Brussels Blogger

The EU justice and home affairs minister are about to agree on a large-scale banking data sharing plan with the United States. The agreement will have a massive impact on the privacy of banking data of European businesses and citizens.

Background of the deal

It’s everything about SWIFT, a company that handles the bank transactions for thousands of bank, inluding most European banks. SWIFT is based in Belgium but has also a branch in the USA. Under the TFTP programme the US government forced the US branch (which mirrors all data based in Belgium) to allow government access to all these bank transactions in order to help anti-terrorism operations.

SWIFT is now moving all its data centers outside the EU and the US, to Switzerland. In order to continue allowing the US authorities accessing all banking data a high level agreement between the EU and the USA is currently being negotiated. It is likely to be agreed on in the EU council of minister meeting next Monday, 30 November 2009.

Why is the SWIFT deal dangerous?

The move of SWIFT the data server to Switzerland would be an excellent opportunity to stop the nearly unlimited access of US authorities on EU bank transactions. But EU justice and interior minister are apparently keen agree a deal as soon as possible, on 30 November. Why 30 November? Because one day later, on 1 December 2009, the EU’s Lisbon Treaty will be in force and would allow the European Parliament to play a major role in the negotiations of the deal with the USA. A deal one day before will be a slap in the face of democracy in the EU.

SWIFT handles 15 mio bank transactions daily for more than 9000 banks worldwide. Nearly every transnational bank transaction within the EU is recorded in the SWIFT data centers, including amount, sender, recipient, and transaction comments. The agreement will even allow to transmit “other personal data”.

This will allow US authorities to establish a huge data mining database, allowing to query every substantial business link within the EU. No question that the United States will never admit that openly. But data protection agreements should not be based on hope but on principles. The current draft is based on hope.

Is there no opposition to the deal?

When German media reported about the deal about 2 weeks ago some opposition to the deal was raised. Germany, France and Austria seem to had important data protection concerns. Finally it was reported that Germany would even block the deal. Two weeks later all the opposition apparently has disappeared and Germany will now abstain from the vote on Monday, paving the way for the agreement coming into force.

MEPs in the European Parliament have raised concerns as well, but if the deal is agreed before 1st December, there will be no way for them to have a say.

No reciprocity

The most suprising fact related to the EU negotiations with the US is the missing demand of reciprocity. In other words: while the US will be able to access EU banking data no access to US banking data by EU auhtoirties is being foreseen.

Open questions

It is unclear to me what exact legal form the agreement with the United States will have. To my knowledge it will probably not require any ratification by national parliaments. It needs to be seen whether procedures against the deal will be able to be launched at the European Court of Justice. They could potentially be based on the EU’s current, rather strict data protection legislation.


I am very interested in your opinion on this topic. Please use the comments below.

Update: See also this follow-up article before the vote of the MEPs on 11 February 2010.


Thursday 26 Nov at 14:00: Pressure grows on opponents of bank transfer data deal (European Voice)

Thursday 26 Nov at 22:00: Facebook group against SWIFT data transfer deal

Friday, 27 Nov at 09:00: Follow-up post: 5 reasons why the SWIFT deal is very bad for Europe

Author :


  1. I find this totally outrageous. I’ve already contacted the finnish media about this and also tipped BBC, the Guardian and Telegraph from UK. Don’t know if they have the guts to intervene but atleast I’ve done my effort. Every european should do the same so this would get full media coverage before it’s too late.

  2. Not so fast..

    In order to do that with a system that is installed in Swiss soil you’d need the Swiss to collaborate as such a system would otherwise run under both bank secrecy and data protection, and Google has already discovered that Switzerland takes those laws very seriously – especially after the UBS affair.

    You could indeed ask another question: why exactly is the EU going to collaborate with a nation who is in any form a competing economic entity? What about all those data protection laws?

    Or are they just as flexible as the laws on stolen goods, which was broken by Germany when it bought (and resold) stolen Liechtenstein data?

