Execs quizzed by Euro Parliament about data privacy

European companies face tough questions about the illegal sharing of data with U.S. authorities

Executives from the financial data transfer company Swift and the president of the European Central Bank (ECB) faced tough questions in a European Parliament committee meeting Wednesday, about the illegal sharing of private data with U.S. authorities.

ECB chief Jean-Claude Trichet denied that the bank should have stepped in to prevent the breach of European data protection laws, saying that the bank could only advise the Society for Worldwide Interbank Financial Telecommunication SCRL (Swift). "We have no judicial competence in the field of data protection," he said.

Swift's Chief Financial Officer Francis van Bever explained that the company has two information storage facilities, one in the U.S. and the other in Holland. Each facility holds identical data: they serve as back-ups for each other in case one were to crash.

"Each facility is subject to local laws," Van Bever said. "We were obliged to respond to the subpoena from the U.S. authorities."

European law is unclear, he said, adding that after getting external legal advice in Belgium, Swift concluded that transferring the data to the U.S. authorities would be legal. "We didn't check with local data protection authorities because we thought what we were doing was legal," he said.

U.S. agencies ordered Swift to share millions of pieces of information about people and companies from around the world in the wake of the terrorist attacks on Sept. 11, 2001.

The information was deemed essential in tracing the financing of terrorism, and Swift complied with the order. However, European data protection laws forbid transfers of European citizens' personal data outside the E.U. if the country receiving the data has a weaker data protection regime than Europe's. The U.S. is considered such a country under European laws.

In June the New York Times revealed that Swift has been sharing the data with U.S. authorities for years, sparking investigations in Europe into how the European laws could so easily have been breached.

Last week, Belgium's privacy commission concluded a two-month investigation, accusing Swift of breaking Belgian and Europe-wide data protection laws. However, it stopped short of proposing fines for the company, which it agreed was caught between conflicting legal requirements on each side of the Atlantic.

Many European parliamentarians drew a parallel between the Swift case and the ongoing attempts to strike a data sharing agreement that would allow the U.S. authorities access to personal data about passengers flying to the U.S..

They were unimpressed by what more than one member of the European parliament referred to as "buck-passing" when it came to handing out responsibility for the data protection breach.

Trichet tried to move the debate beyond casting blame by suggesting ways of avoiding similar problems in future.

"This problem is ongoing," he said. "The system we have in place is imperfect. It is very important to clarify the situation and work out what to do about such data transfers across the Atlantic."

He added that any agreement between the E.U. and the U.S. should then form the basis for a global solution, because the problem is worldwide.

"We need a global legal framework for situations like this," Trichet said.

Swift's van Bever agreed. "We would welcome such clarification," he said, adding that the double taxation treaty could be a role model. The treaty is signed by many countries around the world and is designed to prevent people being taxed twice on the same income by different tax authorities.

Copyright © 2006 IDG Communications, Inc.

How to choose a low-code development platform