THE TERRORIST FINANCE TRACKING PROGRAM:
ILLUMINATING THE SHORTCOMINGS OF THE
EUROPEAN UNION’S ANTIQUATED DATA
On June 23, 2006, the New York Times, the Los Angeles Times, the
Wall Street Journal, and the Washington Post disclosed the existence
of a confidential Treasury Department and Central Intelligence
Agency (CIA) initiative, the Terrorist Finance Tracking Program
(TFTP).1 The TFTP enables the United States to examine finan-
cial transactions that rely on the messaging infrastructure provided
by the Society for Worldwide Interbank Financial Telecommunica-
tions (SWIFT) for their completion.2 The United States’ ability to
scrutinize financial transactions that utilize SWIFT’s messaging ser-
vice allows the Treasury Department to access the amount trans-
ferred, bank account numbers, method of transfer, names of the
parties, their addresses and telephone numbers, and information
about the financial institutions involved in the transaction.3 Due to
the widespread use of SWIFT messaging among financial institu-
tions, the TFTP provides the United States with the potential to
collect and analyze information on tens of thousands of financial
* J.D. 2008, The George Washington University Law School; B.A. 2005, Marist Col-
lege. I would like to thank the staff and editors for their dedicated assistance and
insightful comments, and my parents for their continued support and encouragement.
1. Barton Gellman et al., Bank Records Secretly Tapped, WASH. POST, June 23, 2006, at
A1; Eric Lichtblau & James Risen, Bank Data Sifted in Secret by U.S. to Block Terror, N.Y. TIMES,
June 23, 2006, at A1; Josh Meyer & Greg Miller, U.S. Secretly Tracks Global Bank Data, L.A.
TIMES, June 23, 2006, at A1; Glenn R. Simpson, Treasury Tracks Financial Data in Secret Pro-
gram, WALL ST. J., June 23, 2006, at A1.
2. Gellman et al., supra note 1; Lichtblau & Risen, supra note 1; Meyer & Miller, supra
note 1; Simpson, supra note 1.
3. Gellman et al., supra note 1; Lichtblau & Risen, supra note 1; Simpson, supra note
1; see also Prime Minister Condemns SWIFT Data Transfers to U.S. as “Illegal,” PRIVACY INT’L,
Sept. 28, 2006, available at http://www.privacyinternational.org/article.shtml.cmdx-
347-543789 [hereinafter PRIVACY INT’L ].
4. See, e.g., Lichtblau, & Risen, supra note 1; PRIVACY INT’L, supra note 3.
554 The Geo. Wash. Int’l L. Rev. [Vol. 40
Six days after the press disclosed the existence of the TFTP, the
U.S. House of Representatives adopted a resolution expressing its
support for the program and communicating its belief that the ini-
tiative was compatible with all applicable laws.5 The Belgian Data
Protection Authority and the European Union’s Article 29 Work-
ing Party, however, concluded that the TFTP was incompatible
with E.U. Directive 95/46/EC on the Protection of Individuals with
Regard to the Processing of Personal Data and the Free Movement
of Such Data6 (Data Privacy Directive).7 Despite the conclusions of
the Belgian Data Protection Authority and the Article 29 Working
Party, President George W. Bush indicated that the United States
would not voluntarily abandon the TFTP.8 In June 2007, after
months of public discord, the European Union and the Bush
administration reached an agreement on the additional safeguards
the United States would need to add to the TFTP in order to
secure the approval of its European allies.9
Resolving the conflict over the TFTP and SWIFT’s participation
in the program will have far-reaching consequences. The Euro-
pean Union’s Data Privacy Directive, on the strength of its ability to
create a potential information embargo,10 is becoming the world’s
first universal data privacy regime.11 Countries developing their
own data privacy regulations are attempting to structure their regu-
lations to satisfy the “adequacy” standards of the Data Privacy
Directive.12 There has been speculation that the United States has
5. See, e.g., H.R. 896, 109th Cong. (2006).
6. Parliament and Council Directive 95/46/EC of 24 October 1995 on the Protec-
tion of Individuals with Regard to the Processing of Personal Data and on the Free Move-
ment of Such Data, 1995 O.J. (L281/40) [hereinafter EU Directive].
7. See Belgian Data Protection Authority, Summary of the Opinion of the Transfer of
Personal Data by SCRL SWIFT Following the U.S. Treasury, www.steptoe.com/assets/
attachments/2644.pdf (last visited July 11, 2008); Article 29 Data Protection Working
Party, Opinion 10/2006: On the Processing of Personal Data by the Society for Worldwide
Interbank Financial Telecommunication (SWIFT), 01935/06/EN WP128 (Nov. 22, 2006),
available at http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/2006/wp128_en.
8. Eric Lichtblau, Controls on Bank-Data Spying Impress Civil Liberties Board, N.Y. TIMES,
Nov. 29, 2006, at A26.
9. See James Risen, U.S. Reaches Tentative Deal with Europe on Bank Data, N.Y. TIMES,
June 29, 2007, at A6.
10. See EU Directive, supra note 6, art. 25.
11. See Fred H. Cate, The Changing Face of Privacy Protection in the European Union and the
United States, 33 IND. L. REV. 173, 226 (1999); Seth P. Hobby, The EU Data Protection Directive:
Implementing a WorldWide Data Protection Regime and How the U.S. Position Has Progressed, 1
INT’L L. & MGMT. REV. 155, 156-58 (2005).
12. See EU Directive, supra note 6, art. 25; Data Protection: Commission Adopts Deci-
sions Recognizing Adequacy of Regimes in US, Switzerland, and Hungary (2000), http://
2008] The Terrorist Finance Tracking Program 555
agreements with numerous multinational corporations requiring
them to turn over any information in their possession that the
United States deems relevant to the war on terrorism.13 These
developments create potential for frequent disputes involving
many of the same issues presented by the TFTP. Thus, the resolu-
tion of the controversy surrounding the TFTP will serve as a global
precedent in determining the appropriate balance between the
need for data privacy and the need for information to combat
Part I provides an overview of the United States’ war on terrorist
financing and examines the development of the TFTP. Part II
examines the intricacies of the TFTP and the safeguards built into
the program to protect individual privacy. Part III scrutinizes the
European Union’s Data Privacy Directive and summarizes the Arti-
cle 29 Working Party’s report. Part IV will demonstrate why the
Data Privacy Directive is an anachronistic relic that has ceased to be
beneficial. Ultimately, this Note concludes that the European
Union’s attempt to unilaterally impose its vision of data privacy
protection on the world is misguided because the conditions which
led to the adoption of the Data Privacy Directive reflect values and
experiences not shared by other countries.14
I. THE HISTORY OF ANTI-TERRORIST FINANCING IN THE
On September 11, 2001, Al Qaeda attacked the financial and the
military centers of the United States.15 Prior to the September 11
terrorist attacks, the United States did not actively concern itself
with terrorist financing.16 It failed to make active attempts to dis-
rupt the conduits of terrorist financing because the minimal costs
associated with conducting terrorist operations convinced law
enforcement that there were more efficient mechanisms to combat
13. See, e.g., RON SUSKIND, THE ONE PERCENT DOCTRINE, 36, 38 (2006) (detailing the
cooperation between First Data Corp., Western Union’s parent company, and the Federal
Bureau of Investigation); Mark Ballard, EU May Be Powerless to Stop US Snooping, REGISTER,
Aug. 25, 2006, http://www.theregister.com/2006/08/35/eu_vs_us_snooping/.
14. See, e.g., Francesa Bignami, European Versus American Liberty: A Comparative Privacy
Analysis of Antiterrorism Data Mining, 48 B.C.L. REV. 609, 612-13 (2007) (summarizing the
factors that explain the divergent approaches of the United States and the European
Union towards data privacy); David Scheer, Europe’s New High-Tech Role, Playing Privacy Cop
to the World, WALL ST. J., Oct. 10, 2003, at A1.
15. See Michael Grunwald, Bush Promises Retribution; Military Put on Highest Alert, WASH.
POST, Sept. 12, 2001, at A1.
16. Laura K. Donohue, Anti-Terrorist Finance in the United Kingdom and United States, 27
MICH. J. INT’L L. 303, 349 (2006).
556 The Geo. Wash. Int’l L. Rev. [Vol. 40
terrorism.17 The United States considered it futile to monitor Al
Qaeda’s money trail because of the erroneous belief that Osama
bin Laden, through his personal fortune, financed all of the organ-
The ability of the September 11 hijackers to utilize the global
banking system to facilitate their enterprise was extremely discon-
certing to both the American populace and the federal govern-
ment.19 When the hijackers arrived in the United States, they
opened bank accounts in their real names and transferred
amounts ranging from $5,000 to $70,000 among the various
accounts.20 Wire transfers from banks in the United Arab Emirates
and Germany to a SunTrust branch in Florida, totaling $130,000,
provided the seed money for the hijackers’ enterprise.21
Before the September 11 terrorist attacks, the United States’ reg-
ulatory regime focused on combating money laundering con-
nected to drug trafficking.22 It was apparent to both the Bush
administration and members of Congress, however, that a regula-
tory regime focused on money laundering was insufficient to com-
bat terrorist financing.23 This pre–September 11 regime had
limited usefulness in combating terrorist financing because “terror-
ist financing dirties clean money” while money laundering
17. See id.; JOHN ROTH, DOUGLAS GREENBURG & SERENA WILLE, NATIONAL COMMISSION
ON TERRORIST ATTACKS UPON THE UNITED STATES, MONOGRAPH ON TERRORIST FINANCING:
STAFF REPORT TO THE COMMISSION, 20, 34, available at http://www.9-11commission.gov/
staff_statements/911_TerrFin_Monograph.pdf. The September 11 attacks cost approxi-
mately $303, 672. Paul Beckett, Sept. 11 Attacks Cost $303,672, But Few Details of Plot Surface,
WALL ST. J., May 15, 2002, at B4.
18. See ROTH, GREENBURG & WILLE, supra note 17, at 20.
19. See Jeff Gerth & Judith Miller, A Nation Challenged: Money Trail, U.S. Makes Inroads
in Isolating Funds of Terror Groups, N.Y. TIMES, Nov. 5, 2001, at A1.
20. ROTH, GREENBURG & WILLE, supra note 17, at 53. The transaction escaped notice
under then existing banking regulations because the transaction was consistent with the
student profile. See id.
