Belgian Data Protection Authority Outlaws Transfer of Banking Records to US Department of Treasury

In a twenty-seven page report (the Report) of September 27, 2006, the Belgian Data Protection Authority (the Belgian DPA) opined that the transfer of banking records by the financial messaging service provider SWIFT to the US Department of Treasury (Treasury) violates European and Belgian data protection laws. The Belgian DPA had taken the initiative to audit SWIFT at the beginning of July 2006 after news had leaked in to the media that Treasury may access banking records processed by SWIFT for terrorism-fighting purposes. The Report confirms (after the May 2006 decision of the European Court of Justice annulling the legal framework to transfer airline passengers records to the US) once more the delicate position in which international businesses can find themselves as they attempt to reconcile European privacy laws and US legal requirements.

The Belgian DPA's Report, which was presented to the Article 29 Data Protection Working Party (a pan-European privacy watch-dog, consisting of representatives of national DPAs), accuses SWIFT of having committed “assessment faults” when complying with subpoenas issued by Treasury to provide access to banking records. Although the Belgian DPA was of the view that foreign subpoenas standing alone do not provide a sufficient legal basis to transfer personal information from Belgium and/or the EU to the US, it confirmed that SWIFT has a legitimate interest in conducting such transfers. However, the DPA concluded that “the exception measures under US law do not legitimize the secret, systematic, massive and continuous violation of fundamental European data protection principles, given the lack of a clear and; legitimizing; European legal basis.”Thus, while the Report is critical of SWIFT's actions, it indirectly recognizes that companies may disclose personal information to foreign public authorities to comply with valid and enforceable foreign subpoenas, if such disclosures meet the proportionality criterion (which is not further illuminated by the decision). The Report indirectly indicates that the processing of personal information for purposes of complying with a US subpoena also requires a legal basis to transfer such information to the US (such as, for instance, the execution of data transfer agreements, Safe Harbor registration of the data importer, or another exception set forth in the EU Data Protection Directive 95/46).

The Belgian Prime Minister has stated publicly that negotiations between the European authorities and the US authorities are necessary to solve the legal impasse and to ensure that sufficient measures are taken to adequately protect banking records made accessible to Treasury. The Article 29 Working Party considered this matter during its plenary meeting of September 26, 2006 and announced that given the complexity of the case, further review was required with a formal position likely to issue during its next meeting in November.