European Union officials have agreed a deal setting conditions on the access of transaction data passing over the Swift interbank network by the US government. News of the deal comes as European privacy chiefs give the region's banks a September deadline to alert customers that financial transactions could be tracked by US officials.
Swift came under fire from Belgian and EU data privacy officials and politicians last year after it was dislosed that the Bush administration was using emergency powers to secretly scrutinise suspect transactions sent over the network as part of efforts to trace and cut off terrorist financing.
Swift has always staunchly defended its compliance policies, claiming that its US branch has been subject to valid and compulsory subpoenas which required it to transmit some stored message data to the US Treasury.
EU ambassadors have now agreed a deal that allows the US government to access data for counter-terrorism purposes only and to keep any data for a maximum of five years. A senior European official will be appointed to monitor how the data is used.
In a statement EU justice and security commissioner, Franco Frattini, says: "The EU will have now the necessary guarantees that US Treasury processes data it receives from Swift's mirror server in USA in a way which takes account of EU data protection principles."
This agreement comes a day after German Finance Minister Peer Steinbrueck told a European Parliament committee that they had reached agreement on safe harbour, in which US regulators attest that Swift's data protection meets EU standards. By adhering to this framework, Swift can confirm that customers' data located in the US are protected under similar data privacy principles as in Europe.
Frattini says in addition to compliance with the safe harbour privacy principles, Swift and the financial institutions that use its services must ensure that they fully comply with their information obligations under European data protection rules.
"We urge them to take all the necessary steps to ensure their quick compliance with European data protection law," says Frattini.
News of the deal comes as the Article 29 Working Party - a committee of European data protection officials - imposes a September deadline for banks in the region to notify any clients that may have their personal data accessed by US authorities.
The Working Party said in November that banks should inform customers about how their personal data is processed and provide information about "the fact that US authorities might have access to such data".
But in a statement released last week the Working Party says meetings with European banking associations show that, although progress has been made, "further action is still necessary to remedy the concerns the Working Party expressed".
The group says it has now set 1st September 2007 "as the deadline for financial institutions to take all necessary steps to improve the current situation."
The latest developments come a week after the Swift board provisionally approved proposals for a four year system re-architecture that would allow for intra-European data to be stored only in Europe and not passed onto the US operating centre.