52013DC0842

COMMUNICATION FROM THE COMMISSION TO THE EUROPEAN PARLIAMENT AND THE COUNCIL A European terrorist finance tracking system (EU TFTS) /* COM/2013/0842 final */


COMMUNICATION FROM THE COMMISSION TO THE EUROPEAN PARLIAMENT AND THE COUNCIL

A European terrorist finance tracking system (EU TFTS)

Following up the Communication of 13 July 2011 (COM (2011) 429) the aim of this Communication is to inform the European Parliament and the Council of the outcome of the analysis made with regard to the feasibility of the establishment of European Finance Tracking System (EU TFTS).

1. Context 1.1. Origin of the Request and definition

During the negotiations preceding the conclusion of the EU-US TFTP Agreeement[1], discussions took place on how best to protect personal data and respect  fundamental rights in the context of this Agreement. It was argued by some parties that extracting data on European soil would limit the amount of data transferred to the U.S. and would therefore ensure a higher level of data protection guarantees. Some Member States saw an added value in developing an independent European system for tracking terrorist finance in the longer term. The European Parliament asked the Council and the Commission to take all measures necessary to devise a durable, legally sound European solution to the issue of the extraction of requested data on European soil. The Council and the European Parliament, when agreeing to the EU-US TFTP, invited the Commission to submit, within one year of the date of entry into force of the Agreement, a legal and technical framework for extraction of data on EU territory and, within three years of the date of entry into force of the Agreement, to present a progress report on the development of an equivalent EU system[2]. Furthermore, Article 11 of the EU-US TFTP Agreement states that during the course of the Agreement, the Commission will carry out a study into the possible introduction of an equivalent EU system allowing for a more targeted transfer of data.

For the purpose of this Communication an equivalent EU system should be distinguished from a framework for extraction of data on  EU territory. A framework for extraction of data on EU territory is understood to be  a system allowing searches on the data currently provided by the EU to the U.S., to be conducted on EU soil. By contrast, an equivalent EU system would be an independent European system for tracking terrorist finance through access to, searches on and analysis of the data of Designated Provider(s). The establishment of any EU system would require a modification of the EU-US TFTP Agreement.

1.2. Steps taken

In December 2010 the Commission contracted a study which was extended in July 2011 to cover the additional option of a retention and extraction regime. In the course of this study the Commision held four expert meetings involving stakeholders such as Europol, the European Data Protection Supervisor, the TFTP Designated Provider[3] and many Member States' experts, representing interested ministries, law enforcement and intelligence agencies, and Data Protection Authorities.

On 13 July 2011 the Commission, in its Communication to the European Parliament and the Council ('2011 Communication') presented five possible options it had identified for an European terrorist finance tracking system ('EU TFTS'). Of these, three were deemed to be feasible. The objective of the 2011 Communication was to trigger a debate on the way forward and to feed into the Impact Assessement to be undertaken.

The issue was presented in October 2011 in the JHA Council and in the European Parliament Civil Liberties Committee.

As Member States and the European Parliament did not express a clear preference for any of the options it was decided to look at all of them in Commission's Impact Assessment, and to elaborate  on them by developing different sub-options. This Communication builds on the Impact Assessment[4].

2. Commission’s Core principles  and options identified 2.1. Principles of the Information Management Strategy adopted under the Swedish Presidency

In its analysis on the proposed way forward the Commission takes into account the core principles set out in the 2009 Information Management Strategy[5]  and later incorporated and further developed in the Commission Communications on the Overview of information management in the area of freedom, security and justice in 2010[6] and on the European Information Exchange Model in 2012[7] .

Paramount in this regard are the principles of safeguarding fundamental rights, necessity, proportionality and cost-effectiveness.

Safeguarding  fundamental rights as enshrined in the Charter of Fundamental Rights of the European Union, particularly the right to privacy and personal data protection, is a primary concern for the Commission when developing new proposals that involve the processing of personal data in the field of internal security. Articles 7 and 8 of the Charter proclaim everyone's right to 'respect for his or her private and family life' and 'the protection of personal data concerning him or her'. Article 16 of the Treaty on the Functioning of the European Union, which is binding on Member States, Union institutions, agencies, and bodies, reaffirms everyone's right to 'the protection of personal data concerning them'. According to Article 52 of the Charter, subject to the principle of proportionality, limitations on the exercise of the rights and freedoms recognised by the Charter may be made only if they are necessary and genuinely meet objectives of general interest recognised by the Union or the need to protect the rights and freedoms of others.

