Here's another preview from the forthcoming report of the PHAEDRA project we've been working on:
This time it's a case study on the role of DPA co-operation in the case of the involvement of SWIFT in US terrorist tracking programmes, and the subsequent European response to this.
Enjoy - we're putting final touches to the report so it should be available soon.
- David.
SWIFT and US Treasury Terrorist Finance Tracking Program (TFTP)
Overview
The Society for Worldwide Interbank Financial
Telecommunication (SWIFT) is a member-owned co-operative of financial
organisations which is headquartered in Belgium. SWIFT processes and transmits
financial communications globally.[1] In
2006, The New York Times revealed
that SWIFT had been co-operating with a US Treasury department surveillance
programme, granting the Treasury, including the U.S. Secret Service, subpoenaed
search access to SWIFT transactions globally.[2]
The programme is known as the Terrorist Finance Tracking Program (TFTP).
Subsequently, SWIFT was the subject of detailed investigations by the Belgian
Commission for the Protection of Privacy[3]
(the Belgian data protection authority), as well as investigations by the Article
29 Data Protection Working Party, the European Data Protection Supervisor and
several other national data protection authorities. There was a relatively high
level of co-operation and co-ordination between European data protection
authorities, through the Article 29 Working Party. The case also resulted in
negotiations between the US Treasury and the EU on the continuation of the TFTP
programme.
Sequence of key events
| Date | Event |
| --- | --- |
| 23 June 2006 | The New York Times, followed by The LA Times and The Washington Post, reveals secret SWIFT surveillance and subpoena programme run by the United States Treasury.[4] |
| 27 June 2006 | Privacy International files simultaneous complaints regarding SWIFT with data protection and privacy regulators in 32 countries, requesting investigations.[5] |
| 6 July 2006 | European Parliament Resolution on the interception of bank transfer data from the SWIFT system by the US secret services.[6] |
| 17 July 2006 | European Commission writes to the Belgian DPA requesting information on the case. |
| 28 July 2006 | Chairman of the Article 29 Working Party announces intent of European data protection authorities to co-ordinate activities in investigating the SWIFT case. |
| 26-27 Sept 2006 | WP29 holds plenary discussion, agrees to continue fact-finding. |
| 27 Sept 2006 | Report of the Belgian Commission for the Protection of Privacy.[7] |
| 4 Oct 2006 | SWIFT financial officer appears before the European Parliament and strongly objects to the Belgian report. |
| 5 Oct 2006 | European Data Protection Supervisor criticises the European Central Bank for not informing European authorities of the SWIFT transfers.[8] |
| 22 Nov 2006 | Article 29 Data Protection Working Party produces Opinion 10/2006 on the processing of personal data by SWIFT.[9] |
| 13 Dec 2006 | Belgian public prosecutor announces that no legal action will be taken against SWIFT. |
| 2 April 2007 | The Privacy Commissioner of Canada concludes investigation into SWIFT.[10] |
| 23 May 2007 | The Belgian Privacy Commission decides to initiate a recommendation procedure with respect to SWIFT. |
| 24 May 2007 and 11 June 2007 | SWIFT informed orally, then by letter, of the Privacy Commission’s procedure. |
| 27-28 June 2007 | Agreement regarding the SWIFT surveillance programme reached between the US and EU (Council and Commission) following negotiations. |
| 4 Oct 2007 | SWIFT announces plans to create a “closed loop” European message processing zone by creating a new operations centre in Switzerland. |
| 19 Dec 2007 to 26 Nov 2008 | Privacy Commission conducts a series of hearings and requests for evidence from SWIFT. |
| 26 Nov 2008 | Privacy Commission closes its deliberations. |
| 9 December 2008 | Belgian Commission for the Protection of Privacy publishes findings of its full investigation into SWIFT.[11] |
| Feb 2010 | European Parliament rejects conclusion of agreement allowing US authorities access to European financial transactions data. |
| May 2010 | European Commission starts negotiating new agreement. |
| June 2010 | European Parliament approves conclusion of revised agreement. |
Reasons for investigation
SWIFT previously operated two data centres, one in Belgium
and the other in Cupertino, California. For data security reasons, transaction
data for all international transactions made through SWIFT were mirrored across
both data centres. All of the SWIFT data, comprising details of millions of
financial transactions, was therefore stored in a data centre under U.S.
