Wednesday 26 March 2014

EU DPA cooperation in the SWIFT case



Here's another preview from the forthcoming report of the PHAEDRA project we've been working on:
This time it's a case study on the role of DPA co-operation in the case of the involvement of SWIFT in US terrorist tracking programmes, and the subsequent European response to this.

Enjoy - we're putting final touches to the report so it should be available soon.

- David. 

SWIFT and US Treasury Terrorist Finance Tracking Program (TFTP)

Overview


The Society for Worldwide Interbank Financial Telecommunication (SWIFT) is a member-owned co-operative of financial organisations which is headquartered in Belgium. SWIFT processes and transmits financial communications globally.[1] In 2006, The New York Times revealed that SWIFT had been co-operating with a US Treasury department surveillance programme, granting the Treasury, including the U.S. Secret Service, subpoenaed search access to SWIFT transactions globally.[2] The programme is known as the Terrorist Finance Tracking Program (TFTP).

Subsequently, SWIFT was the subject of detailed investigations by the Belgian Commission for the Protection of Privacy[3] (the Belgian data protection authority), as well as investigations by the Article 29 Data Protection Working Party, the European Data Protection Supervisor and several other national data protection authorities. There was a relatively high level of co-operation and co-ordination between European data protection authorities, through the Article 29 Working Party. The case also resulted in negotiations between the US Treasury and the EU on the continuation of the TFTP programme.

Sequence of key events


23 June 2006
The New York Times, followed by The LA Times and The Washington Post, reveals the secret SWIFT surveillance and subpoena programme run by the United States Treasury.[4]
27 June 2006
Privacy International files simultaneous complaints regarding SWIFT with data protection and privacy regulators in 32 countries, requesting investigations.[5]
6 July 2006
European Parliament Resolution on the interception of bank transfer data from the SWIFT system by the US secret services.[6]
17 July 2006
European Commission writes to the Belgian DPA requesting information on the case.
28 July 2006
Chairman of the Article 29 Working Party announces intent of European data protection authorities to co-ordinate activities in investigating the SWIFT case.
26-27 Sept 2006
WP29 holds plenary discussion, agrees to continue fact-finding.
27 Sept 2006
Report of the Belgian Commission for the Protection of Privacy.[7]
4 Oct 2006
SWIFT financial officer appears before European Parliament and strongly objects to the Belgian report.
5 Oct 2006
European Data Protection Supervisor criticises the European Central Bank for not informing European authorities of the SWIFT transfers.[8]
22 Nov 2006
Article 29 Data Protection Working Party produces Opinion 10/2006 on the processing of personal data by SWIFT.[9]
13 Dec 2006
Belgian public prosecutor announces that no legal action will be taken against SWIFT.
2 April 2007
The Privacy Commissioner of Canada concludes investigation into SWIFT.[10]
23 May 2007
The Belgian Privacy Commission decides to initiate a recommendation procedure with respect to SWIFT.
24 May 2007 and 11 June 2007
SWIFT informed orally, then by letter, of Privacy Commission’s procedure.
27-28 June 2007
Agreement regarding the SWIFT surveillance programme reached between the US and EU (Council and Commission) following negotiations.
4 Oct 2007
SWIFT announces plans to create “closed loop” European messaging processing zone by creating a new operations centre in Switzerland.
19 Dec 2007 to 26 Nov 2008
Privacy Commission conducts a series of hearings and requests for evidence from SWIFT.
26 Nov 2008
Privacy Commission closes its deliberations.
9 December 2008
Belgian Commission for the Protection of Privacy publishes findings of its full investigation into SWIFT.[11]
Feb 2010
European Parliament rejects conclusion of agreement allowing US authorities access to European financial transactions data.
May 2010
European Commission starts negotiating new agreement.
June 2010
European Parliament approves conclusion of revised agreement.

