What basically everyone interested in these matters had already expected became true: despite the civil liberty concerns that it raises, the European Parliament approved the so-called SWIFT-agreement that would give the United States access to innocent European citizens' banking data in order to track money used for terrorist financing.
To give a brief recap (though I assume that everyone is at least somewhat familiar with the debate): Despite a moving speech by Vice-President Joe Biden to sweet-talk the European Parliament (EP), the EP had voted down the first draft agreement in February 2010 for insufficient data protection standards, thus forcing the European Commission (EC) to go back to the negotiating table with the US. A second draft-agreement was subsequently presented to the EP and the European Public which, as explained in my earlier post, did still not meet one of the most crucial requests that the EP had set as a condition for approving the agreement. Therefore, additional concessions had to be made, until the EP eventually felt comfortable with giving its consent to the SWIFT agreement on July 8th.
Yet, at a closer look it appears that most of their reasons are good enough for the uninformed public but not for someone who really bothers with the details of it. Hence, before the vote, I wrote three Members of the European Parliament (MEPs) to express my doubts regarding the agreement. The two immediate replies I received, namely from Manfred Weber (Christian-democrat/EPP) and Alexander Alvaro (Liberal/ALDE), both maintained that yet another rejection of the agreement could not be mandated. Unfortunately, they failed to give me an appropriate answer of why this was the case or to seriously dwell on my concerns.
Indeed, ignoring my arguments, the answer I got from them was simply that contrary to the draft rejected in February, European citizens' privacy and data protection rights were now more clearly regulated and that relevant civil liberty concerns had hence been sufficiently addressed to allow for the approval of the SWIFT agreement (whose very need for existence no one seems to question!): Whereas Mr. Weber just made a general statement, Mr. Alvaro was more specific and underlay its position by referring to article 16 (Right to Rectification, Erasure, or Blocking) and 18 (Redress) of the agreement to make his point. I would have hoped for more founded arguments, considering that, anticipating their answers, I had already indicated to them that I would not accept the enumerating of these articles as evidence that appropriate data protection was now accorded to Europeans in the US because, as I read the agreement, these articles have a merely symbolic meaning. (I hoped they would prove me wrong, but so far they haven't).
For those of you who are not very familiar with the agreement and the underlying context: It is true that article 16 and 18, as cited by Mr. Alvaro, generously name data protection rights. The one of special interest here is the one of article 18 as it is the one that should provide for the mechanism that is absolutely necessary for you to be able to enforce the rights accorded to you by article 16 against the US. Article 18 solemnly proclaims:
"Any person who considers his or her personal data to have been processed in breach of this Agreement is entitled to seek effective administrative and judicial redress in accordance with the laws of the European Union, its Member States, and the United States, respectively."
What is wrong with this is precisely the fact that effective judicial redress (for the rights embedded in article 16) in accordance with the laws of the United States is an empty promise if you hold the wrong citizenship or have the wrong residence. I can only repeat over and over again that without a green card or US citizenship, you only have "the right to request access to federal agency records or information" according to the US' Freedom of Information Act (FOIA). It is true that this right is enforceable by EU citizens in US Courts, and in that sense judicial redress is available. But as a European, in a US court judicial redress is not available to enforce the more meaningful
"right to request the amendment of records that are not accurate, relevant, timely or complete; and [..] the right of individuals to be protected against unwarranted invasion of their privacy resulting from the collection, maintenance, use, and disclosure of personal information[,]"
or to sue the government for violations of these rights because these rights are provided only to people that qualify as "individuals" under the US Privacy Act of 1974, in which "individuals" are defined as those people that either hold US citizenship or a green card. Hence, the rights generously mentioned under article 16 and 18 are empty promises because, even if the US might commit to granting Europeans these rights, no corresponding right to enforce them in a US court is provided under domestic US legislation, and neither article 16 nor 18 change this. Indeed, as article 20 of the agreement states,
"[t]his Agreement shall not create or confer any right or benefit on any person or entity, private or public."
Anyone who knows a little bit about international treaty law knows that this article can't be interpreted but to mean that the EU and the US explicitly exclude the possibility that the SWIFT agreement might be self-executing. That is, the SWIFT agreement does not create rights that are directly actionable by individuals, but only a promise given to the EU by the US that European citizens' data protection rights will be respected. Therefore, whereas the EU can now request the US to respect European citizens' data protection rights lest to revoke the SWIFT agreement, as an individual there is nothing I can do if the US denies me effective judicial redress to enforce my privacy rights enshrined in the agreement, since the US does not owe any obligation directly to me or any other EU citizen. (For some general free background reading on the direct applicability of treaties in domestic US law, see here for instance.)
