The European Parliament,

–  having regard to the European Convention on Human Rights, in particular Article 8 thereof,

–  having regard to the Charter of Fundamental Rights, in particular Articles 7 and 8 thereof,

–  having regard to Council of Europe Convention No 108 for the Protection of Individuals with regard to Automatic Processing of Personal Data,

–  having regard to Article 6 TEU and Article 286 EC,

–  having regard to Directive 95/46/EC of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data,(1)

–  having regard to Regulation (EC) No 45/2001 of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data,(2)

–  having regard to the complaints filed by Privacy International to data protection and privacy regulators in 33 countries alleging that the SWIFT transfers were undertaken without regard to legal process under data protection law, and that the disclosures were made without any legal basis or authority,

–  having regard to Rule 103(2) of its Rules of Procedure,

A.  whereas European and US media have recently revealed the existence of the Terrorist Finance Tracking Program, put in place by the US administration, which has allowed US authorities to access all the financial data stored by SWIFT (Society for Worldwide Interbank Financial Telecommunications), a Belgian-based industry-owned cooperative which consists of more than 8 000 commercial banks and institutions in 200 countries, including a number of central banks,

B.  whereas the information stored by SWIFT to which the US authorities have had access concerns hundred of thousands of EU citizens, as European banks use the SWIFT messaging system for the worldwide transfer of funds between banks, and whereas SWIFT generates millions of transfers and banking transactions on a daily basis,

C.  whereas any transfer of data generated within EU territory that is to be used outside EU territory should as a minimum be subject to an adequacy assessment pursuant to Directive 95/46/EC on data protection,

1.  Recalls its determination to fight terrorism and believes in the need to strike the right balance between security measures and the protection of civil liberties and fundamental rights;

2.  Recalls that the European Union is based on the rule of law and that all transfers of personal data to third countries are subject to data protection legislation at national and European level, which provides that any transfer must be authorised by a judicial authority and that any derogation from this principle must be proportional and founded on a law or an international agreement;

3.  Believes that in applying Article 8 of the Convention on Human Rights, in the framework of Community law and having regard to Article 13 of Directive 95/46/EC, the Member States can derogate from the principle of data finality that justifies the storing of personal data by private parties and thereby reduce the level of data protection only when this is necessary, proportional and compatible with a democratic society;

4.  Notes the proposal for a regulation on information on the payer accompanying transfers of funds (COM(2005) 343), which may contribute to establishing a legal framework for the transfer of this information, but regrets that the European Parliament – contrary to the principle of loyal and constant cooperation between the Community institutions – has not been informed during negotiations by the other institutions and organisations, in particular the European Central Bank, of the existence of the SWIFT transfers;

5.  Requests that the European Commission, the Council and the European Central Bank explain fully the extent to which they were aware of the secret agreement between SWIFT and the US Authorities;

6.  Requests in this context that the role and functioning of the European Central Bank be clarified, and asks the European Data Protection Supervisor to verify as soon as possible whether, in accordance with Regulation (EC) No 45/2001 of 18 December 2000 on the protection of individuals with regard to the processing of personal data, the ECB was obliged to react to the possible violation of data protection which had come to its knowledge;

7.  Recalls that the ECB must guarantee that central banks have access to SWIFT only within a legal framework;

8.  Asks the Member States to ensure that there is no legal vacuum at national level and that the Community data protection legislation also covers central banks; asks the Member States to transmit the results of this verification to the European Commission, the Council and the European Parliament;

9.  Demands that the Council urgently examine and adopt the framework decision on data protection in judicial and police cooperation in order to ensure that European citizens enjoy a uniform and high level of data protection throughout the Union’s territory;

10.  Draws the Council’s attention in particular to Amendments 26 and 58 of Parliament’s report adopted on 14 June 2006 on the data protection framework decision,(3) which aim to regulate the treatment of data transferred to private parties in the public interest;

11.  Reiterates its disappointment with the Council’s unwillingness to overcome the current legislative situation, where, under either the first or the third pillar, two different procedural frameworks for the protection of fundamental rights apply; reiterates its demand for this dual framework to be abolished by activating the bridging clause provided for in Article 42 TEU;

12.  Instructs its President to forward this resolution to the Council, the Commission, the governments and parliaments of the Member States, the European Central Bank and the European Data Protection Supervisor.

(1) OJ L 281, 23.11.1995, p. 31. (2) OJ L 8, 12.1.2001, p. 1. (3) Minutes of that date, P6_TA-PROV(2006)0258.