Reasons for investigation


SWIFT previously operated two data centres, one in Belgium and the other in Cupertino, California. For data security reasons, transaction data for all international transactions made through SWIFT were mirrored across both data centres. All of the SWIFT data, comprising details of millions of financial transactions, was therefore stored in a data centre under U.S. jurisdiction. Following the 11 September 2001 attacks, the U.S. Treasury department began using broad administrative subpoenas to access large amounts of data from SWIFT as part of efforts to trace terrorist financing. Given that SWIFT did not legally challenge these subpoenas, it was required to comply with this classified surveillance programme. The programme was not covered by US laws protecting private financial records as SWIFT was considered a messaging service rather than a bank or financial institution.[12] SWIFT did, however, negotiate a way of complying with the subpoenas whilst, in their eyes, providing a level of data protection. This included the appointment of an auditor (Booz, Allen & Hamilton), a guarantee from the US Treasury of support in the event of censure from third party authorities, and definitions of the purposes of the searches conducted.[13]

Following the press revelation of the programme, the European Parliament expressed concern about the transfer of data to the US Treasury, and any secret operations on EU territory without EU citizens and their representatives being informed. The Parliament called on the European Data Protection Supervisor to ascertain if the European Central Bank had met its obligations under Regulation (EC) 45/2001,[14] and demanded that Member States check for legal lacunae at local levels, and ensure that data protection legislation covers central banks. The Parliament also urged the Commission to take measures to ensure that cases like SWIFT would not occur in the future.[15] In turn, the Commission requested the Belgian authorities to investigate.[16] The Belgian College of Intelligence and Security[17] requested an Opinion from the Belgian Commission for the Protection of Privacy, which had already made the decision to investigate the SWIFT case based on the press reporting and a complaint from Privacy International.

The Article 29 Data Protection Working Party adopted an Opinion on the case on the basis of Articles 29 and 30 of the EU Data Protection Directive (95/46/EC).

Other data protection authorities, including Australia, Canada, New Zealand, Switzerland and Iceland, also started their own investigations.

In May 2007, the Belgian Privacy Commissioner started a recommendation procedure into the SWIFT case. This procedure, which can be initiated under the Commissioner’s own authority and results in a set of recommendations to a data controller, included a more intensive interaction with SWIFT. This was seen as necessary in order to follow up on SWIFT’s responses to previous opinions, and to clarify the concepts of data controller and processor in multiple, complex and interlocked processing systems transferring large volumes of data internationally.

Findings of investigation


The 2006 report from the Belgian Privacy Commissioner found that SWIFT had broken Belgian law, and that there was a conflict between European and US law. This report suggested that SWIFT had made errors in judgement in responding to the subpoenas, resulting in “hidden, systematic, massive, and long-term violation of the fundamental European principles as regards data protection”.[18] The Commissioner stated that SWIFT should have complied with Belgian law relating to the notification of processing and transfers of data to countries outside the EU, and should have followed the principles of proportionality, limited retention period and protection levels. Whilst SWIFT had notified G-10 banks of the programme, the banks had not in turn notified privacy commissioners.

Following the Belgian report, the European Data Protection Supervisor (EDPS), Peter Hustinx, criticised the European Central Bank for failing to prevent the transfer of information, or to notify other parties such as European governments and authorities about the scheme.[19] The ECB had been aware of the subpoena process since February 2002. The EDPS also criticised the ECB’s continuing use of the SWIFT service after becoming aware of the arrangement.[20] The EDPS concurred with the Belgian Privacy Commissioner’s legal analysis and conclusions.

The Article 29 Working Party Opinion 10/2006 concluded that Directive 95/46/EC was applicable to SWIFT through the national laws implementing it, and that SWIFT was required to comply with its obligations under the Directive, particularly including providing information to individuals whose data was being transferred, notifying the Belgian DPA and ensuring an adequate level of protection for international transfers of data. The Opinion also concluded that, as data controllers with joint responsibility, financial institutions in the EU had the obligation to ensure that SWIFT complied with data protection law. The Opinion called for SWIFT to take measures to remedy the illegal state of affairs and called for increased oversight of SWIFT. [21]

The Canadian investigation concluded that whilst SWIFT was subject to Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), the organisation did not contravene the law when it complied with lawful subpoenas served on it in the United States. However, the Commissioner suggested that alternate information sharing approaches, with built-in protections for privacy and mechanisms for accountability, would be more desirable than the use of the subpoena route.[22]

The Belgian privacy commissioner continued with a longer investigation under the recommendation procedure. In contrast to the 2006 investigation, this subsequent report cleared SWIFT of breaching the Belgian Privacy Act.[23] The report took into account actions taken by SWIFT with the intent of compliance with European data protection legislation, following the previous Opinion, and the Opinion of the Article 29 Working Party, in the light of better knowledge of the situation and of subsequent developments. The report highlighted SWIFT’s otherwise strong record on security and data protection and concluded that whilst the protections that SWIFT negotiated with the US Treasury were imperfect, they were perhaps better than what would have been achieved from radical opposition to legally binding subpoenas.

