«EUROPEAN COMMISSION Brussels, 13.7.2011 COM(2011) 429 final COMMUNICATION FROM THE COMMISSION TO THE EUROPEAN PARLIAMENT AND THE COUNCIL A European ...»
COM(2011) 429 final
COMMUNICATION FROM THE COMMISSION TO THE EUROPEAN
PARLIAMENT AND THE COUNCIL
A European terrorist finance tracking system: available options
COMMUNICATION FROM THE COMMISSION TO THE EUROPEAN
PARLIAMENT AND THE COUNCILA European terrorist finance tracking system: available options
1. INTRODUCTION When the Council agreed to the conclusion of the Agreement between the European Union and the United States of America on the processing and transfer of Financial Messaging Data from the European Union to the United States for the purposes of the Terrorist Finance Tracking Program (EU-US TFTP Agreement)1, it also invited the Commission to submit to the European Parliament and the Council within one year after the date of entry into force of the Agreement (1 August 2010), "a legal and technical framework for extraction of data on EU territory".2 The European Parliament has also consistently asked that in the longer term a durable, legally sound European solution to the issue of the extraction of requested data on European soil be envisaged.3 The Communication "The EU Internal Security Strategy in Action: Five steps towards a more secure Europe" also already stated that the Commission will develop a policy for the EU to extract and analyse financial messaging data held on its own territory in 2011.4 Given the proven effectiveness of the US TFTP, a European system is expected to contribute significantly to efforts to cut off terrorists' access to funding and materials and follow their transactions. Reference can also be made to Article 11 of the EUUS TFTP Agreement, which states that during the course of the Agreement, the European Commission will carry out a study into the possible introduction of an equivalent EU system allowing for a more targeted transfer of data. This Communication is the first stage of the Commission’s response to this Article and the Council's invitation. It describes the different steps the Commission has taken to move towards establishing such a “legal and technical framework”, and presents the different options under consideration for achieving this goal. It does not at this stage indicate one preferred option – it does however present the relevant points to take into consideration with respect to the options considered. Given the political importance of the issue and its legal and technical complexity, the Commission wishes to inform the Council and the European Parliament of the state of play, and trigger a debate. The Commission considers such further debate useful before presenting, on the basis of an Impact Assessment, concrete proposals.
In this context, it should be stressed that this Communication does not prejudge the proposal that the Commission will put forward. Any future proposal will take into account the discussions mentioned above and the Impact Assessment, which will be based on a study which the Commission has contracted out in the second half of 2010. Given the impact a legislative proposal would have on fundamental rights, and in particular on data protection, the Impact Assessment will pay particular attention to the necessity and proportionality of any measures which the Commission may propose. To that end the Commission will follow the
In addition, the Impact Assessment will provide the necessary technical background material, as well as a detailed assessment of all available options. These issues have already been discussed with many stakeholders in this area, including Member States authorities, data protection authorities, Europol and the designated provider. The final results of the study mentioned above will be available only by the end of this year. To support the preparation of an Impact Assessment, the European Commission has organised three expert meetings with the same stakeholders, as well as the U.S. authorities involved in running the TFTP. The options discussed in this Communication build on the preliminary results of the study and the discussions in these expert meetings.
2. GOALS OF ESTABLISHING AN EU TERRORIST FINANCE TRACKING SYSTEM
There are two main reasons for establishing an EU terrorist finance tracking system (TFTS):
• the system must provide an effective contribution to the fight against terrorism and its financing within the European Union;
• the system must contribute to limiting the amount of personal data transferred to thirdcountries. The system should provide for the processing of the data required to run it on EU territory, subject to EU data protection principles and legislation.
In the United States, the Terrorist Finance Tracking Programme (TFTP) has proven to present significant added value to the fight against terrorism and its financing, benefitting not only U.S. authorities, but also the authorities of the Member States of the European Union and third countries. The recent review of the EU-US TFTP Agreement6 confirmed that since the establishment of the TFTP in the U.S., more than 2500 reports have been shared with the authorities of third countries, the overwhelming majority of which (1700) have been shared with the European Union. The effectiveness of the U.S. programme and its value for combating terrorism and its financing have also been confirmed in the two reports presented by Judge Bruguière, who was appointed by the European Commission in 2008 to review the programme. The TFTP derived information which was provided to EU authorities included significant leads in relation to a number of high profile (attempted) terrorist attacks, such as the Madrid and London attacks, the 2006 plot to bring down transatlantic flights using liquid explosives, and the 2007 attempted attack on U.S. interests in Germany. The EU Review Team also concluded that it had been provided with “convincing indications of the added value of TFTP to the fight against terrorism and its financing”. Given these experiences, there are solid grounds for believing an EU TFTS will also provide significant added value to the efforts of the EU and the Member States to combat terrorism and its financing.
Whilst the effectiveness of the U.S. TFTP for combating terrorism and its financing is not in doubt, serious concerns have been raised in relation with its consequences on the fundamental rights of citizens. These concerns are mainly centred around the fact that the implementation of the EU-US TFTP Agreement entails the provision of large amounts of personal data (“bulk data”) to U.S. authorities - the vast majority of this data concern citizens who have nothing to COM(2010) 573 final, 19.10.2010.
