Post-9/11, electronic funds transfer specialist SWIFT agreed to pass US authorities details of Europe-US funds transfers. Publicity in 2006 led to indignation over breaches of data privacy law. Stephen Groom draws out the lessons for data exporters.
Who: Society for Worldwide Interbank Financial Telecommunication ("SWIFT"), the Belgian Privacy Commission and the Article 29 Working Party
Where: Brussels
When: 2001-6
What happened:
The Article 29 Working Party, whose members are the data privacy enforcement bodies of all EU states, has weighed into the continuing controversy over the handling of personal data by Belgium-based SWIFT, the worldwide financial messaging service which facilitates international money transfers.
As part of its standard transfer process in the course of providing its "SWIFTNet FIN" service, SWIFT stores all messages for 124 days at operating centres in the EU and the USA. The messages contain personal data such as the names of the transferor and the transferee of the funds.
So far so unexceptional, you might think, but the case first hit the news in mid-2006 when journalists got wind of an extraordinary arrangement concluded between SWIFT and the US Department of the Treasury ("UST").
SWIFT/US Treasury deal
After 9/11 the UST issued subpoenas requiring SWIFT to give the UST access to this message information. SWIFT complied with the subpoenas, although some limitations on UST access to the messages were negotiated and the UST was bound by a strict non-disclosure agreement.
SWIFT did not disclose these arrangements either to the financial institutions on whose behalf it effected the funds transfers or to the individual parties to the transfers whose data was being shared with the UST.
Following the publicity surrounding the case in June/July 2006, the Belgian Privacy Commission considered the matter and in late September published its verdict.
SWIFT liable as data controller on 4 counts
Firstly, SWIFT was held to be a "data controller" in this context because, in order to provide its services, it was determining the purposes and means of processing the personal data in question.
As such, SWIFT was held to be in breach of Belgian data protection law on at least four counts, as follows:
- the rules on proportionality, for instance the requirement that no more personal data is processed than is reasonably necessary in light of the disclosed purposes for which the data was collected;
- the rule requiring transparency towards data subjects, so that they know what is happening to their data;
- the requirements as to notifying the data privacy authorities of the processing being conducted; and
- the strict controls on the transfer of personal data to non-EU countries which do not offer "adequate" levels of protection for personal data.
The Commission accepted that the war on terrorism was a legitimate interest. Compliance with data protection principles and respect for the fundamental rights and freedoms of data subjects nevertheless remained of the utmost importance, and could prevail over subpoenas issued by public authorities if no adequate guarantees were built in to ensure a "balance of interests".
Article 29 Working Party steps in
In November 2006 the Article 29 Working Party ("WP") stepped in and issued "Opinion 128" with its findings on the case.
First, it held that it was not only SWIFT that was responsible for these matters but also the financial institutions for whose customers SWIFT organised the funds transfers.
These institutions, as data controllers, had a clear obligation, it said, to ensure that SWIFT complied with data protection laws in order to protect their clients. If SWIFT's provision of its service involved transfers of personal data to countries without adequate data protection laws (the data protection laws of the US are not recognised by the EU as "adequate"), it was essential that the individual clients of the financial institutions were informed of these transfers and the attendant risks.
"Hidden, systematic, long term" EU/US data transfer condemned
The transfers of such data to the UST by SWIFT were described by the WP as "hidden, systematic, massive and long term…in a confidential and non transparent manner."
Secondly, the WP emphasised its concern that it was not only the post-9/11 arrangements with the UST that involved breaches of EU data protection law, but also the day-to-day transfer of personal data from the EU to the US that occurred as part of providing the "SWIFTNet FIN" service.
The WP called on all concerned to remedy the situation and in particular exhorted all financial institutions in the EU using the SWIFTNet FIN funds transfer service to ensure that their clients were properly informed about how their personal data was processed and what rights they had. Clients should also be told that the US authorities might have access to that data.
Why this matters:
It is interesting to note that so far there has been no report of SWIFT or any of the other data controllers involved in these matters having been subjected to any fine or other penalty, beyond harsh words, negative publicity and calls to mend their ways. Nor has there been any report of any of the castigated entities appealing or in any other way contesting these findings.
Whether there will be later reports of developments in these areas remains to be seen, but for the moment the case underlines that there is no immunity from EU personal data export rules purely because systems are set up to transfer personal data automatically from one country to another as part of the provision of a requested service.
Data controllers must ensure that such transfers not only use one of the methods of personal data export permitted by the legislation, such as the US transferee being signed up to "safe harbor", but also comply with the "fair and lawful processing" requirements of the first Data Protection Principle. In practice that means telling data subjects, before the data leaves the EU, where it is going, why, and who may gain access to it.