On December 9, 2008, following an extensive two-year review of SWIFT’s messaging service, the Belgian Privacy Commission (DPA) concluded that SWIFT had fully complied with Belgian data protection law. While the Article 29 Working Party and the DPA had previously determined that SWIFT was acting as a co-controller, the DPA, introducing a new concept in data protection law, decided that SWIFT is mainly acting as a mandate (délégué de fait) for the financial community. The financial community and the banks are therefore the data controllers and are liable for compliance with most data protection rules. The DPA consider SWIFT as a data controller for the processing of data for extraction and anonymization of non-identifying data for statistical and analytical purposes. In addition, the DPA decided that Belgian law applies when assessing the data transfers and the level of data protection of the country to which the data is transferred. However, further processing of data physically located in the US (e.g., onward transfer of data to the UST) is subject to only US law. Finally, a series of voluntary measures taken by SWIFT to improve the protection of personal data were also decisive. The full text of the Belgian DPA’s decision (in French) is available here.