The ECB lacked initiative and moral leadership in its actions after finding out that data was being transferred, said the Supervisor. His office said that the ECB had known about the transfers since February 2002.
"I basically challenge the fact that the ECB continued to allow confidential client banking data to pass to the US although it had become aware of the systematic access by American authorities," said Supervisor Peter Hustinx.
"Moreover, I cannot help feeling that the ECB should have at least felt morally obliged to inform European governments and authorities about this scheme," he said.
The Society for Worldwide Interbank Financial Telecommunications (SWIFT) co-ordinates payments between international banks and has been passing transaction details to US authorities since the aftermath of terrorist attacks in America on 11th September 2001.
Europe's data protection commissioners will decide in the next month whether to launch an investigation into SWIFT. Already the Belgian privacy protection commissioner has said that the transfer of transaction details broke European and Belgian privacy rules.
SWIFT has said that it did not break the law but the Belgian commission, which has produced the first report on the affair, disagrees. "The Commission is of the opinion that SWIFT finds itself in a conflict situation between American and European law and that SWIFT at the least committed a number of errors of judgement when dealing with the American subpoenas," said an unofficial and temporary translation provided by the Commission.
A statement from the office of the EDPS said that the ECB could and should have done more to prevent the continuing potential breach of privacy laws. "As to the role of the ECB as financial overseer, the EDPS would have expected more initiative to bring this arrangement – of which it was made aware in February 2002 – to the notice of relevant authorities and responsible governments," it said.
"As to the role of the ECB as a SWIFT customer, the EDPS could not avoid feeling that it had accepted an inappropriate risk by continuing to transfer financial data through SWIFT after becoming aware of the arrangement with the US authorities," said the EDPS statement.
