Navigation path

Left navigation

Additional tools

Other available languages: none

MEMO/07/266

Brussels, 28 June 2007

The SWIFT case and the American Terrorist Finance Tracking Program

After the 11th September 2001 terrorist attacks, the United States Department of the Treasury ("U.S. Treasury") developed the "Terrorist Finance Tracking Program" ("TFTP"). The TFTP is based on United States statutory mandates and Executive Orders authorising the U.S. Treasury to use appropriate measures to identify, track and pursue those who provide financial support for terrorist activity.

According to the U.S. Treasury, information derived from the use of SWIFT data has enhanced the United States' and third countries' ability to identify financiers of terrorism, to map terrorist networks and to disrupt the activities of terrorists and their supporters.

Following press reports in June 2006, it was revealed that the U.S. Treasury's Office of Foreign Assets Control ("OFAC") operating on the basis of powers under the TFTP has served administrative subpoenas on the Society for Worldwide Interbank Financial Telecommunication ("SWIFT")[1]. These subpoenas require SWIFT in the U.S. to transfer personal data held on its United States[2] server to OFAC where they are used for counter terrorism purposes regarding suspected individuals or entities.

After these facts were unveiled by the press, the Belgian Data Protection Authority issued its opinion of 27 September 2006 stating that SWIFT processing activities for the execution of interbank payments are in breach of Belgian data protection law, which implements Directive 95/46/EC on the protection of personal data ("the Data Protection Directive")[3]. In its opinion the Belgian Data Protection Authority found several breaches to the fundamental data protection principles, including relating to transfers of personal data to third countries. The Belgian Data Protection Authority is now in discussions with SWIFT regarding appropriate compliance with Belgian data protection law.

In late November 2006 the Article 29 Working Party (the independent advisory body to the European Commission on data protection and privacy) issued an opinion on the processing of personal data by SWIFT. The opinion concluded that SWIFT and the financial institutions which use SWIFT's services had breached Community data protection law as set out in Directive 95/46/EC, including as regards the transfer of personal data to the United States without ensuring adequate protection and failure to inform data subjects about the way in which their personal data were being processed. In its press release of 21st June 2007 the Article 29 Working Party set the 1st September 2007 as the deadline for financial institutions to take all necessary steps to improve the current situation regarding the provision of appropriate information to their customers.

SWIFT and banks need to take the necessary measures quickly to ensure their compliance with national data protection laws in respect of the processing activities of personal data within the EU and address the findings of the national data protection authorities and the Article 29 Working Party in this regard.

SWIFT has chosen to join the "Safe Harbour". The Safe Harbour is a specific type of "Adequacy Decision" adopted by the Commission in order to allow the free flow of personal data between the EU and the US. It allows EU controllers to export personal data to US organisations that have joined the Safe Harbour, since the privacy principles it contains are recognized to afford the adequate protection required by the EU for international data transfers. The Commission has declared in 2000 the Safe Harbour offers an adequate level of protection in accordance with the Data Protection Directive (Decision of 26 July 2000). Once a US organisation has self-certified and is admitted by US Department of Commerce as a member of the Safe Harbour, it is able to accept transfers of personal data lawfully processed in the EU. SWIFT anticipate that they will join the Safe Harbour by early July 2007 once the US Department of Commerce has admitted and registered them as a member of the Safe Harbour. The Safe Harbour allows limitations on its data protection principles for important public purposes: "to the extent necessary to meet national security, public interest or law enforcement requirements". In this respect, it is necessary to show that the processing by the US of EU originating personal data is necessary and proportionate. This is precisely the aim of the Representations. Compliance with the Representations by U.S. Treasury provides this assurance and will permit SWIFT to transfer data to its U.S. server under the Safe Harbour in a way in which satisfies EU data protection law.

To find out more about Vice President Frattini's work please visit his website: http://www.ec.europa.eu/commission_barroso/frattini/index_en.htm


[1] SWIFT is a Belgium-based company with offices in the United States and which operates a worldwide messaging system used to transmit, inter alia, bank transaction information.

[2] For security of data reasons SWIFT operates two identical "mirror" servers, one located in the European Union and the other in the United States. All financial messaging data are held on each server for a period of 124 days.

[3] Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data; OJ L 281, 23.11.1995, p. 31–50.


Side Bar