The EU's Article 29 Working Party (the group of EU privacy commissionsers) has publihsed its opinion on the SWIFT financial data transfers to the US intelligence services. It's pretty damning. Here's some of the highlights:
"In this Opinion the Article 29 Working Party emphasizes that even in the fight against terrorism and crime fundamental rights must remain guaranteed. The Article 29 Working Party insists therefore on the respect of global data protection principles...
Article 29 Working Party comes to the following conclusions:
a) The EU Data Protection Directive 95/46/EC is applicable to the exchange of personal data via the SWIFTNet FIN service;
b) SWIFT and the financial institutions bear joint responsibility in light of the Directive for the processing of personal data via the SWIFTNet FIN service, with SWIFT bearing primary responsibility and financial institutions bearing some responsibility for the processing of their clients’ personal data.
c) SWIFT and the financial institutions in the EU have failed to respect the provisions of the Directive...
d) The Working Party is of the opinion that the lack of transparency and adequate and
effective control mechanisms that surrounds the whole process of transfer of personal
data first to the US, and then to the UST represents a serious breach in the light of the
Directive. In addition, the guarantees for the transfer of data to a third country as
defined by the Directive and the principles of proportionality and necessity are
As far as the communication of personal data to the UST is concerned, the Working
Party is of the opinion that the hidden, systematic, massive and long-term transfer of
personal data by SWIFT to the UST in a confidential, non-transparent and systematic
manner for years without effective legal grounds and without the possibility of
independent control by public data protection supervisory authorities constitutes a
violation of the fundamental European principles as regards data protection and is not
in accordance with Belgian and European law...
e) The Working Party recalls once again1 the commitment of democratic societies to
ensure respect for the fundamental rights and freedoms of the individual. The
individual’s right to protection of personal data forms part of these fundamental rights
In view of the above, the Working Party therefore calls for the following immediate
actions to be taken to improve the current situation:
a) Cessation of infringements...
b) Return to lawful data processing: The Article 29 Working Party calls upon SWIFT
and the financial institutions to immediately take measures in order to remedy the
currently illegal state of affairs...
c) Actions as regards to SWIFT: For all its data processing activities, SWIFT as a
controller must take the necessary measures to comply with its obligations under
Belgian data protection law implementing the Directive...
e) Actions as regards to Financial institutions: All financial institutions in the EU
using SWIFTNet Fin service including the Central banks have to make sure according
to Articles 10 and 11 of the EU Directive 95/46/EC that their clients are properly
informed about how their personal data are processed and which rights the data
subjects have. They also have to give information about the fact that US authorities
might have access to such data. Data protection supervisory authorities will enforce
these requirements in order to guarantee that they are met by the all financial
institutions on a European level and they will cooperate on harmonized information
The Working Party also stresses the following:
f) Preservation of our fundamental values in the fight against crime: The Working
Party recalls that any measures taken in the fight against crime and terrorism should
not and must not reduce standards of protection of fundamental rights which
characterise democratic societies. A key element of the fight against terrorism
involves ensuring the preservation of the fundamental rights which are the basis of
democratic societies and the very values that those advocating the use of violence seek to destroy.
g) Global data protection principles: The Working Party considers it essential that the principles for the protection of personal data, including control by independent
supervisory authorities, are fully respected in any framework of global systems of
exchange of information."
Excuse the dodgy formatting. The original press release is only 5 pages and well worth reading in full. The full opinion runs to 29 pages. If you can't find the time to read the full thing take a look at the executive summary and the "IMMEDIATE ACTIONS TO BE TAKEN TO IMPROVE THE CURRENT SITUATION", particularly item 6.6 on page 29, which repeats item f from the presss release:
"Preservation of our fundamental values in the fight against crime: The Working Party recalls that any measures taken in the fight against crime and terrorism should not and must not reduce standards of protection of
fundamental rights which characterise democratic societies. A key element of the fight against terrorism involves ensuring the preservation of the fundamental rights which are the basis of democratic societies and the very values that those advocating the use of violence seek to destroy."