Belgian Prime Minister condemns SWIFT data transfers to U.S. as 'illegal'
28/09/2006
The Belgian government released a report today on the SWIFT case. SWIFT has been subject to a PI campaign against its transfer of financial transaction data to the U.S. Government. The Belgians concluded that "Swift should have respected its obligations under Belgian data privacy laws."
The full opinion in French is available on the Belgian Privacy Commission website, "avis n° 37 / 2006 du 27 septembre 2006 relatif à la transmission de données à caractère personnel par la SCRL SWIFT suite aux sommations de l'UST (OFAC)" (PDF). A summary is available as an unofficial translation at http://www.privacycommission.be/communiqu%E9s/summary_opinion_Swift_%2028_09_2006.pdf.
Our Analysis: Key Points
- SWIFT has been declared as a 'data controller' within the jurisdiction of Belgian data protection law.
- Financial institutions are also data controllers and may also be implicated. However, the Belgian investigation looked only at whether SWIFT had infringed Belgian privacy law.
- SWIFT was found to have breached Belgian privacy law: "SWIFT should have complied with its obligations under the Belgian privacy law, amongst which the notification of the processing, the information, and the obligation to comply with the rules concerning personal data transfer to countries outside the EU."
- Regarding the transfers to the U.S. Treasury, "SWIFT made some substantial errors of judgement in complying with the American subpoenas. From the beginning, SWIFT should have been aware that the fundamental principles of European law were to be observed, apart from the enforcement of the American law, such as the principle of proportionality, the limited retention period, the principle of traprotection level."
- The opinion acknowledges that SWIFT did make considerable efforts to provide certain guarantees through its negotiations with the U.S. Treasury, but these were found to be inadequate.
- Privacy Commissioners should have been notified; instead SWIFT only notified the G-10 banks.
Our Summary of the Belgian Report's Assessment of SWIFT's actions
Background to the investigation
- The investigation looked into the transfer of data to the US Department of the Treasury's Office of Foreign Assets Control (OFAC).
- The Belgian commission received Privacy International's complaint on June 28, 2006, and notes that similar complaints were filed in 33 other countries.
- The Belgian commission only looked at the SWIFTNet FIN service, and not the general use of personal data by SWIFT and its other services. It has no knowledge of other transfers to the U.S. Treasury.
- The investigation drew on public information on the SWIFT website (which PI helped advise SWIFT on) and on meetings with SWIFT's staff, including the general counsel and the CEO, as well as an on-site visit on August 31. The commission also sought information from the Belgian Central Bank.
About SWIFT and its services
- SWIFT has two data processing centres: one in Europe and one in the U.S. Each operations centre (OC) contains all the messages processed by SWIFT, mirrored for 124 days before they are stored in a back-up facility.
- Explanation of SWIFT data processing: the SWIFT messages can be compared to 'envelopes' and 'letters'. The envelopes contain information on the sending institution, the Bank's identifier code (BIC or SWIFT number), identifying information about the recipient bank, and the date and time of the transfer. The letter consists of the message itself, which is encrypted; if the message is regarding a financial transfer, the message will consist of the amount to be transferred, the method of transfer, the names of the sender and the recipient, and their banks. The messages may also consist of 'free format' fields such as reference numbers and other information.
- The transfer process is as follows:
  - The individual account holder gives an order to the bank to transfer funds. The message is then encrypted.
  - The message is sent over the SWIFT network (or some alternative service provider) and delivered to the recipient bank (or some representative of that bank).
  - The recipient bank sends back an acknowledgement of receipt.
  - The message may be decrypted en route, for example to assure SWIFT that the recipient bank is the one named in the message. The contents of the messages are also retained for 124 days.
About the Subpoenas
- Since 9/11, the U.S. Treasury has submitted 64 subpoenas to SWIFT.
- Prior to 9/11, SWIFT received a number of subpoenas from the U.S. Treasury but rejected them in part due to the delay in their reception (they were received after 124 days), but also because SWIFT noted that more relevant data could be collected from the banks themselves, and finally because SWIFT could not justify the search for data on a specific individual amongst all the data held within the operating centres.
- The early subpoenas were of a 'sweeping' nature and were not specific to an individual (referred to as 'Rasterfahndung' and 'carpetsweeping'). They sought all transactions relevant to terrorism concerning a given country or jurisdiction on a specific date (or over a period of several weeks). This could have covered transactions to and from the U.S., or even transactions entirely outside the U.S. (e.g. intra-EU transfers).
