The European Parliament,

–   having regard to the European Convention for the Protection of Human Rights and Fundamental Freedoms (the ECHR), in particular Article 8 thereof,

–   having regard to the Charter of Fundamental Rights of the European Union, in particular Articles 7 and 8 thereof,

–   having regard to Council of Europe Convention No 108 for the Protection of Individuals with regard to Automatic Processing of Personal Data,

–   having regard to Article 6 of the EU Treaty and Article 286 of the EC Treaty,

–   having regard to Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data(1),

–   having regard to Regulation (EC) No 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data(2),

–   having regard to the proposal for a regulation on information on the payer accompanying transfers of funds (COM(2005)0343),

–   having regard to the complaints filed by Privacy International to data protection and privacy regulators in 33 countries alleging that the SWIFT transfers were undertaken without regard to legal process under data protection law, and that the disclosures were made without any legal basis or authority,

–   having regard to Rule 103(4) of its Rules of Procedure,

A.   whereas European and US media have recently revealed the existence of the Terrorist Finance Tracking Program, put in place by the US administration, which has allowed US authorities to access all the financial data stored by SWIFT (Society for Worldwide Interbank Financial Telecommunications), a Belgian-based industry-owned cooperative which consists of more than 8 000 commercial banks and institutions in 200 countries, including a number of central banks,

B.   whereas the information stored by SWIFT to which the US authorities have had access concerns hundred of thousands of EU citizens, as European banks use the SWIFT messaging system for the worldwide transfer of funds between banks, and whereas SWIFT generates millions of transfers and banking transactions on a daily basis,

C.   whereas any transfer of data generated within EU territory that is to be used outside EU territory should as a minimum be subject to an adequacy assessment pursuant to Directive 95/46/EC,

D.   whereas access to data managed by SWIFT makes it possible to detect not only transfers linked to illegal activities, but also information on the economic activities of the individuals and countries concerned, and this could give rise to large-scale forms of economic and industrial espionage,

1.  Recalls its determination to fight terrorism and believes in the need to strike the right balance between security measures and the protection of civil liberties and fundamental rights; expresses its serious concern at the fact that a climate of deteriorating respect for privacy and data protection is being created;

2.  Stresses that the European Union is based on the rule of law and that all transfers of personal data to third countries are subject to data protection legislation at national and European level, which provides that any transfer must be authorised by a judicial authority and that any derogation from this principle must be proportional and founded on a law or an international agreement;

3.  Believes that only by applying Article 8 of the ECHR, acting in the framework of Community law and having regard to Article 13 of Directive 95/46/EC, can the Member States – in the interests of state security, public order and safety – derogate from the principle of data finality whereby the onward forwarding of commercial data is prohibited, which principle is the only legitimate basis for the storing of personal data by private parties, and thereby reduce the level of data protection only when this is necessary, proportional and compatible with a democratic society;

4.  Notes the abovementioned proposal for a regulation, which may contribute to establishing a legal framework for the transfer of this information; regrets that the European Parliament – contrary to the principle of loyal and constant cooperation between the Community institutions – has not been informed during negotiations and trialogues by the other institutions, in particular the European Central Bank, of the existence of the SWIFT transfers;

5.  Demands that the Commission, the Council and the European Central Bank (the ECB) explain fully the extent to which they were aware of the secret agreement between SWIFT and the US government;

6.  Demands in this context that the role and functioning of the ECB be clarified, and asks the European Data Protection Supervisor to check as soon as possible whether, in accordance with Regulation (EC) No 45/2001, the ECB was obliged to react to the possible violation of data protection which had come to its knowledge;

7.  Recalls that the ECB is supposed to guarantee that central banks access SWIFT only within a legal framework;

8.  Demands that the Member States check whether and ensure that there is no legal lacuna at national level and that the Community data protection legislation also covers central banks; asks the Member States to transmit the results of that check to the Commission, the Council and the European Parliament;

9.  Demands that the Council urgently examine and adopt the proposal for a framework decision on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters (COM(2005)0475) in order to ensure that European citizens enjoy a uniform and high level of data protection throughout the Union's territory;

10.  Draws the Council's attention in particular to Amendments 26 and 58 of Parliament's position adopted on 14 June 2006(3) on the abovementioned proposal for a framework decision, which aim to regulate the treatment of data transferred to private parties in the public interest;

11.  Reiterates its great disappointment with the Council's unwillingness to overcome the current legislative situation, where, under either the first or the third pillar, two different procedural frameworks for the protection of fundamental rights apply; reiterates, therefore, its demand for this dual framework to be abolished by activating the bridging clause provided for in Article 42 TEU;

12.  Requests that the Commission undertake an evaluation of all EU anti-terrorist legislation that has been adopted from the point of view of efficiency, necessity, proportionality and respect for fundamental rights; strongly urges the Commission and Council to consider what measures should be taken to avoid future repetitions of such serious privacy breaches;

13.  Strongly disapproves of any secret operations on EU territory that affect the privacy of EU citizens; is deeply concerned that such operations should be taking place without the citizens of Europe and their parliamentary representation having been informed; urges the USA and its intelligence and security services to act in a spirit of good cooperation and notify their allies of any security operations they intend to carry out on EU territory;

14.  Asks its Committee on Civil Liberties, Justice and Home Affairs, together with its Committee on Economic and Monetary Affairs, to hold, as soon as possible, a joint hearing of the ECB, the Commission, the Council, the European Data Protection Supervisor and other private and public parties that are involved in the affair in order to uncover what information they may have had;

15.  Instructs its President to forward this resolution to the Council, the Commission, the European Central Bank, the governments and parliaments of the Member States, accession countries and candidate countries, and the United States Government and the two Chambers of Congress.

(1) OJ L 281, 23.11.1995, p. 31. (2) OJ L 8, 12.1.2001, p. 1. (3) Texts Adopted, P6_TA(2006)0258.