jurisdiction. Following the 11 September 2001 attacks, the U.S. Treasury
department began using broad administrative subpoenas to access large amounts
of data from SWIFT as part of efforts to trace terrorist financing. Given that
SWIFT did not legally challenge these subpoenas, it was required to comply with
this classified surveillance programme. The programme was not covered by US
laws protecting private financial records as SWIFT was considered a messaging
service rather than a bank or financial institution.[12] SWIFT did, however, negotiate a way of
complying with the subpoenas whilst, in their eyes, providing a level of data
protection. This included the appointment of an auditor (Booz, Allen &
Hamilton), a guarantee from the US Treasury of support in the event of censure
from third party authorities, and definitions of the purposes of the searches
conducted.[13]
Following the press revelation of the programme, the
European Parliament expressed concern about the transfer of data to the US
Treasury, and any secret operations on EU territory without EU citizens and
their representatives being informed. The Parliament called on the European
Data Protection Supervisor to ascertain if the European Central Bank had met
its obligations under Regulation (EC) 45/2001,[14]
and demanded that Member States check for legal lacunae at local levels, and
ensure that data protection legislation covers central banks. The Parliament
also urged the Commission to take measures to ensure that cases like SWIFT
would not occur in the future.[15]
In turn, the Commission requested the Belgian authorities to investigate.[16]
The Belgian College of Intelligence and Security[17]
requested an Opinion from the Belgian Commission for the Protection of Privacy,
which had already made the decision to investigate the SWIFT case based on the
press reporting and a complaint from Privacy International.
The Article 29 Data Protection Working Party adopted an
Opinion on the case on the basis of Articles 29 and 30 of the EU Data
Protection Directive (95/46/EC).
Other data protection authorities, including Australia,
Canada, New Zealand, Switzerland and Iceland, also started their own
investigations.
In May 2007, the Belgian Privacy Commissioner started a
recommendation procedure into the SWIFT case. This procedure, which can be
initiated under the Commissioner’s own authority and results in a set of
recommendations to a data controller, included a more intensive interaction
with SWIFT. This was seen as necessary in order to follow up on SWIFT’s
responses to previous opinions, and to clarify the concepts of data controller
and processor in multiple, complex and interlocked processing systems transferring
large volumes of data internationally.
Findings of investigation
The 2006 report from the Belgian Privacy Commissioner found
that SWIFT had broken Belgian law, and that there was a conflict between
European and US law. This report suggested that SWIFT had made errors in
judgement in responding to the subpoenas, resulting in “hidden, systematic,
massive, and long-term violation of the fundamental European principles as
regards data protection”.[18] The Commissioner stated that SWIFT should
have complied with Belgian law relating to the notification of processing and
transfers of data to countries outside the EU; should have followed the
principles of proportionality, limited retention period and protection levels.
Whilst SWIFT had notified G-10 banks of the programme, the banks had not in
turn notified privacy commissioners.
Following the Belgian report, the European Data Protection
Supervisor (EDPS), Peter Hustinx, criticised the European Central Bank for
failing to prevent the transfer of information, or to notify other parties such
as European governments and authorities about the scheme.[19]
The ECB had been aware of the subpoena process since February 2002. The EDPS
also criticised the ECB’s continuing use of the SWIFT service after becoming
aware of the arrangement.[20]
The EDPS concurred with the Belgian Privacy Commissioner’s legal analysis and
conclusions.
The Article 29 Working Party Opinion 10/2006 concluded that
Directive 95/46/EC was applicable to SWIFT through the national laws
implementing it, and that SWIFT was required to comply with its obligations
under the Directive, particularly including providing information to
individuals whose data was being transferred, notifying the Belgian DPA and
ensuring an adequate level of protection for international transfers of data.
The Opinion also concluded that, as data controllers with joint responsibility,
financial institutions in the EU had the obligation to ensure that SWIFT
complied with data protection law. The Opinion called for SWIFT to take measures
to remedy the illegal state of affairs and called for increased oversight of
SWIFT.[21]
The Canadian investigation concluded that whilst SWIFT was
subject to Canada’s Personal Information Protection and Electronic Documents
Act (PIPEDA), the organisation did not contravene the law when it complied with
lawful subpoenas served on it in the United States. However, the Commissioner
suggested that alternate information sharing approaches, with built-in
protections for privacy and mechanisms for accountability, would be more
desirable than the use of the subpoena route.[22]
The Belgian privacy commissioner continued with a longer
investigation under the recommendation procedure. In contrast to the 2006
investigation, this subsequent report cleared SWIFT of breaching the Belgian
Privacy Act.[23] The report took into
account actions taken by SWIFT with the intent of compliance with European data
protection legislation, following the previous Opinion, and the Opinion of the
Article 29 Working Party, in the light of better knowledge of the situation and
of subsequent developments. The report
highlighted SWIFT’s otherwise strong record on security and data protection and
concluded that whilst the protections that SWIFT negotiated with the US
Treasury were imperfect, they were perhaps better than what would have been
achieved from radical opposition to legally binding subpoenas.
