How the US and Europe quietly share data to prevent terrorist attacks

Since the Second World War, our alliance with the democratic nations of Europe has been the fulcrum of America’s global security posture. Intelligence and counterterrorism cooperation form an important part of this partnership.

My agency, the U.S. government’s Privacy and Civil Liberties Oversight Board, recently concluded a three-year review of a program that fits squarely within this tradition of intelligence cooperation: the Terrorist Finance Tracking Program, known as TFTP.

The program relies on data from SWIFT, which provides secure financial messaging services to banks around the world. Much of TFTP’s SWIFT data comes from U.S. sources. Some, however, comes from Europe.

Understanding why requires a bit of background on SWIFT’s geographic arrangements. Normally, SWIFT messages for EU banks would stay in Europe, at data centers in the Netherlands and Switzerland. TFTP is an exception. Under a U.S.-EU agreement, SWIFT provides some European data to the U.S. Treasury.

What happens next illustrates the cooperative arrangement at the heart of TFTP. Europol, the EU police agency, sends terrorism-related search requests to Treasury. Treasury runs those searches against the SWIFT data and sends back the results.

The searches that Treasury runs for European partners are a major element of TFTP. A review of searches over a recent 35-month period found that more than 40 percent of the total number of searches were run in response to requests from Europol or EU member states.

TFTP searches have proven very useful for counterterrorism in Europe. From 2016 to 2018, Treasury shared more than 80,000 individual TFTP leads with EU authorities. Leads have been shared in response to many of the most infamous terrorist plots against European countries in recent memory, including the 2015 attacks in Paris and the 2011 attacks in Norway.

After the Norway attacks, TFTP information helped European investigators identify, within hours, the channels through which the attacker moved the funds used for the attacks. Based on that intelligence, Finnish authorities were able to identify and arrest a person pursuing similar goals before he was able to strike.

The bottom line is that TFTP, though funded and operated by the United States, provides a steady stream of valuable intelligence to EU member states. This sharing advances both sides’ interests and helps defend our shared values.

The program also includes various privacy safeguards. One in particular bears mention: An EU official, known as a “scrutineer,” is posted to the U.S. Treasury, where the scrutineer reviews TFTP searches and can block any that he or she believes violate the program’s rules. This level of access and authority for a foreign official illustrates the depth of cooperation built into TFTP.

Despite TFTP’s successes, however, EU officials have repeatedly raised concerns about the program’s effect on privacy. Some members of the European Parliament have called for the program to be scrapped. Their criticisms align with other efforts to end transfers of European data to the United States.

Privacy questions surrounding TFTP are legitimate and important. Our Board chose to conduct a multi-year review of this program because we agree that this type of collection requires robust privacy safeguards.

The problem is that the tenor and direction of some criticisms imply that TFTP is a unilateral American project. Not so. The program’s unusual structure — with the U.S. Treasury operating the program, but running European-provided search terms against European-provided data — should not obscure that TFTP is a truly cooperative arrangement that works well for both sides.

EU officials, to their credit, have recognized this. In 2013, the EU Commissioner for Home Affairs concluded that replacing TFTP with an EU system “would be expensive and demanding on resources to put in place and maintain.” An EU replacement for TFTP — which would have kept the European data in Europe, the goal of many privacy campaigners — never made it to the drawing board. Successive reviews conducted by the EU have acknowledged the program’s benefits for public safety.

TFTP illuminates much that transatlantic debates over data privacy too often obscure. Both sides seek to balance security and privacy, even if our legal systems describe the results of that balancing differently. Both sides care about privacy, but neither treats it as absolute: European governments, like the United States, collect and use data to protect public safety. Finally, both sides agree that programs like TFTP require rigorous, independent oversight.

TFTP also suggests that new forms of cooperation offer the best path forward for resolving transatlantic disputes about data privacy. At a time when privacy debates are roiling transatlantic commerce, TFTP is a needed reminder of the rewards of working together.

Adam Klein is chairman of the Privacy and Civil Liberties Oversight Board, an independent executive branch agency tasked with ensuring that efforts to protect the U.S. from terrorism appropriately safeguard privacy and civil liberties.