Interference with the right to privacy is considered necessary if it answers a pressing need, if it is proportionate to the aim pursued and if the reasons put forwards by the public authority to justify it are relevant and sufficient.

Although it is difficult to assess all the costs of terrorism in financial terms, the principle of cost- effectiveness remains. A cost-effective approach takes account of pre-existing solutions to minimise overlap and to maximise possible synergies. An assessement is required as to whether it may be possible to accomplish a proposal's objectives through better use of existing instruments.

2.2. Approach

In light of the principles referred to above the Commission has examined whether an EU TFTS would be necessary and proportionate with regard to its costs, benefits and its impact on fundamental rights, as compared to the current situation.

In terms of benefits, an EU system could increase the EU's and its Member States' capacities to access relevant data and could strengthen their analytical capacities to track and identify terrorists through financial transactions. As financial transactions can yield valuable intelligence that may be unavailable from other sources this tool would have a particular value for detection of terrorist activitity and players involved. Therefore, an EU TFTS could represent an additional intelligence and investigation tool in the fight against terrorism and in enhancing security in the EU, in particular if such a system were to cover multiple financial data providers and types of transactions. The benefits of an EU TFTS need to be balanced with the estimated costs of introduction and maintaining of such a system, including the financial burden for the EU, the Member States, and for Designated Providers of the data in question. 

2.3. Presentation of the Options

A number of options for both the framework for extraction of data on EU territory and the EU equivalent system have been considered.

2.3.1. A framework for extraction of data on EU Territory

A framework for extraction of data on the EU territory could be implemented through a system of retention and extraction of data held by the Designated Provider by allowing direct access to data, which is currently provided to the U.S. under the TFTP. This direct access would be given to US analysts or experts mandated for that purpose.

Under this option, one possibility would be to retain data on the server of Designated Provider for a certain period of time and run searches directly on this server. However, the current Designated Provider under the EU-US TFTP Agreement has put in place strong data protection and security measures which do not allow for the identification of persons mentioned in message data content and so its current database does not permit searches based on personal data. Therefore the creation of a separate database would be required.

Alternatively, data could be extracted and held at a different secure location in the EU. The U.S. analysts or experts authorised to run the searches could either be physically located at the premises of the Designated Provider or could have remote access to the data. In all cases, and regardless of the location of data, comprehensive and solid safeguards would have to be put in place and tailored to the particular set-up of the system. 

2.3.2. An EU equivalent system

A range of options for an EU equivalent system (as outlined in the 2011 Communication) have been assessed, including a fully centralized system at the EU level, a decentralized system at Member States' level and three hybrid systems in which both the EU and Member States would play a role.

Under each option there are different possibilities regarding the scope of the EU system. There are choices to be made as to types of messages and Designated Providers which would be included. An EU equivalent system could stick to or go beyond the type of financial messages and Designated Provider currently covered by the EU-US TFTP Agreement.

· The option of a fully centralized system at the EU level would mean that a single EU body would perform all the key functions of the system: requesting extraction of data, storing data, searching, carrying out intelligence analysis, safeguarding and monitoring the system, and disseminating intelligence leads to Member States. This option is legally unsound as it would not respect Article 72 of the TFEU, which confirms that the primary responsibility for maintaining of law and order and the safeguarding of internal security lies with the Member States. Such a system would be neither feasible nor acceptable for Members States, as it would require the creation of some form of centralized intelligence capacity at EU level

· A fully decentralized system at Member States' level would mean that the system would be run by Member States' competent authorities, with no functions being performed at EU level.  This would mean that data could be transferred to and searched by all 28 Member States in parallel. This option would multiply data flows and have important cost implications.. It would also lead to an increased risk of inconsistent treatment of data, and the creation of uneven data protection mechanisms. Therefore this option is also not considered to be viable.

These two options have thus been excluded from a more detailed assessment.

The three remaining options for an EU equivalent system entail distributing the different functions between different organizations at the EU and national levels ('hybrid systems').

In all these hybrid systems, the data would have to be requested on an ongoing and iterative basis from the Designated Provider(s), extracted, and stored in a database in a secure location in the EU. The actual searches would be then run against this central database. Similarly for all the options, appropriate data protection safeguards would have to be set up.

· A) In the first hybrid system, the EU TFTS coordination and analytical service, an EU central unit would have to be created. This would be tasked with requesting data from the Designated Provider(s), running searches, analysing intelligence and distributing the results. The difference from a fully centralized system would be that the Member States would have direct access to the system and would be able to request searches to be run on their behalf by the central unit or by their own analysts.