Forms of co-operation
There was broad agreement amongst European institutions
mentioned above regarding the appropriateness of delegating the initial
investigation to the Belgian data protection authority, given the legal
location and identity of SWIFT as a Belgian co-operative. Whilst the Belgian
DPA investigated SWIFT, other national data protection authorities contacted
their relevant national banking organisations, and the European Data Protection
Supervisor investigated the European Central Bank. The investigation by the
Office of the Privacy Commissioner of Canada was independent of other
investigations, and focused solely on the applicability of PIPEDA in the
Canadian context.
The Article 29 Working Party acted as a point of
co-ordination. The initial 2006 report from the Belgian DPA was presented to
the Article 29 Data Protection Working Party, and the Belgian DPA consulted
with the Working Party during the preparation of its Opinion.[24]
The EDPS stated that it received answers to its questions from SWIFT both
directly and indirectly through the Working Party, and through the Belgian
Privacy Commission.[25]
The 2006 Article 29 Working Party Opinion stated that European DPAs “have
joined forces in the investigation of the data flow and the analysis of its
compliance with the European privacy principles, in particular with the Data
Protection Directive”.[26]
The Working Party held a plenary meeting on 26-27 September 2006, and the
subsequent Opinion is a substantial analysis of the case from a combined
European perspective. The Article 29 Working Party expressed regret that no
prior consultation, formal or informal, was conducted by SWIFT or partner financial
institutions with European data protection authorities regarding the processing
or mirroring of personal data in the US.[27]
The 2006 Belgian report was a starting point for several
other investigations. The EDPS Opinion drew upon (and concurred with) the first
Belgian report. The EDPS stated in the conclusion of its 2006 Opinion that “the
EDPS remains available to advise the ECB and other relevant institutions on all
matters concerning the processing of personal data in the framework of payment
systems.”[28] As a member of the
Working Party, the EDPS contributed towards the drafting of its Opinion.
The investigation by the Federal Data Protection and
Information Commissioner (FDPIC) of Switzerland also built strongly on the
foundations of the 2006 Belgian report. Disclosures of information revealed by
the Belgian investigation were also seen as infringements of Swiss data
protection law. The report of this investigation notes that whilst SWIFT is
covered under Belgian data protection (there was no processing of personal data
by SWIFT in Switzerland), the decision of joint responsibility between SWIFT
and financial services did provide grounds for FDPIC’s investigation of Swiss
financial services. Additionally, the report identifies the importance of considering
the broader international dimension whilst having a focus upon Switzerland.[29]
Despite the findings of its initial report, the Belgian DPA
lacked the power to fine or censure SWIFT, which would have been the
responsibility of the Belgian public prosecutor. The public prosecutor took the
decision not to pursue any legal action against SWIFT despite the wishes of the
Belgian DPA, and the Opinion of the Article 29 Working Party. Belgian Prime
Minister Guy Verhofstadt favoured negotiation between the EU and US to achieve
legal certainty for companies involved in international data transfer.
