Bank faulted over data transfers to U.S.
By Dan Bilefsky

International Herald Tribune

Published: September 28, 2006


BRUSSELS - The Belgian banking consortium Swift breached European privacy rules when it aided the U.S. anti-terrorism program by providing confidential information about money transfers, Belgium's privacy protection commission concluded Thursday.

"It has to be seen as a gross miscalculation by Swift that it has, for years, secretly and systematically transferred massive amounts of personal data for surveillance without effective and clear legal basis and independent controls in line with Belgian and European law," the report said.

Swift, or the Society for Worldwide Interbank Financial Telecommunication, has come under scrutiny for participating in a Bush administration program that allows analysts from the Central Intelligence Agency and officials from other U.S. agencies to search for possible terrorist financing activity among the millions of confidential financial transactions it oversees.

Washington has defended the secret program, which began after the Sept. 11, 2001, terrorist attacks in New York and Washington. But critics in Europe argue that it placed U.S. security interests ahead of European civil liberties.

A European Union working group debated this week whether the program violates European banking law and is considering whether an independent auditor should be appointed to prevent possible privacy abuses.

Presenting the findings of the investigation, Prime Minister Guy Verhofstadt of Belgium said he recognized that sharing data on financial transfers was essential in the global fight against terrorism. But he took Swift to task for passing on confidential financial information without adequate safeguards that European privacy rules would be respected.

"Swift finds itself in a conflicting position between American and European law," Verhofstadt said. "But it should have received stronger guarantees of privacy protection based on European standards - not by American standards, which are not as strong."

Such guarantees should have included stronger safeguards that the information was being used only for terrorism investigations, Belgian officials said.

Under European law, companies are forbidden from transferring confidential personal data to another country unless that country offers adequate protections. The EU does not consider the United States to be a country that offers sufficient legal protection of individual data.

The commission report said Swift had transferred confidential information to the United States without establishing a sufficient legal basis to do so in Belgium and the European Union.

Swift has defended the transfers on the grounds that it has offices in the United States and was meeting its legal obligations by upholding U.S. laws.

But the commission rejected this argument. It said Swift was still subject to Belgian rules, regardless of whether the data transferred to U.S. authorities came exclusively from the company's U.S. subsidiary rather than its global headquarters in Brussels.

Referring to the broad administrative subpoenas issued to Swift by the U.S. Treasury, the commission said "Swift should have realized that exceptional measures based on American rules do not legitimize hidden, systemic violations of fundamental European principles related to data protection over a long period of time."

Verhofstadt said Belgium's privacy protection commission had not yet moved to take legal action against Swift. Instead, he said, Belgium would push its EU partners to open talks with the United States on a new agreement on the transfer of financial records to be used in terror investigations.

Swift dismissed criticism that it had done anything unlawful, saying it received strong assurances that the data would be used exclusively for terrorism investigations. But the chief executive of Swift, Leonard Schrank, agreed that the United States and Europe needed a common framework to reconcile data protection with the fight against terrorism.

"We need an agreement between the EU and the U.S. that recognizes the global threat of terrorism but has a comfort level for those seeking to guarantee data protection," he said. "We are caught between complying with the U.S. and European rules and it's a train wreck. But what we have done saves lives in the U.S. and Europe and we must not lose sight of that."

Asked why Swift had not notified European authorities about the data transfers - a criticism made by the Belgian commission - Schrank said that Swift had satisfied disclosure rules but had taken the decision "not to notify broadly" out of fear of harming global security by tipping off terrorists.

He declined to say whether Swift was still transferring such data to the United States, but said that the consortium was still obligated to answer subpoenas from the U.S. authorities because it conducted substantial business in America.

The EU and the United States are increasingly at odds over how to reconcile civil liberties with the fight against terrorism. Recent allegations that the United States kidnapped terrorist suspects on European soil and detained them in secret detention centers have sparked fierce criticism from European legislators.