Original Articles

SWIFT and the vulnerability of transatlantic data transfers

Pages 191-202 | Published online: 23 Apr 2008
 

Abstract

The ‘SWIFT affair’ eloquently illustrates the complexities of the protection of personal data in the context of global privacy-invading counterterrorist efforts. At the core of the issue there is not only the possibility for US authorities to secretly (and legally) access information on financial transactions taking place in the European Union (EU), as well as the concerns that this fact might raise regarding the effective protection of personal data guaranteed to European citizens. What is also at stake is the possibility for a European company not to comply with EU data protection legislation as interpreted by competent authorities without facing any sanctions. This paper reviews the developments of the ‘SWIFT affair’ assessing the system failures it portrays, particularly in the light of European data protection. It recalls how the facts were rendered public, focuses on the reactions from different European data protection authorities and bodies (the Belgian Privacy Commission, the Article 29 Working Party and the European Data Protection Supervisor) and offers a view of the ‘solutions’ discussed and implemented. By questioning their opportunity and convenience, it underlines that the major unsolved challenge of EU data protection is the need for a consistent approach to deal with transatlantic data transfers.

Notes

1. See, for instance, Colin J. Bennett and Charles D. Raab, The Governance of Privacy: Policy Instruments in Global Perspective (Cambridge, MA: The MIT Press, 2006), 94–5; and Priscilla M. Regan, ‘American Business and the European Data Protection Directive: Lobbying Strategies and Tactics’. In Visions of Privacy: Policy Choices for the Digital Age, ed. Colin J. Bennett and Rebecca Grant (Toronto: University of Toronto Press, 1999), 199–216.

2. Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995, on the protection of individuals with regard to the processing of personal data and on the free movement of such data (Official Journal L 281, 23-11-1995, 31).

3. Articles 25 and 26 of Directive 95/46/EC.

4. Directive 95/46/EC, Art. 25.1.

5. Commission Decision of 26 July 2000 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the safe harbour privacy principles and related frequently asked questions issued by the US Department of Commerce (2000) OJ L215/7. For more information, see: http://www.export.gov/safeharbor.htm.

6. For an account on this, see for instance, Dorothee Heisenberg, Negotiating Privacy: the European Union, the United States and Personal Data Protection (Boulder, CO: Lynne Rienner, 2005).

7. More than 1000 companies have already applied.

8. Joined Cases C-317/04 and C-318/04 European Parliament v. Council and Commission, in which the ECJ annulled both Commission Decision 2004/535/EC of 14 May 2004 on the adequate protection of personal data contained in the Passenger Name Record of air passengers transferred to the US Bureau of Customs and Border Protection (OJ 2004 L 235, 11) and Council Decision 2004/496/EC of 17 May 2004 on the conclusion of an Agreement between the European Community and the USA on the processing and transfer of PNR data by Air Carriers to the US Department of Homeland Security, Bureau of Customs and Border Protection (OJ 2004 L 183, 83, and corrigendum at OJ 2005 L 255, 68).

9. From the Belgian Privacy Commission's inquiry it appears that the extraction process had two distinct phases, one consisting of simple retention of data transferred, and the second consisting in effective consultation of certain messages content by the UST (Belgian Privacy Commission, ‘Summary of the opinion on the transfer of personal data by SCRL SWIFT following the UST (OFAC) subpoenas’, Belgian Privacy Commission, Brussels, accessed 29 September 2006).

10. More information on SWIFT's oversight can be found here: http://www.swift.com/index.cfm?item_id=57001 (last accessed 13 March 2008).

11. At a later stage, the applicable Memoranda of Understanding.

12. Notably The Los Angeles Times and The Wall Street Journal.

13. Byron Calame.

14. Byron Calame, ‘Secrecy, Security, the President and the Press’, The New York Times, 2 July 2006, available at: http://www.nytimes.com/2006/07/02/opinion/02pub-ed.html (last accessed 13 March 2008).