Moreover, the way the agreement is phrased means that the US' current legal framework is already enough to ensure the automatic compliance of the US with the obligations it owes to the EU. Indeed, the above-cited article 18 continues:
"For this purpose and as regards data transferred to the United States pursuant to this Agreement, the U.S. Treasury Department shall treat all persons equally in the application of its administrative process, regardless of nationality or country of residence. All persons, regardless of nationality or country of residence, shall have available under U.S. law aprocess for seeking judicial redress from an adverse administrative action." [emphasis mine]
The difference in the wording of "its administrative process" and "a process for seeking judicial redress" is crucial. As I see it, it can only be interpreted in the sense that no discrimination is permissible in granting administrative redress to data subjects, but that discrimination in the application of judicial redress is acceptable, as long as Europeans are granted some other type of judicial redress mechanism even if it is not the one granted to US citizens. In that sense, the US legal framework as defined by the FOIA and the Privacy Act does live up to the promise contained in article 18 of the SWIFT agreement, in that domestic US law provides for some judicial redress mechanism for the data protection rights of EU citizens. No article anywhere defines what characteristics such a mechanism should foresee or what rights should be enforceable with it to meet the article 18 requirement: To say it once again, the FOIA might foresee a judicial redress mechanism accessible by EU citizens, but only for the rights granted by that legislation which are absolutely insufficient for enforcing effective privacy and data protection safeguards. The more far-fetching privacy rights that US citizens are granted under the Privacy Act, most importantly the right to sue the US government for an unwarranted invasion of one's privacy, are still not accessible by Europeans.
Admittedly, one might spot a positive sign indicating that the US might consider changing its domestic privacy legislation in what results from a comparison between an earlier June draft of the SWIFT-agreement and the one that was eventually submitted to the EP for approval: whereas the earlier draft specifically stated that "[t]his Agreement is not intended to and shall not derogate from or amend the laws of the United States…", this has now been removed from the agreement which now says that "[e]ach Party shall ensure that the provisions of this Agreement are properly implemented. Maybe this gives some hope that the US might finally be willing to move towards recognizing the human right to privacy also of non-American human beings by extending the scope of its Privacy Act, or that the EU might at least informally require the US to adjust its legal framework. This might also be seen in the fact that the EP, when giving its consent to the conclusion of the agreement, explicitly instructed
""its President to enter into inter-parliamentary dialogue with the Speaker of the United States House of Representatives and the President pro tempore of the United States Senate on the future framework agreement on data protection between the European Union and the United States of America."
Yet, as MEP Jan Albrecht pointed out, by approving the SWIFT agreement without a general data protection framework agreement having been concluded between Europe and the US, or without requiring changes to US domestic legislation as a necessary prerequisite for the SWIFT agreement's entry into force, the European Parliament has lost much of its leverage it could have had on the US Congress and government to amend the Privacy Act. The hope that the US might nevertheless remove the current discrimination thus seems illusionary, also because it would probably result in the illegality of many of the procedures with which the US is generally treating foreigners (US-VISIT just to mention one example).
At this point, faced with a European Parliament that did not live up to its expectations of being a guarantor of EU citizens' interests and fundamental rights, all that there remains is to hope that my predictions are wrong and that despite the huge legal costs that this would involve, some European will make the effort to bring a lawsuit all the way up to the European Court of Justice to have the SWIFT agreement declared null and void for breaches of Europeans' fundamental freedoms and EU privacy laws. Hope dies last, so let's lean back and wait. And I will keep you posted on it.
[Comment: I met MEP Weber at a recent privacy event on September 15th, 2010. I don't think he connected my name to the email, but I approached him to ask if he knew why the US did not want to change the US Privacy Act to encompass every person in its scope independent from nationality or residence. His reply was that the US cannot afford higher protection standards to EU citizens than it does to US citizens, which would happen if the US agreed to grant Europeans European protection standards. (European data protection standards are commonly seen as more demanding than the corresponding US standards.) While from a US perspective this is a justified position, it does not explain however why the US refuses to apply the standards it already grants to US citizens also to Europeans, and why the EP did not insist on this issue. And this was all I was asking for. Even though demanding the US to adopt EU data protection standards for the handling of EU data should be mandatory, I would settle for less: What an easy request to fulfill for the US to just extend the Privacy Act's scope to every human being! Is that a too high price to pay for widespread access to European data?]