A proposal to allow bulk transfer of bank data to the US for scrutiny by law enforcement agencies has been criticised by the European privacy watchdog Peter Hustinx.
"I am fully aware that the fight against terrorism and terrorism financing may require restrictions to the right to the protection of personal data," said Hustinx in a statement. "However, in view of the intrusive nature of the draft agreement, which allows transfers of data in bulk to the US, the necessity of such scheme should first be unambiguously established, especially in relation to already existing instruments."
The draft agreement — the Terrorist Finance Tracking Programme (TFTP) Agreement — was adopted by the European Commission on 15 June. At the time, the Commission said that the proposed deal would "increase the security of European citizens while at the same time fully respecting their rights to privacy and data protection".
It is intended to replace an interim agreement that was voted down by the European Parliament in February. The interim agreement, which allowed US investigators access to financial data held by the Swift banking network, was not proportionate, MEPs decided.
Hustinx noted on Tuesday that the US and Europe already have procedures in place to share financial information for law enforcement purposes, including an agreement on mutual legal assistance.
Even if bulk transfers of banking data are stricken from the draft US/EU data-sharing agreement, the draft still needs further work so it complies with EU protection law, he added.
Requests from the US Treasury for data should be entrusted to a public judicial authority, the privacy supervisor argued. Bulk transfer should be replaced with European filtering mechanisms, so that only relevant data is sent.
He also recommended that the storage period for data that has not been requested by the US should decrease, while independent oversight should increase.
Hustinx's criticisms come as the European Parliament is negotiating the transfer of Passenger Name Record (PNR) data to the US, to ensure that the transfer does not infringe data protection law. In addition, the European Commission is negotiating a data protection deal with US authorities.