Submits comprehensive legal rebuttal to Belgian Privacy Commission
SWIFT has submitted a comprehensive legal rebuttal to the Belgian Privacy Commission in response to its advisory opinion of 27 September 2006.
On the occasion of the report, SWIFT CEO Leonard H. Schrank stated, “SWIFT strongly supports calls by national and EU officials for urgent dialogue between Europe and the United States to develop mechanisms for dealing with financial intelligence for counter-terrorism purposes while ensuring adequate data protection safeguards. It is vital that the international data privacy debate includes these broader concerns of security and public safety.”
The boundary between security and data privacy must be defined by governments. Private companies, like SWIFT, can play their part through upholding the law, but they cannot make policy. Ultimately they are dependent on governments and elected officials to develop the legal framework in which they operate.
The need for SWIFT’s rebuttal to the Belgian Privacy Commission is a reflection of the interpretation issues surrounding the current data privacy law. SWIFT objects to the Privacy Commission’s analysis and to its unfounded opinion that SWIFT committed a “serious error of judgement”.
The rebuttal reiterates that SWIFT acted within applicable laws by complying with the mandatory subpoenas from the US Treasury (UST) for limited sets of data in the US for the exclusive purpose of terrorism investigations. It reiterates that SWIFT obtained from the US Treasury extraordinary protections and controls that met both its requirement to follow the law and its obligations to protect the confidentiality of its members’ data. These protections went well beyond and were even more stringent than SWIFT’s legal obligations.
Central to the Belgian Privacy Commission’s findings is its incorrect interpretation, based on existing legal definition, that SWIFT is a data “controller” rather than a data “processor”. SWIFT simply transmits financial messages on behalf of financial institutions according to their instructions. It does not know the financial institutions’ ultimate customers and it does not access any of the data contained in the financial messages. Therefore, SWIFT is clearly a data processor and not a data controller. As a data processor, SWIFT has fully complied with all current legal obligations under Belgian data privacy law.
Read a summary of the report :
Previous statements and stories on compliance
- 24 Oct 2006: New York Times public editor reverses himself on 23 June article
- 8 Oct 2006: Commentary: SWIFT defends compliance at EU Parliament hearing
- 4 Oct 2006: EU Parliament hearing: SWIFT statement and press release on compliance
- 28 Sep 2006: SWIFT supports calls for EU-US talks on security and data privacy
- 25 Aug 2006: Update and Q&A to SWIFT’s 23 June 2006 statement on compliance: Compliance with subpoenas is legal, limited, targeted, protected, audited and overseen
- 23 Jun 2006: SWIFT statement on compliance policy: Following recent press coverage, Chairman, Deputy Chairman and CEO provide statement to SWIFT community