(This article is also available in German)
On 1 February, Peter Hustinx, the European Data Protection Supervisor (EDPS), gave his opinion on the role of the European Central Bank (ECB) in the SWIFT case, considering the bank accountable, along with SWIFT, for failing to comply with European privacy laws in the secret US investigation into terrorist finances.
By using SWIFT's services in its own payment operations, the ECB has become a joint controller and is thus co-responsible for ensuring compliance with data protection rules, which means observing the purpose limitation principle, informing data subjects, and ensuring guarantees for the transfer of personal data to third countries.
"Just as other banks, the ECB can not escape some responsibilities in the SWIFT case which has breached the trust and private lives of many millions of people. Secret, routine and massive access of third country authorities to banking data is unacceptable. The financial community should therefore provide payment systems which do not violate European data protection laws," affirmed Hustinx in a written statement. He gave the ECB until April to demonstrate that it complies with data protection laws.
However, the ECB does not admit any responsibility in the matter, considering that its concern was financial stability, not data protection. It also considers that the legislators should have given clearer guidance.
"The monitoring of SWIFT activities that do not affect financial stability is not a matter for central bank oversight and, therefore, the US Treasury subpoenas of SWIFT were outside the purview of central bank oversight. The Oversight Group has no authority to oversee SWIFT with regard to compliance with data protection laws," was the ECB's statement.
The bank said it would notify the organisations for whom it conducts transactions and ask for their consent before sharing their data. It also appreciated the initiative of the EU and US data protection authorities, intelligence agencies and financial regulators to find a way to properly monitor international organisations like SWIFT.
The EDPS also asked the ECB to transfer data to third parties only when it can guarantee the privacy protection of the owners of the data transferred. The punitive actions that Hustinx could take against the ECB are limited. As SWIFT has no credible alternative, asking the ECB to stop using its services would not be a reasonable measure.
EDPS calls on ECB to ensure that European payment systems comply with data protection law - Press release (1.02.2007)
http://www.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/...
ECB blamed (again) for SWIFT privacy debacle (1.02.2007)
http://www.theregister.co.uk/2007/02/01/ecb_swift_edps/
Hands off our bank data, Europe tells US (23.11.2006)
http://www.theregister.co.uk/2006/11/23/ec_swift_ruling/
EDRI-gram: SWIFT found in breach of Belgian laws (11.10.2006)
http://www.edri.org/edrigram/number4.19/swift