The Society for Worldwide Interbank Financial Telecommunications (SWIFT) co-ordinates payments between financial institutions and has its headquarters in Brussels and offices in the US. The New York Times revealed in June that it had been passing details of European banking transactions involving the US to the US Government since the terrorist attacks in the US of 11th September 2001.
SWIFT has maintained that it acted legally but the Belgian Data Privacy Commission has said that privacy rules were broken. "The Commission is of the opinion that SWIFT finds itself in a conflict situation between American and European law and that SWIFT at the least committed a number of errors of judgement when dealing with the American subpoenas," said an unofficial and temporary translation provided by the Commission.
"It must be considered a serious error of judgement on the part of SWIFT to subject a massive quantity of personal data to surveillance in a secret and systematic manner for years without effective grounds for justification and without independent control in accordance with Belgian and European law," says the report. "In this context SWIFT should from the beginning have been aware that, apart from the application of American law, also the fundamental principles under European law must be complied with, such as the principle of proportionality, the limited storage period, the principle of transparency, the requirement for independent control and the requirement for an appropriate level of protection."
The report makes reference to another controversial data transfer deal, that between the European Commission and the US over the handing over of inbound airline passenger details to the US and says that SWIFT should have told European authorities what it was doing.
"The Commission also refers to the international precedent in the PNR-case. The authorities competent in data protection (the Commission, its peers and the European Commission) should have been informed from the beginning, which would have made it possible to work out a solution at European level for the communication of personal data to the US, with respect for the above-mentioned principles which apply under European law. For this purpose, the Belgian government could have been asked for an initiative at European level."
A statement from SWIFT said that the behaviour of its US office was legal, due to "valid and compulsory subpoenas". As regards to Europe, it said it tried to stay legal. "SWIFT also did its utmost to comply with the European data privacy principles of proportionality, purpose and oversight," said a statement.
"The review has raised important issues about the balance between data privacy for consumer protection purposes and use of financial data for security and counter-terrorism purposes," said SWIFT chief executive Leonard Schrank.
Belgian prime minister Guy Verhofstadt said that SWIFT should have taken more account of Europeans' privacy rights. “SWIFT finds itself in a conflicting position between American and European law," he said. “But it should have received stronger guarantees of privacy protection based on European standards, not by American standards, which are not as strong.”
Last week a meeting of the 25 European Union data protection officials expressed "immediate concerns about the lack of transparency which has surrounded" the transfer deal and agreed to make a decision next month about what action could be taken. One option to be considered is the appointment of an independent auditor to review the case, according to the New York Times.