21. See, e.g., id.; Gerth & Miller, supra note 19 (repeating the statement of the United
Arab Emirates’ central bank governor that the transaction should have attracted suspicion
in the United States).
22. See Bank Secrecy of Act 1870, Pub. L. No. 91-508, 84 Stat. 1114 (1970) (codified as
amended in portions of 12 U.S.C., 15 U.S.C., 18 U.S.C., and 31 U.S.C.). The Bank Secrecy
Act required an individual moving $10,000 into or out of the United States to report the
transaction to the Treasury Department. The legislation also placed an affirmative duty
upon financial institutions to file suspicious activity reports for transactions which did not
fit the customer’s profile. 31 C.F.R. § 103.
23. See, e.g., Lichtblau & Risen, supra note 1; Financial War on Terrorism: New Money
Trails Present Fresh Challenges: Hearing Before the S. Comm. on Finance, 107th Cong. 3 (2002)
(prepared statement of Sen. Max Baucus).
2008] The Terrorist Finance Tracking Program 557
attempts to “clean dirty money.”24 Thus, the United States sought
to develop a regulatory regime focused on “starving the terrorists
A. Post–September 11 Initiatives to Combat Terrorist Financing
Two weeks after the September 11 attacks, President Bush issued
Executive Order 13,224.26 The motivating factors behind this
order were the government’s desire to prevent Al Qaeda from
receiving funding and to allay the populaces’ fears by taking public
action against terrorism.27 Executive Order 13,224 declared a
national emergency,28 thereby enabling President Bush to utilize
the powers of the International Emergency Economic Powers Act
(IEEPA).29 To implement the two goals of this executive order,
President Bush gave the Treasury Department the ability to freeze
the assets of foreign and domestic organizations within the United
States’ jurisdiction, including assets of financial institutions.30 This
decision was motivated by his administration’s desire “to avoid not
24. John D.G. Waszak, The Obstacles to Suppressing Radical Islamic Terrorist Financing, 36
CASE W. RES. J. INT’L L. 673, 675 (2004); see Caroline Drees, US Banks Struggle to Spot Terror-
ist Financing, REUTERS, Mar. 9, 2004, available at http://www.forbes.com/business/new-
swire/2004/03/09/rtr1291602.html (quoting an unidentified Bush administration official
that “[u]nless you already know who the terrorists are, it’s hard to figure out what would be
a distinguishing birthmark. . . . The only way so far that we can think of to identify terrorist
financing is for the government to identify who the terrorists are.”).
25. U.S. DEP’T OF THE TREASURY, CONTRIBUTIONS BY THE DEPARTMENT OF THE TREASURY
TO THE FINANCIAL WAR ON TERRORISM, FACT SHEET 2 (2002), available at http://www.treas.
gov/press/releases/reports/2002910184556291211.pdf (quoting Paul O’Neill).
26. Exec. Order No. 13,224, 66 Fed. Reg. 49,079 (Sept. 23, 2001). President Bush
described the executive order as “draconian.” Brian Groom, John Willman & Richard
Wolffe, Bush Targets Terrorist Funds, FIN. TIMES (London), Sept. 25, 2001, at 1.
27. See, e.g., ROTH, GREENBURG & WILLE, supra note 17, at 45.
28. Executive Order 13,224, 66 Fed. Reg. 49,079. The Treasury Department claims
the International Emergency Powers Act of 1977 provides the legal justification for the
TFTP. See Statement Terror Finance Tracking Program: Hearing Before the Subcomm. on Oversight
and Investigations of the H. Comm. on Financial Servs., H. REP. NO. 109-105, at 13 (2006)
(statement of Stuart Levey, Under Secretary for Terrorism and Financial Intelligence, U.S.
Department of the Treasury) [hereinafter Levey Hearing].
29. International Emergency Economic Powers Act, 50 U.S.C. § 1702(a)(1)(B)
(2000). The International Emergency Economic Powers Act enables the President to des-
ignate individuals or organizations as a threat to national security, prohibit or regulate
transactions involving those designated individuals, freeze and seize their assets, and make
it a crime to materially assist the specified individuals and groups. 50 U.S.C.
30. Donohue, supra note 16, at 377-78. Executive Order 13,224 froze the assets of
twenty-seven individuals and terrorists organizations. Executive Order 13,224, 66 Fed. Reg.
558 The Geo. Wash. Int’l L. Rev. [Vol. 40
just criminal law but the judicial system altogether in its efforts to
prevent the flow of funds.”31
One of the most infamous American initiatives to combat terror-
ism is Uniting and Strengthening America by Providing Appropri-
ate Tools Required to Intercept and Obstruct Terrorism
(PATRIOT Act).32 Title III of the PATRIOT Act sets forth the reg-
ulations governing anti-terrorism financing.33 This Act revolution-
ized the United States’ ability to combat terrorist financing by
strengthening the executive branch’s capacity to freeze and seize
assets, broadening the President’s power under the IEEPA, and
expanding the United States’ extraterritorial jurisdiction.34 These
changes led David Aufhauser, the Treasury Department’s general
counsel, to proclaim Title III of the PATRIOT Act “the smart bomb
of terrorist financing.”35 Together, the PATRIOT Act and Execu-
tive Order 13,224 have ensured that the United States has achieved
some success in its attempt to disrupt the flow of terrorist
The PATRIOT Act and Executive Order 13,224 have also sub-
stantially increased the federal government’s power to require
financial institutions to cooperate with law enforcement.37 The
PATRIOT Act enables law enforcement to compel financial institu-
tions to search their records in order to determine if they have had
dealings with any individuals matching a certain generalized
description.38 Those financial institutions refusing to cooperate
with law enforcement face the possibility that the Treasury Depart-
ment will freeze their assets under Executive Order 13,224.39 If a
financial institution cooperates and finds a match, it must provide
31. Donohue, supra note 16, at 307.
32. Pub. L. No. 107-56, 115 Stat. 272 (2001), codified in 50 U.S.C. § 1861; see, e.g., Bob
Barr, Editorial, Patriot Fixes, WALL ST. J., Nov. 12, 2004, at A12.
33. Terrorism: Growing Wahhabi Influence in the United States: Hearing Before the S. Sub-
comm. on Terrorism, Tech. and Homeland Security, 108th Cong. (2003) [hereinafter Terrorism
34. Donohue, supra note 16, at 371-72.
35. Terrorism Hearing, supra note 33 (internal quotes omitted).
36. See, e.g., Victor Mallet, Terrorists Funds “Being Squeezed,” FIN. TIMES (London), Apr.
11, 2002, at 12 (repeating then Secretary of Treasury Paul O’Neil’s assertion that the
United States was victorious in its war on terrorist financing); Philip Shennon, 9/11 Panel
Issues Poor Grades for Handling of Terror, N.Y. TIMES, Dec. 6, 2005, at A24 (noting the Trea-
sury Department received the highest grade from the September 11 Public Disclosure
37. See, e.g., Donohue, supra note 16, at 372; 50 U.S.C. § 1861.
38. Eric Gouvin, Are There Any Checks and Balances on the Government’s Power to Check Our
Balances? The Fate of Financial Privacy in the War on Terrorism, 14 TEMP. POL. & CIV. RTS. L.
REV. 517, 531 (2005).
39. See, e.g., Donohue, supra note 16, at 372.
2008] The Terrorist Finance Tracking Program 559
that individual’s name, account number, social security number,
date of birth, or other unique identifying information to law
enforcement.40 Under the PATRIOT Act, law enforcement can
request information about an individual with only an administra-
tive subpoena, and if it is investigating one of the 200 proscribed
offenses, it can broadly disseminate any information it receives to
other federal agencies.41
B. The Development of the TFTP
In 1973, a consortium of European financial institutions formed
SWIFT to supply standardized messaging services and interface
software to the global financial community.42 Presently, thousands
of financial institutions have an ownership interest in SWIFT.43
SWIFT is headquartered in La Hulpe, Belgium, a suburb of Brus-
sels, but it has offices in at least sixteen countries.44 Approximately
8,000 financial institutions in 206 countries and territories cur-
rently utilize SWIFT’s messaging services.45 It handles approxi-
mately 15 million transactions on a daily basis.46 Two-thirds of the
traffic on SWIFT’s messaging infrastructure originates in Europe.47
As a messaging institution, SWIFT does not handle money, but
rather processes transfer instructions and confirmations for finan-
40. 31 C.F.R. § 103.100(b)(2)(ii) (2004). If an institution fails to provide the
requested information, it faces the prospect of criminal and civil penalties. See Gouvin,
supra note 38, at 530-34 (detailing the lack of oversight and transparency in the Patriot
41. Donohue, supra note 16, at 407. According to Michael Chertoff, the Director of
Homeland Security, the PATRIOT Act authorizes the Attorney General and Secretary of
the Treasury to obtain foreign bank records through administrative subpoenas. The Finan-
cial War on Terrorism and the Administration’s Implementation of the Anti-Money Laundering Pro-
visions of the USA PATRIOT Act, Before S. Comm. on Banking, Housing and Urban Affairs, 107th
42. See About SWIFT, Company Information, http://www.swift.com/
index.cfm?item_id=1243 (last visited July 14, 2008); Simpson, supra note 1.
43. See, e.g., About SWIFT, Company Information, supra note 42; Anita Ramasastry,
The Treasury Department’s Secret Monitoring of International Fund Transfers: Why It Is Probably
Legal, at Least in the U.S., FIND LAW, http://writ.news.findlaw.com/ramasastry/
20060707.html (last visited Feb. 28, 2008). The National Bank of Belgium and the central
banks of the G-10 countries are responsible for overseeing SWIFT’s business operations.
Oversight of SWIFT, http://www.swift.com/index.cfm?item_id=57001 (last visited Mar. 5,
44. PRIVACY INT’L, PULLING A SWIFT ONE? BANK TRANSFER INFORMATION SENT TO U.S.
AUTHORITIES 2 (2007).
45. About SWIFT, supra note 42.
46. See generally Lichtblau & Risen, supra note 1; SWIFT in Figures-SWIFTNET Fin
Traffic, August 2006 YTD, available at http://www.swift.com/index.cgm?item_id=66437.