Forms of co-operation


There was broad agreement amongst European institutions mentioned above regarding the appropriateness of delegating the initial investigation to the Belgian data protection authority, given the legal location and identity of SWIFT as a Belgian co-operative. Whilst the Belgian DPA investigated SWIFT, other national data protection authorities contacted their relevant national banking organisations, and the European Data Protection Supervisor investigated the European Central Bank. The investigation by the Office of the Privacy Commissioner of Canada was independent of other investigations, and focused solely on the applicability of PIPEDA in the Canadian context.

The Article 29 Working Party acted as a point of co-ordination. The initial 2006 report from the Belgian DPA was presented to the Article 29 Data Protection Working Party, and the Belgian DPA consulted with the Working Party during the preparation of its Opinion.[24] The EDPS stated that it received answers to its questions from SWIFT both directly and indirectly through the Working Party, and through the Belgian Privacy Commission.[25] The 2006 Article 29 Working Party Opinion stated that European DPAs “have joined forces in the investigation of the data flow and the analysis of its compliance with the European privacy principles, in particular with the Data Protection Directive”.[26] The Working Party held a plenary meeting on 26-27 September 2006, and the subsequent Opinion is a substantial analysis of the case from a combined European perspective. The Article 29 Working Party expressed regret that no prior consultation, formal or informal, was conducted by SWIFT or partner financial institutions with European data protection authorities regarding the processing or mirroring of personal data in the US.[27]

The 2006 Belgian report was a starting point for several other investigations. The EDPS Opinion drew upon (and concurred with) the first Belgian report. The EDPS stated in the conclusion of its 2006 Opinion that “the EDPS remains available to advise the ECB and other relevant institutions on all matters concerning the processing of personal data in the framework of payment systems.”[28] As a member of the Working Party, the EDPS contributed towards the drafting of its Opinion.

The investigation by the Federal Data Protection and Information Commissioner (FDPIC) of Switzerland also built strongly on the foundations of the 2006 Belgian report. Disclosures of information revealed by the Belgian investigation were also seen as infringements of Swiss data protection law. The report of this investigation notes that whilst SWIFT is covered under Belgian data protection (there was no processing of personal data by SWIFT in Switzerland), the decision of joint responsibility between SWIFT and financial services did provide grounds for FDPIC’s investigation of Swiss financial services. Additionally, the report identifies the importance of considering the broader international dimension whilst having a focus upon Switzerland.[29]

Despite the findings of its initial report, the Belgian DPA lacked the power to fine or censure SWIFT, which would have been the responsibility of the Belgian public prosecutor. The public prosecutor took the decision not to pursue any legal action against SWIFT despite the wishes of the Belgian DPA, and the Opinion of the Article 29 Working Group. Belgian Prime Minister Guy Verhofstadt favoured negotiation between the EU and US to achieve legal certainty for companies involved in international data transfer.

The SWIFT issue did result in negotiations between the EU and the US. The US Treasury made representations to the Council in which it committed to processing personal data originating in EU Member States in compliance with specific data protection principles. The Article 29 Working Party was kept informed of these discussions, but was not a participant in them. The resulting TFTP agreement between the US and the EU entailed that information would only be obtained from SWIFT for counter-terrorism purposes, and the information would not be kept longer than necessary. The Commission, in consultation with the US Treasury, the President of the Permanent Representatives Committee, and the President of the Committee of Civil Liberties, Justice and Home Affairs of the European Parliament, would appoint an “eminent European” to independently monitor compliance with the agreement and report to the Commission, which would in turn inform the Council and Parliament.[30]