  3. Wow, this generating 3 concerned replies. Good like to you guys fighting this on Twitter. May I suggest you also grab some pitchforks, for good measure?

  4. @Peter It is all very confusing: in fact it seems like SWIFT is keeping its data centers in the Netherlands too.

    What is very much surprising in all the story: why has nobody brought legal action against SWIFT in Belgium so far? Even the Belgian government declared that the SWIFT practice with the USA in in breach of European and Belgian data protection laws.

  5. @Mark Klamberg:

    Yes, there seems to be no “automatic” provision of all data. But requests will likely be limited only by geographic region (i.e. all transfers going to or coming to a specific country) and the agreement defines also that if the EU authority (SWIFT?) is not able to provide the specfically requested data a bulk transfer of data will be done.

    Please read especially article 5 (h): “Information obtained through this Agreement shall only be shared with law enforcement, public security, or counter terrorism authorities in the United States, European Union, or third states to be used for the purpose of the investigation, prevention, or prosectution of terrorism or its financing.

    This means data can be transferred to Pakistan, Afghanistan or whatever country cooperating on anti-terrorism.

    Please note also that nowhere in the document it is noted that data must be treated according to EU data protection legislation.

  6. I think your article somewhat misrepresents the actual draft text.

    Firstly, this is in the context of combatting the financing of terrorism, and is treated with more respect to private data and reciprocity than you seem to suggest. There is first a clause of reciprocity within the draft decision, I quote

    “relevant information obtained through the TFTP, is made available to law enforcement, public security or counter terrorism of MEmber States, or Europol or Eurojust, for the purpose of the prevention, investigation, detection or prosecution of terrorism or terrorist financing”

    The TFTP is the U.S Treasury’s Tracking and Financing Tracking Program.
    The EU not having an equivalent TFTP (yet), it is to the M-S that the TFTP shares information, while the Member States here identify actors of interbank financial telecommunications and ask THEM to grant relevant information. Article 9 of this same Decision however states that the TFTP will fully and on reciprocal basis cooperate with ‘Future Equivalent EU system’

    Finally, the granting of information is on a case by case basis, and limited to the people or entities jointly identified as suspicious. It is not a green light into EU finances.

  7. Shocking? Shocking? It’s been more of the same for ages. Think identity papers with chips carrying full personal data dumps in them. Think airline passenger data. The US is big on hoardding data ohne ende, for 75 or was that 99 years, and not giving anything back. It’s been happening for ages, nobody stirred a fuss. Why would banking data be more important than everything they already get for free, with nothing in return requested?

    The US state department is big on “reciprocity” *IT* says, but if it was we’d get something back. We don’t. Recall McKinnon? He can be extradited under a “reciprocal” treaty the US has conveniently forgotten to ratify. There are plenty more treaties where that one came from.

    If Europe had any balls we’d demand reciprocity collectively: We’d fingerprint and swab for DNA every single American air passenger, demand copies of his birth certificate a week before he even enters the plane. We’d demand full access to all banking transactions in, with, or passing through the US before they even happen.

    But we don’t. We give in. Shocking? Psah, I say. We’re asleep at the wheel and liking it.

  8. @Cpangratis

    On data protection: as long as EU data protection rules for EU data are not guaranteed (and they are NOT, in the agreement) and as long as the data can be given to third countries that cooperate on terrorism investigations (Pakistan?) the protection is very very weak.

    On reciprocity: Article 9 is very vage. “Cooperation” is promised. In a proper agreement such cooperation would be clearly defined. Also I am very aware that the US will share some of the findings with EU authorities. But what happens with the raw data is not said. We need to keep in our mind that such data access and sharing does not even happen within the EU. So why with the US?

    In general: I am questioning the whole thing. How can you possibly track down terrorists by watching financial transactions? But if you already know the terrorist that you should simply freeze their bank accounts. So what is the point of the data transfer?

  9. Nice article having so much informative content specially those who follow or relate with financial market also it helps me in my subject.

    Thanks for sharing such nice article with us.

Comments are closed.