47. Simpson, supra note 1. In 2005, 1.6 billion out of the 2.5 billion messages SWIFT
handled originated from Europe, while 467 million were from the United States. Id.
560 The Geo. Wash. Int’l L. Rev. [Vol. 40
cial institutions.48 In an effort to explain SWIFT’s operations, the
Belgian Data Privacy Commission analogized its services to a series
of envelopes and letters.49 The envelopes contain information
about the sending institution, the bank’s identifier code, the date
and the time of the proposed transfer, and information about the
other financial institution involved in the transaction.50 The letters
are encrypted messages disclosing the amount to be transferred,
the method of transfer, the identity of the parties to the transac-
tion, and the participating financial institutions.51 The informa-
tion sent over SWIFT’s network is stored for 124 days in both the
United States and the Europe Union.52
The TFTP is an integral component of a concerted effort by the
American government to address a perceived intelligence defi-
ciency in monitoring wire transfers.53 In attempting to address this
intelligence gap, the Treasury Department’s Financial Crime
Enforcement Network54 issued subpoenas to the New York branch
of the Federal Reserve Bank in an effort to access FedWire, the
Federal Reserve’s large dollar electronic transfer system.55 Two
days after the September 11 attacks, First Data Corporation,56 the
then parent company of Western Union,57 voluntarily offered fed-
eral law enforcement the use of their resources to combat terror-
ism.58 The Federal Bureau of Investigations (FBI) established an
office in Omaha, Nebraska, in close proximity to the company’s
48. See, e.g., SWIFT Statement, Francis Vanbever, Chief Financial Officer, European
Parliament Hearing, Oct. 4, 2006, available at http://www.swift.com/index/
index.cfm?item_id=60670; Belgian Data Protection Authority, supra note 7.
49. PRIVACY INT’L, supra note 3.
52. Belgian Data Protection Authority, supra note 7.
53. See, e.g., John Sandman, Terrorist Tracking, Five Years of Controversy over SWIFT May
Have Been Misplaced, SECS. INDUS. NEWS, Sept. 25, 2006; Heather Timmons, Western Union:
Where the Money is—in Small Bills, BUS. WK., Nov. 26, 2001, at 40-41.
54. The Treasury Department created the Financial Crimes Enforcement Network in
1990 to combat money laundering by facilitating cooperation between federal law enforce-
ment and financial institutions. U.S. DEP’T OF THE TREASURY, ABOUT FINANCIAL CRIMES
ENFORCEMENT NETWORK, http://www.fincen.gov/af_overview.html (last visited Jan. 17,
55. Liz Moyer, Swift Defense, FORBES, June 23, 2006, available at http://www.forbes.
56. First Data is the world’s leading processing of credit card and debit card transac-
tions. SUSKIND, supra note 13, at 38.
57. Western Union is the world’s leading wire-transfer service with over 12,000 offices
around the world and controls thirteen percent of the market. See, e.g., id.; Virgil Larson,
First Data Helped FBI After 9/11, OMAHA WORLD-HERALD, June 21, 2006, at A1.
58. See SUSKIND, supra note 13, at 209-12.
2008] The Terrorist Finance Tracking Program 561
main processing center, converting First Data’s computers into the
“FBI’s own in-house search engine.”59
But the TFTP was not the first time the United States had
attempted to access information within SWIFT’s databases.60 Prior
to the September 11 attacks, the Treasury Department issued
numerous subpoenas to SWIFT, which the company refused to
honor because they were considered untimely or unduly burden-
some.61 During President Clinton’s second term, the CIA was able
to covertly access SWIFT’s network in its effort to locate Osama bin
Laden.62 When the Treasury Department learned of this unautho-
rized access, it convinced the CIA to halt its activities because of the
concern over potential backlash in the financial community if this
access ever became public.63 Immediately following the September
11 terrorist attacks, the National Security Agency began to inter-
cept wire transfers sent over the SWIFT network.64
The event that was the impetus for TFTP was a conversation
between a senior Bush-administration official and a Wall Street
executive.65 The executive stoked the government official’s inter-
est in pointing out the potential wealth of information contained
within SWIFT’s databases.66 If the Bush administration could con-
vince SWIFT to share their records with federal law-enforcement
officials, the United States would potentially have access to billions
of financial transactions that SWIFT processed and the informa-
tion needed to facilitate those transactions.67 Further bolstering
the Bush administration’s interest in pursuing the information
within these records was the belief that SWIFT’s American CEO,
Leonard Schrank, would be willing to assist the Treasury Depart-
ment in its war against terrorist financing.68
59. See id. at 38-39, 209-11. Once First Data grew skeptical of granting the FBI unfet-
tered access to their records, the Director of the CIA George Tenet appealed to the patriot-
ism of the company’s executives to ensure continued participation. Id. at 209-11.
60. Meyer & Miller, supra note 1.
61. PRIVACY INT’L, supra note 3.
62. Meyer & Miller, supra note 1.
64. Scott Shane, Terrorism Strikes America, The Response, BALT. SUN, Sept. 21, 2001, at
65. Lichtblau & Risen, supra note 1.
66. Id. (noting a Bush administration official who described SWIFT’s databases as the
“Rosetta stone of financial data”).
67. Europe Panel Defers Report on Bank Data, N.Y. TIMES, Sept. 27, 2006, at A20. The
TFTP provided the United States with the potential to access 2.5 billion messages in 2005
alone. PRIVACY INT’L, supra note 3.
68. See Glenn R. Simpson, Politics & Economics: American Executive in Brussels Aided Ter-
rorist-Tracking Program, WALL ST. J., June 24, 2006, at A4.
562 The Geo. Wash. Int’l L. Rev. [Vol. 40
II. THE EVOLUTION OF THE TFTP
The Treasury Department has relied on administrative subpoe-
nas in requesting information from SWIFT.69 An administrative
subpoena does not require prior judicial authorization and only
needs to meet a reasonableness standard instead of the typical
probable-cause standard required for criminal subpoenas.70 The
most important element in determining whether an administrative
subpoena satisfies the four-part test set forth in United States v. Pow-
ell is the purpose of the investigation.71 The Treasury Department
claims the legal justification for the TFTP is Executive Order
13,224’s determination “that a need exists for further consultation
and cooperation with, and sharing of information by, the United
States and foreign financial institutions. . . to enable the United
States to combat the financing of terrorism.”72 Such an important
justification would receive a great deal of deference from a court
reviewing the reasonableness of a subpoena directed to SWIFT.73
The Treasury Department issued its first subpoena to SWIFT in
October 200174 and has subsequently issued at least sixty-three
more subpoenas.75 The subpoenas sought information that SWIFT
had previously transferred to its operating center in the United
States.76 By seeking access to information that was already legally
transferred to the United States, the federal government was
attempting to ensure U.S. law (which provides lax protection for
financial information compared to the European Union’s Data Pri-
vacy Directive) governed the TFTP.77
These initial subpoenas issued by the Treasury Department
sought any information within SWIFT’s possession that the United
States deemed relevant in investigating terrorism.78 The subpoe-
69. Lichtblau & Risen, supra note 1.
70. Katherine Scherb, Comment, Administrative Subpoenas for Private Financial Records:
What Protection for Privacy Does the Fourth Amendment Afford?, WIS. L. REV. 1075, 1076-85
71. United States v. Powell, 379 U.S. 48, 57-58 (1964).
72. Levey Hearing, supra note 28; Executive Order 13,244, 66 Fed. Reg. 49,079.
73. See BRUCE ACKERMAN, BEFORE THE NEXT ATTACK: PRESERVING CIVIL LIBERTIES IN AN
AGE OF TERRORISM 20 (2006) (finding that in dealing with issues relating to the war on
terror courts have “invoked repressive precedents from the gravest wars of the past” to
justify deference to the executive branch’s decisions and policies).
74. SWIFT Statement, supra note 48.
75. PRIVACY INT’L, supra note 3.
77. See United States v. Miller, 425 U.S. 435, 443 (1976) (denying Fourth Amendment
protection to financial records); Ramasastry, supra note 43.
78. PRIVACY INT’L, supra note 3; Article 29 Data Protection Working Party, supra note
7, at 8.
2008] The Terrorist Finance Tracking Program 563
nas issued by the Treasury Department, however, failed to set forth
any specific individuals or particular transactions that the United
States believed were connected to terrorism.79 The wide scope of
these initial subpoenas eliminated the possibility of effective over-
sight.80 In 2003, SWIFT expressed reluctance to continue partici-
pating in a program that had no specific end date and lacked
SWIFT’s concerns led to a meeting among its executives,
then–Federal Reserve chairman Alan Greenspan, and then–FBI
director Robert Mueller to allay the company’s apprehensions.82
The Treasury Department, in response to SWIFT’s concerns,
attempted to build sufficient safeguards into the TFTP to satisfy the
company while maintaining the initiative’s efficacy.83 Concerns
about maintaining the effectiveness of the TFTP was a paramount
concern of Bush-administration officials because prior to SWIFT
voicing its anxiety about participating in the TFTP, information
received from the TFTP played an important role in capturing
Hambali, the mastermind of the 2002 Bali bombings.84 Addition-
ally, the TFTP played a vital role in prosecuting individuals for pro-
viding financial assistance to terrorist organizations.85
The Treasury Department’s main concession to SWIFT was nar-
rowing the definition of terrorism.86 In conjunction with a nar-
rower definition of terrorism, the Treasury Department assured
SWIFT that it would only investigate individuals linked to an ongo-
ing terrorism investigation.87 To satisfy SWIFT that an individual is
a terrorist suspect, the Treasury Department merely has to show
79. PRIVACY INT’L, supra note 3 (calling these subpoenas “carpet-sweepers”).
80. Lichtblau & Risen, supra note 1.
82. Lichtblau & Risen, supra note 1.
83. See, e.g., Following the Money and the Rules, Editorial, N.Y. TIMES, June 24, 2006, at
A14; Lichtblau & Risen, supra note 1.
84. See, e.g., Lichtblau & Risen, supra note 1; Ramasastry, supra note 43.
85. See, e.g., Levey Hearing, supra note 28; Lichtblau & Risen, supra note 1 (discussing
the case of Uzair Parcha, a Brooklyn resident, who was convicted of attempting to launder
$200,000 for Al Qaeda).
