of the European Union are applicable and to the territory of the United States.

2. The Agreement will only apply to Denmark, the United Kingdom, or Ireland if the European Commission notifies the United States in writing that Denmark, the United Kingdom, or Ireland has chosen to be bound by the Agreement.

3. If the European Commission notifies the United States before the entry into force of the Agreement that it will apply to Denmark, the United Kingdom, or Ireland, the Agreement shall apply to the territory of such State on the same day as for the other EU Member States bound by this Agreement.

4. If the European Commission notifies the United States after the entry into force of the Agreement that it applies to Denmark, the United Kingdom, or Ireland, the Agreement shall apply to the territory of such State on the first day of the month following receipt of the notification by the United States.

ARTICLE 23

Final Provisions

1. This Agreement shall enter into force on the first day of the month after the date on which the Parties have exchanged notifications indicating that they have completed their internal procedures for this purpose.

2. Subject to Article 21 paragraph 2, this Agreement shall remain in force for a period of five (5) years from the date of its entry into force and shall automatically extend for subsequent periods of one (1) year unless one of the Parties notifies the other in writing through diplomatic channels, at least six (6) months in advance of its intention not to extend this Agreement.

Done at …… this day …… of …… 2010, in two originals, in the English language. This Agreement shall also be drawn up in the Bulgarian, Czech, Danish, Dutch, Estonian, Finnish, French, German, Greek, Hungarian, Italian, Latvian, Lithuanian, Maltese, Polish, Portuguese, Romanian, Slovak, Slovenian, Spanish, and Swedish languages. Upon approval by both Parties, these language versions shall be considered equally authentic.

ANNEX

Society for Worldwide Interbank Financial Telecommunication (SWIFT)

[1] The TFTP Representations, were acknowledged by the European Union by letter of 29 June 2007. The TFTP Representations and EU letter of acknowledgement were published in the Official Journal OJ C 166/18 of 20.7.2007 and OJ C 166/26 of 20.7.2007.

[2] The "eminent European person" Report of December 2008 contains various examples of where TFTP-derived intelligence has been shared with EU Member State services in connection with the investigation, prevention and prosecution of terrorism in the European Union. The Report further states that United States authorities have shared approximately 1400 TFTP-derived leads with Member States since 2002.

Top
  翻译: