The
Society for Worldwide Interbank Financial Telecommunications
(SWIFT) co-ordinates payments between financial institutions and
has its headquarters in Brussels and offices in the US. The New
York Times revealed in June that it had been passing details of
European banking transactions involving the US to the US Government
since the terrorist attacks in the US of 11th September 2001.
SWIFT has maintained that it acted legally but the Belgian Data
Privacy Commission has said that privacy rules were broken. "The
Commission is of the opinion that SWIFT finds itself in a conflict
situation between American and European law and that SWIFT at the
least committed a number of errors of judgement when dealing with
the American subpoenas," said an unofficial and temporary
translation provided by the Commission.
"It must be considered a serious error of judgement on the part
of SWIFT to subject a massive quantity of personal data to
surveillance in a secret and systematic manner for years without
effective grounds for justification and without independent control
in accordance with Belgian and European law," says the report. "In
this context SWIFT should from the beginning have been aware that,
apart from the application of American law, also the fundamental
principles under European law must be complied with, such as the
principle of proportionality, the limited storage period, the
principle of transparency, the requirement for independent control
and the requirement for an appropriate level of protection."
The report makes reference to another controversial data
transfer deal, that between the European Commission and the US over
the handing over of inbound airline passenger details to the US and
says that SWIFT should have told European authorities what it was
doing.
"The Commission also refers to the international precedent in
the PNR-case. The authorities competent in data protection (the
Commission, its peers and the European Commission) should have been
informed from the beginning, which would have made it possible to
work out a solution at European level for the communication of
personal data to the US, with respect for the above-mentioned
principles which apply under European law. For this purpose, the
Belgian government could have been asked for an initiative at
European level."
A statement from SWIFT said that the behaviour of its US office
was legal, due to "valid and compulsory subpoenas". As regards to
Europe, it said it tried to stay legal. "SWIFT also did its utmost
to comply with the European data privacy principles of
proportionality, purpose and oversight," said a statement.
"The review has raised important issues about the balance
between data privacy for consumer protection purposes and use of
financial data for security and counter-terrorism purposes," said
SWIFT chief executive Leonard Schrank.
Belgian prime minister Guy Verhofstadt said that SWIFT should
have taken more account of Europeans' privacy rights. “SWIFT finds
itself in a conflicting position between American and European
law," he said. “But it should have received stronger guarantees of
privacy protection based on European standards, not by American
standards, which are not as strong.”
Last week a meeting of the 25 European Union data protection
officials expressed "immediate concerns about the lack of
transparency which has surrounded" the transfer deal and agreed to
make a decision next month about what action could be taken. One
option to be considered is the appointment of an independent
auditor to review the case, according to the New York Times.