86. PRIVACY INT’L, supra note 3. The original definition stated that any person “who
constitutes a risk of violence against Americans, American property, and U.S. and foreign
interests” was a terrorist. The Treasury Department modified the definition of terrorism to
encompass activities which “involv[e] a violent or dangerous act that threatens human life,
property, or infrastructure; and has the goal of intimidating or threatening the civilian
population; influencing the actions of government through mass destruction, kidnapping,
intimidation or hostage taking.” This definition mirrors the one provided in 18 U.S.C.
87. PRIVACY INT’L, supra note 3. However, under the Supreme Court’s plain view doc-
trine, if the Treasury Department discovers evidence of other criminal activity in SWIFT’s
564 The Geo. Wash. Int’l L. Rev. [Vol. 40
that the United States has placed the individual on a terrorist
watch list.88 In an effort to ensure that the Treasury Department
followed these safeguards, the U.S. government and SWIFT agreed
to hire Booz Allen Hamilton, an American consulting firm,89 to
oversee the operations of the TFTP.90 Additionally, the Treasury
Department emphasized TFTP’s inability to monitor routine finan-
cial transactions, such as using an ATM or debit card, as a further
limitation on the program.91 The only reason, however, the Trea-
sury Department cannot access these financial transactions is
because it does not utilize SWIFT’s messaging network.92
To access the information provided by SWIFT, the Treasury
Department has to go through a multi-step process.93 Initially,
SWIFT transfers information from its operating center in Europe
to its storage facility in the United States.94 The Treasury Depart-
ment then sends a subpoena to SWIFT’s facility in the United
States.95 The information provided in response to the subpoena is
placed inside a “black box.”96 To view the information in the
“black box,” the Treasury Department designed a software pro-
gram that enables it to search SWIFT’s data for either suspicious
transactions or participants in financial transactions who were sus-
pected terrorists.97 Furthermore, the Treasury Department cannot
perform searches in real time, as a lag exists between when SWIFT
receives a subpoena and when it transfers the information.98 Fur-
thermore, SWIFT retains the ability to prevent any searches they
consider to be of dubious validity.99
records that evidence would be admissible in the defendant’s criminal trial. See, e.g., Hor-
ton v. California, 496 U.S. 128, 133 (1990).
88. Karen DeYoung, Officials Defend Financial Searches, WASH. POST, June 24, 2006, at
89. Booz Allen Hamilton “is an international technology and consulting firm that is
one of the U.S. government’s main contractors.” Profile of Booz Allen Hamilton, WASH.
POST, http://www.washingtonpost.com/wp-srv/business/post200/2005/BAH.html (last
visited Feb. 1, 2007).
90. Levey Hearing, supra note 28. Strict controls have been put in place, and auditors
have discovered one instance of an analyst running an improper search. Id.
93. PRIVACY INT’L, supra note 3.
97. Id. The FBI and the Treasury Department are using the information obtained
from SWIFT to assist in building a comprehensive terrorist database. Lichtblau & Risen,
supra note 1.
98. PRIVACY INT’L, supra note 3.
2008] The Terrorist Finance Tracking Program 565
These extensive safeguards were still considered insufficient to
provide appropriate safeguards for protecting individual privacy by
many within the European Union.100 The outrage expressed by
many Europeans was greater than the limited media attention and
criticisms directed at the TFTP in the United States.101 Many jour-
nalists assumed the strong negative European reaction to the TFTP
was the product of resentment towards the Bush administration’s
policies in the war on terror.102 This explanation only partially
accounts, however, for the strong reaction towards the TFTP
because it fails to recognize that failing to protect an individual’s
data privacy rights within the European Union is seen as a failure
“to respect the fundamental rights of citizens.”103
III. EVALUATING THE TFTP UNDER THE EUROPEAN UNION’S DATA
A. The Fundamentals of the Data Privacy Directive
The European Union explicitly recognizes privacy as a funda-
mental human right.104 The Data Privacy Directive, adopted in
1995, and which took effect shortly thereafter,105 embraces this
view of privacy.106 The European Union enacted a comprehensive
legislative scheme to govern data privacy because it believed the
100. See generally PRIVACY INT’L, PI LAUNCHES CAMPAIGN TO SUSPEND UNLAWFUL ACTIVI-
TIES OF FINANCE GIANT (2006), http://www.privacyinternational.org/article.shtml?
cmd==x-347-538985; Dan Bilefsky, EU Lawmakers Assail SWIFT over Data Sharing, INT’L
HERALD TRIB., Oct. 5, 2006, at 3; Eric Lichtblau, Europe Panel Faults Sifting on Bank Data,
N.Y. TIMES, Sept. 26, 2006, at A1.
101. See, e.g., Risen, supra note 9. Most of the attention in the United States was
focused on the disclosure of a confidential intelligence initiative by the New York Times.
See, e.g., H.R. Res. 896, 109th Cong. (2006); Letter from John W. Snow, U.S. Secretary of
the Treasury, to Bill Keller, N.Y. Times Managing Editor (June 26, 2006), available at http:/
/www.treasury.gov/press/releases/4339.htm; Byron Calame, Secrecy, Security, the President
and the Press, N.Y. TIMES, July 2, 2006, at A10.
102. See Risen, supra note 9 (singling out the operation of secret CIA prisons in Eastern
Europe and the process of extra-rendition).
103. FRED CATE, PRIVACY IN THE INFORMATION AGE 42 (1997) (quoting Spiros Simitis,
Unpublished Address on Information Privacy and the Public Interest (Oct. 6, 1994)).
104. European Convention on Human Rights art. 8, available at http://www.hri.org/
docsECHR.html (last visited July 11, 2008) (stating that “[e]veryone has the right to
respect for his privative and family life, his home, and his correspondence.”).
105. EU Directive, supra note 6, art. 32(1).
106. See Gregory Shaffer, Globalization and Social Protection: The Impact of EU and Interna-
tional Rules in the Ratcheting up of U.S. Privacy Standards, 25 YALE J. INT’L L. 1, 19 (2000).
Professor Shaffer, however, believes the European Union enacted its Data Privacy Directive
to minimize the competitive advantage U.S. businesses have in processing personal data.
Id. at 18-19.
566 The Geo. Wash. Int’l L. Rev. [Vol. 40
free market failed to provide an appropriate level of protection.107
Commentators claim that the motivation for viewing data privacy as
a fundamental right originates from the Continent’s memory of
Nazi Germany and other totalitarian regimes that used personal
information to identify individuals as members of disfavored
groups and then persecute them.108 The Data Privacy Directive was
enacted to promote two sometimes conflicting objectives: first, pro-
tecting an individual’s right to privacy in their private data and sec-
ond, to promote the free flow of information amongst member
states of the European Union.109 The real concern of the Data Pri-
vacy Directive is to prohibit selling consumer preferences and
profiles to companies.110
The Data Privacy Directive contains eight core principles: pur-
pose limitation, data quality, data security, sensitive data, trans-
parency, data transfer, independent oversight, and individual
redress.111 These principles are designed to ensure that an individ-
ual has the ability to control his or her “public image.”112 These
core principles were developed in an effort to protect an individual
against the media—who may publicize unpleasant or distorted
details about his or her life.113 Professor James Whitman is quick
to point out that this threat to an individual’s right to “informa-
tional self-determination”114 is not limited to the media but
extends to “[a]ny other agent that gathers and disseminates infor-
mation.”115 Thus, the Data Privacy Directive is an attempt to
empower an individual with the tools necessary to regulate what
personal information is disseminated to the public.116
107. Id. at 85 (detailing why data privacy is a public good).
108. Joel R. Reidenberg, The Privacy Obstacle Course: Hurdling Barriers to Transactional
Financial Services, 60 FORDHAM L. REV. 137, 142 (1992).
109. EU Directive, supra note 6, art. 1.
110. James Q. Whitman, The Two Western Cultures of Privacy: Dignity Versus Liberty, 113
YALE L.J. 1131, 1192-93 (noting that Europeans see consumers as “need[ing] more than
cheap goods and services”).
111. Cate, supra note 11, at 185-86. Underlying these eight core concept is the propor-
tionality principle, which requires “the government’s legitimate interference with privacy
be proportional.” Bignami, supra note 14, at 642.
112. Whitman, supra note 110, at 1161 (2004).
116. Id. See Spiros Simities, From the Market to the Polis, The EU Directive on the Protection of
Personal Data, 80 IOWA L. REV. 445, 452 (1995) (finding the Data Privacy Directive was a
response to the private enterprises collecting and processing of personal data by private
2008] The Terrorist Finance Tracking Program 567
The Data Privacy Directive “covers all private sector processing of
personal data.”117 However, the Data Privacy Directive does not
apply to transfers undertaken for public or state security.118 In fact,
the European Court of Justice invalidated an agreement between
the United States and the Council of the European Union that pro-
vided for direct transfer of trans-Atlantic passenger information
from airlines to the Department of Homeland Security because the
Data Privacy Directive did not cover the activity.119 However, the
structure of the TFTP (where SWIFT transfers information to its
storage center in the United States, and only thereafter does the
Treasury Department subpoena the information) keeps the pro-
gram within the purview of the Data Privacy Directive.
Viewing data privacy as a fundamental right has led the Euro-
pean Union to attempt to impose this view on other countries in
order to ensure that the protections afforded under its Data Pri-
vacy Directive cannot be circumvented.120 Under the Data Privacy
Directive, the European Commission has the ability to prohibit
data transfers to non-E.U. countries who fail to provide “an ade-
quate level of protection” for an individual’s personal data.121 The
United States’ approach to protecting personal data fails to provide
an adequate level of protection.122 In an effort to prevent the
European Union from effectively imposing an information block-
ade, the Department of Commerce and the European Commission
agreed upon regulations, known as the “Safe Harbor Principles,”
which govern how the Data Privacy Directive applies to American
117. Shaffer, supra note 106, at 13.
118. See EU Directive, supra note 6, art. 3(2) (providing a list of limited activities to
which the Data Privacy Directive does not apply).
