Decision by the Belgian Data Protection Commission regarding SWIFT
BRUSSELS, 10 December 2008 – Following an extensive review of SWIFT’s messaging services which began in May 2007, the Belgian data protection commission (Commission belge de la Protection de la Vie Privée) has concluded that SWIFT complies with all applicable Belgian data protection legislation. The report emphasizes the constructive approach adopted by SWIFT regarding its handling of mandatory subpoenas received from the United States Treasury within its ‘Terrorist Finance Tracking Programme’.
The Commission has concluded that SWIFT was obliged to comply with lawful subpoenas in the United States. The Commission indicates that while fulfilling its legal obligations in the United States, SWIFT acted with prudence, diligence and due care to protect personal data. The Commission has thus reconsidered the severity of previous opinions and assessments and has concluded that there is no evidence to challenge SWIFT’s good faith.
The Commission recalls that SWIFT has taken adequate measures to ensure the protection of personal data contained in messages processed by its messaging services.
These measures include:
• The revision of its contractual data protection policies (published on www.swift.com).
• Joining the ‘Safe Harbor’ framework. This is a transatlantic framework that ensures that European data transferred to the United States are protected under similar data protection principles as in Europe.
• Changing its messaging architecture to allow for intra-European messages to be processed and stored only in European facilities.
• Publishing and disseminating public information about its processing.
In addition, the Commission has expressed satisfaction with several additional initiatives taken by SWIFT, including the appointment of a full-time ‘Privacy Officer’, the filing of a declaration about its processing of personal data, and the ongoing review of its data protection policies for the processing of financial messaging data.
“SWIFT appreciates the pragmatic attitude adopted by the Commission which recognises the inextricable situation in which SWIFT found itself, when confronted with conflicting legal obligations,” said Francis Vanbever, CFO, SWIFT.
The report of the Belgian data protection Commission can be downloaded from its web site www.privacycommission.be.