15. Ibid., 1.

16. Byron Calame, ‘Banking data: A mea culpa’, The New York Times, 22 October 2006, http://www.nytimes.com/2006/10/22/opinion/22pubed.html?pagewanted=2 (last accessed 13 March 2008).

17. Marc Rotenberg, ‘Recent Privacy Developments in the United States, Particularly with Respect to Travellers Using Air Transport’, 21 March 2007. Written evidence submitted to the European Parliament (Committee on Civil Liberties, Justice and Home Affairs) for the Public Seminar ‘PNR/SWIFT/Safe Harbour: Are transatlantic data protected?’ which took place in Brussels, 26 March 2007. Accessible at: http://www.europarl.europa.eu/meetdocs/2004_2004/documents/dv/rotenbery_/rotenberg_en.pdf (last accessed 13 March 2008).

18. Article 29 Data Protection Working Party, PNR Subgroup, ‘US Watch lists: Passenger no-fly lists / Selectee lists’, Version 21 March 2007.

19. Rotenberg, ‘Recent Privacy Developments’, 5.

20. See, for instance, the declarations of Blanche Petre, a SWIFT representative, at the European Parliament (date of declaration: 26 March 2007). See also SWIFT webpages, e.g. http://www.swift.com/index.cfm?item_id=61490 (last accessed 13 March 2008).

21. European Parliament resolution on SWIFT, the PNR agreement and the transatlantic dialogue on these issues, 14 February 2007, Strasbourg, available at: http://www.europarl.europa.eu/sides/getDoc.do?pubRef=-//EP//TEXT+TA+P6-TA-2007-0039+0+DOC+XML+V0//EN (last accessed 13 March 2008).

22. The EDPS was established by Regulation (EC) No. 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data, OJ L 008, 12/01/2001, 1–22.

23. The Working Party on the Protection of Individuals with regard to the Processing of Personal Data (known as ‘the Article 29 Working Party’) was set up by Article 29 of Directive 95/46/EC.

24. Belgian Privacy Commission, Opinion No. 37/2006 on the transfer of personal data by SCRL SWIFT following the UST (OFAC) subpoenas, 27 September 2006. See also Serge Gutwirth, Ronny Saelens and Paul De Hert, ‘SWIFT schendt wet verwerking persoonsgegevens’, Juristenkrant, no. 137 (8 November 2006): 7.

25. See Article 4 of Directive 95/46/EC on National law applicable. The applicable Belgian law is the law of 8 December 1992 regarding the protection of privacy concerning the automatic processing of personal data as modified by the law of 11 December 1998 implementing Directive 95/46/EC and the law of 26 February.

26. The examination of compliance with the applicable Belgian law was indeed made with reference to the Data Protection Directive; in this sense, examining eventual infringements in the framework of the normal functioning of the SWIFTNet FIN service, the Belgian Privacy Commission made reference to Articles 7(b), 9, 11, 21, 25 and 26 of Directive 95/46/EC; examining the transfer of data to the UST, the Belgian Privacy Commission mentioned as legal basis for the transfer not only the relevant Belgian provision, but also Art. 7(b) of Directive 95/46/EC (as well as Art. 8 of the European Charter of Human Rights) and mentioned in the assessment Art. 6.1(c), 6.1(e), 25 and 26 and 28 of said Directive.

27. See note 8.

28. For interpretations dissenting from the Belgian Privacy Commission analysis, see Franck Dumortier and Yves Poullet, ‘La protection des données à caractère personnel dans le contexte de la construction en piliers de l'Union Européenne’, updated 1 February 2007, available at: http://www.europarl.europa.eu/meetdocs/2004_2009/documents/dv/dumortier_poullet_/dumortier_poullet_fr.pdf (last accessed 13 March 2008); Yves Poullet and Elise Degrave, ‘L'Affaire SWIFT’, 2007, available at: http://www.europarl.europa.eu/meetdocs/2004_2009/documents/dv/poullet_degrave_/poullet_degrave_fr.pdf (last accessed 13 March 2008).

