Swift: EU privacy enforcers to open data talks with banks

Europe’s banks may be required by EU data protection authorities to warn customers that confidential financial information may be passed to US security agencies.

Europe’s data protection supervisors ruled yesterday that all European banking institutions involved in Swift financial transactions share some responsibility for privacy “violations”.

The "article 29" body of Europe’s data protection chiefs is an advisory body set up under EU law to monitor enforcement and its opinion is set to result in new guidance at national level.

Handovers of banking data to the CIA and US security agencies by the Society for Worldwide Interbank Financial Telecommunication (Swift), an industry-owned consortium, have been found to breach EU law.

Data protection authorities are also warning European banks that use the Swift system that customers should be advised that personal data will be passed on.

“All financial institutions in the EU… have to make sure… that their clients are properly informed about how their personal data are processed and which rights the data subjects have.”

“They also have to give information about the fact that US authorities might have access to such data,” said a statement.

“Data protection supervisory authorities will enforce these requirements in order to guarantee that they are met by all financial institutions on a European level.”

Data talks with banks

Irish data protection commissioner Billy Hawkes will be taking up the issue with Irish banks following this week’s ruling.

“The opinion is an important restatement of the principle that actions taken to combat terrorism and serious crime must be proportionate and respect the individual's right to data privacy,” he said.

“My office will be discussing with Irish financial institutions the action they should take to bring the system they use for international financial transfers into conformity with data protection law.”

Ireland’s deputy commissioner Gary Davies told this website that banks had already approached the authorities for advice and that options might include a requirement for customer consent to pass on data.

The UK’s information commissioner Richard Thomas also attended the “article 29” meeting on Monday and Tuesday, and the British authorities are examining what action to take.

“Richard Thomas was at the meeting and is behind the decision. The next step is something that we are considering at the moment,” said a spokesman for the Information Commissioner’s Office.

Banks called by this website have declined to comment but the European Banking Federation has denied any shared responsibility for data protection on Swift transactions.

“We have always felt until now the matter was for Swift to handle, not for the banks. We have not changed this position,” said a spokeswoman.

Shared responsibility

Europe’s data protection authorities have rejected Swift claims that the consortium, like a post office, is a mere messaging service that is not responsible for the content of messages.

“Swift and the financial institutions bear joint responsibility… with Swift bearing primary responsibility and financial institutions bearing some responsibility for the processing of their clients’ personal data,” said the statement.

“The financial institutions in the EU as data controllers have the legal obligation to make sure that Swift fully complies with the law, in particular data protection law, in order to ensure protection of their clients.”

There have been over two billion Swift transactions in 2006, to date, and the consortium has over 2300 members in 2007 countries across the world.

Two thirds of Swift transactions – 65.8 per cent – are in Europe. This traffic, which involves most banking institutions, has been handed over to US agencies since 2001.

The EU watchdog has called on Swift and banks to halt “hidden, systematic, massive and long-term transfer of personal data” and pledged new efforts by data protection watchdogs to enforce compliance.

“Swift and the financial institutions shall comply with their legal obligations under national and European law. This includes taking steps to ensure that any transfers of personal data are in line with the law.”

“In the case of non-compliance, data controllers can expect to be subject to sanctions imposed by the competent authorities,” said the statement.

The secret handovers of financial data relating to European Swift banking transactions emerged only following June 2006 reports in the New York Times.

US press coverage – despite Washington attempts to gag newspapers – revealed activities that the European central banks and at least one national government were aware of.

Swift response

Speaking to this website, Swift chief financial officer Francis Vanbever regretted that data protection supervisors had not spoken to the consortium – despite offers of talks.

“There are a lot of inaccuracies that we regret. It does not mean we are ready to dismiss the report. We are ready to work with our communities, the banks, to maybe improve transparency of our compliance policy,” he said.

“We regret this report was written without talking to us, that could have made it better.”

Swift has taken issue with claims that information transfers were “systematic and massive”.

“All the data that we have given were for limited and well defined sub-sets of data. Every one of them being subject to a different subpoena,” Vanbever stressed.

“It is not like you would have a subpoena that would say give us all your data for six months… it was always limited, not a systematic permanent system.”

Vanbever insists that Swift had to comply with US subpoenas for information and that central banks were informed.

“Since the 1990s we have a compliance policy that is part of our contractual arrangement with our customers and publicly available on our website.”

“If data are requested by valid subpoenas we have no other choice than providing that data.”

“We informed our board and we informed our overseers, the central banks of the G10. That is our governance… We took a number of steps to make this known to the authorities who had to know.”

Swift is hoping that negotiations between the EU and the US can be quickly opened following Thursday’s data protection report.

“Unless there is a political dialogue companies like us will continue to be caught in the middle. Now that the European commission has received this advice it is time to open that dialogue,” he said.
