European bodies discuss the SWIFT case

By EDRi · August 30, 2006

(This article is also available in German)

SWIFT has recently confirmed that it has succeeded in placing some
restrictions on the US Treasury’s programme of obtaining transactional
data from it. However, the company’s activities since 2001 are still
under investigation by several European bodies.

The US Treasury’s programme has been operating by subpoena, without
oversight, after the terrorist attacks of 11 September 2001, with the aim
of tracking down terrorist funding. The US Government has thus gained
access to records, stored in SWIFT data centres all around the world, of
financial transactions performed in more than 200 countries. Concerns were
expressed about the extent and amount of data transferred.

SWIFT announced in August 2006 that the US Treasury had agreed that it
could take only limited sets of data, which could then be searched only for
specific transactions proven to have links to terrorism. The searches will
be audited by SWIFT as well as by an external auditor.

But this is not considered enough by Privacy International (PI), which
launched an international campaign against the SWIFT activities on
28 June 2006 and filed simultaneous complaints with data protection and
privacy regulators in 33 countries. PI still wants proof that “the Treasury
was only able to see records that it knew contained details of terrorist
financial transactions.”

The SWIFT case is also under discussion by several data protection
regulators. On 23 August, European data protection regulators met within the
Article 29 Data Protection Working Party to discuss the case of SWIFT,
hoping they could direct the case into the jurisdiction of EU data
protection law. As security matters are not covered by the EU regulators’
jurisdiction, they cannot intervene in the case of the US subpoenas on
European firms if their purpose is national security.

As most EU member countries extended their implementation of the EU Data
Protection Directive to include security matters, the national Belgian
law has competence over SWIFT in this case. However, the Article 29 Data
Protection Working Party would not like to rely only on the Belgian law,
as in the absence of an EU law, member countries may individually enter
into bilateral agreements with the US for an unrestricted transfer of data.

The Independent State Center for Data Protection of the German federal state
of Schleswig-Holstein (ULD) has already performed an analysis of the SWIFT
transfer of sensitive data to the US Government.

The conclusion of the analysis was that for intra-European transactions, the
transfers of records to the US Government violated a substantial number of
provisions of German and European privacy legislation and should be
stopped immediately.

SWIFT is seen as a data processor for German banks, thus giving the
Commission of Schleswig-Holstein jurisdiction over the case. As regards
the transactions between EU and US banks, the analysis also
states there was no legal basis because of the lack of data protection
safeguards in the U.S.

Thilo Weichert, the head of the ULD, said they expected “banks to create in
the very near future the legal and technical conditions for processing
transfer order data in a permissible fashion.” He stated that proper data
protection regulations were required as well as clear procedures to
establish authority and technical safeguards.

The ULD has given the banks in question until the end of September to
report back to it on the measures adopted.

US authorities had free rein over world’s bank data (22.08.06)
http://www.theregister.co.uk/2006/08/22/terrorist_finance_snoop/

EU may be powerless to stop US snooping (25.08.06)
http://www.theregister.co.uk/2006/08/25/eu_vs_us_snooping/

German Lander Commissioner legal analysis condemns SWIFT transfers to U.S.
(25.08.06)
http://www.privacyinternational.org/article.shtml?cmd[347]=x-347-542162

ULD Opinion on the Swift Case (only in German, 23.08.2006)
http://www.datenschutzzentrum.de/wirtschaft/swift/060825_swift.pdf

Privacy watchdogs: US authorities’ access to SWIFT data must be stopped
(26.08.06)
http://www.heise.de/english/newsticker/news/77305

Update and Q&A to SWIFT’s 23 June 2006 statement on compliance
http://www.swift.com/index.cfm?item_id=60275

EDRI-gram: Terrorist Finance Tracking Program raises privacy questions
(5.07.2006)
http://www.edri.org/edrigram/number4.13/swift