II-11.3 : Decision of the European Parliament of 11 February 2010

Context and Summary

To read the decision (French version), click here.

SWIFT is a private company created in 1973 in order to form a network to manage cross-border wire transfers in Europe. Therefore, SWIFT is a network, which is why it is owned and managed cooperatively by nearly all European banks. One might therefore say that SWIFT is a form of self-regulation.

In order to carry out its mission of performing interbank transfers, and especially wire-transfers, SWIFT has a considerable mass of personal data at its disposal, whether they concern senders or recipients of wire transfers. This data includes information such as where people are located, and whether the transactions were initiated from within or outside the European Union.

It is understandable how effective this mass of information could be in fighting criminal organisations, which also function as networks. Such information would allow locating people when it is necessary to trace links between people, who are fragmented in different place and bound by different links, at different times, in different jurisdictions. Besides, money transfers between criminals are a very effective way to trace organised crime, which is why the September 11, 2001 attacks have made the American government very interested in using data from SWIFT in order to track suspicious movements of funds in Europe. A partnership was created towards this end between SWIFT and the C.I.A., in order to allow the USA to access data relating to infra-European funds transfers. Afterwards, this surveillance system was made public in 2006, and was approved by European institutions in 2007, because governments participating in this system could not access personal data (i.e. it was not possible to link names with specific transfers).

However, because of the technical inefficiency of having information available about funds transfers without having access to the personal information related to them, new negotiations began between the United States and the European Commission, which led to new agreements to permit direct access to data on funds transfers with their associated personal information.

As one might have expected, all authorities dealing with data protection (such as France’s Data Protection Agency, the CNIL, or Commission nationale de l’informatique et des libertés) disapproved of the agreement between SWIFT and the United States. These authorities allied themselves to publish a solemn disapproval of these agreements, just as they had done in a public statement made on November 26, 2006 on the previous agreements. But, since 2006, the European institutional landscape has changed, which means that this time, their statement did not go unnoticed. Truly, even though its approval is not necessary, the Lisbon Treaty requires the European Commission to request the European Parliament’s approval on any agreement signed between the European Union and another country. However, the Parliament refused to grant its assent. Parliament voted a resolution on February 11, 2010 that rejects this agreement and requests that the Commission work on a long-term agreement with the United States that would respect the Lisbon Treaty’s Charter of Fundamental Rights. The principal problems that the Parliament has with the agreement are firstly, that it is disproportionate to the goals pursued, and secondly, that the real security risks do not justify such a violation of freedom.

Brief commentary

Twenty years ago, regulation of public liberties was envisaged in opposition to economic regulation.

Today, this is no longer possible, for the two have become so intermeshed: one one hand, personal data has a considerable economic value, on the other hand, the fact that certain organizations possess huge amounts of personal data on others creates considerable risk. Faced with this situation, we have to admit that we are rather powerless, and the only sorts of rules that exist are procedural in nature. Truly, the first rule is to know how the data will be used, which obliges the owner of the information not to misuse it (here, the proper use is fighting terrorism). But how can we be sure that the information will only be used for this purpose?

The other rule governing personal data control is proportionality: encroaching upon the right to privacy has to be justified by the nature of the goal itself, which in this case, is security. Here, too, the danger lies within the unresolved question of who is capable of guaranteeing the weights and measures of proportionality. It is too simple to say that our safety is so seriously at risk that our right to privacy is no longer of much value. As Alain Supiot so perfectly says in his book L’esprit de Philadelphia : la justice sociale face au marché total (The Spirit of Philadelphia: social justice faced with the total market), everything is prepared for a change from a state of law, to a state of exception, from which we can fear the worst, and whose procedures have never protected us. This is why we can only approve the European Parliament’s very strong use of its new powers—granted by the Lisbon Treaty—against the power of banks.