SWIFT and Europe

by Henry Farrell on June 28, 2006

I’ve been waiting for the other shoe to drop on this for the last few days, and it finally has. Privacy International has “filed complaints”:http://www.nytimes.com/2006/06/27/world/27cnd-secure.html?ex=1309060800&en=5a89c5108098a0c0&ei=5090&partner=rssuserland&emc=rss with umpteen European and non-European data regulators that SWIFT has illicitly shared European citizens’ financial data with US authorities. This could have some very interesting consequences. Now bear in mind as you read the below analysis that I am not a lawyer. I have, however, spent a lot of time over the last six years working on and writing about privacy issues in the EU-US relationship, so I do have a good grasp of the political issues involved.

The key issue here is whether or not SWIFT (which is a sort of transactional clearing house, based in Belgium) did or didn’t break European law in providing information to US authorities. Cue background explanation of how complicated the implementation of EU privacy law is. European privacy is (with exceptions: see below) governed by the so-called Data Protection Directive, which, like all EU directives, is supposed to be implemented in national legislation. There can be, and usually is, some variation in how it is implemented between different member states. Within each EU member state, there are national data protection authorities, which are supposed to monitor implementation and have some sanctioning powers. There’s also a “Working Party” where the national level data protection authorities come together to issue advisory statements on European-level issues. Under certain circumstances involving non-EU countries, the European Commission can intervene. In short: the usual European Union mess of overlapping jurisdictions. This has become even more messy thanks to a ruling by the European Court of Justice last month in a case taken by the European Parliament against the Council (i.e. the member states’ body for collective decision-making) and the Commission. The Council and Commission had cooked up a deal together that allowed airlines flying into the US to provide certain kinds of information on their passengers to US authorities. The Parliament complained that the Commission and Council were exceeding their competences, and breaking EU privacy law, violating human rights etc etc. The Court “found in favour”:http://curia.eu.int/jurisp/cgi-bin/form.pl?lang=EN&Submit=Rechercher$docrequire=alldocs&numaff=C-317/04&datefs=&datefe=&nomusuel=&domaine=&mots=&resmax=100 of the Parliament, but on the narrowest possible grounds, ruling that the issues involved didn’t fall under the Data Protection Directive, but instead were matters of national security.

I recognize that this is likely to leave the heads of non-EU specialists spinning, but there are two key points. First – the crucial enforcement authorities when it comes to issues like SWIFT aren’t the European Commission or the member state governments. In all probability, they’re the national level data protection authorities. The data protection authority in Belgium is likely to play an especially important role, because SWIFT is based on Belgian soil. But any other member state authority could also reasonably get involved, because this obviously doesn’t just affect Belgian citizens. Second, there is a possibility (given the recent ECJ decision) that this is beyond the grasp of national level data protection authorities, because it involves national security issues rather than the issues explicitly covered under the Data Protection Directive. The data protection authority in Belgium has decided to investigate, but it could conceivably decide not to press the issue, because it would be exceeding its authority. However, this outcome appears to be highly unlikely to me. The national level Data Protection Commissioners were highly annoyed at the ECJ’s ruling last month, which substantially limited their authority. They’re likely to see this as an opportunity to claw some ground back. In contrast to the airline passenger data issue, the SWIFT financial information transfers didn’t happen with any official sanction from the member states. While the issues involved touch on national security, SWIFT wasn’t cooperating with the relevant authorities on national security issues (the member states). Instead, it was more or less unilaterally deciding to cooperate with an authority outside the EU – the US Treasury (and through Treasury, the CIA etc). SWIFT had informally told several member state central banks what was going on – but central banks aren’t the relevant authority under any conceivable reading. 
Thus (and I repeat that I’m not a lawyer), it would seem to me to be pretty hard to make the case that this activity would fall under the national security exemption to European data protection law; it isn’t up to the private actors involved, or to non-European state authorities, to decide what national security does or does not require. In any event, I suspect that this issue, if it’s raised at all, will be raised in subsequent litigation – it surely doesn’t appear to me to be a sufficient obstacle preventing national data protection authorities in Belgium and elsewhere from investigating and taking enforcement actions. If anything, it gives them all the more incentive to, so as to clarify an ambiguous legal situation in ways that favour them, and strengthen their freedom of action.