· B) The second hybrid system, the EU TFTS extraction service, would also involve the creation of an EU central unit. However, in this option the EU body would run searches at the request of Member States and would disseminate results to Member States without analysing the intelligence. However, the EU body would be able to run its own searches and to analyze the result of these searches.

· C) In the last hybrid system, the Financial Intelligence Unit[8] ('FIU') coordination service, an ad-hoc EU platform would be created. This would not be a permanent body but rather a group of financial intelligence experts participating in meetings. The FIU platform could be possibly upgraded for this purpose. Each Member State would nominate one representative who would act on its behalf. This ad-hoc authority would compile the requests from FIU's of each Member State and issue requests for data from Designated Provider(s) based on these Member State requests. Each Member State's representative would be responsible for running searches, carrying out analysis and managing results on behalf of its own Member State. It would then be up to Member States' competent authorities to make use of the intelligence leads and further disseminate them at national level.

2.3.3. Status quo: EU-US TFTP Agreement

At present the EU and the Member States can request searches to be run by the US under the EU-US TFTP Agreement governing the processing and transfer of Financial Messaging Data from the European Union to the United States for the purposes of the Terrorist Finance Tracking Program ('TFTP').

The TFTP is a counter-terrorism tool developed by the U.S. in the aftermath of the terrorist atttacks on 9/11. It is based on searching the data provided by the Designated Provider, including the data transferred from the EU.

The EU-US TFTP Agreement regulates thoroughly the process of requesting the data by the U.S. authorities. Europol verifies that the requests for data received from the U.S. are in conformity with the Agreement and, in particular, that they are as narrrowly tailored as possible in order to minimize the volume of data that is transferred. Numerous provisions cover secure handling, storage and deletion of the data. Provided data are held in a secure physical environment and stored separately from any other data. The Agreement prescribes a retention period of five years and an obligation to evaluate regularly the need to retain the data. The independent overseers located in the U.S. include two overseers selected by the EU. They exert a continous control on the way the system is run and they have a possibility to check every search conducted by the U.S. Treasury Department to ensure that a subject of a search has a nexus to terrorism or its financing. 

The Agreement also includes provisions on the rights of access to and rectification of personal data, and on redress procedures. The Agreement provides that any person who considers his or her personal data to have been processed in breach of the Agreement may seek effective administrative or judicial reddress in accordance with the laws of the EU, its Member states, and the United States, respectively. The Agreement provides for persons, regardless of nationality or country of residence, to have available under U.S. law a process for seeking judicial redress from an adverse administrative action.

Relevant statutes for seeking redress from an adverse Treasury Department administrative action in connection with personal data received pursuant to the Agreement include the Administrative Procedure Act and the Freedom of Information act. The Administrative Procedure Act allows persons who have suffered harm as a result of U.S. Government action to seek judicial review of that action. The Freedom of Information Act allows persons to utilize administrative and judicial remedies to seek government records. The existing uniform procedures for access to and/or rectification, erasure or blocking of personal data, agreed between the Commission, the U.S. and the Article 29 Working Party, aim to facilitate the exercise of these rights by the EU citizens.  The implementation of the Agreement and its safeguards and controls is subject to regular reviews under Article 13 of the Agreement. Two such reviews were carried out in 2011[9] and 2012[10], concluding that the Agreement had been properly implemented. A third review is foreseen for spring 2014. The Joint Report regarding the value of Provided Data prepared pursuant to Article 6 of the Agreement demonstrates the benefits of the TFTP in preventing and combatting terrorism and its financing and the use of the TFTP made by several Member States. The TFTP information and its accuracy enable the identification and tracking of terrorist and their support networks across the world. It sheds light on the existing financial structures of terrorist organisations and allows for the identification of new streams of financial support and the actors involved.

3. Assessment

When assessing  whether or not to propose the establishment of an EU TFTS the Commission has to reconcile the different views and expectations regarding the level of ambition of an EU system. EU TFTS goals are viewed differently by various stakeholders and decision makers. The Commission examined possibilities and implications of both scenarios against the principles for development and implementation of new policy initiatives detailed earlier. In particular, each option has been weighed in terms of necessity, proportionality and cost effectiveness. 

