SWIFT and the vulnerability of transatlantic data transfers

Abstract

The ‘SWIFT affair’ eloquently illustrates the complexities of the protection of personal data in the context of global privacy-invading counterterrorist efforts. At the core of the issue there is not only the possibility for US authorities to secretly (and legally) access information on financial transactions taking place in the European Union (EU), as well as the concerns that this fact might raise regarding the effective protection of personal data guaranteed to European citizens. What is also at stake is the possibility for a European company not to comply with EU data protection legislation as interpreted by competent authorities without facing any sanctions. This paper reviews the developments of the ‘SWIFT affair’ assessing the system failures it portrays, particularly in the light of European data protection. It recalls how the facts were rendered public, focuses on the reactions from different European data protection authorities and bodies (the Belgian Privacy Commission, the Article 29 Working Party and the European Data Protection Supervisor) and offers a view of the ‘solutions’ discussed and implemented. By questioning their opportunity and convenience, it underlines that the major unsolved challenge of EU data protection is the need for a consistent approach to deal with transatlantic data transfers.