An independent European data committee has concluded that Belgium-based interbank network Swift violated European data protection laws by passing details of banking transactions to the US government.
News that the Bush administration was using emergency powers to secretly scrutinise suspect transactions sent over the interbank Swift network emerged in June this year.
Swift came under fire from Belgian and EU officials following disclosure of the programme but has always staunchly defended its compliance policies, claiming that its US branch has been subject to valid and compulsory subpoenas which required it to transmit some stored message data to the US Treasury (UST).
But now an Article 29 Working Party has found Swift in violation of EU data protection laws for allowing the US Treasury to access transactions passed over its network, according to a Dow Jones report. A document containing the allegations is expected to be published this week.
The committee has called for Swift, along with other financial institutions, to halt the scheme but lacks any enforcement powers.
In its defence Swift says it "strongly objects" to the opinion and claims that repeated requests to meet with the committee were turned down and therefore "Swift was not given the opportunity to explain its position".
In a statement the interbank network says: "Swift acted responsibly within applicable laws by complying with mandatory UST subpoenas for limited sets of data in the US for the exclusive purpose of terrorism investigations. It obtained from the UST extraordinary protections and control mechanisms that met both its obligations to protect the confidentiality of its members’ data and requirements to follow EU and US laws."
A previous investigation by the Belgian Data Privacy Commission that concluded in September found that Swift had broken Belgian and EU data protection laws and accused the co-operative of a "gross miscalculation" in failing to secure an effective and clear legal basis for the data screening and independent controls in line with European rules. Belgian prime minister Guy Verhofstadt called for talks between the EU and US to reach an agreement on privacy safeguards.
Swift has submitted a legal rebuttal to the Belgian Privacy Commission in response to the claims and says it objects to the commission's analysis and opinion that it committed a "serious error of judgment".
The network says the commission's findings are founded on an incorrect interpretation that Swift is a data "controller" rather than a data "processor".
Swift says it simply transmits financial messages on behalf of financial institutions according to their instructions and does not access any of the data contained in the financial messages.
"As a data processor, Swift has fully complied with all current legal obligations under Belgian data privacy law," the network said in an earlier statement.
Swift CEO Leonard Schrank says the network supports calls by national and EU officials for urgent dialogue between Europe and the US to develop mechanisms for dealing with financial intelligence for counter-terrorism purposes while ensuring adequate data protection safeguards.
"Swift has always taken data privacy very seriously and will work with its user community and competent authorities to seek solutions which further increase awareness and transparency about usage of global systems like Swift," says Schrank. "It is clear however that only dialogue between the EU and US will provide the legal certainty which internationally active companies require."