EU, US Laws Clash Once Again on Personal Privacy
Last Wednesday in Brussels, a working group comprised of leading European information privacy officials concluded that a major global financial transaction processing organization based in Belgium may have violated EU law in complying with subpoenas from the US Treasury Dept. for information.
The Society for Worldwide Interbank Financial Telecommunications (SWIFT) operates one of the Internet’s principal services for transactions that take place specifically between banks, with an exclusive and secret chunk of Internet namespace devoted to its own purposes. Following the terrorist attacks of 2001, the Treasury Dept. sought information from multiple sources on international transactions of all kinds, with the stated intention of sifting through them in hopes of isolating transactions that relate to terrorist financing.
In 1995, the European Parliament established a directive explicitly detailing the duties of companies based there to protect the private information of their customers and patrons, as well as the duties of member countries to protect their citizens’ information. Directive 95/46/EC spells out the terms by which a business or government can share data with what it classifies as a “third country,” and in this case, the United States is one such entity.
To help enforce the Directive, the EU established what’s called the Article 29 Working Party, made up of the key supervisors of all member states’ ministries whose purview is information security and privacy. Though it’s not a lawmaking body but an advisory panel, its decisions are generally taken at face value.
As the Working Party concluded last week, SWIFT was negligent in its duty to comply with the Directive mainly because it failed to take adequate measures to ensure that the data it was sharing with Treasury would be kept as secret in the US as it would be in the EU.
Citing from the Directive: “The Member States shall provide that the transfer to a third country of personal data which are undergoing processing or are intended for processing after transfer may take place only if, without prejudice to compliance with the national provisions adopted pursuant to the other provisions of this Directive, the third country in question ensures an adequate level of protection.”
The Directive goes on to require a very circumspect examination of the entire inter-country transfer process, including the laws in place within the third country that guarantee the data’s security there. As the Working Party concluded, SWIFT didn’t take enough account of the Treasury Dept.’s computing environment to have been able to guarantee the safety of the data it was giving to the US.
“The financial institutions are responsible for having sufficient knowledge of the different payment systems and their technical and legal characteristics and risks,” wrote WP 29. “If financial institutions did not strive (sufficiently) to obtain such knowledge, they would accept substantial legal and client risks in breach of their fundamental duty of care.”
WP 29 went on to say that there didn’t actually appear to be any safety mechanisms or procedures, particularly in light of the fact that the means by which the Treasury Dept. is supposed to keep data secret...is secret.
“The Working Party is of the opinion that the lack of transparency and adequate and effective control mechanisms that surrounds the whole process of transfer of personal data first to the US, and then to the UST represents a serious breach in the light of the Directive,” reads its decision.
But if that movement was merely allegro, the Working Party’s next movement was allegro vivace: “As far as the communication of personal data to the [US Treasury Dept.] is concerned, the Working Party is of the opinion that the hidden, systematic, massive and long-term transfer of personal data by SWIFT to the UST in a confidential, non-transparent and systematic manner for years without effective legal grounds and without the possibility of independent control by public data protection supervisory authorities constitutes a violation of the fundamental European principles as regards data protection and is not in accordance with Belgian and European law. The existing international framework is already available with regard to the fight against terrorism. The possibilities already offered should be exploited while ensuring the required level of protection of fundamental rights.”
In other words, if the US had wanted to avoid the possibility of clashing with the EU, it could have followed international law in requesting this data, rather than resorting to unilateral subpoenas.
The Treasury Dept., for its part, has not commented. However, SWIFT issued a statement late last week saying it believes it actually did ensure safeguards on the US end prior to transfer. “SWIFT strongly objects to WP 29’s opinion about the communication of personal data to the US Treasury,” its statement reads. “SWIFT acted responsibly within applicable laws by complying with mandatory UST subpoenas for limited sets of data in the US for the exclusive purpose of terrorism investigations. It obtained from the UST extraordinary protections and control mechanisms that met both its obligations to protect the confidentiality of its members’ data and requirements to follow EU and US laws.”
“SWIFT is clearly caught in the middle,” its statement continues, “and supports calls by national and EU officials for cooperation between Europe and the US to develop approaches for dealing with financial intelligence for counter-terrorism purposes while ensuring adequate data protection safeguards.”
SWIFT noted that negotiations between Treasury Dept. and senior EU officials have indeed commenced, though if the past is any indication, officials may not necessarily come away with an agreement on just what it was the parties discussed.
This is neither the first nor likely the last tangle that the US has encountered with regard to data sharing in the wake of terrorist investigations. Last month, an agreement on a system for managing the sharing of airline passenger data was reached, after European airlines were found to be in violation of the Directive for having shared passenger identity data with US Customs and Border Patrol.