Since the summer, a crisis has been building between the United States and the European Union over transatlantic data transfers, privacy and national security surveillance. Recent rulings from Europe’s highest court and its privacy regulators reflect an unwavering perception in Europe of U.S. surveillance as lacking in privacy protections for foreign persons. In late November, Adam Klein, chair of the U.S. government’s Privacy and Civil Liberties Oversight Board (PCLOB), added to the swirling debate. Klein penned a sharply worded statement intended to remind Europeans that U.S. government analysis of European data for counterterrorism purposes is done in a way that protects Europeans’ security as well as their privacy. On Dec. 3, the chair of the European Data Protection Board (EDPB) returned fire.
The escalation began in July, when the Court of Justice of the European Union (CJEU) ruled in Schrems II. The CJEU’s holding invalidated the U.S.-EU Privacy Shield and forced many companies to change the legal mechanism they use to protect data sent from the EU to the U.S. Companies had to shift quickly to using standard contractual clauses (SCCs) instead. While the ruling did not interrupt data flows at the time, the CJEU also insisted that companies bolster SCCs with additional safeguards to protect against the risk of foreign surveillance of transferred data.
On Nov. 10, the EDPB produced draft guidance recommending, among other things, that companies employing SCCs adopt safeguards in the form of end-to-end encryption of data. The EDPB pointed out that end-to-end encryption was not feasible for data transfers to cloud service providers, which require access to unencrypted data, or for transfers within a corporate group for shared business purposes such as human resources or customer service. If the EDPB guidance survives unchanged, companies would be legally unable to conduct these major types of transatlantic data transfers. The unexpectedly tough pronouncement added urgency to U.S. government efforts to pursue with the European Union a successor to the Privacy Shield that would resolve the surveillance issues for SCCs as well.
This backdrop helps explain Klein’s Nov. 19 public statement, which he issued in conjunction with the PCLOB’s completion of a review of the privacy practices of the Terrorist Finance Tracking Program (TFTP). Operated by the U.S. Treasury Department, the TFTP analyzes the global flow of transactions believed to be connected with the financing of terrorism. It relies on data collected by the Society for Worldwide Interbank Financial Telecommunication (SWIFT), a Belgium-based company that enjoys a near monopoly on messaging services for international financial transactions. Since 2010, a binding U.S.-EU agreement has governed the Treasury Department’s requests for large tranches of financial messaging data from SWIFT’s European databases.
Klein’s statement illuminated the substantial benefits that the TFTP agreement has yielded for European police and security services. More than 40 percent of the database searches performed by the Treasury Department during the three-year period examined by the PCLOB were on behalf of EU member states or Europol, the EU’s police intelligence organization. The EU and its members accounted for nearly 75 percent of all TFTP leads disseminated to foreign governments. And the 80,000 individual leads shared with Europe were related to some of the most notorious terrorist attacks on the continent in recent years, including the 2015 attacks in Paris and the 2017 attacks in Barcelona. After the 2011 massacre in Norway by Anders Breivik, TFTP information on the assailant’s funding sources assisted authorities in neighboring Finland in breaking up a similar planned attack.
As Klein points out, the TFTP “resembles an outsourcing arrangement, with the US Treasury Department effectively serving as an offshore service provider for the EU and European governments.” He unsparingly explains why the EU has “effectively deputized” the U.S. Treasury to perform counterterrorism searches of European data: The U.S. service is free and fast, and it yields actionable intelligence, all while avoiding the inevitable privacy law complications that would have limited the scale and effectiveness of a European version of the system.
When the EU reluctantly agreed to the TFTP agreement, there was a widespread sense of unease in Brussels about relying on the United States for counterterrorism analysis of data located on European soil. Indeed, the TFTP agreement itself cited “the possible introduction of an equivalent EU system allowing for a more targeted transfer of data.” In 2013, the European Commission dutifully prepared the ground for legislation, but a European TFTP never got off the ground. (As a U.S. Mission to the European Union official at the time, I can attest to the lack of enthusiasm among EU officials.)
Bringing up these uncomfortable truths about the TFTP now may be an effort to affect the EU’s priorities in the commercial data privacy negotiations, where privacy rights constituencies exert large influence. The U.S. government appears to be aiming to empower law enforcement and security voices within the Council of the European Union, the decision-making body made up of member state governments. These national governments—and not the EU itself—operate foreign surveillance programs, and better understand their security benefits and privacy trade-offs. “Transatlantic discussions about surveillance and privacy could be improved by greater candor about what each side is doing, and why,” as Klein writes.
Equally importantly, Klein’s intervention spotlights for the European audience the PCLOB’s existing role as an independent overseer of a sensitive U.S. intelligence analysis program built on European-located data. In Schrems II, the CJEU demanded that Europeans whose personal data is commercially transferred to the United States and subsequently acquired by the National Security Agency be guaranteed redress before an independent and impartial U.S. court. The PCLOB’s oversight work is already well respected in Brussels, and the agency has been floated in several expert proposals as a potential part of a future U.S. government solution with the EU on the redress question. A little bit of self-promotion probably can’t hurt.
But the bold tone of the Klein statement also entails some risk—and indeed, it already has stirred a reaction in European data protection circles. On Dec. 3, Andrea Jelinek, the chair of the EDPB, composed of the data protection authorities of all EU member states, published a letter questioning the sufficiency of the privacy protections in the TFTP agreement. Jelinek drew attention to the large scale of data transferred from SWIFT to the U.S. Treasury and to its “very problematic” retention for a period of up to five years. She ended with a call for a review of the entire agreement. It’s possible that the PCLOB chair’s vigorous public defense of the security benefits Europe quietly derives from the TFTP could end up endangering the program, inadvertently leading to an even more troubled overall transatlantic data transfer picture.