29. The Privacy Commission argued that SWIFT is a data controller not for one but ‘for a series of reasons’, including that it takes decisions that go beyond the normal and legally defined ‘margin for manoeuvre’ within which mere data processors are confined.

30. It is not uncommon for the Belgian public prosecutor to abstain from taking any legal action in the cases submitted to him by the Belgian Privacy Commission. This lack of response is generally explained by general work overload (as commented by Koen Gorissen, member of the Belgian Privacy Commission, in an intervention at ‘The Policy Challenges of Electronic Privacy’, European Policy Seminar, 28 February 2006, Flemish Parliament, Brussels).

31. Article 29 Working Party, Opinion No. 10/2006 on the processing of personal data by the Society for Worldwide Interbank Financial Telecommunication (SWIFT), 23 November 2006, 01935/06/EN.

32. On the basis of Regulation (EC) No. 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data.

33. European Data Protection Supervisor, ‘EDPS opinion on the role of the European Central Bank in the SWIFT case’, Brussels, 1 February 2007.

34. The EDPS mentioned as a ‘reason’ that judgement does not exclude from the scope of the Data Protection Directive the cases where personal data are transferred to a third country for commercial purposes, on the basis of a free choice of the controller(s).

35. Franco Frattini, Vice-President of the European Commission, declared in his intervention at the European Parliament's ‘Joint Debate on a new agreement on Passenger Name Records (PNR) and on SWIFT data’, on 31 January 2007, that only seven Member States had at that time answered his November letter (minutes of the debate are available at: http://www.euractiv.com/29/images/PNR+SWIFT_tcm29-161379.pdf (last accessed 13 March 2008)).

36. Even though SWIFT does not seem to be fully aware of this notion, as it has publicly stated that ‘Safe Harbor is a framework negotiated by the EU and the US in 2000 to provide a way for companies in Europe, with operations in the US, to conform to EU data privacy regulations’, although admitting afterwards that ‘it has already been informed by the US authorities that it meets the eligibility criteria’ (see ‘Important Actions Resulting from March 2007 Board Meeting’, published 29 March 2007, http://www.swift.com/index.cfm?item_id=61490 (last accessed 13 March 2008)). Contrary to what SWIFT seems to believe, the EU has not (yet?) left the monitoring of compliance with EU law by EU companies in the hands of US authorities.

37. Safe Harbor Privacy Principles, issued by the US Department of Commerce on 21 July 2000, available at: http://www.export.gov/safeharbor/SH_Privacy.asp (last accessed 13 March 2008).

38. Support to negotiations was given through its president, Jean-Claude Trichet.

39. Belgian Privacy Commission, Opinion No. 47/2006 on the preparation of an agreement concerning the transfer of personal data by SWIFT to the UST, 20 December 2006.

40. Follow-up at Prelex: http://ec.europa.eu/prelex/detail_dossier_real.cfm?CL=en&DosId=193371 (last accessed 13 March 2008).

41. The Data Retention Directive case still pending at the European Court of Justice can be cited as an example of this.

42. European Commission, Communication from the Commission to the European Parliament and the Council on the follow-up of the Work Programme for better implementation of the Data Protection Directive, Brussels 7.3.2007, COM (2007)87 final, 11.

43. P. De Hert and B. De Schutter, ‘A Harmonized Data Protection Approach on International Data Transfers in the Field of JHA: What Europol, PNR and Swift Teach Us’. In Justice, Liberty, Security: New Challenges for EU External Relations, ed. Bernd Martenczuck and Servaas van Thiel (Brussels: VUB Press, 2008), 299–355.

44. Office of Foreign Assets Control, US Department of the Treasury (2007), ‘Publication of US/EU Exchange of Letters and Terrorist Finance Tracking Program Representations of the United States Department of the Treasury’, Federal Register 72 (23 October 2004): 60054–66.

45. Ibid., 60055.
