ARTICLE
15 December 2006

EU Regulators Fast To Condemn SWIFT

Bristows

Contributor

We are a hub for litigation, transactions and advice. We don’t work to billing targets, ensuring clients get the right combination of experts. It’s a rare approach defining the quality of our advice. We recruit inquisitive minds, many with science and technology backgrounds. We are Bristows, seeing things differently for those shaping tomorrow.

This article was originally published in Bristows' monthly IT e-newsletter 'The Cookie Jar'.

SWIFT, the Society for Worldwide Interbank Financial Telecommunications, which operates a worldwide financial messaging service facilitating money transfers, has found itself tripped up by EU data laws. On 22nd November, the influential Article 29 Working Party (i.e. the EU Data Protection Regulators) issued a damning opinion on the compliance of the SWIFTNet FIN Service with the EU Data Protection Directive. The Opinion is significant, both commercially – the SWIFT service processes over 2 billion payment-related messages a year – and legally. It assesses SWIFT’s compliance against the various requirements of the Directive and finds its service lacking on almost all of them.

The issue arose out of publicity over the summer highlighting that SWIFT was responding positively to US Department of Treasury anti-terrorism related subpoenas to provide message information held in SWIFT’s back-up data centre in the United States. In response, SWIFT had obtained certain privacy-related assurances from the Department of Treasury regarding its handling of the subpoenaed information. This wasn’t good enough. Only the EU authorities can work out a deal with their US counterparts, as they did for SOX hotlines, and as they did for airline passengers’ PNR data. In the meantime, uncertainty remains and SWIFT appears to have come out fighting. It has issued a 60-plus-page rebuttal of the Article 29 Working Party’s Opinion.

The Opinion expresses the following views:

  • SWIFT is not a mere data processor (acting on behalf of the banks using the network) in its operation of the SWIFTNet FIN service but a data controller. This is perhaps the most significant finding in the Opinion and the conclusion most hotly contested by SWIFT in its rebuttal. It brings into sharp focus the difference in compliance responsibilities between controllers and processors. If SWIFT is a controller it must comply with the Data Protection Directive (and its implementing laws) in full, whereas as a processor it would have far fewer obligations. This aspect of the Opinion may be of some concern to other service providers, which to date have been able to regard data protection compliance as primarily the responsibility of their customers;
  • Since SWIFT is a "formal cooperative network", the financial institutions making use of it to transmit messages (i.e. EU banks) share responsibility for its compliance; that is, they are "joint controllers";
  • SWIFT had not complied with Article 25 of the Directive, which provides that transfers of personal data out of the EU may only proceed where the protection is "adequate". Nor could SWIFT rely upon any of the exceptions under Article 26(1). This aspect of the Opinion seems particularly harsh, as the SWIFTNet FIN structure highlights the difficulties faced by companies transferring personal data out of the EU on a worldwide basis. SWIFT is based on a "branch" structure rather than having a US subsidiary, and as such it couldn’t rely upon the EU-US Safe Harbor, nor could it implement EU Model Clauses (it can’t be in contract with itself). The only other possibility, implementing "Binding Corporate Rules", which to date no multinational has managed to have approved in every country where it does business, has been ruled out by the Article 29 Working Party as inappropriate for "loose conglomerates". Rock and a hard place;
  • The subpoenas issued by the US Department of Treasury were not binding on SWIFT, which is headquartered in Belgium, and so could not legitimise the processing related to them. Generally, a legal obligation imposed by a non-EU statute or court does not qualify as a legal obligation for the purposes of the Directive.

The issues raised are by no means unique to SWIFT. Many other global networks supporting transactions between loose conglomerates of commercial entities exist. They will be watching the SWIFT decision with interest.

If you would like to subscribe to The Cookie Jar, please e-mail ben.miller@bristows.com.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
