The European Data Protection Supervisor (EDPS) participated in a public hearing in the European Parliament on "The Interception of Bank Transfer Data from the SWIFT System by the US Secret Services”. The EDPS presented some preliminary observations and provisional findings on ongoing investigations into the case by European data protection authorities. Supporting the key findings of the Belgian Privacy Commission, the EDPS focused on the role of the European Central Bank (ECB). Peter Hustinx, EDPS, said: "We have not concluded our investigation on ECB's role yet, but there are already some observations that I can share publicly. I basically challenge the fact that the ECB continued to allow confidential client banking data to pass to the US although it had become aware of the systematic access by American authorities. Moreover, I cannot help feeling that the ECB should have at least felt morally obliged to inform European governments and authorities about this scheme."
Serious questions have arisen on the routine sharing of financial data by SWIFT with a complete ‘mirror system’ in the US, allowing access through a ‘black box’ arrangement. These questions need further analysis and reflection on compatibility with European data protection law and on different issues of responsibility.
As to the role of the ECB as financial overseer, the EDPS would have expected more initiative to bring this arrangement - of which it was made aware in February 2002 - to the notice of relevant authorities and responsible governments.
As to the role of the ECB as a SWIFT customer, the EDPS could not avoid feeling that it had accepted an inappropriate risk by continuing to transfer financial data through SWIFT after becoming aware of the arrangement with the US authorities.
Referring to the report of the Belgian Privacy Commission, published last week, the EDPS confirmed that European data protection law applies to activities of and via SWIFT. SWIFT should be considered as a responsible controller and not only as a processor. Participating banks should be seen as responsible controllers, each for their own parts of the personal data processing.
The EDPS is available to advise on any measures needed to deal with the present situation.
