Q&A: US data deal with Europe
- Published
The US will be able to scrutinise European bank transactions again next month after Euro MPs approved a new deal to help anti-terror investigators.
The negotiations were tough because of data protection concerns. Here the BBC's Laurence Peter examines what the deal means for Europeans.
Why does the US think it needs access to Europeans' personal bank details?
US officials argue that the security of the US and Europe is seriously compromised if they are unable to track the funding of terror suspects.
The suicide attacks on the US in September 2001 led America to intensify efforts to foil similar plots and the treasury department was given the power to intercept militants' finances under the Terrorist Finance Tracking Programme (TFTP).
The US started receiving data from Swift, a money transfer system based in Brussels which handles millions of transactions daily. But the secret deal did not come to light until 2006.
US officials say the co-operation with Swift has given them many leads and helped foil a plot to blow up US-bound transatlantic airliners in 2006.
EU governments negotiated a deal to allow the US to continue receiving bulk data from Swift. But when the EU's Lisbon Treaty took effect in December 2009 the European Parliament used its new powers under the treaty to prevent that deal being renewed.
Despite intensive lobbying by high-ranking US officials, including Secretary of State Hillary Clinton, MEPs froze the deal in February.
A majority of MEPs demanded extra privacy safeguards to beef up a draft agreement presented by the European Commission. It was revised to take account of these concerns, and further negotiations with the US resulted in the new deal, approved by the parliament on 8 July.
Does this mean all Europeans' bank transactions will be open to US scrutiny?
No. Swift will transfer encrypted data to the US in bulk - the volume is so great that it cannot currently narrow it down to individual transactions. But US investigators will be able to conduct specific searches of that data if they convince the European police agency Europol that they need to do so.
It will also be Europol's job to ensure that the volume of data requested is as small as possible.
A supervisor appointed by the European Commission will monitor the US investigators' actions - an additional safeguard negotiated by the EU.
The US government says that under the TFTP, data searches "must identify the terrorism-related basis, which is systematically logged and auditable".
The European Commission says the data transferred under TFTP can include identifying information about the originator and/or recipient of the transaction, including name, address, national identification number and other personal data related to financial messages.
The Commission says "the essence of the TFTP is that each month a large volume of data is transferred".
How long will the US be able to keep the data?
Five years. The EU's Home Affairs Commissioner, Cecilia Malmstroem, said that in the negotiations, "the US produced analysis showing the high value of data that are between three to four and four to five years of age. We have agreed therefore to keep the five-year period".
The new agreement will be in force for five years, renewable year-by-year thereafter.
The EU plans to set up a European TFTP, which may be launched in a few years' time. If that happens, then Europeans' data will be filtered first before US investigators get access to it.
What if an EU citizen thinks his/her data has been misused?
The deal contains an assurance that aggrieved EU citizens will have the right to legal action in the US courts. This was something that MEPs demanded, but critics doubt its validity.
Some MEPs have voiced fears that the privacy protections enjoyed by American citizens under US law will still be greater than those of EU citizens.
The lobby group European Digital Rights (EDRI) says that "contrary to the flowery wording in the agreement, as an executive agreement it cannot be invoked in court in the US".
EDRI also fears that transfers of raw data to third countries - outside the EU and US - may still take place, despite a clause in the agreement ruling that out. EDRI says the transfer of "leads" in investigations is allowed - and "leads" may contain personal data.
Don't US officials already see our personal data when we fly to the US?
Yes, that is covered by a separate agreement - the transfer of air passenger data to the US and Australia, known as Passenger Name Records (PNR).
Like the TFTP, this system was brought in as a US response to the 9/11 suicide attacks in 2001. It obliges airlines and travel agents to transfer data on travellers to the US, including the passenger's itinerary, where the ticket was bought, the seat number and payment details.
The PNR system is currently under review in the EU, because MEPs are demanding more data protection safeguards. The Commission is drafting a "standard model" for PNR with third countries, which MEPs are expected to vote on later this year.