So what’s likely to happen now? There are a number of ways in which this might develop. First, and most unlikely to my mind, is that we’ll see a repeat of what is happening with respect to airline passenger data. That is, that the European Union member states will decide to lend _ex post_ justification to an action which appeared _ex ante_ to be illegal, by formally sanctioning it. This is surely possible – and would probably render discussion of the legality or illegality of SWIFT’s actions moot. However, it would require unanimous action on the part of the member states to legitimize a very tricky and potentially controversial set of actions. European citizens are unlikely to be any happier about foreign authorities going through their financial information than US citizens would be under similar circumstances. Hostile newspaper stories are already beginning to bubble up (e.g. “this one”:http://www.ireland.com/newspaper/front/2006/0628/4117598577HM1CIA.html from the front page of today’s _Irish Times_). Even if EU member states have (as is entirely possible) known about the SWIFT arrangement and turned a blind eye, it’s going to be very hard for them to come out and justify it in public.

Second, that the data protection authorities will be informally pressured not to proceed any further with investigations. Again, I don’t think that this is likely to succeed in squashing the issue – it’s too hot and controversial. The European Commission president has made it clear that privacy issues are important – and that “we risk losing our souls” if we don’t pay attention to them. National governments are embarrassed – and annoyed that central banks were informed, but that their justice ministries were not. Finally, there is an unrelated battle between the European Central Bank and national governments over the extent to which the ECB should be free of national authority – it’s far from impossible that some member states are going to use the privacy controversy as a means towards clipping the wings of their impertinent central bank officials.

Third, and most likely in my opinion, is that this is going to result in enforcement action by the EU data protection authorities – and to new laws in the medium term. It seems very unlikely indeed to me that SWIFT’s cooperation with US authorities was legal under European law. The organization could find itself in a lot of hot water. Moreover, there’s a lot of uncertainty surrounding the relationship between privacy and national security, especially when it involves international data transfers. The SWIFT controversy seems to me to be a perfect wedge issue for actors who feel that they’ve gotten short shrift in recent controversies over transatlantic data transfer (the data protection commissioners, the European Parliament) to press for a binding European regime to cover these issues, and to fill the gaps in the Data Protection Directive. My tentative prediction is that SWIFT will be found to have broken the law, _and_ that we’re likely to see new laws being passed over the next couple of years in the EU, to subject these new forms of transnational information transfer to more transparent principles and standards. Which will make EU-US cooperation on these issues a lot trickier, but there you go.


{ 15 comments }

1

Steve LaBonne 06.28.06 at 10:44 am

Which will make EU-US cooperation on these issues a lot trickier, but there you go.

But… but… I thought BushCo was making us safer from Terra!

(Of course the wingnuts will never notice nor understand the irony of this sort of thing…)

2

P O'Neill 06.28.06 at 10:54 am

Of parochial interest — or maybe more — is that the Irish Times did a story on it today; it’s a free front page link (for now) but I’ll put the key bits below.

CIA monitors personal bank data of Irish citizens
Jamie Smyth in Brussels

The personal data of thousands of Irish citizens that have sent or received money transfers to and from the US has been covertly logged by US anti-terrorist agencies.

The Government did not know about the monitoring scheme, but several EU central banks were informed about the programme, which was introduced after the terrorist attacks on September 11th 2001. Under the scheme the CIA can sift through millions of international banking transactions to try to identify potential terrorist financing.
….
Every day 64,000 transactions made by Irish citizens or businesses are carried by Swift …
….
The Irish Central Bank yesterday would neither confirm nor deny whether it had been informed about the CIA monitoring programme. In a statement that bank said oversight of the Swift system rested with the National Bank of Belgium and the G10 central banks, of which it was not a member.

An adviser to the Irish data protection commissioner, Seán Sweeney, said the supply of information to the US would not pose a data protection difficulty provided that it was subject to an appropriate legal instrument such as an international convention or a mutual assistance agreement. But he said he was not aware of any legal provision that would permit direct access to Irish bank records by the US.

