On December 9, 2008, the Belgian data protection authority (Privacy Commission) decided to close without further action its proceedings against the Society for Worldwide Interbank Financial Telecommunications (SWIFT).
SWIFT is a Belgium-based cooperative company that provides worldwide financial messaging services for cross-border money transfers. SWIFT has two operating centers, one in Europe and another in the U.S., where it processes messages which may contain personal data (such as the names of payers and payees).
In June 2006, press reports revealed that the U.S. Treasury had served subpoenas on SWIFT in order to access certain financial and personal data originating from SWIFT's European operating center. In Europe, the news triggered hefty reactions from data protection authorities at different levels, all of which seemed to indicate that SWIFT, and possibly the financial institutions using SWIFT's services, had breached fundamental principles of EU data protection law. Since SWIFT's European operating center was located in Belgium, the Belgian Privacy Commission assumed jurisdiction and issued two (preliminary) opinions in which it concluded that, based on the information available at that time, SWIFT was a data controller subject to Belgian law. SWIFT was therefore required to comply with the requirements of the Belgian Data Protection Act, including the duty to inform, to register with the Privacy Commission, and to ensure that there is an adequate level of protection when transferring personal data outside the European Economic Area (EEA).
Following these decisions, the Privacy Commission initiated two proceedings against SWIFT: a verification procedure to confirm its initial findings, and a second procedure to propose recommendations for compliance with the Belgian Data Protection Act. The recommendations procedure enabled SWIFT to submit arguments and documents in its defense, and to access the Privacy Commission's file. After intense discussions with SWIFT for almost two years, the Privacy Commission finally found that SWIFT was in compliance with the Belgian Data Protection Act. Therefore, the two proceedings against SWIFT were closed on the basis of, inter alia, the following considerations:
- In order to reveal all relevant facts, SWIFT had cooperated with the Privacy Commission in good faith. As a result, the Privacy Commission was able to determine the precise obligations of SWIFT and the participating financial institutions with regard to the protection of personal data used in financial transactions.
- SWIFT had agreed to comply with the obligations imposed by the Belgian Data Protection Act and register with the Privacy Commission as a data controller (as regards limited types of data processing only).
- In response to the public allegations of possible privacy violations, SWIFT had adopted data protection and security measures that, according to the Privacy Commission, go beyond what is legally required. For instance, SWIFT had established a new operational center in Switzerland for inter-European messages (which are no longer transferred to the U.S.). In addition, SWIFT had appointed a full-time "privacy officer" and created a permanent working group for data protection.
- According to the Privacy Commission, the financial institutions that constitute the community of users of SWIFT's messaging services are responsible vis-à-vis their customers for compliance with applicable data privacy law. The financial institutions - as opposed to SWIFT - must ensure, for instance, that customers are properly informed about their privacy rights. In this context, the Privacy Commission has suggested that the financial community in question should create collective rules. This exercise should preferably be guided by the "Article 29 Working Party", which consists of representatives of Member States' data protection authorities and the European Commission.
- It appears that SWIFT was under a legal obligation - imposed by the U.S. Treasury in accordance with the United Nations' procedure for law enforcement cooperation - to disclose specific data, so that they could be used in the fight against international terrorism. Nonetheless, the Privacy Commission found that SWIFT was able to negotiate a strict framework for the disclosure and use of its messages, with a view to protecting individuals' personal data and privacy. It was agreed, for example, that the information obtained would only be used in the fight against terrorism, and that it would have to be confirmed by another source.
The SWIFT case illustrates the importance for companies involved in complex cross-border data flows to determine at an early stage who is the "data controller" and therefore responsible for compliance with EU data protection rules. The fact that SWIFT did not appear to have a well-considered position in this regard at the time of the first allegations is likely to have contributed to the duration of the Privacy Commission's proceedings. The case also shows that it usually pays off to fully cooperate with national data protection authorities that are conducting compliance investigations. By playing a pro-active role in the course of the Privacy Commission's proceedings and implementing compliance measures along the way, SWIFT eventually managed to avoid sanctions.
Multinational companies that are trying to comply with European data privacy rules on the one hand and data requests from non-EEA states on the other often find themselves between a rock and a hard place. The lack of clear guidance from data protection authorities in this context, as well as the absence of an international framework for personal data protection, does not facilitate compliance.