TELOSscope: The Telos Press Blog

US Screening International Financial Transactions

Thursday is book day at Telos. We use this time and space for posts about books, authors, and all sorts of writing, considered in light of the sorts of questions that are at home at Telos. As with all our blogs, you are invited to post a comment. If you have a book review that you’d like to post here, or some other comment on the worlds of writing, drop a line to us at

Jean-Claude Paye is the author of Global War on Liberty, available here from Telos Press Publishing. This text was translated by Christine Pagnoulle.

As in the case of the agreement between the European Union and the United States on screening European passengers, signed in June 2007, this new agreement on screening financial transactions gives legitimacy to a de facto situation that the US created. In both cases, the US administration illegally seized European citizens’ personal data before the EU sanctioned this right of intrusion and changed the law accordingly.

On June 23, 2006, the New York Times brought up the CIA’s sifting of international bank transactions. The paper exposed the fact that since the 9/11 attacks the Belgian company Swift (Society for Worldwide Interbank Financial Communications) had provided the US Treasury Department with several million records that included confidential data on its clients’ transactions.

A US company under Belgian law, Swift monitors the international transactions of some eight thousand financial institutions located in 208 countries. It transfers data related to payments or securities, including international currency transactions, but does not transfer actual money.

Exchange data are stored on two servers, one in Europe, the other in the United States. All data are stored on both. Interbank messages on the Swift network include personal information protected by Belgian and European law.

The company is also ruled by US law, since its second server is located on US territory. So the company chose to breach European law in order to comply with orders received from the US executive power. Even though breaches against Belgian and EU law have been documented on several occasions, the Belgian authorities have so far refused to sue the Swift company.

We have to keep in mind that, thanks to the ECHELON network and to the NSA surveillance system, it is perfectly possible for US intelligence to capture all sorts of electronic information in real time, including Swift FIN data. Reading them is all the easier as the three encoding systems (DES, 3DES, and AES) used for data related to global transactions between banks are patented in the US. The US executive thus asks for data it can easily access otherwise. What they want is to compel private companies to breach European law and coax the EU political authorities into modifying what is legal and what is not. The US executive does not just wish to set up a real-time screening system of international financial transactions but to force European authorities to make it legal.

An interruption of transfers to US customs has never been considered. Transmission of data has not stopped after the indiscretion was exposed. In 2007, in order to formally comply with the Data Protection Directive, Swift adhered to the Safe Harbor principles, which are supposed to guarantee that data stored in the US server are protected by standards similar to those applied in the EU.

Adherence to the Safe Harbor principles proceeds from a self-certification by the adhering company, which is expected to provide guarantees as to the possibility of calling upon independent authorities. However, the independence of those authorities is ill-defined. Safe Harbor leaves the people concerned pretty helpless. They have to establish whether the US body that processes data conforms to requirements, and they have to find and call upon the independent control authority that is liable to examine the issue. If, in spite of such hurdles, an individual or a company manages to establish a breach in procedure and can further start a lawsuit, the US administration can still retreat behind the notion of state secrets to prevent any legal action.

The part of the June 2007 agreement that grants the US the right to capture personal data amounts to a unilateral commitment by the United States. It is not a bilateral agreement, as the European Parliament had hoped, but a text that can be modified without both parties agreeing on the change. The US administration can change its commitments without even consulting the other party, depending on changes in US legislation or merely on its wish to formulate new demands.

The Treasury Department grants purely formal guarantees as to how these data will be used. It claims that it will only use them or pass them on to other states or agencies in order to fight terrorism. However, the definition of terrorism is so loose that it can apply to any individual or organization targeted by the administration.

Sleeping data will be kept for five years after they are received. This leaves plenty of time for US agencies to use them at will.

As a guarantee that confidentiality will be respected, the US party insists on there being several independent levels of control. The text mentions “other independent official administrations” as well as an “independent auditing cabinet.” The fact that an administration should define another administration in the same country as an independent institution says a lot about how merely formal such autonomy may be. The same can be said about independent auditing. When the Swift affair was revealed in June 2006, the US government had already stated that data could not be abused since access was controlled by an “external” private company, the Booz Allen group. The latter is one of the major companies having signed contracts with the US government. Confusion between the private and the public spheres is organic. Yet it is this very company that is presented as being independent of the US executive power. This is a telling comment on the flimsiness of what guarantees European negotiators could get.

The recent agreement exposes an imperial political structure in which the US executive has the role of chief instructor and European institutions merely give some legitimacy in the eyes of their populations. In fact, this is not an agreement between two sovereign powers. There is only one party in it, the US administration, which asserts again its right to have access to European citizens’ personal data. By way of compensation, in a unilateral approach, it grants formal guarantees that can be unilaterally changed or cancelled. The US executive thus directly exerts its sovereignty over people on both sides of the Atlantic.

It had been anticipated as early as June 2007 that inter-European SWIFT data would not be transferred to the US but stored on a second European server center. At the end of March 2008, the Swift company leaked the information that it would be located in the Zurich area and would be operational by the end of 2009. This new procedure is closer to what is requested by the EU data protection directive than the Safe Harbor principles. However, the directive includes exceptions for police operations and still makes it possible for US authorities to access EU citizens’ financial data. The agreement will simply have to be adapted accordingly. The latter can be constantly modified. It is devised so as to be able to respond to new US demands. Let us remember that US customs has direct access to data about air passengers via terminals on EU territory. Whether through such a system or, as is more likely, through ad hoc demands, US authorities will still be in a position to receive European financial data. Since the alibi of a US server will no longer be available, the result will be to further reinforce US sovereignty over EU territory. Which is the whole point.

Jean-Claude Paye is the author of Global War on Liberty, available here from Telos Press Publishing.

Comments are closed.