© The Irish Times

3

Henry 06.28.06 at 10:55 am

I link to the _Irish Times_ story in there (in fairness it’s buried amid the rest of the verbiage).

4

P O'Neill 06.28.06 at 11:07 am

Sorry Henry. In the excitement of them having a finance article linkable, I missed it.

5

Sebastian Holsclaw 06.28.06 at 1:54 pm

I don’t understand what you are saying about the US notifying the wrong people in the respective governments. Presuming that the central banks did not have the authority necessary, isn’t it the responsibility of those people to either pass the information along to the right people and/or fail to authorize the program? Are you arguing that the various governments did not in fact know about the program? It seems to me a much more classic case of maintaining theoretical deniability than lack of knowledge.

6

Isabel 06.28.06 at 2:09 pm

(Of course the wingnuts will never notice nor understand the irony of this sort of thing…)

No, they won’t. American nonwingnuts won’t notice either: I don’t think that there was one single article that mentioned anything else than “American citizens” in the receiving end of all that spying. A navel the size of a continent.

7

Henry 06.28.06 at 3:11 pm

bq. Presuming that the central banks did not have the authority necessary, isn’t it the responsibility of those people to either pass the information along to the right people and/or fail to authorize the program? Are you arguing that the various government did not in fact know about the program? It seems to me a much more classic case of maintaining theoretical deniability than lack of knowledge.

As I said in the post, I wouldn’t be surprised if some people in the govts in question did know what was happening, and tacitly went along with it. I haven’t seen any evidence of this, but I wouldn’t be surprised. But the point is, that unless I’m wrong (and I could be – not a lawyer as stated – although I have been following legal developments in this area as a political scientist), SWIFT’s cooperation was illegal. Government knowledge or lack of knowledge makes no odds here as far as I can tell. If the member states of the EU had entered into some sort of protocol with the US regarding this information, or even if individual member states had done this, it would be a different kettle of fish altogether. And as best as I can tell, SWIFT seem to share this analysis – they were clearly highly uncomfortable about the situation they were in, and to the extent that they have articulated a public defence, it’s been a conflict of laws defence (which is unlikely to cut much ice afaik).

Steve Labonne – I didn’t pronounce on the rights or wrongs of this too heavily, but I’m actually considerably less perturbed about this than about various other forms of information gathering that we’ve been finding out about. As best as I can tell from publicly available information there were some checks and balances here, and the information has been used for the relatively narrow purpose of fighting terrorism. That said, I think this will be a highly emotive issue for Europeans – as stated, I think that they’ll feel as strongly about this as Americans would under similar circumstances.

8

Steve LaBonne 06.28.06 at 5:25 pm

I also don’t think it’s necessarily completely out of bounds provided all the necessary legal and diplomatic niceties are attended to first, so that one doesn’t end up poisoning the well as seems likely to happen here. Of course, that’s not the Bush way…

But I’m getting sick of these idiots, and their sycophants, braying about how they’re making us safer when so many of their actions have exactly the contrary effect.

9

nik 06.28.06 at 6:02 pm

I think Sebastian makes a really good point.

Henry’s correct that as far as the law is concerned everyone has an obligation not to do things which are illegal. If central banks don’t have the authority to clear them the fact that SWIFT told member central banks what was going on doesn’t excuse them.

But as public authorities responsible for monitoring the banking sector don’t central banks actively have positive obligations? If they knew someone was doing something illegal then why didn’t they act to uphold the law? If they didn’t know then can’t we question their competence?

10

Tom Maguire 06.28.06 at 9:17 pm

As I said in the post, I wouldn’t be surprised if some people in the govts in question did know what was happening, and tacitly went along with it. I haven’t seen any evidence of this, but I wouldn’t be surprised.

Allow me to non-surprise you: the Belgian National Bank admits it was in the know, but sort of didn’t pass the news along; now the Belgian DoJ, alerted by media reports, is investigating the SWIFT program.

Some excerpts in anticipation of link-rot:

Belgium’s national bank (BNB) admitted yesterday that it knew that the US was monitoring financial transactions via the Swift system, which is based in Belgium, as part of its “war on terror”.

Earlier the country’s justice ministry said it had launched an inquiry into the covert US spy programme.

