BACKGROUND: INADEQUACY OF THE US DATA PROTECTION REGIME: CLEAR TO EVERYONE AFTER SNOWDEN

The Europol – US agreement of 20 December 2002 and the EU – US mutual assistance treaty in criminal matters of 25 June 2003, both concluded in the immediate aft ermath of 9/11, soon set the tone, in that US non-compliance with key EU data protection standards was set aside in favour of enabling EU–US data flows aft er all Neither in terms of police or judicial cooperation could the adequacy of US data protection be established, something required by both the (then) Europol Agreement and Directive 95/46 Purpose limitation (specialty) in the use of data provided by Europol or EU Member States proved an almost nugatory concept, where the US was allowed to freely make use of information that was procured in criminal cases for purely administrative or intelligence purposes.

Later, in 2006, it was revealed that the US Treasury had procured access to worldwide scriptural bank transactions by means of administrative subpoenas vis-a-vis the US hub of the (Belgium-based) Society for Worldwide Interbank Financial Telecommunication (SWIFT) in the context of combating the financing of terrorism, but surely alluding to other (including economic) goals as well Moreover, SWIFT itself defected herein, as its US hub did not endorse the so-called Safe Harbour principles These had been developed in 2000 by the European Commission to ensure that, given that the US data protection regime in itself could not be qualified as adequate, commercial EU – US data transfers would nonetheless be enabled Companies that indicated (and self-certified) their compliance with the principles laid down in the Commission's Safe Harbour Decision, were to be considered as – from a data protection perspective –'safe harbours ‘within US territory, to which EU companies were allowed to transfer data This, however, was not the case for the SWIFT hub in the US, so the Belgian company should have refrained from localising (backup) data in it.