(Dieser Artikel ist auch in deutscher Sprache verfügbar)
On 21-22 November 2006, an opinion was adopted by the Privacy Commissioners represented by Article 29 Working Group ruling against the Society for Worldwide Interbank Financial Telecommunication (SWIFT) for having transferred transaction details to the US.
The Privacy Commissioners wanted to point out again that fighting terrorism and crime should not lead to limiting citizens' fundamental rights and strongly emphasized the need to observe data protection principles.
The Working Group decided that SWIFT, as a corporative company based in Belgium, was subject to Belgian data protection law that implemented the European Directive on data protection. It also decided that the financial institution in EU using SWIFT were in their turn subject to the national data protection laws implementing the EU directive as well.
The Commissioners considered that SWIFT was the primary responsible for the processing and mirroring personal data while some responsibility for the processing of their clients' data came to the financial institutions. They also decided that SWIFT had to comply with the EU directive for data protection and that the financial institutions using SWIFT's services had to comply with the national laws on data protection.
Among the obligations, SWIFT must notify the processing and provide an adequate level of protection for the data transferred. The financial institutions have the obligation to verify that SWIFT complies with the law and must have the necessary knowledge on the payment systems with their characteristics and risks. The Working Party also thought that, for the purpose of transparency, the financial institutions should advise their clients in cases when the transfer of their data involved certain risks.
It was considered that SWIFT was also in breach of the EU Directive by the lack of transparency and efficient control in the data transfer operations and by not observing the proportionality and necessity principles as well as the guarantees for the personal data transfer to a third country.
Regarding the transfer of data to the US Treasury, the Working Party considered that ".. the hidden, systematic, massive and long-term transfer of personal data by SWIFT to the UST in a confidential, non-transparent and systematic manner for years without effective legal grounds and without the possibility of independent control by public data protection supervisory authorities constitutes a violation of the fundamental European principles as regards data protection and is not in accordance with Belgian and European law."
The Working Party Opinion asks for the immediate cessation of the infringements by SWIFT and the financial institutions and the compliance with the European and national laws on data protection. It also urges the financial institutions to inform their clients on the way their personal data are processed and to advise them about the fact that US authorities might have access to these data.
The Commissioners wanted to emphasize again that the terrorism fighting measures must not limit the fundamental rights of citizens considering that: "A key element of the fight against terrorism involves ensuring the preservation of the fundamental rights which are the basis of democratic societies and the very values that those advocating the use of violence seek to destroy."
Press Release on the SWIFT Case following the adoption of the Article 29
Working Party opinion on the processing of personal data by the Society for
Worldwide Interbank Financial Telecommunication (SWIFT) (23/11.2006)
http://ec.europa.eu/justice_home/fsj/privacy/news/docs/PR_Swift_Affair...