Following the changes in SWIFT’s architecture to introduce the closed European processing loop, there was subsequent disagreement between the European Commission and Parliament over the details of the negotiated agreement with the US regarding access to European financial transaction data, based on privacy, proportionality and reciprocity.[31] The Commission envisaged an international agreement between the EU and the US which would require transfer to the US Treasury of relevant financial data necessary for the Treasury’s Terrorist Finance Tracking Programme. The European Parliament gave its approval for a revised agreement in July 2010. The revised agreement gives Europol the “eminent European” role and the responsibility for determining if requests from the US for SWIFT data comply with the terms of the agreement.[32] The EDPS was invited to consult on the second draft agreement.[33] The European Commission has produced two subsequent reports on the implementation of the agreement, in 2011 and 2012.[34] The first report concluded that the agreement had been implemented in accordance with its provisions, but recommended greater public information about the functioning of the scheme. The second review looked in greater depth at the functioning of the agreement. The review team was satisfied that the recommendation in the first review had been carried out by the time of the second, and stated that the sensitive programme is well protected and scrupulously managed. Recently, the implications for the TFTP programme arising from the revelations of NSA spying were discussed in the European Parliament.

The 2008 report from the Belgian privacy commissioner highlighted the absence of a European assistance mechanism for organisations that find themselves in a position similar to that of SWIFT, having legal obligations in a third country, but also a requirement to comply with EU data protection law. The report concluded that it was unreasonable to expect such organisations to simply report to the national data protection authority or to the Article 29 Working Group, where local law requires secrecy or would criminally sanction any such disclosure. However, those organisations should be involved in regulation and guidance activity. The report identified a role in this for the EU – US Contact Group on the protection of personal data, which could examine problematic situations and assess any guarantees given to such organisations by the US.[35]

Conclusions

From this case study, we draw the following conclusions:
  • The case at first appears to demonstrate differences between US and European law. The subpoena programme was legal in the United States, and required SWIFT to comply. This meant it was also legal in Canada, given that PIPEDA respected local law. Initial European responses were highly critical of the programme, and seemed to indicate different attitudes to this form of financial surveillance. However, later and more detailed investigations did not find a legal breach.
  • It is possible that even in the absence of a finding against SWIFT in the second Belgian investigation, the recommendation process itself put pressure on SWIFT to adjust its infrastructure and manner of operation, including opening a new data centre in Switzerland, so as to allow SWIFT to securely mirror transaction data without bringing that data under US jurisdiction.
  • The case demonstrates fairly substantial co-operation and co-ordination between European data protection authorities, primarily in the form of a division of responsibility between national DPAs to investigate elements of the case within their jurisdictions, co-ordinated through the Article 29 Working Party.
  • Data protection agencies were potentially sidelined during the later negotiations between the US and the EU over the continuation of the TFTP.


