SWIFT, the Society for Worldwide Interbank Financial Telecommunication, was established in Belgium in 1973 and is subject to Belgian law. Of the services that SWIFT provides, it is most widely known for operating a secure electronic messaging system used by banks and other financial institutions to process international bank transfers. It is estimated that SWIFT processes approximately 12 million messages every day between Europe and America relating to personal financial transactions.
SWIFT processes all electronic messages through one of a small number of operation centres. At present, SWIFT has two operation centres: one in the Netherlands, and the other in the US. All messages processed in these centres are automatically stored there and backed up ('mirrored') in another operation centre for 148 days.
In June 2006, the US media exposed a CIA surveillance initiative (the Terrorist Finance Tracking Programme) under which both the CIA and the Office of Foreign Asset Control at the US Treasury Department (USTD) could subpoena access to the data processed by SWIFT. This initiative was set up in 2001, in the aftermath of the 9/11 terrorist attacks, and was ostensibly used to combat terrorism and for the identification of individuals linked to the finance of terrorist activity.
Personal details about the payer and payee, including name, address and account number, were accessible to the CIA and USTD, including personal data generated through transactions within the EU. Accessible personal data was not limited to financial transactions, raising questions about the exact use for the personal data derived from the surveillance. As a result, there were concerns throughout Europe about the data protection issues raised by this initiative.
In September 2006, following the media revelations about the surveillance initiative, the Belgian data protection authority issued a decision against SWIFT stating that the transfer of personal data to the US operating centre breached EU data transfer rules, particularly with regard to limiting the purposes for which the data was transferred. In November 2006, the Article 29 Working Party adopted Opinion 10/2006 on the processing of personal data by SWIFT. In this Opinion, the Working Party stated that while SWIFT was subject to Belgian data protection laws, the financial institutions that used the SWIFT system could also be subject to their local laws when using SWIFT to process transactions relating to European citizens. The Opinion agreed with the Belgian data protection authority that SWIFT was in breach of its data transfer obligations under Articles 7, 10, 11, 18 to 20 and 25 of the Data Protection Directive. Its mirroring of messages in its US operating centre could not be justified under the Directive. The Working Party urged SWIFT and local financial institutions to comply with their local data protection laws, including putting in place suitable arrangements (e.g. Binding Corporate Rules or model contract clauses) for the transfer of personal data to the US, where the receiving institution was not already safe harbor registered.
Despite data protection concerns from Europe, US authorities continued to perceive a need to access the data generated by SWIFT. As such, the US Government agreed certain guarantees with the European Commission and European Council to limit the use of the personal data gathered by SWIFT. These guarantees included: (i) limiting the use of SWIFT's information strictly to anti-terrorism investigations; (ii) prescribing the security requirements for personal data; and (iii) a five-year data retention period for all personal information derived from SWIFT. The US also agreed to the appointment of an independent "eminent European person" to oversee compliance with these guarantees. Judge Jean-Louis Bruguière was appointed in March 2008 to fulfil this role.
These guarantees averted the risk of European banking organisations breaching their European data protection obligations when transferring personal data to the US using SWIFT.
SWIFT is currently working to open its third operating centre, based in Switzerland. Once this centre is operational, SWIFT will no longer transfer data from its European SWIFT members to be mirrored in the US but will deal with intra-European messages in the Netherlands and Switzerland only. Messages will only be transferred to the US where the sender or recipient is based there. This would have put an end to the US authorities being able to carry out surveillance on intra-European personal data sent via SWIFT.
Early in 2009, the European Commission and certain US authorities entered into negotiations to allow the US to access intra-European messages, i.e. those stored in the Netherlands and Switzerland and not routed via the US. If successful, the primary objective for setting up the Swiss operating centre would be undermined. The US is reliant on a Europe-wide agreement for continued access to this data, without which it would have to ensure the goodwill of individual Member States to permit (or at least not prohibit or constrain) this international transfer of data.
That this agreement was negotiated by the European Council and Commission, rather than the Parliament, has caused uproar throughout Europe. As a result, Parliament resolved on 17 September 2009 that any agreement reached between the Council, Commission and the US would not be in force for at least 12 months. The text of the resolution also set out parameters within which negotiations may take place, including Parliament being given full access to all documents forming part of the negotiation process with the US and ensuring that the European data transfer principles are upheld by the US. These parameters reflect the guarantees given by the US in 2007. The CEO of SWIFT, Lázaro Campos, addressed the European Parliament on 3 September 2009 on this issue. In his speech, Mr Campos acknowledged that the safeguards currently in place, as agreed between Europe and the US Government in 2007, should continue. Since both the European Parliament and the European Commission accepted the continued surveillance of European personal data based on these guarantees in 2007, they are likely to be viewed as an adequate foundation for continued surveillance. Unfortunately, a report issued by Judge Bruguière on SWIFT's compliance with these guarantees has been classified by the US Government and has not been published. The Article 29 Working Party has publicly expressed its concerns about the non-publication of this report, in particular whether this indicates a lack of compliance with these safeguards.
Given the Europe-wide acceptance of the 2007 guarantees, it is likely that the Terrorist Finance Tracking Programme will be allowed to continue its surveillance of intra-European messages. However, once the Swiss operating centre is functional, Europe will then house these messages. In addition, as the use of SWIFT is so prolific across the world, any guarantees required by Europe are unlikely to dampen the US interest in these messages. Europe will be in a much stronger bargaining position even than in 2007 and will be able to demand more from the US in order to permit access to those messages. While it remains to be seen whether and to what extent the US will be given access to Europe's messages, it is anticipated that SWIFT's recent data protection history will provide enough incentive for the data protection rights of European citizens to be adequately protected.
Update for 2010
On 1 December 2009 the Lisbon Treaty came into force, under which the European Parliament was given final say on the agreement.
Council Decision 2010/16/CFSP/JHA and the text of the agreement were published in the Official Journal on 13 January 2010. According to the Decision and despite September's Parliamentary resolution declaring that the SWIFT agreement would not be in force for at least 12 months, the agreement will enter into force on 1 February 2010. It is now anticipated that a Parliamentary vote on the (interim) agreement will take place at the beginning of February 2010. However, as the Council handed the text of the agreement to Parliament only on 25 January 2010, it is unlikely that Parliament will vote before the agreement comes into force. As a result, unless the Council agree to delay, SWIFT will be able to benefit from the agreement and transfer data to the US from 1 February 2010 without the endorsement of Parliament.
If accepted by Parliament, the agreement will last for an initial period of nine months. Any subsequent longer-term agreement is likely to more heavily involve the Parliament from the outset in accordance with the Lisbon Treaty.