SEC (2011) 438 final, 30.3.2011 EN EN do with terrorism or its financing. The data is provided in bulk (on the basis of relevant data categories) rather than on an individual basis (in response to a request concerning one or more individuals), due to the fact that the provider of these data does not have the technical capacity to provide the data on an individualised basis. In addition, in order for the provider to release such data on an individualised basis, it would need to set up a dedicated search and analysis function, which is not required by its business processes, and would entail significant resource implications. Also, requesting data on an individualised basis would mean that the provider would in effect be made aware of which individuals are investigated in the context of terrorism investigations and their financial relationships. This could have an impact on the effectiveness of such investigations.
To compensate for the provision of bulk data, significant safeguards have been put in place to ensure that no misuse of the data can take place, including that the provided data may only be searched and used for combating terrorism and its financing. The recent review of the EU-US TFTP Agreement has confirmed that these safeguards are indeed implemented in accordance with the provisions of the Agreement.
Nevertheless, arguments have been made that the provision to a third State of such large amounts of personal data constitutes an unwarranted infringement of the fundamental rights of these citizens, taking the necessity and proportionality of this infringement into consideration. This is the reason why the Council invited the Commission to present proposals for establishing a “system for the extraction of data to take place on EU territory” – the overall aim is to ensure that the processing of such data would take place in accordance with EU data protection legislation and principles, and in accordance with the EU Charter of Fundamental Rights. In this context, it should be noted that the collection and processing of financial data by public authorities affects the right to the protection of personal data, which is enshrined in Article 16 TFEU and Article 8 of the Charter.
In accordance with Article 52(1) of the Charter, any limitation of these fundamental rights must be provided by law, with the necessary precision and quality to provide foreseeability, and respect the essence of those rights. It must be limited to what is necessary and proportional to meet a legitimate objective recognised by the Union. These principles must therefore be taken into consideration not only when taking the decision whether or not an EU TFTS should be established, but also with respect to the different available options for implementing the system. Therefore, these principles equally affect the choices to be made with respect to such issues as the scope of the system, the applicable retention periods, rights of individuals with respect to access and deletion etc. These issues are not dealt with in detail in the current Communication. They will need to be analysed fully in the Impact Assessment.
Naturally, the possible establishment of a system for extracting the data on EU territory would have consequences for the existing EU-US TFTP Agreement, as recognised in Article 11 (3) of the Agreement which states that since the establishment of an EU system could substantially change the context of this Agreement, the Parties should consult to determine whether the Agreement would need to be adjusted if the European Union decides to establish such a system. All options would therefore also have an impact on the future implementation and consequent re-adjustment of the existing EU-US TFTP Agreement.
3. MAIN FUNCTIONS OF AN EU TERRORIST FINANCE TRACKING SYSTEMOne of the first issues to emerge from the discussions with stakeholders referred to above is that these stakeholders are overwhelmingly of the opinion that if an EU terrorist finance tracking system (EU TFTS) is to be established, it should be established in the interest of providing security to EU citizens. The system should not be set up just to provide relevant information to U.S. authorities – the authorities of the Member States have a real interest in the results of such a system as well. This approach also implies that whilst the U.S. TFTP could certainly provide inspiration as to how such a system could be set up, a European equivalent system would not necessarily have to copy all elements of the U.S. TFTP. Also, an EU system should be set up taking the specificity of the EU legal and administrative framework into consideration, including the respect of applicable fundamental rights as indicated above.
However, any system aimed at tracking terrorist financing in accordance with the main goals
outlined above would need to foresee the implementation of the following core functions:
• preparing and issuing (legally valid) requests to the designated provider(s) of financial messaging services for the raw data to be provided to an authorised recipient or recipients.
This involves determining the message categories to be requested, how often such messages should be sent, and maintaining contacts with the providers on these issues;
• monitoring and authorising requests to the designated provider(s) for such raw data. This involves verifying whether the request for the raw data have been prepared in accordance with the applicable limitations;
• receiving and storing (processing) the raw data from the designated provider(s), including the implementation of an adequate system of physical and electronic data security;
• running the actual searches on the data provided, in line with the applicable legal framework; on the basis of requests for such searches from authorities of the Member States, the U.S. or other third States on the basis of clearly defined conditions and safeguards, or on the own initiative of the authority (or authorities) entrusted with processing the data;
• monitoring and authorising the running of searches on the data provided;
• analysing the results of the searches, through combining these results with other available information or intelligence;
• distributing the results of the searches (without further analysis) or the results of the analyses to authorised recipients;
• implementing an appropriate data protection regime, including applicable retention times, logging obligations, handling requests for access, correction and deletion, etc.
These core functions would need to be laid down in appropriate legal instruments at the EU level, at the national level, or at both levels, depending on the option chosen.
In addition to considerations with respect to the core functions outlined above, the choice between the available options will depend to a large extent on the way in which they deliver on a number of key issues, which are currently considered in the Impact Assessment and discussed further below.
The expected effectiveness of the different options in meeting the core goal of combating terrorism and its financing is a key factor. Options which increase possibilities for data sharing and analysis at the international level should be favoured from this perspective, since such data sharing and analysis will increase the effectiveness and provide more added value.