The European Parliament has adopted a resolution which admonishes the European Central Bank (ECB) for failing to enforce EU privacy laws against SWIFT (the Society for Worldwide Interbank Financial Telecommunication ) which provided data on financial transactions to U.S. law enforcement. SWIFT is a cooperative of European banks and financial service companies which provides automated systems that enable members to transfer money between and amongst themselves. On a daily basis, SWIFT handles millions of transactions -- many of them cross-border -- totalling trillions of dollars.
The story begins in June 2006 when the New York Times reported that as a part of on-going terrorism investigations, U.S. law enforcement had requested and received from SWIFT access to information on millions and millions of funds transfers made through the messaging system. SWIFT has some operations in the U.S., including a data center with a mirror of all of the transaction data. When American law enforcement served a subpoena on SWIFT seeking access to data in the U.S, SWIFT felt legally obligated to comply. SWIFT explains its actions this way:
SWIFT negotiated with the [U.S. Treasury] over the scope and oversight of the subpoenas. Through this process, it received extraordinary protections and assurances as to the purpose, confidentiality, oversight and control of the limited sets of data produced under the subpoenas. These protections go well beyond and are more stringent than SWIFT’s legal obligations.
Despite the limitations placed on the surveillance effort, the program was heavily criticized, especially in Europe and numerous investigations ensued. Because SWIFT is based in Brussels, the Belgian Privacy Commission looked into the matter and reported its findings. The
Belgian report provides the best description of what exactly US officials asked for and how SWIFT responded. The Commission concluded that SWIFT should have informed European authorities of the American subpoenas before complying.
As far as the communication of personal data to the [U.S. Treasury] is concerned, the Commission is of the opinion that SWIFT finds itself in a conflict situation between American and European law and that SWIFT at the least committed a number of errors of judgement when dealing with the American subpoenas.
SWIFT, however,
strongly disagreed with the Commission's conclusions. The Commission categorized SWIFT as a "data controller" while the group viewed itself merely as a "data processor." SWIFT felt the Commission had misunderstood its role in the financial transactions it facilitates and consequently placed greater obligations upon it than the law requires.
The European Parliament also conducted an investigation. The
Committee on Civil Liberties, Justice and Home Affairs held a
joint hearing with the Committee on Economic and Monetary Affairs on October 4, 2006 on the interception of bank transfer data from SWIFT by US intelligence agencies. In January, Members posed additional
questions to the EU Commission and
to the EU Council regarding their knowledge of and response to the matter. The interrogatory posed to the Council pointedly asks: "Why have the Council and the Member States been passive in an affair where their citizens' data have not been protected and where there is a suspicion of business espionage?"
On November 22, Parliament's Working Party on the Protection of Individuals With Regard to the Processing of Personal Data (often referred to as the Article 29 Working Party or WP29) issued a
opinion which concluded that the provision of bank transfer data by SWIFT to US authorities violated portions of the EU Data Protection Directive. WP29 agreed with the Belgian Commission that SWIFT should be categorized as a data controller with greater
obligations with regard to privacy.
The European Central Bank responded to
Parliament in a January 30, 2007
letter setting out its views of the issues. The Central Bank noted that there is no viable alternative to SWIFT for many transactions. With regard to the use of SWIFT services, the
ECB said it would seek the consent of individual
counterparts in payment transactions before providing their information to SWIFT. In response to suggestions that it take responsibility for ensuring that SWIFT is in compliance with EU data protection rules, the
ECB firmly stated that such oversight is outside of its legal authority.
On February 1, 2007, Peter
Hustinx, the European Data Protection Supervisor issued an
opinion stating that the European Central Bank, as a user and overseer of SWIFT as well as a policy maker, should have exercised appropriate control and supervision over the service. The
EDPS requested that the
ECBurgently explore and promote appropriate solutions in order to clearly bring compliance with data protection rules within the scope of the oversight - to the extent in which lack of compliance may affect financial stability and without prejudice to the competences of relevant national or European data protection authorities - as well as to ensure that rules on confidentiality would not prevent relevant authorities from being duly and timely informed where necessary. This would ensure that on future occasions proper data protection safeguards are taken and that the current lack of transparency is avoided.
The opinion continues:
Furthermore, the EDPS stresses that it would not be acceptable that the architecture of the European payment systems would continue to allow and facilitate that personal data relating to any euro payment between Member States are transferred to third countries in breach of the data protection legislation and made available - routinely, massively, and without appropriate guarantees - to third countries authorities. Therefore, the EDPS calls on the ECB, in cooperation with other central banks and financial institutions, to ensure that European payment systems, and in particular the TARGET systems, are fully compliant with European data protection law.
According to The Register, the
EDPS can take punitive action against the
ECB, but its options are fairly limited. It could bar the central bank from using SWIFT to make payments, but given that there is no alternative for making international payments, that possibility seems remote.
Which brings us back to the
European Parliament's resolution on the SWIFT controversy and, more specifically, on the
ECB's role in policing data protection in the payment system. The resolution endorses the
Hustinx opinion and calls on the
ECB to take the following actions:
- as SWIFT overseer, to explore solutions in order to ensure compliance with data protection rules and to ensure that rules on confidentiality do not prevent information from being supplied in good time to the relevant authorities;
- as user of the SWIFT Net-FIN, to explore solutions to bring its payment operations into compliance with data protection legislation, and to prepare a report on the measures taken no later than April 2007;
- as policymaker, to ensure, in cooperation with central banks and financial institutions, that European payment systems, including the updated 'TARGET2' system for wholesale payments, fully comply with EC data protection law; calls for the ECB to provide the Parliament with the assessment of such compliance.
The ECB is supposed to issue a report in April which will presumably address Parliament's concerns.