119. C-317/04, European Parliament v. Council of the European Union 2006, C-318/
04, European Parliament v. Commission of European Commission, available at http://
120. See Shaffer, supra note 106, at 85.
121. EU Directive, supra note 6, art. 25. Article 25(2) provides that the determination
of whether a third party country provides a sufficient level of protection “shall be assessed
in light of all the circumstances surrounding a data transfer operation or set of data trans-
fer operations particular consideration shall be given to the nature of the data, the pur-
pose and duration of the proposed processing operation or operations, the country of
origin and country of final destination, the rules of law, both general and sectoral, in force
in the third county in question and the professional rules and security measures which are
complied with in that country.” Id.; see Working Party on the Protection of Individuals with
Regard to the Processing of Personal Data, Transfers of Personal Data to Third Countries:
Applying Articles 25 and 26 of the EU Data Protection Directive (July 24, 1998), available at
122. See, e.g., Article 29 Data Protection Working Party, supra note 7, at 22; Barbara
Crutchfield George et al., U.S. Multinational Employers: Navigating Through the “Safe Harbor”
Principles to Comply With the EU Data Privacy Directive, 38 AM. BUS. L.J. 735, 736 (2001).
568 The Geo. Wash. Int’l L. Rev. [Vol. 40
businesses.123 American financial institutions, however, cannot
avail themselves of the protection afforded by the Safe Harbor
Principles because they apply only to industries regulated by the
Department of Commerce.124
B. The Article 29 Working Party Evaluates the TFTP
The Data Privacy Directive established the Article 29 Working
Party.125 The Article 29 Working Party is responsible for examin-
ing the effectiveness of the Data Privacy Directive in protecting
“the rights and freedoms of natural persons with regard to the
processing of personal data.”126 The findings of the Article 29
Working Party are only advisory in nature; however, they are
accorded substantial deference in determining the European
In evaluating the TFTP, the Article 29 Working Party reached
three distinct conclusions about the legality of the program.128 It
concluded that SWIFT’s decision to store information in the
United States violated the Data Privacy Directive.129 It also deter-
mined that the TFTP was invalid under the Data Privacy Direc-
tive.130 The third, and perhaps most controversial, conclusion was
that any financial institution utilizing SWIFT’s services, after the
public disclosure of the TFTP, had violated the Data Privacy Direc-
tive.131 In response to these findings, the European Data Protec-
tion supervisor informed the European Central Bank that it had
until April 2007 to bring SWIFT into compliance with the Data Pri-
123. George et al., supra note 122. There are seven Safe Harbor Principles which a
company must comply with (1) notice; (2) choice; (3) onward transfer; (4) security; (5)
data integrity; (6) access; and (7) enforcement. U.S. DEP’T OF COMMERCE, SAFE HARBOR
WORKBOOK, available at http://www.export.gov/safeharbor/sh_workbook.html (last visited
Mar. 2, 2007).
124. Tracie B. Loring, Note, An Analysis of the Informational Privacy Protection Afforded by
the European Union and the United States, 37 TEX. INT’L L.J. 421, 452 (2002) (noting that the
Department of Commerce does not have the authority to regulate financial institutions).
125. See EU Directive, supra note 6, art. 29.
126. Id. art. 30(1)(c).
127. Eric Lichtblau, Europe Panel Faults Sifting on Bank Data, N.Y. TIMES, Sept. 26, 2006,
128. Article 29 Data Protection Working Party, supra note 7.
131. Id. at 12-13 (finding that the presence of representatives of financial institutions
on SWIFT’s board of directors should have enabled the institutions to have a significant
input into SWIFT’s decision to cooperate with the United States).
132. Bank Group Is Told to Halt Flow of Data to U.S. Officials, N.Y. TIMES, Feb. 2, 2007, at
2008] The Terrorist Finance Tracking Program 569
Under Article 26 of the Data Privacy Directive, personal informa-
tion can be transferred to a third-party country without adequate
protections for an individual’s private information if the transfer
falls within one of six safe harbor provisions.133 The only safe-har-
bor provision with the potential to legitimize SWIFT’s transfer of
data under the TFTP was that “the transfer is necessary or legally
required on important public interest grounds . . . .”134 In previ-
ously interpreting this safe harbor, the Article 29 Working Party
indicated that this provision must be strictly interpreted, stressing
that a simple public interest was insufficient.135 This gloss was an
attempt to ensure that third-party countries could not easily avoid
the strictures of the Data Privacy Directive.136
The Article 29 Working Party also concluded that SWIFT’s trans-
fer of data to its operating center in the United States and the sub-
sequent transfer to the Treasury Department failed to serve a
crucial public interest.137 This conclusion built upon a decision
issued by the German Constitutional Court in April 2006, which
showed some apprehension about whether the possibility of future
terrorist attacks were sufficient to justify antiterrorism data min-
ing.138 Although the TFTP was an innovation in combating terror-
ist financing and has been instrumental in helping to thwart
terrorist plots,139 the Article 29 Working Party felt that it was a lux-
ury given the existing international mechanisms to combat terror-
ist financing.140 Furthermore, the Article 29 Working Party also
133. EU Directive, supra note 6, art. 26(1). The six safe harbor provisions are: the data
subject has consented to the transfer, the transfer is essential to protect vital interests of a
data subject, the transfer is necessary for the performance of a contract between the data
subject and the financial institution, the transfer is necessary to fulfill a contract between
the financial institution and a third party, the transfer is necessitated by an important pub-
lic interest, and the transfer is made from a register which is intended to provide informa-
tion to the public and which is open to consultation by the public. Id. art. 26(1)(a)-(f).
134. Id. art. 26(1)(d).
135. Working Party on the Protection of Individuals with Regard to the Processing of
Personal Data, supra note 121, at 25.
136. See Shaffer, supra note 106, at 5.
137. Article 29 Data Protection Working Party, supra note 7, at 24-25.
138. Bundesverfassungsgericht [BVerfG], Apr. 4, 2006, 1 BVerfGE para. 158 (requiring
evidence indicating an “imminent and specific endangerment” of a terrorist attack to jus-
tify antiterrorism data mining).
139. See Lichtblau & Risen, supra note 1.
140. Article 29 Data Protection Working Party, supra note 7, at 25. The International
Convention for the Suppression of the Financing of Terrorism made it a criminal offense
to provide or collect money with the knowledge that the funds would be used in the com-
mission of terrorist offenses. International Convention for the Suppression of the Financ-
ing of Terrorism, Dec. 9, 1999, 39 I.L.M. 270 (2000). In 1989, the G7 established the
Financial Action Task Force to establish an international legal regime to combat money
laundering. The Financial Action Task Force’s mandate was expanded after the Septem-
570 The Geo. Wash. Int’l L. Rev. [Vol. 40
examined SWIFT’s interest in having two information storage cen-
ters to guarantee operational efficiency.141 Although the Working
Party recognized the need for dual storage centers, it found that
SWIFT’s interests could still be served by storing the information in
a country with a data privacy regulation regime approved by the
Data transfer and mining occurring under the TFTP would have
still been permissible if these activities were undertaken to further
a legitimate interest of the United States or SWIFT, and the inter-
ests being pursued outweighed an individual’s right to be pro-
tected from unwanted intrusions into his or her private life.143 The
report of the Article 29 Working Group recognized that the United
States has a legitimate interest in combating terrorism.144 The Arti-
cle 29 Working Party concluded, however, that the large amount of
data being clandestinely transferred to the Treasury Department
was indicative of a program that significantly invaded the privacy
rights of individuals.145 Further supporting this conclusion was
SWIFT’s failure to inform financial institutions, their customers,
and the appropriate national data privacy commissioners about the
company’s participation in the TFTP.146 Also, underlying these
concerns was the belief that antiterrorism data mining relied heavi-
ly on a stereotypical terrorist profile.147
Article 6 of the Directive specifies that personal information can
only be processed for a specified purpose, utilized in accordance
with the original reason why an individual released the data, and
retained for no longer than necessary to fulfill that original pur-
pose.148 The Article 29 Working Party concluded that the TFTP
was simply incongruous with these limitations of the Data Privacy
Directive.149 The data transferred to the Treasury Department
from SWIFT was information necessary to facilitate and complete
ber 11 terrorist attacks to establish a global legal regime to combat terrorist finance. Finan-
cial Action Task Force, http://www.faft-gafo.org (Jan. 17, 2007).
141. Article 29 Data Protection Working Party, supra note 7, at 24-25.
143. EU Directive, supra note 6, art. 7(f).
144. Article 29 Data Protection Working Party, supra note 7, at 19.
145. Id. at 19.
146. Id. at 19-20. The Working Party found SWIFT’s failure to notify its customers and
the national data privacy commissioners about the TFTP violated Articles 10, 11, and 18
through 20 of the Data Privacy Directive. Id.
147. See Bignami, supra note 14, at 637 (finding antiterrorism data mining implicates
concerns about discrimination and suppression of speech).
148. See Cate, supra note 11, at 185.
149. Article 29 Data Protection Working Party, supra note 7, at 14-16.
2008] The Terrorist Finance Tracking Program 571
financial transactions.150 The United States’ mining of SWIFT’s
data to identify terrorists violates the purpose limitation, because
the information is not being used to further the original purpose
for which the information was originally released—to complete a
financial transaction.151 Furthermore, long-term retention of the
information transferred by SWIFT to the Treasury Department is
problematic because the information may become inaccurate over
For SWIFT processing and transferring personal data in conjunc-
tion with the TFTP to be considered lawful, its activities needed to
fulfill one of the conditions set forth in Article 7 of the Data Privacy
Directive.153 Under Article 7, the best justification for SWIFT’s
activities was that its participation in the TFTP was necessary to
comply with the company’s legal obligations.154 Because SWIFT
has an operations center in the United States, it was subject to the
United States’ legal requirements and was thus required to
respond to the compulsory subpoenas issued by the Treasury
Department.155 In evaluating the implementation of whistle-blow-
ing schemes mandated by Sarbanes-Oxley,156 the Article 29 Work-
ing Party concluded that “an obligation imposed by a foreign legal
statute or regulation . . . may not qualify as a legal obligation by
virtue of which data processing in the EU would be made legiti-
mate.”157 Therefore, under the Article 29 Working Party’s prece-
150. Id. at 7.
152. Bignami, supra note 14, at 638 (detailing the harmful consequences that may arise
when the government is mining inaccurate information). These concerns are why the
Data Privacy Directive attempts to limit how long a business or government retains per-
sonal information. See id. at 648. Prior to the June Agreement between the European
Union and the United States, the Treasury Department could retain SWIFT’s information
for as long as it desired. See Lichtblau & Risen, supra note 1.