[2] Lichtblau, Eric, and James Risen, “Bank Data Is Sifted by U.S. in Secret to Block Terror”, The New York Times, 23 June 2006. http://www.nytimes.com/2006/06/23/washington/23intel.html?pagewanted=all&_r=0
[3] Commissie voor de bescherming van de persoonlijke levenssfeer (CBPL) in Dutch and Commission de la protection de la vie privée (CPVP) in French. http://www.privacycommission.be/
[4] Lichtblau and Risen, op. cit.; Meyer, Josh, and Greg Miller, “U.S. Secretly Tracks Global Bank Data”, The Los Angeles Times, 23 June 2006, http://articles.latimes.com/2006/jun/23/nation/na-swift23; Simpson, Glenn R., “Treasury Tracks Financial Data in Secret Program”, The Washington Post,  23 June 2006.
[5] Privacy International, “PI estimates over 4 million UK financial records sent each year to U.S”, press release, 6 July 2006. https://www.privacyinternational.org/press-releases/pi-estimates-over-4-million-uk-financial-records-sent-each-year-to-us
[6] European Parliament resolution on the interception of bank transfer data from the SWIFT system by the US secret services (P6_TA-PROV(2006)0317).
[7] Commission de la protection de la vie privée, Avis relatif à la transmission de données à caractère personnel par la SCRL SWIFT suite aux sommations de l’UST (OFAC), Brussels, 27 Sept 2006.
[8] European Data Protection Supervisor, EDPS Opinion on the role of the European Central Bank in the SWIFT case, Brussels, 1 Feb 2007.
[9] Article 29 Data Protection Working Party, Opinion 10/2006 on the processing of personal data by the Society for Worldwide Interbank Financial Telecommunication (SWIFT), Brussels, 22 Nov 2006.
[10] Office of the Privacy Commissioner of Canada, Report of Findings - Privacy Commissioner of Canada v. SWIFT, 2 April 2007. http://www.priv.gc.ca/cf-dc/2007/swift_rep_070402_e.asp
[11] Commission de la protection de la vie privée, Control and recommendation procedure initiated with respect to the company SWIFT scrl, 9 Dec 2008.
[12] Lichtblau and Risen, op. cit., 2006.
[13] Commission de la protection de la vie privée, 27 September 2006, pp.6-7.
[14] The ECB is a member of the Central Banks of the Group of Ten (G-10) countries which conduct collective oversight of SWIFT.
[15] European Parliament resolution on the interception of bank transfer data from the SWIFT system by the US secret services (P6_TA-PROV(2006)0317).
[16] Ibid., p. 2.
[17] A committee chaired by the Prime Minister, with representatives of the Belgian intelligence services, police, Ministry of Foreign Affairs, the college of Attorneys General and the National Security Authority.
[18] Commission de la protection de la vie privée, 26 Sept 2006.
[19] European Data Protection Supervisor, op. cit., 1 Feb 2006.
[20] EDRI, “SWIFT Found In Breach of Belgian Privacy Laws”, EDRI-gram, 4.19, 11 Oct 2006.
[21] Article 29 Data Protection Working Party, op. cit., 22 Nov 2006.
[22] Office of the Privacy Commissioner of Canada, “Privacy Commissioner concludes investigation of SWIFT”, press release, 2 April 2007. http://www.priv.gc.ca/media/nr-c/2007/nr-c_070402_e.asp
[23] Commission de la protection de la vie privée, 9 Dec 2006, p.74.
[24] Commission de la protection de la vie privée, 27 Sept 2006, p. 3.
[25] European Data Protection Supervisor, EDPS Opinion on the role of the European Central Bank in the SWIFT case, Brussels, 1 Feb 2007.
[26] Article 29 Data Protection Working Party, op. cit., 22 Nov 2006, p. 5.
[27] Ibid., p. 20.
[28] European Data Protection Supervisor, op. cit., 1 Feb 2007, p. 12.
[29] Federal Data Protection and Information Commissioner, Access to SWIFT Transaction Data – Opinion of the Federal Data Protection and Information Commissioner, Bern, 31 October 2006.
[30] Council of the European Union, Processing and protection of personal data subpoenaed by the Treasury Department from the US based operation centre of the Society for Worldwide Interbank Financial Telecommunication (SWIFT), 11291/2/07 REV 2, Luxembourg, 28 June 2007.
[31] European Parliament, “European Parliament votes down agreement with the US”, Press Release, 11 Feb 2010. http://www.europarl.europa.eu/sides/getDoc.do?type=IM-PRESS&reference=20100209IPR68674&language=EN
[32] Europol, “Europol JSB inspects for the second year the implementation of the TFTP agreement”, press release, Brussels, 14 March 2012.
[33] Council of the European Union, Note from European Data Protection Supervisor to delegations, 11580/10, Brussels, 28 June 2010. http://register.consilium.europa.eu/pdf/en/10/st11/st11580.en10.pdf
[34] European Commission, Report on the joint review of the implementation of the Agreement between the European Union and the United States of America on the processing and transfer of Financial Messaging data from the European Union to the United States for the purposes of the Terrorist Finance Tracking Program, Brussels, 16 March 2011. http://ec.europa.eu/dgs/home-affairs/news/intro/docs/commission-report-on-the-joint-review-of-the-tftp.pdf; European Commission, Report on the second joint review of the implementation of the Agreement between the European Union and the United States of America on the processing and transfer of financial messaging data from the European Union to the United States for the purposes of the Terrorist Finance Tracking Program, SWD(2012) 454 final, Brussels, 14 Dec 2012. http://ec.europa.eu/dgs/home-affairs/pdf/20121214_joint_review_report_tftp_en.pdf
[35] Commission de la protection de la vie privée, op. cit., 9 Dec 2006, p.73.