National Security, European Data Privacy and the Case of SWIFT

The revelation that SWIFT (Society for Worldwide Interbank Financial Telecommunication), which routes trillions of dollars between banks every day, was sharing it records of financial transfers with the CIA, in possible contravention of European law, may be building up to become a storm. The story first broke in the New York Times. Scott Martens over at A Fistful of Euros, a day after the NYT article:

I’ve been surprised at the lack of uproar over the discovery that the CIA has been data mining SWIFT transfer archives. I suppose it’s because this is far from the first troubling secret breech of the right to privacy by the Bush administration, and most people – the ones that don’t have large sums of money – generally don’t have any banking privacy anyway. But this new secret program touches a core Bush constituency: white-collar criminals. If Bush is able to secretly monitor transactions in the name of anti-terrorism, a future Democratic government might be able to use it against money laundering and accounting fraud. That’s surely something the Republican Party could never stand for.

SWIFT is headquartered in Belgium, but operates computer centres both in the US and the EU, so the company probably was not in a position to refuse the government’s request. According to page 4 of the original NY Times article: “Intelligence officials were so eager to use the Swift data that they discussed having the C.I.A. covertly gain access to the system, several officials involved in the talks said.” If they were prepared to break in to get the data, there was little to be gained by the firm taking a stand.

Henry Farrell at Crooked Timber also weighs in:

I’ve been waiting for the other shoe to drop on this for the last few days, and it finally has. Privacy International has filed complaints with umpteen European and non-European data regulators that SWIFT has illicitly shared European citizens’ financial data with US authorities. This could have some very interesting consequences. Now bear in mind as you read the below analysis that I am not a lawyer. I have, however, spent a lot of time over the last six years working on and writing about privacy issues in the EU-US relationship, so I do have a good grasp of the political issues involved.

The key issue here is whether or not SWIFT (which is a sort of transactional clearing house, based in Belgium) did or didn’t break European law in providing information to US authorities. Cue background explanation of how complicated the implementation of EU privacy law is. European privacy is (with exceptions: see below) governed by the so-called Data Protection Directive, which, like all EU directives is supposed to be implemented in national legislation.

Predictably, the Weekly Standard deems the NYT a national security threat and is calling for its prosecution for publishing the story.