The Office of the Belgian Privacy Commissioner has released its report into the subpoena of large quantities of transactional data from the inter-bank SWIFT system: here.

On the basis of her general investigation, the Commission is of the opinion that

• The DPL is applicable to the exchange of data via the SWIFTNet FIN service;
• SWIFT and the financial institutions bear joint responsibility in light of the DPL for the processing of personal data via the SWIFTNet FIN service;
• SWIFT is a data controller of the personal data which are processed via the SWIFTNet FIN service;
• The financial institutions are data controllers as they co-determine the objective and the means to perform payment instructions in the inter-bank traffic. The financial institutions in particular, at an inter-bank level, choose to process financial messages with regard to these payment messages via the SWIFTNet Fin service;
• As far as the normal processing of personal data in the framework of the SWIFTNet FIN service is concerned, SWIFT should have complied with its obligations under the DPL, amongst which, the duty to provide information, the notification of the processing and the obligation to provide an appropriate level of protection conform to articles 21 § 2 of the DPL;

As far as the communication of personal data to the UST is concerned, the Commission is of the opinion that SWIFT finds itself in a conflict situation between American and European law and that SWIFT at the least committed a number of errors of judgement when dealing with the American subpoenas. Iit must be considered a serious error of judgement on the part of SWIFT to subject a massive quantity of personal data to surveillance in a secret and systematic manner for years without effective grounds for justification and without independent control in accordance with Belgian and European law;

• In this context SWIFT should from the beginning have been aware that, apart from the application of American law, also the fundamental principles under European law must be complied with, such as the principle of proportionality, the limited storage period, the principle of transparency, the requirement for independent control and the requirement for an appropriate level of protection. These requirements are indeed formulated in the second paragraph of article 8 of the ECHR, Treaty no. 108, the Directive 95/46/EC and the DPL and are applicable to SWIFT. The Commission also refers to the international precedent in the PNR-case. The authorities competent in data protection (the Commission, its peers and the European Commission) should have been informed from the beginning, which would have made it possible to work out a solution at European level for the communication of personal data to the UST, with respect for the above-mentioned principles which apply under European law. For this purpose, the Belgian government could have been asked for an initiative at European level.

Considering the complexity of the issue and its importance, the Commission remains available to issue further guidance.

The administrator,

(sign.) Jo BARET (sign.)

In the absence of the President, The Vice-President,

Willem Debeuckelaere

For some background: Canadian Privacy Law Blog: US reviews international financial database, Canadian Privacy Law Blog: Privacy Commissioner launches investigation of SWIFT disclosures.

Labels: breach notification, patriot act, privacy, surveillance, swift