Hanspeter Thür, the Federal Data Protection
Commissioner of Switzerland, said that the banks broke data
protection laws when they failed to inform customers that
information was being transferred.
SWIFT (Society for Worldwide Interbank Financial
Telecommunication) manages international payments between banks and
has allowed US authorities to have access to transaction details
since the terrorist attacks in the US of 11th September 2001.
Already the Belgian Data Privacy Commission has said that
Brussels-based SWIFT broke privacy rules in allowing the
information transfer. SWIFT conducts $6 trillion worth of transfers
per day between 7,800 financial organisations.
A European Commission working party of data protection officials
has expressed "concerns about the lack of transparency" surrounding
the programme. The working party will soon decide whether or not to
launch an independent audit of the situation.
News wire AP reports that Thür has said the actions of the Swiss
banks broke data protection laws. He said that the problem was that
data was being passed out of the country without the knowledge of
the data subjects, and to a country with fewer privacy protections
than Switzerland.
The massive Swiss banking industry is famed for its secrecy.
Thür's report contradicts the view of the Swiss finance minister
Hans-Rudolf Merz, who recently said that he believed the actions of
Swiss banks were legal. He said they did not undermine Swiss
sovereignty or break its banking secrecy rules.
The only major report to have emerged to date is the Belgian
Data Privacy Commission's report. "It must be considered a serious
error of judgement on the part of SWIFT to subject a massive
quantity of personal data to surveillance in a secret and
systematic manner for years without effective grounds for
justification and without independent control in accordance with
Belgian and European law," said the report.
"In this context SWIFT should from the beginning have been aware
that, apart from the application of American law, also the
fundamental principles under European law must be complied with,
such as the principle of proportionality, the limited storage
period, the principle of transparency, the requirement for
independent control and the requirement for an appropriate level of
protection," it said.
At that time, a statement from SWIFT said that the behaviour of
its US office was legal, due to "valid and compulsory subpoenas".
As regards to Europe, it said it tried to stay legal. "SWIFT also
did its utmost to comply with the European data privacy principles
of proportionality, purpose and oversight," said a statement.
