EU-US discuss access to financial messaging data

Politicians seek a new agreement

Published on July 31, 2009

The following statement is also available in German.

On Monday 27 July, the Foreign Affairs ministers of the European Union unanimously gave the European Commission a mandate to negotiate a new agreement under which the US will gain access to financial messaging data necessary to the US Treasury Department’s (UST) Terrorist Finance Tracking Program. We understand that the Commission hopes to conclude the new agreement within the next couple of months. The agreement may apply to SWIFT message data located in Europe.

We welcome the negotiations because SWIFT has been asking the EU and US authorities to provide legal clarity and certainty regarding access by authorities to financial messaging data for the purpose of investigations into terrorist financing.

We understand that the authorities plan to mirror the safeguards obtained from the UST when it first subpoenaed SWIFT after the attacks of 9/11. The Commission has stated that the new agreement will include guarantees on the limits of access, on the use and retention of data, and on the sharing of the data. The negotiations are taking place between the authorities of sovereign entities. SWIFT, as a private company, is not involved.

It is also important to note that the authorities can only access limited sets of data stored in SWIFT Operating Centres and this applies to FIN traffic only. SWIFTNet FileAct traffic, including SEPA data, is not stored and therefore is not retrievable.

From its inception, SWIFT has taken all possible measures to protect the security and confidentiality of its customers’ data while ensuring that its network and services offer the highest levels of reliability and resilience. As part of this commitment, two years ago, we announced the implementation of a new distributed network architecture and the addition of an Operating Centre in Switzerland, by end 2009. Both projects are on track. SWIFT always complies with legal obligations in the jurisdictions in which it operates.

Contrary to recent media reports, the new EU-US discussions confirm our initial statement in 2006, which said that SWIFT’s compliance with UST subpoenas is legal, limited, targeted, protected, audited and overseen.

History of United States Treasury Department’s access to SWIFT messaging data

SWIFT responds to data privacy concerns

The following statement is also available in German.

After the September 11, 2001 attacks, SWIFT responded to compulsory subpoenas for data for the purpose of terrorism investigations from the United States Department of the Treasury (UST). SWIFT is subject to lawful subpoenas in the United States because it has substantial business and operations there, including data storage.

SWIFT negotiated with the UST over the scope and oversight of the subpoenas to protect the confidentiality of its members’ data and obtained extraordinary protections and assurances as to the purpose, confidentiality, oversight and control of limited sets of data produced under the subpoenas. These protections ensure that only a limited set of data is accessed, and for the sole purpose of supporting ongoing investigations into terrorism financing under the UST’s Terrorist Finance Tracking Program.

The New York Times revealed the programme in June 2006, which led to interpretation issues surrounding data privacy laws. SWIFT found itself caught in a conflict between Belgian and European data privacy laws and US counter-terrorism laws.

After an in-depth investigation, the Belgian Data Privacy Commission, in consultation with Europe’s data privacy working party 29 (WP29), concluded in December 2008 that SWIFT was obliged to comply with lawful subpoenas in the United States, reconsidered the severity of previous opinions and concluded that there was no evidence to challenge SWIFT’s good faith. It also praised SWIFT on the precautions it took when responding to the subpoenas.

Moreover, the Commission expressed satisfaction with additional measures SWIFT took to ensure the protection of personal data contained in messages processed by its messaging services. These include:

  • The revision of contractual data protection policies (www.swift.com).
  • Joining the ‘Safe Harbor’ framework. This transatlantic framework ensures that data located in Europe and transferred to the United States are protected under similar data protection principles as in Europe. SWIFT itself has data protection controls, which are audited as part of its annual SAS 70 report.
  • Publishing and disseminating public information about its processing.
  • Appointing a full-time ‘Privacy Officer’ and committing to regularly review its data protection policies for the processing of financial messaging data.

In 2008, the European Commission designated Judge Jean-Louis Bruguière to review on behalf of the European Union the procedures governing the handling, use and dissemination of personal financial data from the EU carried over the SWIFT network and obtained by the UST. In January 2009, Judge Bruguière recognised that SWIFT had obtained extraordinary safeguards and reported that the UST has been vigilant from the outset in respecting these, and notably the strict counter-terrorism limitation.