News & Events

Data Protection Update: Covert disclosure of banking information to the US authorities

01 September 2006

In July 2006 the European Parliament adopted a resolution on the recently publicised interception of bank transfer data from the Society for Worldwide Interbank Financial Telecommunications (SWIFT) system by the US Secret Services.

In July 2006 the European Parliament adopted a resolution on the recently publicised interception of bank transfer data from the Society for Worldwide Interbank Financial Telecommunications (SWIFT) system by the US Secret Services.   SWIFT is a Belgian-based industry-owned cooperative which consists of more than 8000 commercial banks and institutions in 200 countries, including a number of central banks. 

On Friday June 23rd 2006 the New York Times and the Los Angeles Times published details of a private arrangement between SWIFT and the United States Government that involved the covert disclosure to the U.S. of customer financial data. Neither the U.S. Government nor SWIFT was prepared to provide details of the extent of the disclosures.

Swift processes money transfers for all the main Irish banks, including AIB, Bank of Ireland, EBS and National Irish Bank.  According to the SWIFT Annual Report for 2005, in that year alone there were 16,619,000 messages sent over the SWIFTNet FIN service from 12 Irish banks and 77 Irish financial institutions.  The Irish Data Protection Commissioner has said he is concerned over the potential for abuse of the information.

This disclosure of data has been undertaken ostensibly on the grounds of counter-terrorism.  The disclosures involve the mass transfer of data from the SWIFT centre in Belgium to the United States, and possibly direct access by U.S. authorities both to data held within Belgium and data residing in SWIFT centres worldwide.  In all cases the disclosures were made without the knowledge or consent of the individuals to whom the data related.  Customers’ names, bank account numbers, and other identifying information can be retrieved. 

Privacy International, a human rights group in London, has lodged complaints in 32 countries, including all member states, and has stated that “to the best of our knowledge, the disclosure activity is ongoing. The scale of the operation, involving millions of records, places this disclosure in the realm of a fishing exercise rather than legally authorised investigation.  At this stage there is not enough information to determine how many European nationals have been the subjects of these disclosures, but there is a probability that the SWIFT activities involve mass disclosure”.   The office of Belgium’s Prime Minister confirmed that: "the cooperative (SWIFT) had received broad administrative subpoenas for millions of records".  An “administrative subpoena” is issued pursuant to the US International Emergency Economic Powers Act 1977 and takes the form of a letter issued without judicial authority.

Swift Executives have been uneasy at times about their secretive role, according to Belgian government and industry officials.  By 2003, the executives told American officials they were considering pulling out of the arrangement, which began as an emergency response to the Sept. 11 attacks.  Worried about potential legal liability, the Swift executives agreed to continue providing data only after senior officials intervened to ensure that new controls were introduced.  Among these controls is an outside auditing firm that verifies that the data searches are based on intelligence leads about suspected terrorists.

The statement from SWIFT asserts that “all of these actions have been undertaken with advice from international and U.S. legal counsel,” but the statement makes no mention of arrangements being made or notification given to Members States of the European Union. 

All transfers of personal data from the EU to third countries are subject to data protection legislation at national and European level, which provides that any transfer must be authorized by a judicial authority and that any derogation from this principle must be proportional and founded on a law or on an international agreement.

European Parliament concerns

The European Parliament, in its resolution, expressed concern at the fact that a climate of deteriorating respect for privacy and data protection is being created, and regret at the fact that it had not been informed by the other institutions, in particular the European Central Bank, of the existence of the SWIFT transfers, contrary to the principle of loyal and constant cooperation between the Community institutions.  It demanded that the European Commission (the “Commission”), Council and Central Bank explain fully the extent to which they were aware of the secret agreement between SWIFT and the US.

The Commission demanded further that the role of the ECB in this context be clarified, and asked the European Data Protection Supervisor to verify as soon as possible whether, in accordance with Regulation (EC) No 45/2001 of December 2000 on the protection of individuals with regard to the processing of personal data, the ECB was obliged to react to the possible violation of data protection which had come to its knowledge.  The Commission also asked its Committee on Civil Liberties, Justice and Home Affairs, together with the Committee on Economic and Monetary Affairs, to hold a joint hearing of the ECB, the Commission, the Council, the European Data Protection Supervisor and other parties that are involved in the affair in order to uncover what information they may have had.  It requested that the Commission undertake an evaluation of all adopted EU anti-terrorist legislation and strongly urges the Commission and Council to consider what measures should be taken to avoid future repetitions of such serious privacy breaches. 

Belgium has launched an investigation to see if the Brussels-based SWIFT broke Belgian Law by passing the data to the CIA. 

Accessing landline and mobile data

Of similar public interest in relation to data retention, are the recent activities of Digital Rights Ireland (“DRI”), a privacy watchdog group, which recent press reports state was preparing to challenge the constitutionality of the anti-terrorism provisions of the Criminal Justice Act which allows for the retention of electronic data on individuals who either use a mobile phone or a landline in Ireland.

This includes the physical locations of every mobile phone in Ireland and the numbers dialed from every mobile and landline.  DRI argues that the measures are in conflict with a person’s right to privacy and freedom of expression.  It has issued an ultimatum to the Minister for Justice, Equality and Law Reform, the Minister for Communications, the Marine and Natural Resources, and the Garda Commissioner, asking for undertakings that data retention will cease to be implemented and enforced, and that requests for access to data will cease within seven days, or legal proceedings against the State may be initiated.

The above incidents show the topicality of data retention laws, and the need for vigilance on the part of companies to ensure they are in compliance with data protection laws.  This is increasingly complex as the regulatory landscape is far from static.

Attribute to Jeanne Kelly.  Jeanne is a partner in the commercial department of Mason Hayes & Curran.  She regularly advises both US multinationals and Irish companies on data protection compliance.  For more information, please contact Jeanne at jkelly@mhc.ie or +353 1 614 5000.  The content of this article is provided for information purposes only and does not constitute legal or other advice. Mason Hayes & Curran (www.mhc.ie) is a leading business law firm with offices in Dublin, London and New York.

© Copyright Mason Hayes & Curran 2006. All rights reserved.