The European Data Protection Supervisor says
that the European Central Bank (ECB) cannot escape responsibility
for the breach, and that in each of its three roles it had a duty
to prevent such a breach from taking place.
Last year it was revealed that payments agency
SWIFT (Society for Worldwide Interbank Financial
Telecommunication), which processes international financial
transactions on behalf of member banks, had been secretly passing
transaction details to US authorities.
US security services had issued subpoenas to
SWIFT for information they said they needed in their investigations
into potential terrorist attacks in the US. SWIFT allowed the
agencies access to many of its transactions without the knowledge
of the people behind them.
The Data Protection Supervisor said that the
ECB had three duties in relation to the SWIFT case. It was an
overseer, a user and a policy maker.
As one of the central banks meant to oversee
SWIFT's activities, the ECB's powers of persuasion "should be used
to prevent data protection breaches that might hamper financial
stability and to ensure that competent authorities are timely
informed," said the Supervisor's statement.
"The ECB also bears some responsibility for
the way in which its 'clients'' data are processed by SWIFT," said
the statement. "Acting effectively as a joint controller means that
the ECB needs to ensure full compliance with data protection rules
for its clients."
Its third role was as a policy maker. "In that
capacity, it needs to ensure that the architecture of systems does
not allow information on all European payments [to be] transferred
to third country authorities in breach of data protection law," it
said.
SWIFT revealed in September that it had told
the ECB and national central banks about the activity, but that
they had failed to act. "SWIFT informed its overseers but the
overseers didn't feel obliged to inform their governments," a SWIFT
spokesman said.
ECB head Jean-Claude Trichet told a European
Parliament hearing into the matter that the ECB had known, but that
it had not considered privacy part of its job. "The task of
protecting personal data is outside of the remit of the Group's
oversight function, since it is unrelated to the functioning of
market infrastructure and financial stability," Trichet told the
body in October.
Data Protection Supervisor Peter Hustinx said
that the ECB cannot evade responsibility for the breach of privacy.
"Just as other banks, the ECB cannot escape some responsibilities
in the SWIFT case which has breached the trust and private lives of
many millions of people," he said.
"Secret, routine and massive access of third
country authorities to banking data is unacceptable. The financial
community should therefore provide payment systems which do not
violate European data protection laws," said Hustinx.