Article 29 Working Party expressed its opinion in the SWIFT case

By EDRi · December 6, 2006

(Dieser Artikel ist auch in deutscher Sprache verfügbar)

On 21-22 November 2006, an opinion was adopted by the Privacy Commissioners
represented by Article 29 Working Group ruling against the Society for
Worldwide Interbank Financial Telecommunication (SWIFT) for having
transferred transaction details to the US.

The Privacy Commissioners wanted to point out again that fighting terrorism
and crime should not lead to limiting citizens’ fundamental rights and
strongly emphasized the need to observe data protection principles.

The Working Group decided that SWIFT, as a corporative company based in
Belgium, was subject to Belgian data protection law that implemented the
European Directive on data protection. It also decided that the financial
institution in EU using SWIFT were in their turn subject to the national
data protection laws implementing the EU directive as well.

The Commissioners considered that SWIFT was the primary responsible for the
processing and mirroring personal data while some responsibility for the
processing of their clients’ data came to the financial institutions. They
also decided that SWIFT had to comply with the EU directive for data
protection and that the financial institutions using SWIFT’s services had to
comply with the national laws on data protection.

Among the obligations, SWIFT must notify the processing and provide an
adequate level of protection for the data transferred. The financial
institutions have the obligation to verify that SWIFT complies with the law
and must have the necessary knowledge on the payment systems with their
characteristics and risks. The Working Party also thought that, for the
purpose of transparency, the financial institutions should advise their
clients in cases when the transfer of their data involved certain risks.

It was considered that SWIFT was also in breach of the EU Directive by
the lack of transparency and efficient control in the data transfer
operations and by not observing the proportionality and necessity principles
as well as the guarantees for the personal data transfer to a third country.

Regarding the transfer of data to the US Treasury, the Working Party
considered that “.. the hidden, systematic, massive and long-term transfer
of personal data by SWIFT to the UST in a confidential, non-transparent and
systematic manner for years without effective legal grounds and without the
possibility of independent control by public data protection supervisory
authorities constitutes a violation of the fundamental European principles
as regards data protection and is not in accordance with Belgian and
European law.”

The Working Party Opinion asks for the immediate cessation of the
infringements by SWIFT and the financial institutions and the compliance
with the European and national laws on data protection.
It also urges the financial institutions to inform their clients on the way
their personal data are processed and to advise them about the fact that US
authorities might have access to these data.

The Commissioners wanted to emphasize again that the terrorism fighting
measures must not limit the fundamental rights of citizens considering that:
“A key element of the fight against terrorism involves ensuring the
preservation of the fundamental rights which are the basis of democratic
societies and the very values that those advocating the use of violence seek
to destroy.”

Press Release on the SWIFT Case following the adoption of the Article 29
Working Party opinion on the processing of personal data by the Society for
Worldwide Interbank Financial Telecommunication (SWIFT) (23/11.2006)