3.1. A framework for extraction of data on EU Territory

As described in section 2.3.1. the option of a retention and extraction regime would serve as a way to collect, store and run searches on data, which are currently transferred to the U.S. under the EU-US TFTP Agreement, on EU soil. Thus it would not generate additional intelligence benefits for the EU or the Member States, compared to the present situation. On the contrary, with the TFTP data stored in the U.S. and the EU, fragmentation of searches, which currently run against one set of TFTP data, may have a negative impact on the quality and number of intelligence leads and worsen the overall efficiency of the TFTP. It may also significantly slow down the process of analysis, as different consecutive searches on the TFTP data stored in two locations could be necessary to further follow up an intelligence lead. Speed is often essential in terrorist investigations.

The extraction of the data on European soil instead of in the U.S. would not guarantee better protection of personal data per se. Protection of access to data is key to ensuring proper handling of data, regardless of its location. To this end, a set of robust safeguards would need to be put in place which would guarantee the compliance of data processing and handling with the necessary requirements. The system would have to be equiped with a control function responsible for verifying the requests for searches  and their justifications. The role of independent overseers would be crucial in ensuring that the data is used for the limited purposes defined in any establishing Agreement. Measures would have to be taken to prevent unauthorised access to or disclosures of the data such as a maintaining the data in a secure physical environment. Procedures for access to and rectification of personal data and relevant redress procedures would have to be built in. An external audit would have to be commissioned to ensure the correct functioning of the system.

Under the EU-US TFTP Agreement the U.S. does not have access to all data of the Designated Provider but only to the sets of data which the U.S. requested as approved by Europol on the basis of past and current terrorism risk analyses. Unless a similar mechanism of initial narrowing of data requests is put in place, allowing direct searches to be run on all data of the Designated Provider would further increase the data exposure and the impact on data protection rights. This would require significant remodeling of the way the Designated Provider works and how its data are stored. Currently the financial messages which are subject to the Agreement are kept in a form that does not allow idenfication of persons mentioned in message data content. Each financial message is encrypted and searchable only by the metadata, i.e. the date the message was sent, the type of message and the sending and receiving banks involved. The Designated Provider has put in place strong data protection and security measures in order to protect the data of its custumers worldwide. Therefore, in order to enable searches to be run directly on the current Designated Provider server, all these messages would have to be first decrypted. Doing so would be excessive and disproportionate as the Designated Provider server contains more messages than those required for the purpose of combatting terrorism financing. Moreover, a direct access for search purposes would be prohibitively intrusive for the daily operations of the Designated Provider and would create significant operational, security and systemic risks. Therefore, this would require creation of a separate database on EU soil for holding the necessary data of the Designated Provider. 

Important investment would be needed to put the system in place and to guarantee its full compliance with the security safeguards. The premises of the Designated Provider or another secure location would have to be adjusted to the specific requirements, IT and technical solutions would have to be developed and maintained, and well qualified staff who would manage and oversee the system would have to be employed and trained.

In this option the EU and the Member States would bear all inconveniences and costs of a mechanism set up only to serve the TFTP, an instrument owned by a third country. At present,  this option does not appear to be necessary, proportional, or cost effective as it would not bring additional intelligence benefits, would be be costly and demanding to set up and could create risks to personal data protection.

3.2. An EU equivalent system

A fully centralised EU TFTS was excluded from more detailed assessment due to the lack of a legal base and the small chance that Member States would accept an EU centralised role in what is an area of Member State competence. A fully decentralised system was excluded on the basis that it would have had severe costs implications and a multiplied impact on data protection rights. The three hybrid systems assessed would allow varying degrees of  Member State control over the searches that are carried out by them and by the centralised EU body.

Extending  the scope of an EU equivalent system to cover Automated Clearance Houses, e-money, and other non-FIN data would provide intelligence benefits by increasing the EU’s ability to track intra-EU payments, and could create a more ‘future-proof’ system than one dealing only with FIN messaging. However, each addition of a Designated Provider would increase the risk of infringements of data protection rights, and would therefore require a rigid set of conditions, safeguards, and control measures. This would also increase the administrative burden placed on Designated Providers. Adding multiple data providers and messages to create such a complex, organizationally and technically demanding system would also increase costs substantially.

As a consequence of this analysis, any feasible EU TFTS would use only FIN message data, as the Commission believes that the added benefits of using multiple data types and providers do not outweigh the significant cost to private companies and damage to privacy and data protection rights that such a system would entail. Thus, as the EU system would cover only the same Designated Provider and the message type as the TFTP, the quality and quantity of intelligence leads received as well as the data exposure would be comparable to the EU- US TFTP.