153. EU Directive, supra note 6, art. 7. The Article 29 Working Party considered three
possible justification for the Terrorist Finance Tracking Program: the data processing was
necessary for the performance of a contract; the data processing was necessary for compli-
ance with a legal obligation to which the controller is subject; and the data processing was
necessary for the purposes of a legitimate interest pursued by the controller. Id. art. 7(b),
154. See EU Directive, supra note 6, art. 7(c).
155. SWIFT Statement, supra note 48. Because SWIFT maintained significant eco-
nomic assets in the United States the mere threat they would be frozen ensured coopera-
tion with the Treasury Department. See Bignami, supra note 14, at 674. The European
Parliament criticized SWIFT for not foreseeing that having a presence in the United States
would lead to this sort of problem. See Dan Bilefsky, Europeans Berate Bank Group and Over-
seer for U.S. Access to Data, N.Y. TIMES, Oct. 5, 2006, at A15.
156. Sarbanes-Oxley Act of 2002, 15 U.S.C. §§ 78(j)-(1), 301(m)(4) (2002).
157. Article 29 Working Party, Opinion 1/2006 on the Application of EU Data Protec-
tion Rules to Internal Whistleblowing Schemes in the Fields of Accounting, Internal
572 The Geo. Wash. Int’l L. Rev. [Vol. 40
dent, SWIFT’s obligation to respond to the Treasury Department’s
subpoenas was insufficient to satisfy the requirements of the Data
Privacy Directive.158 At the conclusion of its report, the Article 29
Working Party set forth a series of ideas to help to ensure SWIFT’s
compliance with the Data Privacy Directive.159
The June 2007 agreement between the European Union and the
Bush administration provides that the Treasury Department will
attempt to respect the Data Privacy Directive, retain information it
receives from SWIFT for a maximum of five years, and strictly limit
the use of the TFTP to investigating terrorism.160 The European
Union will compel financial institutions that utilize SWIFT’s mes-
saging services and that are within its jurisdiction to inform their
customers of the United States’ ability to access the personal data
in that institution’s possession, and appoint an individual to assure
the Treasury Department honors these safeguards.161
But as demonstrated in the controversy over the transfer of air-
line passenger information to the U.S. Customs and Border Protec-
tion Agency, such ad hoc agreements have been viewed skeptically
within the European Union.162 This skepticism is a product of
viewing data privacy as a fundamental right which cannot be “bar-
gain[ed] about.”163 Such absolutism, however, is misplaced and
dangerous because it both fails to allow for the necessary flexibility
to address the substantial challenges that have arisen since the
Data Privacy Directive’s enactment as well as overlooks the myriad
of circumstances in which a person’s interest in their personal
information are implicated.164
Accounting Controls, Auditing Matters, Fight Against Bribery, Banking, and Financial
Crime (Feb. 1, 2006) at 8. The motivating factor behind this ruling is concern that these
external legal obligations would be used a pretext to evade the strictures of the Data Pri-
vacy Directive. Id.
158. Article 29 Data Protection Working Party, supra note 7, at 18-19.
159. Id. at 28-29 (stressing the need for the eleven central banks overseeing SWIFT to
clarify their role and for financial institutions which use SWIFT’s messaging service to
inform clients that their information may be accessed by the United States).
160. Risen, supra note 9.
162. See Opinion 6/2004 of the Article 29 Data Protection Working Party on the Imple-
mentation of the Commission Decision of 14-V-2004 on the Adequate Protection of Per-
sonal Data Contained in the Passenger Name Records of Air Passengers Transferred to the
United States’ Bureau of Customs and Border Protection (June 22, 2004), http://
163. FRED CATE, PRIVACY IN THE INFORMATION AGE 42 (1997) (quoting Spiros Simitis,
Unpublished Address on Information Privacy and the Public Interest (Oct. 6, 1994)).
164. See Shaffer, supra note 106, at 20 (detailing equity and efficiency concerns that
arise from making data privacy a fundamental right).
2008] The Terrorist Finance Tracking Program 573
IV. THE FAILINGS OF THE DATA PRIVACY DIRECTIVE
A country possesses the greatest authority to infringe upon its
citizens’ civil liberties during wartime.165 But controversy often
arises when the government attempts to achieve the appropriate
balance between protecting civil liberties and ensuring the safety of
the populace.166 The United States’ experience has shown that
measures sacrificing civil liberties during times of war—most nota-
bly the internment of Japanese-Americans during World War II—
are often unjustified or insufficiently tailored to meet a particular
crisis.167 In evaluating these measures, critics are afforded the
opportunity to review the government’s conduct after the crisis has
passed and no further attacks have occurred.168 The United States
has not been alone in curtailing civil liberties after the September
11 terrorist attacks.169 The European Union has also attempted to
restrict the protection of civil liberties afforded the citizens of its
The Data Privacy Directive is also engaged in a balancing act,
attempting to protect the privacy rights of individuals while
allowing for a seamless stream of information.171 By balancing the
wrong interests, the Data Privacy Directive and those regulations
165. See, e.g., Haig v. Agee, 453 U.S. 280, 307 (1981) (stating it is “obvious and unargu-
able that no governmental interest is more compelling than the security of the Nation”)
(internal quotations omitted); WILLIAM H. REHNQUIST, ALL THE LAWS BUT ONE: CIVIL LIB-
ERTIES IN WARTIME 218 (2000).
166. See Emanuel Gross, The Struggle of a Democracy Against Terrorism-Protection of Human
Rights: The Right to Privacy Versus the National Interest-The Proper Balance, 37 CORNELL INT’L
L.J. 27, 29 (2004).
167. See, e.g., Korematsu v. United States, 323 U.S. 214 (1944); David Cole, Judging the
Next Emergency: Judicial Review and Individual Rights in Times of Crisis, 101 MICH. L. REV. 2565,
2591-92 (2003) (noting Congress’ “overwhelming approval of the Smith Act and the Inter-
nal Security Act during the McCarthy era and . . . the Patriot Act in the current era . . .
illustrate legislators are exceedingly unlikely to stand up against executive power in the
name of civil liberties during emergencies”).
168. See Duncan v. Kahanamoku, 327 U.S. 304, 351 (1946) (Burton, J., dissenting)
(accusing the majority of using the hindsight of 1946 to overturn the convictions of civil-
ians by military tribunals in Hawaii while the territory was under military rule).
169. See Gross, supra note 166, at 77-88.
170. See, e.g., Council Directive 2006/24 2006 O.J. (L105) 54 (EC) arts. 4, 6 (requiring
companies which provide electronic communication services to retain data relating to
phone calls, emails, and other communications for up to two years and make the informa-
tion available to the national police). The motivation behind this Council Directive was to
provide law enforcement with the information needed to combat terrorism. Id. art. 1.
171. See, e.g., Loring, supra note 124, at 432; Shaffer, supra note 106, at 20 (listing the
interests the Data Privacy Directive balances against data privacy).
574 The Geo. Wash. Int’l L. Rev. [Vol. 40
modeled after it are hindrances in the war on terror and impedi-
ments to global economic development.172
President Bush has commented that the September 11 terrorist
attacks “changed everything.”173 As demonstrated by Executive
Order 13,224 and the PATRIOT Act, Americans have been willing
to give the government the allegedly necessary tools for law
enforcement to protect the populace against another terrorist
attack.174 The European Union, however, has been unwilling to
embrace extensive anti-terrorist monitoring initiatives for fear of
infringing on an individual’s right to data privacy.175 In protecting
information voluntarily shared with a third party, the Data Privacy
Directive should emulate the level of protection afforded in the
United States.176 This deferential approach is justified for pro-
grams like the TFTP, which represent only limited intrusions into
an individual’s privacy and provide sufficient operational safe-
guards to ensure the initiative is not mismanaged.
A. The United States’ Approach to Voluntarily Conveyed Data
The safeguards that the U.S. Constitution affords to individual
data privacy are sufficiently malleable to adapt to varying circum-
stances.177 Under the Fourth Amendment,178 a search occurs
172. See Shaffer, supra note 106, at 17-20 (explaining the impact the Data Privacy Direc-
tive has on businesses and the deleterious impact it has on efficiency).
173. Press Release, President Bush and Prime Minister Allawi Press Conference (Sept.
23, 2004), http://www.whitehouse.gov/news/realeases/2004/09/20040923-8.html. See
also John Yoo, War, Responsibility, and the Age of Terrorism, 57 STAN. L. REV. 793, 816 (2004)
(asserting “[t]he world after September 11, 2001 . . . is very different . . . .”).
174. See James X. Dempsey & Lara M. Flint, Commercial Data and National Security, 72
GEO. WASH. L. REV. 1459, 1477-82 (2004) (detailing the changes wrought by the USA
PATRIOT Act to federal data privacy legislation).
175. Whitman, supra note 110, at 1160-62.
176. Some may disagree with the conclusion that the sharing of information with a
financial institution is not a private event because the privacy law of the European Union
intends to shield individuals from public indignity. Whitman, supra note 110, at 1160-62.
However, providing the full panoply of protection under the Data Privacy Directive is inap-
propriate for information that is voluntarily disclosed.
177. See Orin Kerr, Four Modes of Fourth Amendment Protection, 60 STAN. L. REV. 503, 507
(2007). U.S. law is especially relevant to the dilemma faced by companies in a situation
comparable to that faced by SWIFT because multinational businesses have a connection to
the United States and thus provides a basis for the United States to seek to apply its laws.
See Bignami, supra note 14, at 674 (detailing the economic leverage the United States has
exerted in the controversy over the TFTP and the transfer of airline passenger data).
178. The Fourth Amendment states “[t]he right of the people to be secure in their
persons, houses, papers, and effects, against unreasonable searches and seizures, shall not
be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or
affirmation, and particularly describing the places to be searched, and the persons or
things to be seized.” U.S. CONST. amend. IV.