Spokeswoman Anaik De Voghel said Justice Minister Laurette Onkelinx had ordered the Belgian intelligence services to investigate the programme, confirmed by senior US officials Friday after it was leaked to US media.

“We had the information in the context of our monitoring activities” of Swift (Society for Worldwide Interbank Financial Transactions), a BNB spokesman said, refusing to say when it had that information.

“We were alerted informally in the framework of our contacts with this enterprise,” he said.

http://www.gulf-times.com/site/topics/article.asp?cu_no=2&item_no=93906&version=1&template_id=39&parent_id=21

And:

Belgium’s government is investigating the legality of counter-terrorism searches by U.S. officials of thousands of private records held by Brussels-based international bank cooperative SWIFT, a spokeswoman said.

… Belgian Justice Minister Laurette Onkelinx learned of the searches from the media and asked Belgium’s national security services and counter-fraud office to produce reports into the matter before the end of the week, a ministry spokeswoman said.

“She wants to know if these actions taken by the U.S. and SWIFT are okay under Belgian law,” Annaik De Voghel told Reuters on Monday. Security officials will discuss the issue later this week, she added.

A spokesman for European Commissioner for Justice and Home Affairs Franco Frattini said it did not appear that the European Union’s executive body had any competence in the matter.

“At first sight there is no European legislation covering this type of transfer and (it is) therefore a matter of national law,” he said.

Belgium’s central bank sought to distance itself from the affair, saying in a statement on Sunday that its role as head of the oversight body for SWIFT was limited.

“The monitoring of SWIFT’s activities that do not affect financial stability is not a matter for the oversight group and therefore the U.S. Treasury subpoenas of SWIFT were outside the purview of central bank oversight,” the statement said.

11

P O'Neill 06.28.06 at 11:01 pm

From Thursday’s Irish Times, reaction to the Privacy International complaint:

Seán Sweeney, compliance officer at the Irish data protection commissioner’s office, said he could not comment on whether an investigation was ongoing in the Swift case.

But he said in such a case the commissioner would have to establish a few key pieces of information early on. “Has the personal data of people resident in Ireland been accessed? If so, by whom, how and from where? The access point will be very important in determining jurisdiction. If Irish data are accessed in Belgium, it will be necessary to establish the conditions under which the data were supplied to Swift, in order to determine what power the commissioner may have to investigate.”

Labour MEP Proinsias De Rossa said the Swift case was yet another example of the erosion of EU citizens’ civil rights in the name of the US “war on terror”.

“It is not acceptable that the CIA or FBI can access records like this,” said Mr De Rossa, who urged the Government to hold an inquiry into the monitoring of banking records and called on the Irish Central Bank to explain what it knew about the CIA programme.

Several central banks in Europe knew that Swift was passing on details to the CIA from its US offices, but it is understood that many did not tell their governments.

The Irish Central Bank refuses to confirm or deny whether it knew.

12

Maria 06.29.06 at 4:59 am

What’s not clear to me from the reports I’ve read is what – if any – legal instrument was used for the transfers. Data sharing with third (i.e. non-EU) countries can be lawful if a mutual assistance agreement is invoked. If, as it seems, no particular instrument was used, then SWIFT may well be liable to enforcement actions.

As to the creation of instruments for data-sharing; this is moving quite quickly within the EU, but I’m less knowledgeable on the generally bi-lateral agreements with third countries. But I do know that a data protection directive on the specific applications within justice and home affairs has been in draft form for at least a year, but hasn’t yet seen the light of day.

13

trotsky 06.29.06 at 5:15 pm

Man, this international finance stuff is complicated, but comment 14 is all Greek to me.

14

Michael B 06.29.06 at 11:16 pm

Unquestionably, monocular vision is better than no vision at all, but binocular vision lends perspective and balance; privacy is a perfectly valid concern, not the only concern.

15

Michael Kenny 07.03.06 at 4:27 am

A banker friend here in Luxembourg said to me that what the banking industry objects to is the far too broad sweep of the information SWIFT supplied. They see it as going far beyond the legitimate requirements of law enforcement and being little more than a pretext for economic espionage. As he put it: “Bush has scored another own goal!”