The SWIFT issue did result in negotiations between the EU
and the US. The US Treasury made representations to the Council in which it
committed to processing personal data originating in EU Member States in
compliance with specific data protection principles. The Article 29 Working
Party was kept informed of these discussions, but was not a participant in
them. The resulting TFTP agreement between the US and the EU entailed that
information would only be obtained from SWIFT for counter-terrorism purposes,
and the information would not be kept longer than necessary. The Commission, in consultation with the US
Treasury, the President of the Permanent Representatives Committee, and the
President of the Committee on Civil Liberties, Justice and Home Affairs of the
European Parliament, would appoint an “eminent European” to
independently monitor compliance with the agreement and report to the
Commission, which would in turn inform the Council and Parliament.[30]
Following the changes in SWIFT’s architecture to introduce
the closed European processing loop, there was subsequent disagreement between
the European Commission and Parliament over the details of the negotiated
agreement with the US regarding access to European financial transaction data,
based on privacy, proportionality and reciprocity.[31]
The Commission envisaged an international agreement between the EU and the US
which would require transfer to the US Treasury of relevant financial data
necessary for the Treasury’s Terrorist Finance Tracking Programme. The European
Parliament gave its approval for a revised agreement in July 2010. The revised
agreement gives Europol the “eminent European” role and the responsibility for
determining if requests from the US for SWIFT data comply with the terms of the
agreement.[32] The EDPS was invited to
consult on the second draft agreement.[33]
The European Commission has produced two subsequent reports on the
implementation of the agreement in 2011 and 2012.[34]
The first report concluded that the agreement had been implemented in
accordance with the provisions, but recommended greater public information
about the functioning of the scheme. The second review looked in greater depth
at the functioning of the agreement. The review team was satisfied that the
recommendation in the first review had been carried out by the time of the
second, and stated that the sensitive programme was well protected and
scrupulously managed. Recently, the implications for the TFTP programme arising
from the revelations of NSA spying were discussed in the European
Parliament.
The 2008 report from the Belgian privacy commissioner
highlighted the absence of a European assistance mechanism for organisations
that find themselves in a position similar to that of SWIFT, having legal
obligations in a third country, but also a requirement to comply with EU data
protection law. The report concluded that it was unreasonable to expect such
organisations to simply report to the national data protection authority or to
the Article 29 Working Party, where local law requires secrecy or would
criminally sanction any such disclosure. However, those organisations should be
involved in regulation and guidance activity. The report identified a role in
this for the EU – US Contact Group on the protection of personal data, which
could examine problematic situations and assess any guarantees given to such
organisations by the US.[35]
Conclusions
From this case study, we draw the following conclusions:
- The case at first appears to demonstrate differences between US and European law. The subpoena programme was legal in the United States, and required SWIFT to comply. This meant it was also legal in Canada, given that PIPEDA respected local law. Initial European responses were highly critical of the programme, and seemed to indicate different attitudes to this form of financial surveillance. However, later and more detailed investigations did not find a legal breach.
- It is possible that even in the absence of a finding against SWIFT in the second Belgian investigation, the recommendation process itself put pressure on SWIFT to adjust its infrastructure and manner of operation, including opening a new data centre in Switzerland, so as to allow SWIFT to securely mirror transaction data without bringing that data under US jurisdiction.
- The case demonstrates fairly substantial co-operation and co-ordination between European data protection authorities, primarily in the form of a division of responsibility between national DPAs to investigate elements of the case within their jurisdictions, co-ordinated through the Article 29 Working Party.
- Data protection agencies were potentially sidelined during the later negotiations between the US and the EU over the continuation of the TFTP.
[1] SWIFT, “Company
Information”.
[2] Lichtblau, Eric, and James
Risen, “Bank Data Is Sifted by U.S. in Secret to Block Terror”, The New York Times, 23 June 2006. http://www.nytimes.com/2006/06/23/washington/23intel.html?pagewanted=all&_r=0
[3] Commissie voor de
bescherming van de persoonlijke levenssfeer (CBPL) in Dutch and Commission de
la protection de la vie privée (CPVP) in French. http://www.privacycommission.be/
[4] Lichtblau and Risen, op.
cit.; Meyer, Josh, and Greg Miller, “U.S. Secretly Tracks Global Bank Data”, The Los Angeles Times, 23 June 2006, http://articles.latimes.com/2006/jun/23/nation/na-swift23;
Simpson, Glenn R., “Treasury Tracks Financial Data in Secret Program”, The Washington Post, 23 June 2006.
[5] Privacy International, “PI
estimates over 4 million UK financial records sent each year to U.S”, press
release, 6 July 2006. https://www.privacyinternational.org/press-releases/pi-estimates-over-4-million-uk-financial-records-sent-each-year-to-us
[6] European Parliament
resolution on the interception of bank transfer data from the SWIFT system by
the US secret services (P6_TA-PROV(2006)0317).
[7] Commission de la
protection de la vie privée, Avis relatif à la transmission de données à
caractère personnel par la SCRL SWIFT suite aux sommations de l’UST (OFAC), Brussels, 27 Sept 2006.
[8] European Data Protection
Supervisor, EDPS Opinion on the role of the European Central Bank in the SWIFT
case, Brussels, 1 Feb 2007.
