EUR-Lex Access to European Union law

Back to EUR-Lex homepage

This document is an excerpt from the EUR-Lex website

Document 52019DC0342

REPORT FROM THE COMMISSION TO THE EUROPEAN PARLIAMENT AND THE COUNCIL On the joint review of the implementation of the Agreement between the European Union and the United States of America on the processing and transfer of Financial Messaging Data from the European Union to the United States for the purposes of the Terrorist Finance Tracking Program

COM/2019/342 final

Brussels, 22.7.2019

COM(2019) 342 final


On the joint review of the implementation of the Agreement between the European Union and the United States of America on the processing and transfer of Financial Messaging Data from the European Union to the United States for the purposes of the Terrorist Finance Tracking Program

{SWD(2019) 301 final}

On 1 August 2010, the Agreement between the European Union and the United States of America on the processing and transfer of Financial Messaging Data from the European Union to the United States for the purposes of the Terrorist Finance Tracking Program ('TFTP') entered into force 1 .

Procedural aspects

Article 13 of the Agreement provides for regular joint reviews of the safeguards, controls, and reciprocity provisions to be conducted by review teams from the European Union and the United States, including the European Commission, the U.S. Treasury Department (hereinafter “the Treasury”), and representatives of two data protection authorities from EU Member States, and may also include security and data protection experts and persons with judicial experience.

This report concerns the fifth joint review of the Agreement since it entered into force and covers a period of thirty-five months between 1 January 2016 and 30 November 2018. The first joint review of the Agreement conducted in February 2011 2 covered the period of the first six months after the entry into force of the Agreement (1 August 2010 until 31 January 2011) and the second joint review conducted in October 2012 3 covered the subsequent period of twenty months (1 February 2011 until 30 September 2012). The third joint review conducted in April 2014 covered a period of seventeen months (1 October 2012 until 28 February 2014) 4 . The fourth joint review conducted in March 2016 covered a period of twenty-two months (1 March 2014 until 31 December 2015) 5 . On 27 November 2013, the Commission adopted the Communication on the Joint Report from the Commission and the Treasury regarding the value of TFTP Provided Data pursuant to Article 6 (6) of the Agreement 6 .

In line with Article 13 (3) of the Agreement, for the purposes of the review, the European Commission represented the European Union, and the Treasury represented the United States. The EU review team was headed by a senior Commission official and in total consisted of two members of Commission staff, as well as representatives from two data protection authorities.

The fifth joint review was carried out in two main stages: on 15 January 2019 in The Hague at Europol's premises and on 31 January and 1 February 2019 in Washington at the Treasury.

This report is based on the information contained in the written replies that the Treasury provided to the EU questionnaire sent prior to the review, information obtained from the discussions with Treasury personnel and members of the U.S. review team, as well as information contained in other publicly available Treasury documents. In addition, the report takes into account information provided by Europol staff during the review, including submissions by Europol’s Data Protection Officer. To complete the information available, the Commission also met and received information from the Designated Provider and organised a meeting on 3 April 2019 to receive feedback from Member States on the reciprocity provisions of the Agreement.

Recommendations and conclusion

On the basis of the information and explanations received from the Treasury, Europol, the Designated Provider and the independent overseers, verification of relevant documents and of a randomly selected sample of the searches run on the TFTP provided data, the Commission is satisfied that the Agreement and its safeguards and controls are properly implemented.

Europol is accomplishing its verification tasks in full compliance with Article 4 on the basis of detailed and regularly updated supporting documentation received from the Treasury. The oversight mechanism is functioning smoothly and is effective in ensuring that the processing of data complies with the conditions laid down in Article 5. All non-extracted data is deleted at the latest five years from receipt, in accordance with Article 6 (4) of the Agreement.

The TFTP remains a key instrument to provide timely, accurate and reliable information about activities associated with suspected acts of terrorist planning and financing. It helps to identify and track terrorists and their support networks worldwide. During the current review period, the EU has continued to significantly benefit more from the TFTP. It has become an increasingly important tool with the increase in the number of terrorist attacks since 2015. In some cases, the information provided under the Agreement has been instrumental in bringing forward specific investigations relating to terrorist attacks on EU soil.

In terms of potential for further improvement, the Commission suggests that the Treasury, in the annual evaluation of its Article 4 Requests, assesses the message types and geographic regions that are the most and least responsive to TFTP searches. The outcome of such an assessment should be included and taken into account in subsequent Article 4 requests. This could result in a more narrowly tailored request to minimise the amount of data requested from the designated provider, in line with Article 4 (2). The Commission further suggests that the Treasury should improve its mechanisms to review the necessity of retaining so-called “extracted data” to ensure that this data is only retained for as long as necessary for the specific investigation or prosecution for which they are used (Article 6 (7)). In this context, the Commission also requests Member States to inform Europol as a Single Point of Contact (SPoC) for subsequent information of the Treasury when a case has been finally disposed of, which should in principle lead to the deletion of extracted data relating to that case. Particular attention should also be provided to extracted data that is viewed by the Treasury analysts but not, due to considerations of relevancy, disseminated further in the context of a specific investigation.

Furthermore, Member States should provide regular feedback to Europol, for onward sharing with the Treasury as appropriate, on the added value of the TFTP leads received from the Treasury which could further improve the quality and the quantity of information exchanged under Articles 9 and 10. The Commission appreciates and encourages Europol to continue its efforts to actively promote awareness of the TFTP and to support Member States seeking its advice and experience in devising targeted Article 10 requests.

The Commission notes that the procedures to process requests from persons whether their data protection rights have been respected in compliance with the Agreement appear to function efficiently. However, the Commission suggests that the Treasury ensures that such verifications cover all relevant rights under the Agreement, including that data has only been searched where there is pre-existing information or evidence which demonstrates a reason to believe that the subject of the search has a nexus to terrorism or its financing.

The Commission welcomes the continued transparency of the U.S. authorities in sharing information illustrating the value of the TFTP in international counter-terrorism efforts. The detailed information about how the TFTP Provided Data can and is being used and concrete cases thereof provided in the Joint Value Report and in the context of this review clearly explain the functioning and the added value of the TFTP.

The U.S. authorities have extensively made use of the possibility under Article 9 of the Agreement to spontaneously provide information from the TFTP to EU authorities. In addition, Europol has proactively initiated a series of requests under Article 10 of the Agreement in the period under review. This has helped raise awareness of the TFTP among EU authorities, resulting in an increased use of the TFTP by those authorities. EU authorities submitted that the leads provided on paper by the Treasury could be more efficiently processed if they are provided digitally. The Commission invites the Treasury and Europol to consider ways to facilitate the processing of leads, in compatibility with the security arrangements of the TFTP.

A regular review of the Agreement is essential to ensure its proper implementation, to build up a relationship of trust between the contracting parties and to provide reassurances to interested stakeholders on the usefulness of the TFTP instrument. The Commission and the Treasury agreed to carry out the next joint review according to Article 13 of the Agreement in the beginning of 2021.

The functioning of the Agreement, the joint review process, its outcome and recommendations are described in detail in the Staff Working Document attached to this Report.


     OJ L 195/5 of 27.7. 2010.


     SEC(2011) 438 final.


     SWD(2012) 454 final.


     COM (2014) 513 final and SWD (2014) 264 final of 11.8.2014.


     COM (2017) 31 final and SWD (2017) 17 final of 19.1.2017.


     COM (2013) 843 final of 27.11.2013.