2008] The Terrorist Finance Tracking Program 575
when the government intrudes on a person’s “reasonable expecta-
tion of privacy.”179 To determine whether an individual has a “rea-
sonable expectation of privacy,” an individual must have a
subjective expectation of privacy in the information and society
must recognize such expectation as reasonable.180 The Supreme
Court has concluded that an individual does not have a reasonable
expectation of privacy in information that he or she “voluntarily
conveys” to a third party.181 Thus, in United States v. Miller, the
Supreme Court held that financial information conveyed to a bank
did not qualify for Fourth Amendment protection.182
Two years after the Supreme Court’s decision in Miller, Congress
passed the Right to Financial Privacy Act (RFPA) in an effort to
provide some privacy protections to customers of financial institu-
tions.183 The RFPA typically requires the government to obtain a
customer’s consent prior to accessing an individual’s financial
records.184 Under the RFPA no notice is needed, however, if an
individual’s financial records are “sought for foreign counter intel-
ligence purposes to protect against international terrorism or clan-
destine intelligence activities.”185
Under the United States’ legal regime, administrative officials
have defended the program on the belief that the TFTP did not
infringe on the privacy of financial customers.186 In a lawsuit filed
in the U.S. District Court for the Northern District of Illinois, Chief
Judge James F. Holderman denied SWIFT’s motion to dismiss the
179. Katz v. United States, 389 U.S. 347, 361 (1967) (Harlan, J., concurring).
180. See id. at 361-62.
181. See Miller, 425 U.S. at 443. Commentators have concluded there is no distinction
between information that is given directly to the government and the government “min-
ing” data provided to computer databases. See, e.g., Chris Jay Hoofnagle, Big Brother’s Little
Helpers: How Choicepoint and Other Commercial Data Brokers Collect and Package Your Data for
Law Enforcement, 29 N.C.J. INT’L. & COM. REG. 595, 622 (2004); Daniel J. Solove, Digital
Dossiers and the Dissipation of Fourth Amendment Privacy, 75 S. CAL. L. REV. 1083, 1137-38
182. Miller, 425 U.S. at 442-43 (finding the defendant by utilizing the bank’s services
assumed “the risk . . . the information will be conveyed to the government”).
183. Right to Financial Privacy Act, 12 U.S.C. §§ 3401-3422 (2000 & Supp. I 2003); see
Gouvin, supra note 38, at 521.
184. Right to Financial Privacy Act, 12 U.S.C. §§ 3401-3402.
185. Id. § 3414(a)(5)(A).
186. See, e.g., Richard A. Clarke & Roger W. Cressey, A Secret the Terrorists Already Knew,
N.Y. TIMES, June 30, 2006, at A23 (finding international initiatives against money launder-
ing “combined with treaties and international agreements, should leave no one with any
presumption of privacy when moving money electronically between countries”); Ramasas-
try, supra note 43, at 3. But see Eric Lichtblau, US Cites ‘Secrets’ Privilege as It Tries To Stop Suit
on Banking Records, N.Y. TIMES, Aug. 31, 2007 (noting that privacy advocates have
denounced the program).
576 The Geo. Wash. Int’l L. Rev. [Vol. 40
case, finding that the plaintiffs’ allegations could proceed without
ruling on the merits.187 When reviewing the voluntary conveyance
of information to an institution for the purpose of initiating finan-
cial transactions, courts have found that customers assume the risk
that the information could be used for purposes inimical to the
owner’s intentions.188 In Walker v. S.W.I.F.T. SCRL, the court
found this principle inapplicable because unrestricted access to
individuals’ bank records through a secret government initiative
operating outside the legal system is constitutionally problem-
atic.189 The opinion in Walker significantly downplays the fact that
SWIFT released information only in response to subpoenas from
the Treasury Department190 and that SWIFT had the ability to chal-
lenge the validity of these subpoenas in federal court.191
The United States has given law enforcement great latitude to
pursue those that finance terrorism.192 In an effort to ensure
financial institutions cooperate with law enforcement, Executive
Order 13,224 provides the Treasury Department with the option of
freezing a company’s assets.193 Thus, it would appear foolish for a
company to try to resist cooperating with the United States in the
war on terror because of concerns about violating the legal rights
of their customers.194 While some may be wary of this power of
persuasion, it provides a meaningful tool for the United States to
187. Walker v. S.W.I.F.T. SCRL, 491 F. Supp. 2d 781, 790-92 (N.D. Ill. 2007). The case
was subsequently transferred to the Eastern District Virginia and SWIFT has brought a
motion for a reconsideration of Judge Holderman’s ruling. Lichtblau, supra note 186.
188. See Miller, 425 U.S. at 443.
189. Walker, 491 F. Supp. 2d at 790-91. The Court found the Fourth Amendment
applied to SWIFT even though a private actor because of the allegation that SWIFT had
turned over all of its record to the Treasury Department in response to the subpoenas it
received. Id. A recent decision from the U.S. District Court for the Southern District of
New York addressing a legal challenge to the TFTP dismissed the case because the plaintiff
lacked standing. Amidax Trading Group v. S.W.I.F.T. SCRL, No. 08 Civ. 5689(PKC), 2009
WL 361949, at *1 (S.D.N.Y. Feb. 13, 2009).
190. SWIFT Statement on Compliance Policy, http://www.swift.com/
index.cfm?item_id=59897 (June 23, 2006) (“In the aftermath of the September 11th
attacks, SWIFT responded to compulsory subpoenas for limited sets of data . . . .”).
191. See United States v. Bailey, 228 F.3d 341, 348 (4th Cir. 2000) (holding that an
administrative subpoena initiates the adversarial process thereby allowing a court to review
the subpoena before the party that received the subpoena is penalized for
192. See Donohue, supra note 16, at 372-75.
193. Id. at 377-78.
194. See Ramasastry, supra note 43, at 3.
2008] The Terrorist Finance Tracking Program 577
guarantee that a corporation will cooperate in a program that the
United States deems relevant to its national security.195
In the United States, the PATRIOT Act and Executive Order
13,224 have tipped the balance between law enforcement and civil
liberties firmly in the direction of law enforcement.196 Both con-
servatives and liberals have criticized the PATRIOT Act as an unjus-
tified intrusion into the private lives of Americans.197 Advocating
that the European Union adopt the United States’ approach to
data privacy protection does not require member states to embrace
legislation like the PATRIOT Act.198 Instead, it requires the Euro-
pean Union to weaken the protection it affords certain informa-
tion voluntarily shared with a third party, which would not
undermine the Data Privacy Directive’s concern for protecting an
individual’s right to “informational self-determination.”199
B. The Inconsistencies of Applying the Data Privacy Directive
to the TFTP
The right of an individual to control publicly available informa-
tion about themselves must have limits.200 If an individual has an
unfettered right to control the information disclosed to the public,
it would inhibit the ability of the government to carry out many of
its core functions.201 Although the Data Privacy Directive recog-
nizes the importance of these core governmental functions, Euro-
pean courts and advocates of privacy downplay their importance by
195. SWIFT’s participation in the TFTP despite concerns about violating the Data Pri-
vacy Directive and Belgian law shows how powerful this leverage can be. See Bignami, supra
note 14, at 674.
196. See, e.g., Gouvin, supra note 38, at 540-41; Gross, supra note 166, at 73.
197. Amy Borus, When Right and Left See Eye-to-Eye, BUS. WK., Nov. 5, 2001, at 88.
198. On October 2, 2001, the European Commission proposed a regulation allowing
funds of suspected terrorists to be frozen and denying access of the financial system to
suspected terrorists. In order to fulfill this obligation, member nations of the European
Union were provided with the authority to make financial institutions to provide any rele-
vant information. Proposal for a Council Regulation on Specific Restrictive Measures
Directed Against Certain Persons and Entities with a View to Combating Terrorism, COM
(01)569, art. 12.
199. Whitman, supra note 110, at 1161.
200. See Richard Posner, The Right to Privacy, 12 GA. L. REV. 393, 399 (1978) (“Much of
the demand for privacy . . . concerns discreditable information concerning past or present
criminal activity or moral conduct at variance with a person’s professed moral standards.
And often the motive for concealment is . . . to mislead those with whom he transacts.”).
201. The Data Privacy Directive recognizes that a right to control a person’s publicly
available information is often inconsistent with a Country’s security concerns and thus
tends to exempt the processing of personal data for “public security, defense, State secur-
ity . . . and the activities of the State in areas of criminal law.” EU Directive, supra note 6,
578 The Geo. Wash. Int’l L. Rev. [Vol. 40
“employ[ing] a fundamental rights discourse . . . to enhance the
relative importance of their concerns.”202 This undervaluation,
coupled with an emphasis on the potential deleterious conse-
quences of governmental information gathering203 indicates that
absent specific information identifying a specific target and date,
the government’s ability to combat terrorism could be significantly
curtailed. Such stringent restrictions are inappropriate for antiter-
rorism programs like the TFTP, which contain comprehensive safe-
guards and seek information a person has voluntarily shared with
The information that the Treasury Department accesses from
SWIFT is simple factual data, such as a person’s name or date of
birth, which people routinely reveal to governmental agencies,
credit card providers, and websites.204 It seems arbitrary to afford
protection to some voluntary conversations, such as a conversation
with a bank teller to complete a financial transaction, but not to
impose similar restrictions on conversations with friends.205 Recog-
nizing this untenable position, the European Council and Parlia-
ment now requires all lawyers, accountants, and notaries to inform
law-enforcement authorities of suspicious financial transactions.206
The member nations of the European Union have a valid con-
cern that foreign jurisdictions may not provide the same level of
protection afforded by the Data Privacy Directive.207 Nevertheless,
this concern, which was a factor behind the adoption of the Data
Privacy Directive,208 should not apply to the U.S. government when
it is asking for information to combat terrorism. Terrorism threat-
202. Shaffer, supra note 106, at 21. See Bundesverfassungsgericht [BVerfG], Apr. 4,
2006, 1 BVerfge, para. 158 (applying German privacy law to police data mining and con-
cluding due to the importance of data privacy such police activity was only acceptable if law
enforcement had facts to demonstrate an “imminent and specific endangerment of a ter-
203. See, e.g., Bignami, supra note 14, at 637-38.
204. See, e.g., Levey Hearing, supra note 28; Christopher Slobogin, Transaction Surveil-
lance, 75 MISS. L. REV. 139 (2005). The Data Privacy Directive imposes added safeguards
when the information may reveal an individual’s political opinions, religious beliefs, race,
ethnicity, and sexual preferences. EU Directive, supra note 6, art. 8.