As outlined above, there are three options for this EU equivalent system: A) the EU TFTS Coordination and Analytical Service, B) the EU TFTS Extraction Service, and C) the FIU Coordination Service.

Option A would be likely to have a positive impact on the prevention of terrorism and enhancement of security in the EU. Having both EU and Member State teams running searches and analysing results would go some way to ensuring that the specific intelligence requirements of the EU and Member States are fully taken into account and that the system is geared towards the specific “EU threat”. However, this improvement is contingent on an increasing willingness and ability of Member States to share information and analysis in the medium to long term. It is unclear to what extent this increased flow of information can be relied upon. Additionally, as Member States would retain the capacity to request searches from the US under the TFTP, this system would need significant Member State buy-in and cooperation if it were to provide a more coherent EU picture.

Option B could have some positive impact on preventing terrorism and enhancing security in the EU. The system would be more responsive to EU threat analyses, as the searches would be run according to the specific intelligence requirements of Member States. However, the role of the centralised EU body would be limited to conducting searches and transfer of responding data to the requesting Member State; it would act more as a gatekeeper than anything else. As a result of this, there would be no EU-level analysis, and the system would be wholly reliant on Member States sharing analyses with one another, outside the system, if a coherent EU intelligence picture were to be created. The inability of the system to guarantee a uniform approach to definitions of searches would increase the risk of false positives, thereby impinging on data protection and privacy rights.

Option C would be responsive to specific intelligence needs of Member States, and so would have some positive impact on preventing terrorism and enhancing security. However, as national FIUs would be responsible for the searches and analyses of their Member States, this option suffers from the same drawbacks as Option B – a clear picture could only be achieved with the enhanced cooperation of Member States, outside the system. Furthermore, FIUs focus on financial intelligence only, and the divide between this information and the broader intelligence landscape could make it more difficult to see links and spot terrorist financing. There is also a very low level of EU involvement in this option, and capacity would be enhanced primarily at the national level.

All these options would entail significant cost for the EU, Member States and the Designated Provider including, inter alia, the cost of development of IT infrastructure, secure facilities and the cost of tens, if not hundreds, of staff responsible for the management of the system and for the implementation of safeguards and controls. However, each of these possible systems has the potential to contribute to an enhanced European security situation, as they would use threat assessments specific to European needs.

An independent intelligence and investigation tool on European soil would remove the requirement for transfering data to the US. But any EU TFTS would still require extensive data protection safeguards and controls similar to those already in force under the EU-US TFTP Agreement and in any event complying with the EU and Member States' data protection acquis. Any requests for searches on data in EU systems would need to be checked for conformity with the strict purpose limitation to fighting terrorism and its financing, including whether the transfer of data is justified. In particular, qualified independent overseers would be required to verify that each EU and each Member State search was properly authorised and was required for the purpose of fighting against terrorism and its financing. Secure handling and storage of the data would have to be ensured and unathorized access to the data prevented. An external audit of the proper functioning of the system and all its safeguards would be necessary. All necessary procedures for access to and rectification of personal data and relevant redress procedures would have to be embedded in the system.

In conclusion, in line with the requests from the European Parliament and the Council, the Commission has assessed the possible options for for an EU TFTS, including an extraction and retention regime.

This assessment takes into account the principles enshrined in the Information Management Strategy that was adopted under the Swedish Presidency. Any system set up must be  necessary, proportionate, and cost-effective, and must respect fundamental rights. The analysis carried out by the Commission, as detailed above and in the Impact Assessment, shows that each of the feasible options has advantages and disadvantages. The Commission has however disregarded those options that are not feasible, as explained.

In light of the information gathered, the case to present at this stage a proposal for an EU TFTS is not clearly demonstrated.

The Commission welcomes the views of the European Parliament and of the Council on this Communication.

[1] OJ L 195, 27.7.2010, p.5

[2] Council Decision of 13 July 2010, OJ L 195, 27.7.2010, p.3

[3] Society for Worldwide Interbank Financial Telecommunication (SWIFT)

[4] SWD 2013 (xx) of

[5] Council conclusions Council Conclusions of 30 November 2009 on an Information Management Strategy for EU internal security 16637/09

[6] COM (2010) 385 of 20 July 2010

[7] COM(2012) 735 of 7 December 2012

[8] Council Decision of 17 October 2000 concerning arrangements for cooperation between financial intelligence units of the Member States in respect of exchanging information

[9] SEC (2011) 438 of 30 March 2011

[10] SWD (2012) 454 of 14 December 2012