Following a two-year investigation, the Belgian data protection authority (Privacy Commission) decided on December 9, 2008, to close without further action its proceedings against the Society for Worldwide Interbank Financial Telecommunications (SWIFT).  

SWIFT is a Belgium-based cooperative company that provides worldwide financial messaging services for cross-border money transfers. SWIFT has two operating centers, one in Europe and one in the U.S., where it processes messages that may contain personal data (such as the names of payers and payees).  

In June 2006, press reports revealed that the U.S. Treasury had served subpoenas on SWIFT in order to access certain financial and personal data originating from SWIFT's European operating center. In Europe, the news triggered reactions from data protection authorities indicating that SWIFT and possibly the financial institutions using SWIFT's services breached fundamental principles of EU data protection law.  

The Belgian Privacy Commission assumed jurisdiction because SWIFT's European operating center was located in Belgium and it issued two (preliminary) opinions in which it concluded that, based on the information available at that time, SWIFT was a data controller subject to Belgian law. SWIFT was therefore required to comply with the requirements of the Belgian Data Protection Act, including the duty to inform, to register with the Privacy Commission, and to ensure that there is an adequate level of protection in case of data transfers outside the EEA.  

Following these decisions, the Privacy Commission initiated two proceedings against SWIFT: a verification procedure to confirm its initial findings, and a second procedure to propose recommendations for compliance with the Belgian Data Protection Act. After almost two years of discussions with SWIFT, the Privacy Commission found that SWIFT was in compliance with the Belgian Data Protection Act and closed the proceedings against SWIFT on the basis of, inter alia, the following considerations:  

  • SWIFT cooperated in good faith with the Privacy Commission to reveal all relevant facts, which enabled the Privacy Commission to determine SWIFT's and the participating financial institutions' obligations with regard to the protection of personal data used in financial transactions.  
  • SWIFT agreed to comply with the obligations imposed by the Belgian Data Protection Act, and registered with the Privacy Commission as a data controller (for limited types of data processing only).  
  • SWIFT adopted data protection and security measures that, according to the Privacy Commission, go beyond what is legally required. For instance, SWIFT (1) set up a new operational center in Switzerland for inter-European messages (which are no longer transferred to the United States); (2) appointed a fulltime “privacy officer;” and (3) created a permanent working group for data protection.  
  • According to the Privacy Commission, the financial institutions that constitute the community of users of SWIFT's messaging services are responsible vis-à-vis their customers for compliance with applicable data privacy law. The financial institutions - as opposed to SWIFT - must ensure, for instance, that customers are properly informed about their privacy rights. The Privacy Commission suggested that the financial community in question should create collective rules, preferably guided by the Article 29 Working Party.  
  • SWIFT appeared to be under a legal obligation - imposed by the U.S. Treasury in accordance with the United Nations' procedure for law enforcement cooperation - to disclose specific data to combat international terrorism. The Privacy Commission also found that SWIFT was able to negotiate a strict framework with the U.S. Treasury for the disclosure and use of its messages.  

The SWIFT case is relevant to all multinational companies that transfer personal data from Europe to the United States, for several reasons:

  • The SWIFT case emphasizes the importance for companies involved in complex cross-border data flows to determine at an early stage who is the “data controller” and therefore responsible for compliance with EU data protection rules. The fact that SWIFT did not appear to have a welldeveloped position on this issue is likely to have contributed to the length of the Privacy Commission’s proceedings.
  • It is beneficial to cooperate with national data protection authorities that are conducting compliance investigations. By playing a pro-active role in the course of the Privacy Commission’s proceedings, SWIFT eventually managed to convince the Privacy Commission that there was no longer a compliance issue.  
  • In the absence of an international framework for personal data protection, companies that are trying to comply both with EU data privacy rules and data requests from foreign states find themselves in a difficult position. Or, as the Privacy Commission put it: “private companies are unable to combat the risks alone … the establishment of international regulation and control mechanisms is necessary [now] more than ever…”

FOR MORE INFORMATION

A copy of the decision is available here.