- The original definition of terrorism provided by the U.S. Government was as follows (paraphrasing due to translation): the struggle against the terrorist attacks that took place after the attacks of September 11, and the global network of terrorists who constitute a risk of violence against Americans, American property and U.S. interests and foreign interests.
- After negotiations with SWIFT, the U.S. Treasury definition was altered, defining terrorism as: an activity that (i) involves a violent or dangerous act that threatens human life, property or infrastructure; and (ii) that has the goal of (a) intimidating or threatening the civilian population; (b) of influencing the action of governments through intimidation or threats; (c) influencing the actions of a government through mass destruction, assassination, kidnapping, or hostage taking. This second definition excluded the activities of known governments. Also the new definition no longer mentioned the U.S. Government per se.
About the Transfer and Access to the Data
- This involved a two-step process: the handing over of data requested in the subpoena to the U.S. Treasury and the placing of this data into a 'black box'; and the access to specific data within the black box.
- All the transfers came from the SWIFT processing centre in the U.S.
- The black box was held at the U.S. Treasury offices.
- The 'black box' was designed by the U.S. Treasury, which would permit the Treasury to search the data therein by name. This software application was not available for SWIFT to review. The searches attempted to see if the suspects involved in the investigation appeared in the messages within the black box.
- SWIFT negotiated with the U.S. Treasury to ensure that searches could only take place if they were relevant to a terrorist investigation.
- SWIFT could not tell the Belgian commission how many messages were placed in this black box. The data could only be accessed if adequate procedures were followed, with oversight by Belgian employees (who held adequate security clearance).
- SWIFT told the Commission that the U.S. government has the complete right under its laws to require that all SWIFT messages are placed within that black box. The commission notes that this means for 2005 alone, over 2.5 billion messages could have been placed within this 'black box.'
The Negotiations between SWIFT and the U.S. Treasury
- In an attempt to lessen the onerous regime and breach of security of SWIFT files, SWIFT engaged in negotiations with the U.S. Treasury.
- SWIFT decided against appealing to a court to dispute the subpoenas.
- Booz Allen Hamilton was appointed as the external auditors of the program, in August 2002.
- In September 2003 the U.S. Treasury offered SWIFT a 'comfort letter' to support SWIFT if other countries sought information regarding the U.S. subpoenas.
- In April 2004 additional guarantees were offered to SWIFT, including the new definition of terrorism and assurances of the confidentiality of the data held by the U.S. Treasury, and assurances that SWIFT would be notified of the search criteria. SWIFT was also assured that the program would be kept secret.
- To summarise the safeguards:
  - The U.S.T. did not have direct access to the SWIFT network;
  - SWIFT would be required to submit data to the UST only if the data was relevant to a terrorist investigation;
  - The only searches conducted on the data would be those relevant to terrorist investigations;
  - Booz Allen Hamilton would assure that the storage system was secure and that the searches were relevant only to terrorist investigations, and would suggest improvements to the system;
  - SWIFT was also promised that two members of SWIFT staff would have complete access to the search criteria. Initially this involved taking a sample of the searches to verify that they were relevant to a terrorism investigation, but it eventually led to SWIFT reviewing all of the extractions from the black box. These two employees would not disclose the details of specific extractions to SWIFT management;
  - The black box was under 24-hour surveillance and control by these two SWIFT members of staff. The searches could be blocked in real time by the SWIFT staff, even when the black box was placed under secure storage by U.S. authorities;
  - If the U.S.T. were to seek a warrant to gain additional access to SWIFT data, it would not invoke the prior access regime as precedent, and SWIFT could oppose the warrant.
Related:
Europe's Privacy Commissioners rule against SWIFT
Swiss Privacy Commissioner claims SWIFT and Swiss banks infringed privacy law
German Lander Commissioner legal analysis condemns SWIFT transfers to U.S.
An Open Letter to the CEO of SWIFT on other covert programmes for access to financial data
European Parliament resolution on SWIFT builds on PI work
PI and ACLU show that SWIFT auditor has extensive ties to US Government
Pulling a Swift one? Bank transfer information sent to U.S. authorities
PI extends SWIFT complaints to officials in six more countries