by Dave Gradijan

Privacy Complaint Lodged Against Australian Banks

Oct 20, 2006

A formal complaint has been lodged with the federal privacy commissioner to determine whether Australia’s banking industry is breaching local privacy laws by using the Society for Worldwide Interbank Financial Telecommunications (Swift) network.

The Swift network, which processes international funds transfers and is used by the Commonwealth Bank Group, Westpac Banking and ANZ National Bank, has been accused of breaking European data-protection laws by sharing personal information with U.S. authorities.

Anna Johnston, chair of the Australian Privacy Foundation, said the privacy of Australians’ banking records has been put at risk by a third party, namely Swift, passing on records to the U.S. government.

The U.S. government ordered Swift to share a host of information about people and companies around the world following the Sept. 11, 2001, terrorist attacks, as the data was deemed essential in tracing how terrorism was financed.

However, European data-protection laws outlaw the transfer of personal data outside the European Union if the country receiving the information has weaker privacy protection laws.

Both Swift and the European Central Bank (ECB) have been accused of breaking Belgian and European data-protection laws by sharing data deemed private and personal with U.S. authorities.

Johnston said the foundation is concerned Australian banks and other financial institutions using the Swift service may be in breach of the Australian Privacy Act.

“As if the practice of banks offshoring customer records wasn’t bad enough, now we discover that Swift, the organization that processes international fund transfers for Australian banks, has been giving banking records to the U.S. administration for several years,” Johnston said.

“Our banking records have already been compromised by the actions of Swift in allowing the U.S. government to gain access to Australian banking records without independent judicial oversight.

“If Australian privacy laws cannot be enforced in this case, then all this talk by the treasurer and attorney general about how Australia’s tough privacy laws prevent our banking records leaving this country is completely meaningless.”

The foundation has submitted a complaint to the privacy commissioner to investigate whether customer records are leaving the country.

Under local privacy laws, records cannot leave Australia unless safeguards are attached.

While the Australian Banking Association (ABA) was unwilling to comment, the Swift 2005 annual report shows 11 banks and 88 financial institutions in Australia sent more than 3 million messages over the SWIFTNet FIN service last year.

However, the privacy commissioner cannot investigate Swift itself because the organization is based in Belgium, which is outside the commissioner’s jurisdiction.

Swift and the ECB have not been fined for breaching European privacy laws, but ECB chief Jean-Claude Trichet admitted a global framework is required to deal with this problem.

“The problem is ongoing. The system we have in place is imperfect,” Trichet said.

“It is very important to clarify the situation and work out what to do about such data transfers across the Atlantic.

“Any agreement between the European Union and the United States should then form the basis for a global situation because the problem is worldwide.”

European parliamentarians drew a parallel between the Swift data-sharing case and ongoing attempts to forge an agreement allowing U.S. authorities access to airline passenger information.

In June this year, the European Court of Justice branded a U.S. mandate requiring passenger information to be sent to U.S. authorities prior to travelers arriving in the country as illegal because the data may not be adequately protected.

Australian airlines fully comply with the U.S. mandate, and the federal government claims passenger data is secure.

However, Qantas has confirmed that local passenger data is held in Germany and is subject to the strict European data laws. “Our customer data is held in an offshore facility with Amadeus,” a Qantas spokesperson said.

“The data is held in Germany and subject to the EEC data laws, which if anything are more stringent than Australian data-protection laws.”

By Michael Crawford, Computerworld Australia
