European Central Bank found accountable in the SWIFT case

By EDRi · February 14, 2007

(Dieser Artikel ist auch in deutscher Sprache verfügbar)

On 1 February, Peter Hustinx, the European Data Protection Supervisor (EDPS)
gave his opinion on the role of the European Central Bank (ECB) in the SWIFT
case, considering the bank as accountable along with SWIFT for failing
compliance with the European privacy laws in the secret US investigation
into terrorist finances.

By using SWIFT’s services in its own payment operations, the ECB has become
a joint controller being thus co-responsible in ensuring compliance with
data protection rules, meaning observing the purpose limitation principle,
informing to data subjects, and ensuring guarantees at the transfer of
personal data to third countries.

“Just as other banks, the ECB can not escape some responsibilities in the
SWIFT case which has breached the trust and private lives of many millions
of people. Secret, routine and massive access of third country authorities
to banking data is unacceptable. The financial community should therefore
provide payment systems which do not violate European data protection laws”
affirmed Hustinx in a written statement. He gave the ECB until April to
demonstrate that it complies with data protection laws.

However, the ECB does not admit any responsibility in the matter considering
data protection was not its concern but financial stability was. It also
considers the legislators should have given clearer guidance.

“The monitoring of SWIFT activities that do not affect financial stability
is not a matter for central bank oversight and, therefore, the US Treasury
subpoenas of SWIFT were outside the purview of central bank oversight. The
Oversight Group has no authority to oversee SWIFT with regard to compliance
with data protection laws,” was ECB statement.

The bank said it would notify the organisations for whom it conducts
transactions and ask for their consent before sharing their data. It also
appreciated the initative of the EU and US data protection authorities,
intelligence agencies and financial regulators to find a way to properly
monitor international organisations like SWIFT.

The EDPS also addressed the ECB asking them to transfer data to third
parties only when they can guarantee the privacy protection of the owners of
the data transferred. The punitive actions that Hustinx could take against
ECB are limited. As SWIFT has no credible alternative, asking the ECB to
stop using their services would not be a reasonable measure.

EDPS calls on ECB to ensure that European payment systems comply with data
protection law -Press release (1.02.2007)
http://www.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/EDPS/PressNews/Press/2007/EDPS-2007-1-EN_SWIFT.pdf

ECB blamed (again) for SWIFT privacy debacle (1.02.2007)
http://www.theregister.co.uk/2007/02/01/ecb_swift_edps/

Hands off our bank data, Europe tells US (23.11.2006)
http://www.theregister.co.uk/2006/11/23/ec_swift_ruling/

EDRI-gram: SWIFT found in breach of Belgian laws (11.10.2006)
http://www.edri.org/edrigram/number4.19/swift