Swift CFO Questioned by Euro Parliament About Data Privacy

Executives from financial data transfer company Swift and the president of the European Central Bank (ECB) faced tough questions in a European Parliament committee meeting Wednesday, about the illegal sharing of private data with U.S. authorities.

ECB chief Jean-Claude Trichet denied that the bank should have stepped in to prevent the breach of European data-protection laws, saying that the bank could only advise the Society for Worldwide Interbank Financial Telecommunication (Swift). “We have no judicial competence in the field of data protection,” he said.

Swift Chief Financial Officer Francis van Bever explained that the company has two information storage facilities, one in the United States and the other in Holland. Each facility holds identical data; they serve as backups for each other in case one crashes.

“Each facility is subject to local laws,” Van Bever said. “We were obliged to respond to the subpoena from the U.S. authorities.”

European law is unclear, he said, adding that after getting external legal advice in Belgium, Swift concluded that transferring the data to the U.S. authorities would be legal. “We didn’t check with local data-protection authorities because we thought what we were doing was legal,” he said.

U.S. agencies ordered Swift to share millions of pieces of information about people and companies from around the world in the wake of the terrorist attacks on Sept. 11, 2001.

The information was deemed essential in tracing the financing of terrorism, and Swift complied with the order. However, European data-protection laws forbid transfers of European citizens’ personal data outside the European Union if the country receiving the data has a weaker data-protection regime than Europe’s. The United States is considered such a country under European laws.

In June, The New York Times revealed that Swift has been sharing the data with U.S. authorities for years, sparking investigations in Europe into how the European laws could so easily have been breached.

Last week, Belgium’s privacy commission concluded a two-month investigation, accusing Swift of breaking Belgian and Europe-wide data-protection laws. However, it stopped short of proposing fines for the company, which it agreed was caught between conflicting legal requirements on each side of the Atlantic.

Many European parliamentarians drew a parallel between the Swift case and the ongoing attempts to strike a data-sharing agreement that would allow the U.S. authorities access to personal data about passengers flying to the United States.

They were unimpressed by what more than one member of the European parliament referred to as “buck-passing” when it came to handing out responsibility for the data-protection breach.

Trichet tried to move the debate beyond casting blame by suggesting ways of avoiding similar problems in future.

“This problem is ongoing,” he said. “The system we have in place is imperfect. It is very important to clarify the situation and work out what to do about such data transfers across the Atlantic.”

He added that any agreement between the European Union and the United States should then form the basis for a global solution, because the problem is worldwide.

“We need a global legal framework for situations like this,” Trichet said.

Swift’s van Bever agreed. “We would welcome such clarification,” he said, adding that the double-taxation treaty could be a role model. The treaty is signed by many countries around the world and is designed to prevent people being taxed twice on the same income by different tax authorities.

By Paul Meller, IDG News Service (Brussels Bureau)

Keep checking in at our Security Feed for updated news coverage.