After two-year investigation, Belgian commission finds no violation of data protection law

By Tanguy Van Overstraeten and Richard Cumbley
The Belgian Privacy Commission finally completed its investigation into SWIFT’s disclosure of information to the U.S. Department of the Treasury in December. Its detailed and comprehensive decision concluded that SWIFT complies with all the provisions of Belgian data protection law and that no further action is required. The investigation and decision also acknowledge the difficult position private organisations are placed in when presented with conflicting legal demands from different states

A brief history of the SWIFT affair

SWIFT, the Society for Worldwide Interbank Financial Telecommunication, is a Belgium-based co-operative company. It provides a secure and encrypted financial messaging service to more than 8,300 banking organisations, securities institutions, and corporate customers, and handles millions of messages per day. SWIFT stores copies of these messages in two operation centres—one in Europe and the other in the U.S.—for resilience purposes. Some of the financial instructions are made on behalf of individuals and, therefore, contain personal data.  

SWIFT moved into the spotlight in June 2006 when the New York Times revealed that SWIFT had been subject to a number of subpoenas requiring it to disclose messaging information to the U.S. Department of the Treasury. The European data protection authorities reacted rapidly and violently to this revelation. Opinions on the disclosure were issued in rapid succession by the Schleswig-Holstein and Belgian data protection authorities and both the Article 29 Working Party and the European data protection supervisor strongly challenged the disclosure. The reasoning in these opinions varies but, in the main, they found that:

• SWIFT was data controller or joint data controller in respect of the information (though there were dissenting views on this point);
• transferring information to the U.S. operation centre and subsequently disclosing it to the U.S. authorities was in breach of data protection law; and,
• inadequate information was provided to the relevant data subjects and authorities.  

SWIFT is located in Belgium so the Belgian Privacy Commission is responsible for any formal enforcement action. Accordingly, the Privacy Commission followed its initial opinion of September 2006 with a control procedure and a recommendation procedure. The recommendation procedure allowed for a more detailed investigation and for SWIFT to present its position and arguments. Both procedures are now complete. The Privacy Commission issued a final decision (the “Decision”) and closed the case against SWIFT.  

Overview of the privacy commission’s decision  

The Privacy Commission’s Decision runs nearly 80 pages and sets out a detailed and comprehensive analysis of SWIFT’s operations and their compatibility with Belgian data protection law. The key finding is that there was no serious or repeated violation of data protection laws by SWIFT.

The Decision makes it clear that SWIFT’s messaging service cannot be considered as a single, indivisible whole. Instead, it must be broken down into individual processing activities and, in relation to each different type of processing, it is necessary to decide whether SWIFT is data controller or data processor. Accordingly, the Decision concludes:

• the financial institutions act as data controller in relation to the creation of each message and its transfer across the SWIFT network;
• SWIFT acts as de facto delegate of its community of users in respect of the messaging service, including decrypting, validating and storing a copy of the message and re-encrypting it and forwarding it to the recipient bank. For this type of processing the community of users itself is considered as data controller;
• finally, SWIFT itself acts as data controller only to a limited extent in relation to data it is retrieving and anonymising for statistical and other analytical purposes.

This is important for the wider community as this shows that the radical position adopted previously about who is and is not a data controller, has been substantially moderated. In light of this finding, SWIFT has filed two notifications of its processing on the Belgian data protection public register, one as de facto delegate of the community of users and the other as data controller to the limited extent set out above.

The Decision also recognises that SWIFT’s disclosures were made in response to the binding subpoenas from the U.S. Department of the Treasury. Moreover, SWIFT negotiated a detailed framework to regulate any such disclosures that provided a high level of protection to this information. In particular:

• the U.S. Department of Treasury’s requests have to be for precise types of information, such as types of messages. “Fishing expeditions” are not permitted;
• the messaging information may only be used for the fight against terrorism;
• the information must be confirmed from a separate source before being used; and,
• control mechanisms are set up to ensure compliance with these conditions.

SWIFT has also taken a number of steps to complement its legal obligations under data protection laws and to better protect personal data. These steps include establishing a new operating centre in Switzerland for inter-European messages. SWIFT has also appointed a full-time privacy officer and organises regular meetings of a data protection working group made of SWIFT users and its representatives.

Finally, the Decision makes some interesting points about the U.S. Safe Harbor scheme, which SWIFT signed up to in July 2007. The scheme does not permit transfers for law enforcement purposes as this is outside of the scope of the Directive (see the ECJjudgment in the PNR cases C-317/04, C-318/04). Accordingly, it was necessary for SWIFT to justify the transfer on another basis, namely that the undertakings given by the U.S. Department of the Treasury, as confirmed in its correspondence with the European Commission, provide an adequate level of protection for the data.
 

Are we still caught between a rock and a hard place?  

The SWIFT case vividly illustrated the problems many organisations face when dealing with conflicting legal obligations, particularly those arising out of compliance with U.S. law. Other notable examples include the whistleblowing obligations stemming from the Sarbanes-Oxley Act, e-discovery and disclosure requests from the U.S. Securities and Exchange Commission.  

The Decision provides some acknowledgement that private companies are unable to resolve these conflicting obligations single-handedly. The correct approach would be to establish international control and governance structures to protect privacy rights in a world where data flows freely.

The Decision is available on the Privacy Commission’s Web site (www.privacycommission.be) in French and Dutch – with an English translation available at http://www.privacycommission.be/en/static/pdf/cbpl-documents/a10268302-v1-0-151208_translation_recommswift_fina.pdf.

Tanguy Van Overstraeten is Linklaters LLP’s global head of privacy, based in Brussels. Richard Cumbley is a partner in Linklaters LLP’s London office. The authors can be reached at tvanover@linklaters.com and richard.cumbley@linklaters.com.