EU official says US data-sharing deals functioning well, but will be kept under scrutiny

US government says it has not breached the terms of the TFTP agreement

Europe's Home Affairs Commissioner said on Wednesday that she would be keeping a close eye on data-sharing deals with the U.S.

On the same day that she announced that the European Commission would not suspend the E.U.-U.S. safe harbor data privacy agreement, Commissioner Cecilia Malmström presented reviews of two other transatlantic data sharing deals -- the Terrorist Finance Tracking Programme (TFTP) and the Passenger Name Record (PNR).

The TFTP agreement allows the U.S. Treasury to access some data stored in Europe by international bank transfer network Swift. However, allegations of possible U.S. access to Swift financial data outside the scope of the TFTP agreement enraged politicians last month.

Documents leaked by former U.S. National Security Administration contractor Edward Snowden and reported by The Washington Post indicate the NSA spied on Swift. The company is included in an NSA training manual for new agents on how to target private computer networks, according to the documents.

Malmström, however, said she has received written assurances from the U.S. government that it has not breached the TFTP agreement and will continue to respect it fully. Nonetheless another review of the functioning of the agreement will be conducted in spring 2014, sooner than expected.

Over the last three years, in response to 158 requests made by the E.U., 924 investigative leads were obtained from the TFTP. Most recently, TFTP-derived information has been used to investigate the April 2013 Boston Marathon bombings, threats during the London Olympics and E.U.-based terrorists training in Syria, Malmström said.

Under the agreement, non-extracted data can be kept for no longer than five years and information extracted from the data can only be retained for as long as is strictly necessary for specific investigations or prosecutions.

The current E.U.-U.S. PNR agreement entered into force on July 1, 2012. According to the review presented on Wednesday, the U.S. authorities have been implementing the agreement in accordance with the standards and conditions it contains.

PNR data is collected by airlines and the current agreement with the U.S. uses information on passengers traveling between Europe and the U.S. to target, identify and prevent potential terrorists and terrorist weapons from entering the U.S.

PNR data is stored in airlines' reservation and departure control databases. It contains several different types of information, such as travel dates, travel itineraries, ticket information, contact details, the travel agent with which the flight was booked, the means of payment used, seat numbers and baggage information.

PNR data can only be used to fight terrorism and serious transnational crimes that are punishable by at least three years of imprisonment under U.S. law. According to the Commission, this excludes minor crimes, while allowing PNR to be used to tackle serious crimes such as drug or human trafficking.

The data collected under the PNR agreement can be retained for 15 years for terrorist-related offenses and for 10 years transnational crime. However it must be "depersonalized," with identifying information removed from the data, after just six months and moved to a dormant database with stricter controls after five years.

The next review of the agreement is due to take place during the first half of 2015.

The European Commission had proposed a similar plan for passengers traveling within the E.U. But last month the European Parliament delayed voting on it. Commissioner Malmström also said on Wednesday that any plans for an E.U.-wide TFTP had been shelved.

Follow Jennifer on Twitter at @BrusselsGeek or email tips and comments to

Join the CSO newsletter!

Error: Please check your email address.

Tags regulationeuropean commissionsecuritygovernmentprivacy

More about European CommissionEuropean ParliamentNSA

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Jennifer Baker

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place