Data protection in international payment transactions (SWIFT)

The great majority of international payment transactions are executed using the system run by the Belgium-based Society for Worldwide Interbank Financial Telecommunication (SWIFT). Unsurprisingly, the news reported in the media in June 2006 that the US administration, as part of its anti-terrorism strategy, had gained access to SWIFT data unleashed a political storm. As soon as we heard of this, we asked the major players in the Swiss banking sector to provide us with details, and took steps at different levels to find a solution to the SWIFT affair.

SWIFT, which has its headquarters in Belgium, is the largest enterprise in the world specialising in international payment transactions. It has two archives which store all transaction data for a period of 124 days. The US press revealed that the US administration had, with the help of SWIFT, gained access to financial transaction data via its archives located in the USA. To date, we have been unable to obtain any corroborated information as to the extent of that access.

Data protection is quite clearly one of the major legal aspects of what is now referred to as the SWIFT affair. It also explains why the data protection authorities in numerous countries have sought to obtain clarification. As SWIFT is registered in Belgium, the investigation carried out by the Belgian Commission de la protection de la vie privée (Data Protection Commission) is of the utmost importance. In its report, it noted that SWIFT was guilty of a number of violations of Belgian and European data protection law.

On the basis of the Belgian report and our own investigations, we came to the conclusion that SWIFT had not processed any personal data in Switzerland. The responsibility of financial service providers established in Switzerland, however, still needed to be addressed. The report prepared by the FDPIC on this subject can be found under Topics – Data Protection – Finance.

In conclusion, it can be said that there are two problematic issues: first, even after the SWIFT affair had been revealed, the financial service providers did not inform their customers that there was a risk that data relating to international payment transactions could be accessed (lack of transparency in the data processing); second, the fact that the US administration was able to inspect the transaction data poses the problem of transferring data to a country that does not offer an equivalent level of data protection.

The data protection issues triggered by the SWIFT affair were discussed at length with many foreign data protection authorities, and in particular with the Article 29 Data Protection Working Party. Within this context, we shall continue to press for a solution that complies with data protection principles. Finally, we also informed the parliamentary Control Committee (more specifically, the Federal Department of Finance and the Federal Department of Economic Affairs Sub-Committee), which agreed to put the issue on its agenda.

From a Swiss data protection perspective, measures are still needed to address the questions raised by the SWIFT affair. We need a political solution which takes account of the need to combat terrorism, but which also respects the data protection legislation of all countries, including the Swiss Data Protection Act. Furthermore, Swiss financial service providers also have a duty to do everything in their power to guarantee transparency and inform their clients of the risk of access to their data when they make international payment transactions.

[July 2007]