I’ve been waiting for the other shoe to drop on this for the last few days, and it finally has. Privacy International has filed complaints with umpteen European and non-European data regulators that SWIFT has illicitly shared European citizens’ financial data with US authorities. This could have some very interesting consequences. Now bear in mind as you read the below analysis that I am not a lawyer. I have, however, spent a lot of time over the last six years working on and writing about privacy issues in the EU-US relationship, so I do have a good grasp of the political issues involved.
The key issue here is whether or not SWIFT (which is a sort of transactional clearing house, based in Belgium) did or didn’t break European law in providing information to US authorities. Cue background explanation of how complicated the implementation of EU privacy law is. European privacy is (with exceptions: see below) governed by the so-called Data Protection Directive, which, like all EU directives, is supposed to be implemented in national legislation. There can be, and usually is, some variation in how it is implemented between different member states. Within each EU member state, there are national data protection authorities, which are supposed to monitor implementation and have some sanctioning powers. There’s also a “Working Party” where the national level data protection authorities come together to issue advisory statements on European-level issues. Under certain circumstances involving non-EU countries, the European Commission can intervene. In short: the usual European Union mess of overlapping jurisdictions. This has become even more messy thanks to a ruling by the European Court of Justice last month in a case taken by the European Parliament against the Council (i.e. the member states’ body for collective decision-making) and the Commission. The Council and Commission had cooked up a deal together that allowed airlines flying into the US to provide certain kinds of information on their passengers to US authorities. The Parliament complained that the Commission and Council were exceeding their competences, breaking EU privacy law, violating human rights, etc. The Court found in favour of the Parliament, but on the narrowest possible grounds, ruling that the issues involved didn’t fall under the Data Protection Directive, but instead were matters of national security.
I recognize that this is likely to leave the heads of non-EU specialists spinning, but there are two key points. First – the crucial enforcement authorities when it comes to issues like SWIFT aren’t the European Commission or the member state governments. In all probability, they’re the national level data protection authorities. The data protection authority in Belgium is likely to play an especially important role, because SWIFT is based on Belgian soil. But any other member state authority could also reasonably get involved, because this obviously doesn’t just affect Belgian citizens. Second, there is a possibility (given the recent ECJ decision) that this is beyond the grasp of national level data protection authorities, because it involves national security issues rather than the issues explicitly covered under the Data Protection Directive. The data protection authority in Belgium has decided to investigate, but it could conceivably decide not to press the issue, because it would be exceeding its authority. However, this outcome appears to be highly unlikely to me. The national level Data Protection Commissioners were highly annoyed at the ECJ’s ruling last month, which substantially limited their authority. They’re likely to see this as an opportunity to claw some ground back. In contrast to the airline passenger data issue, the SWIFT financial information transfers didn’t happen with any official sanction from the member states. While the issues involved touch on national security, SWIFT wasn’t cooperating with the relevant authorities on national security issues (the member states). Instead, it was more or less unilaterally deciding to cooperate with an authority outside the EU - the US Treasury (and through Treasury, the CIA etc). SWIFT had informally told several member state central banks what was going on – but central banks aren’t the relevant authority under any conceivable reading. 
Thus (and I repeat that I’m not a lawyer), it would seem to me to be pretty hard to make the case that this activity would fall under the national security exemption to European data protection law; it isn’t up to the private actors involved, or to non-European state authorities, to decide what national security does or does not require. In any event, I suspect that this issue, if it’s raised at all, will be raised in subsequent litigation – it surely doesn’t appear to me to be a sufficient obstacle preventing national data protection authorities in Belgium and elsewhere from investigating and taking enforcement actions. If anything, it gives them all the more incentive to, so as to clarify an ambiguous legal situation in ways that favour them, and strengthen their freedom of action.
So what’s likely to happen now? There are a number of ways in which this might develop. First, and most unlikely to my mind, is that we’ll see a repeat of what is happening with respect to airline passenger data. That is, that the European Union member states will decide to lend ex post justification to an action which appeared ex ante to be illegal, by formally sanctioning it. This is surely possible – and would probably render discussion of the legality or illegality of SWIFT’s actions moot. However, it would require unanimous action on the part of the member states to legitimize a very tricky and potentially controversial set of actions. European citizens are unlikely to be any happier about foreign authorities going through their financial information than US citizens would be under similar circumstances. Hostile newspaper stories are already beginning to bubble up (e.g. this one from the front page of today’s Irish Times). Even if EU member states have (as is entirely possible) known about the SWIFT arrangement and turned a blind eye, it’s going to be very hard for them to come out and justify it in public.
Second, that the data protection authorities will be informally pressured not to proceed any further with investigations. Again, I don’t think that this is likely to succeed in squashing the issue – it’s too hot and controversial. The European Commission president has made it clear that privacy issues are important – and that “we risk losing our souls” if we don’t pay attention to them. National governments are embarrassed – and annoyed that central banks were informed, but that their justice ministries were not. Finally, there is an unrelated battle between the European Central Bank and national governments over the extent to which the ECB should be free of national authority – it’s far from impossible that some member states are going to use the privacy controversy as a means towards clipping the wings of their impertinent central bank officials.
Third, and most likely in my opinion, is that this is going to result in enforcement action by the EU data protection authorities – and to new laws in the medium term. It seems very unlikely indeed to me that SWIFT’s cooperation with US authorities was legal under European law. The organization could find itself in a lot of hot water. Moreover, there’s a lot of uncertainty surrounding the relationship between privacy and national security, especially when it involves international data transfers. The SWIFT controversy seems to me to be a perfect wedge issue for actors who feel that they’ve gotten short shrift in recent controversies over transatlantic data transfer (the data protection commissioners, the European Parliament) to press for a binding European regime to cover these issues, and to fill the gaps in the Data Protection Directive. My tentative prediction is that SWIFT will be found to have broken the law, and that we’re likely to see new laws being passed over the next couple of years in the EU, to subject these new forms of transnational information transfer to more transparent principles and standards. Which will make EU-US cooperation on these issues a lot trickier, but there you go.