[9] Article 29 Data Protection
Working Party, Opinion 10/2006 on the processing of personal data by the
Society for Worldwide Interbank Financial Telecommunication (SWIFT), Brussels, 22 Nov 2006.
[10] Office of the Privacy
Commissioner of Canada, Report of
Findings - Privacy Commissioner of Canada v. SWIFT, 2 April 2007. http://www.priv.gc.ca/cf-dc/2007/swift_rep_070402_e.asp
[11] Commission de la
protection de la vie privée, Control and
recommendation procedure initiated with respect to the company SWIFT scrl, 9
Dec 2008.
[12] Lichtblau and Risen, op.
cit., 2006.
[13] Commission de la
protection de la vie privée, 27 September 2006, pp.6-7.
[14] The ECB is a member of
the Central Banks of the Group of Ten (G-10) countries which conduct collective
oversight of SWIFT.
[15] European Parliament
resolution on the interception of bank transfer data from the SWIFT system by
the US secret services (P6_TA-PROV(2006)0317).
[16] Ibid., p. 2.
[17] A committee chaired by
the Prime Minister, with representatives of the Belgian intelligence services,
police, Ministry of Foreign Affairs, the college of Attorneys General and the
National Security Authority.
[18] Commission de la
protection de la vie privée, 26 Sept 2006.
[19] European Data Protection
Supervisor, op. cit., 1 Feb 2006.
[20] EDRI, “SWIFT Found In
Breach of Belgian Privacy Laws”, EDRI-gram,
4.19, 11 Oct 2006.
[21] Article 29 Data
Protection Working Party, op. cit., 22 Nov 2006.
[22] Office of the Privacy
Commissioner of Canada, “Privacy Commissioner concludes investigation of
SWIFT”, press release, 2 April 2007. http://www.priv.gc.ca/media/nr-c/2007/nr-c_070402_e.asp
[23] Commission de la
protection de la vie privée, 9 Dec 2006, p.74.
[24] Commission de la
protection de la vie privée, 27 Sept 2006, p. 3.
[25] European Data Protection
Supervisor, EDPS Opinion on the role of the European Central Bank in the SWIFT
case, Brussels, 1 Feb 2007.
[26] Article 29 Data
Protection Working Party, op. cit., 22 Nov 2006, p. 5.
[27] Ibid., p. 20.
[28] European Data Protection
Supervisor, op. cit., 1 Feb 2007, p. 12.
[29] Federal Data Protection
and Information Commissioner, Access to SWIFT Transaction Data – Opinion of the
Federal Data Protection and Information Commissioner, Bern, 31 October 2006.
[30] Council of the European
Union, Processing and protection of personal data subpoenaed by the Treasury
Department from the US based operation centre of the Society for Worldwide
Interbank Financial Telecommunication (SWIFT), 11291/2/07 REV 2, Luxembourg, 28 June 2007.
[31] European Parliament,
“European Parliament votes down agreement with the US”, Press Release, 11 Feb
2010. http://www.europarl.europa.eu/sides/getDoc.do?type=IM-PRESS&reference=20100209IPR68674&language=EN
[32] Europol, “Europol JSB
inspects for the second year the implementation of the TFTP agreement”, press
release, Brussels, 14 March 2012.
[33] Council of the European
Union, Note from European Data Protection Supervisor to delegations, 11580/10,
Brussels, 28 June 2010. http://register.consilium.europa.eu/pdf/en/10/st11/st11580.en10.pdf
[34] European Commission,
Report on the joint review of the implementation of the Agreement between the
European Union and the United States of America on the processing and transfer
of Financial Messaging data from the European Union to the United States for
the purposes of the Terrorist Finance Tracking Program, Brussels, 16 March
2011. http://ec.europa.eu/dgs/home-affairs/news/intro/docs/commission-report-on-the-joint-review-of-the-tftp.pdf;
European Commission, Report on the second joint review of the implementation
of the Agreement between the European Union and the United States of America on
the processing and transfer of financial messaging data from the European Union
to the United States for the purposes of the Terrorist Finance Tracking
Program, SWD(2012) 454 final, Brussels, 14 Dec 2012. http://ec.europa.eu/dgs/home-affairs/pdf/20121214_joint_review_report_tftp_en.pdf
[35] Commission de la
protection de la vie privée, op. cit., 9 Dec 2006, p.73.