“Just last week, the Belgian and Dutch data protection authorities announced an inquiry into alleged unauthorised access to the SWIFT servers; I wholeheartedly welcome this,” said Dutch MEP, Sophie in’t Veld (D66, ALDE).
“The main server is located in the Netherlands, and SWIFT headquarters are based in Belgium,” said in’t Veld, adding: “The Dutch authorities have failed in their duty to investigate, despite our repeated calls. I’m sure if it hadn’t been the United States, as it is widely presumed to be, but some IT whizz-kid breaking into the SWIFT servers, our Minister of Justice would have had him arrested and locked up for years.”
The Belgian and Dutch Data Protection Authorities (DPAs) said they will be conducting an investigation into the security of SWIFT’s payment networks following international media reports on foreign intelligence services – possibly the NSA – allegedly having unlawful access under European law to financial messaging data at SWIFT.
The Dutch Data Protection Authority (CBP) and the Belgian Data Protection Authority (CPP) probe aims to determine whether third parties could gain unauthorized or unlawful access to European citizens’ bank data.
The investigation follows press reports that American security services have allegedly gained direct access, contrary to the privacy terms in the Terrorist Finance Tracking Program II Agreement (TFTP agreement) which SWIFT is subject to.
SWIFT handles international financial messaging for over 10,000 financial institutions from about 200 countries. SWIFT is regulated by the TFTP agreement, concluded in 2010 between the European Commission and the United States.
The TFTP agreement, on the exchange of bank data between the European Union and the United States, is supposed to operate in the context of the fight against terrorism, and enables the United States to request data on bank transactions through a special procedure. The agreement contains several terms on privacy, including how this data may be used and external oversight of this use.
However, at the time of its signing, the European Parliament expressed strong reservations regarding the agreement; In’t Veld, and others, having outlined concerns about its potential misuse. Though scorned by the Commission at the time, in’t Veld’s concerns are now accepted as prescient, and the narrative of her criticism has been greatly amplified by disclosures made by former NSA contractor Edward Snowden.
In’t Veld said: “In Europe, we tend to turn a blind eye when it’s our American friends. When we noted the Dutch authorities weren’t acting firmly, we called on Europol to investigate. However, Europol can only act upon the request of at least one Member State. Apparently, not a single one of the EU’s 28 Member States felt it was worth investigating.”
“This inaction contrasts rather strongly with the firm language of the proposed EU cyber security strategy, which is supposed to keep our systems safe.”
There are wider issues relating to Europe’s data governance. In’t Veld remarked: “As rapporteur for the EU-US Passenger Name Record (PNR) agreement, I recommended rejection of that agreement. Now, I have even more reason to call for its termination, or suspension at the very least. And, I would say, we should certainly use the Transatlantic Trade and Investment Partnership (TTIP) as leverage.”
She remarked: “I am a strong supporter of the free trade agreement. But we cannot sign up to just anything, until the spying and mass surveillance issue has been resolved. Strong data protection rules are not an obstacle to, but a precondition for, a free flow of data.”
Last week, European Justice Commissioner, Viviane Reding’s supposedly ‘off the cuff’ remarks about the need to create a European intelligence agency, by 2020, split opinions across the EU. In’t Veld’s view is that: “An EU intelligence agency is probably a good idea – eventually. There is an embryonic one body already, IntCen. However, first we have to get the oversight mechanism in place.”
Last Thursday, in’t Veld chaired the European Parliament’s tenth Civil Liberties Committee inquiry hearing on the electronic mass surveillance of EU citizens. The LIBE Committee considered the need to step up the security of EU information technology (IT) systems. Parliamentary oversight of intelligence services in Belgium and Denmark were also debated, and IT experts advised MEPs on possible technical measures to step up IT security in the EU institutions – in order to prevent, and remedy, unauthorised access and the disclosure or loss of information and personal data.
MEPs also continued their exploration of various national arrangements for parliamentary oversight of national intelligence activities, this time Belgium and Denmark were in the spotlight. The situation in Belgium was discussed with Vice-Chair of the Belgian Senate and member of the Intelligence Services Oversight Monitoring Committee, Armand De Decker, and Intelligence Services Oversight Committee Chair Guy Rapaille.
On Denmark, MEPs heard Karsten Lauritzen a member of the Legal Affairs Committee and spokesperson for Legal Affairs, of the Danish parliament (Folketing).
The inquiry’s preliminary findings, which will feed into its final report, will be set out in a working document to be tabled at the inquiry hearing, today, in Strasbourg. This document will focus on the democratic oversight of intelligence services. At this hearing, MEPs will also discuss court cases and complaints about national surveillance programmes, as well as the division of competences between member states and the EU on national security issues.