Under Article 34(1)3 of the Europol Council Decision, the JSB is tasked with reviewing Europol’s activities in order to ensure that individuals’ rights are not violated by the storage, processing or use of data held by Europol.
At its meeting of 11 October 2010, the JSB mandated a team to inspect Europol’s implementation of the TFTP Agreement, including all related items. The inspection took place in November 2010.
The inspection team found that some data protection requirements were not being met. The most important finding of the inspection was that the written requests Europol received were not specific enough to allow it to decide whether to approve or deny them. It was found that the US requests were too general and too abstract to allow proper evaluation of the necessity of the requested data transfers. Despite this, Europol approved each request it received. One of the JSB’s recommendations is, therefore, that Europol should contact the US Treasury Department to ensure that all future requests for SWIFT data comply with the criteria set out in the TFTP Agreement. The JSB concluded that proper verification of whether the requests are in line with the TFTP Agreement – on the basis of the available documentation – is impossible.
Europol advised that orally-provided information plays a role in its verification of each request. This information is provided to certain Europol officials with the stipulation that no record is made. This kind of procedure prevents JSB from checking whether Europol could have rightly come to its decisions. The JSB was therefore unable to evaluate whether the amount of data transferred to the US from SWIFT was proportionate and necessary, as required by the TFTP Agreement. The significant involvement of oral information renders proper internal and external audit, by Europol’s Data Protection Office and the JSB respectively, impossible.
The report was a cause of concern at the European Parliament. MEP Alexander Alvaro said:
As Members of Parliament we feel betrayed reading this report.We voted in favour [of this agreement last year] in the trust that both parties would apply the adopted agreement”, which “concerns the transfer of sensitive data belonging to our citizens”, he stressed, adding that “the credibility of Parliament and of this committee are being jeopardised. This is about trust and confidence of the public in what the EU did and is capable of doing here”.
MEP’s also criticized Europol’s role in supervising the agreement:
Entrusting this task to Europol “is like putting the fox in charge of the chicken coop” said Sarah Ludford (ALDE, UK). Several MEPs questioned Europol’s credibility, given that it transfers data in response to oral requests by the US authorities. MEPs asked that the Director of Europol to come to the committee to explain his views on this.
“Europol should not have been the body to oversee this – we all underlined at the time that Europol should not have been entrusted with this role”, said Stavros Lambrinidis (S&D, EL), adding that the fact that the agency only has 48 hours to answer requests would only make sense it they are “super duper”, which does not always seem to be the case.
Rui Tavares (GUE/NGL, PT), considered this a bad precedent for further agreements in this area. He stressed that Parliament must have access to the full report, including the classified sections. “We might have to engage in another battle for access to documents, but we are used to that”, he added.
National data protection commissioners weighed in as well. Here‘s German Federal Commissioner for Data Protection and Freedom of Information, Peter Schaar:
Even the very rudimentary public part of the inspection report confirms my fears. There are huge shortcomings. Political authorities at European and national level must immediately ensure that the shortcomings that were found will be eliminated. In Peter Schaar’s opinion, the findings of the inspection focus on the question already critically asked prior to the Agreement:Can and will Europol perform the assigned watchdog function properly at all?
One week later a second control mechanism seems to have failed. According to Article 15 of the SWIFT agreement, every EU citizen has the right to know if American authorities had access to personal banking data and if so, which authorities received that information.
For the past six months, Alexander Alvaro, a member of European Parliament from Germany’s Free Democrats, has been doing a test in an attempt to obtain the information entitled to him from German authorities. The result:
“The German authorities have not yet been able to find out whether data has been accessed at all. As such, the rights of EU citizens on correction, deletion or blockage of the data are being violated.”
Read the full story at Der Spiegel.
The always nuanced Steward Baker has another take on the issue though:
European Governments Screw Up; US To Suffer Consequences That seems to be the theme of this article from the ever-predictable Der Spiegel, which recites a bunch of alleged failures by the German government in implementing the SWIFT data agreement, then raises the prospect of suspending the agreement, thereby cutting off US access to some financial data and making the world safer for funders of terrorism.
All in all, it seems clear that Europol is not the main culprit in this case. Europol has discharged its responsibilities as foreseen by the TFTP Agreement and implemented the necessary provisions correctly. The key recommendation in the Final JSB Inspection Report seeks to motivate the US Department of the Treasury to provide even more written documentation to Europol to carry out its verification role under Article 4. This is very similar to the findings and recommendations recorded by the review team. Read the Commission’s full assessment here.