205. Contra Miller, 425 U.S. at 451 (Brennan, J., dissenting) (claiming that communicat-
ing information with a bank is not voluntary because it is a prerequisite to participating in
206. European Parliament and Council Directive 2001/97/EC, preamble, 2001 O.J. (L
344/76), art. 2(a) (amending prior Council Directive 91/308/EC on The Prevention of
the Use of the Financial System for money laundering). See Donohue, supra note 16, at
337-38. Financial institutions in the United States are required to file Suspicious Activity
Reports for questionable transactions. Id. at 356.
207. Loring, supra note 124, at 435.
2008] The Terrorist Finance Tracking Program 579
ens both the United States and the European Union. Thus, a
mutual interest exists in exchanging intelligence that may help to
prevent a terrorist attack.209 The European Union should not have
concerned itself with the activities of the TFTP because the
restraint of the Treasury Department in conducting searches,210
combined with the important national security interests served by
the TFTP211 as well as the extensive safeguards that were in place
prior to June 2007 to satisfy SWIFT, mitigates such concerns.212
The steps the Treasury Department must go through before
accessing the information transferred from SWIFT ensure an indi-
vidual’s privacy is respected.213 Requiring the Treasury Depart-
ment to limit its searches to ongoing terrorism investigations and
providing SWIFT with the opportunity to object to any search helps
minimize the risk of false positives and sharpens the focus of an
investigation.214 These two features combine to make the TFTP
superior to the European Union’s decision to rely on the accoun-
tants, notaries, and lawyers to protect the integrity of its financial
system. As demonstrated by the United States’ experience—
requiring financial institutions to file Suspicious Activity Reports
for questionable transactions—this approach leads to law enforce-
ment being inundated with information about individuals that
have no connection to terrorism because of concerns about being
subjected to liability.215
The United States’ desire to protect itself against terrorist attacks
is a weighty interest that should override the protection afforded
by the Data Privacy Directive to factual information that was volun-
tarily conveyed to a third-party.216 The need to “starve the ter-
209. See, e.g., S.C. Res. 1269, U.N. Doc. S/RES/1269 (Oct. 19, 1999) (calling for the
member of the United Nations to “cooperate with each other . . . to prevent and suppress
terrorist acts . . . [to] prevent and suppress in their territories through all lawful means the
preparations and financing of any acts of terrorism . . . [and to] exchange information”).
210. There has only been one instance of an improper search being conducted. Licht-
blau & Risen, supra note 1. Furthermore, there has been independent oversight of the
TFTP. See id.
211. See Statement of Treasury Secretary John W. Snow on Disclosure of the Terrorist
Finance Tracking Program, June 22, 2006, available at http://www.treas.gov/press/
releases/js4332.htm (“[The TFTP] is not a ‘fishing expedition,’ but rather a sharp har-
poon aimed at the heart of terrorist activity.”).
212. See Lichtblau, supra note 8.
213. See Statement of Treasury Secretary John W. Snow on Disclosure of the Terrorist
Finance Tracking Program, supra note 211.
214. See, e.g., PRIVACY INT’L, supra note 3; Levey Hearing, supra note 28.
215. See, e.g., Donohue, supra note 16, at 374; Gouvin, supra note 38, at 527 (noting
both Rush Limbaugh and Senator Bob Dole were investigated for money laundering).
216. Many claim the September 11 terrorist attacks and the War on Terror have cre-
ated a threat “to the national and constitutional survival of the United States.” See Michael
580 The Geo. Wash. Int’l L. Rev. [Vol. 40
rorists of funding”217 has been a central focus of the war on terror,
as indicated by legislation adopted in the United States and the
international community.218 The information SWIFT provides to
the Treasury Department should be indistinguishable from the
information member nations of the European Union can require
to be turned over to law enforcement under European Parliament
and Council Directive 2001/97/EC.219 Thus, the conflict over the
TFTP is a product of the European Union viewing itself as the “pri-
vacy cop of the world”220 and the United States being unwilling to
provide detailed evidence supporting its suspicions of terrorist
The feelings of distrust between the European Union and the
United States influenced the Article 29 Working Party’s recom-
mendations on the TFTP and the implementation of the require-
ments of Sarbanes-Oxley in the affiliates of American business
located in Europe.222 The Article 29 Working Party itself mani-
fested a distrust of the United States when its report claimed that
the TFTP enabled the Treasury Department to access any informa-
tion held by SWIFT.223 This characterization misrepresents the
Treasury Department and SWIFT safeguards, which only allow
access to the information related to an ongoing terrorism investiga-
tion.224 E.U. attempts to force the United States to terminate the
TFTP embody a refusal to acknowledge that “terrorism has made
our world an integrated community.”225
Stokes Plausen, The Emancipation Proclamation and the Commander in Chief Power, 40 GA. L.
REV. 807, 811 (2006).
217. U.S. DEP’T OF THE TREASURY, supra note 54.
218. See, e.g., Donohue, supra note 16, at 382-89 (detailing various regional and multi-
lateral efforts to combat terrorist financing); U.S. DEP’T OF THE TREASURY, supra note 54.
219. See Directive 2001/97/EC OJ 2001 L344/76 art. 6 (requiring the affected profes-
sion to provide national law enforcement “with all necessary information. . . .”). If an
accountant notices a suspicious transaction while auditing financial information he or she
would conceivably provide factual information like the person’s name, the date of the
transaction, the amount involved, and the individual’s address to the police. See id.
220. Scheer, supra note 14.
221. Donohue, supra note 16, at 381 (noting the obstacle which has prevented the
United States from securing the assistance of its allies in the financial war on terror is its
reluctance to provide evidence because of a fear of compromising sources and intelligence
222. See Article 29 Data Protection Working Party, supra note 7.
223. See id. at 6 (expressing concern that the TFTP was subterfuge for the United States
to engage in economic and industrial espionage).
224. PRIVACY INT’L, supra note 3.
225. PETER SINGER, ONE WORLD: THE ETHICS OF GLOBALIZATION 7 (2d ed. 2004) (2002).
See The Secretary General, Report of the High-Level Panel on Financing for Development, U.N.
GAOR, 55th Sess., Agenda item 101, A/55/100 at 3 (June 26, 2001), available at
www.un.org/esa/ffd/a55-1000.pdf (“In the global village, someone else’s poverty very soon
2008] The Terrorist Finance Tracking Program 581
In evaluating any initiative that seeks to combat terrorism, it is
important to strike an appropriate balance between protecting civil
liberties and providing law enforcement with sufficient resources
to combat terrorism.226 The TFTP is an example of an initiative
that can accommodate these competing interests. The responses
of the members of the European Parliament to the disclosure of
the TFTP, however, demonstrate an unwillingness to compromise
their commitment to data privacy protection.227
As countries model their data privacy regulations on the Data
Privacy Directive,228 they must be aware of the limitations inherent
in the European Union’s approach. The Data Privacy Directive was
drafted in a world that was largely ignorant of the failures of global-
ization.229 If countries blindly copy the Data Privacy Directive to
ensure that the European Union cannot halt the flow of informa-
tion to their country, they are enshrining economic protectionism
by overprotecting an individual’s privacy in financial information
voluntarily transmitted to third parties.230 This economic protec-
tionism, besides having a deleterious economic impact, is prevent-
ing the United States from having access to the necessary tools to
fight the war on terror.
In a globalizing world, the Article 29 Working Party’s decision
that a foreign subpoena cannot serve as a legal justification under
the Data Privacy Directive is untenable. This decision places multi-
national companies in difficult situations; they face potential liabil-
ity for complying with the subpoena under the European Union’s
legal regime, whereas failing to comply with the subpoena subjects
the company to liability in the United States.231 A company placed
in such a situation will attempt to avoid liability by trying to par-
tially accommodate both the United States and the European
becomes one’s own problem: of lack of market for one’s products, illegal immigration,
pollution, contagious disease, insecurity, fanaticism, terrorism.”).
226. See Daniel J. Mitchell, Fighting Terror and Defending Freedom: The Role of Cost-Benefit
Analysis, 25 PACE. L. REV. 219, 220 (2005).
227. Bilefsky, supra note 100. Compare with Lichtblau, supra note 8 (reporting the Civil
Liberties Board found the TFTP contained extensive safeguards to protect privacy).
228. See David Banisar & Simon Davies, Global Trends in Privacy Protection: An Interna-
tional Survey of Privacy, Data of Protection, and Surveillance Laws and Developments, J. MARSHALL
J. COMPUTER & INFO. L. 3, 27 (1999).
229. See ANKIE HOOGVELT, GLOBALIZATION AND THE POSTCOLONIAL WORLD: THE NEW
POLITICAL ECONOMY OF DEVELOPMENT 212 (2d 2001) (1997) (describing radical Islam as a
response to the globalization and the Americanization of the Middle East).
230. See Shaffer, supra note 106, at 46-47
231. See, e.g., Article 29 Data Protection Working Party, supra note 7, at 19.
582 The Geo. Wash. Int’l L. Rev. [Vol. 40
Union. Such an approach, however, will not satisfy either the
European Union, as demonstrated by SWIFT’s participation in the
TFTP,232 or the Bush administration, which does not look kindly
upon what it considers undue restraints on its ability to fight
The Data Privacy Directive represents the E.U. member states’
judgment that the legislation struck the appropriate balance
between the competing interests of data privacy and the need for
information.234 However, the world is more dangerous today than
it was in the mid-1990s when the debate surrounding the Data Pri-
vacy Directive occurred. The United States has been able to use its
economic influence to reach agreements with the European Union
on the TFTP and the transfer customer information on transatlan-
tic flights.235 Such agreements, which may take considerable time
to negotiate, leave companies exposed to liability for assisting the
United States in locating terrorists. Additionally, the liability result-
ing from these agreements probably hampers the willingness of
other corporations to cooperate. The United States should
attempt to use its market power, through the North American Free
Trade Agreement or the World Trade Organization, to convince
the European Union to lessen the protection afforded information
voluntarily transmitted to a third-party, and to be more receptive to
the transfer of that information abroad—especially when the infor-
mation is helpful in combating terrorism.
232. See Bilefsky, supra note 100.
233. See Linda Greenhouse, Detention Cases Before Supreme Court Will Test Limits of Presi-
dential Power, N.Y. TIMES, Apr. 18, 2004, at A20.
234. Loring, supra note 124, at 432.
235. Bignami, supra note 14, at 674.