Laudator: Werner Hülsmann
The BigBrotherAward 2006 in the category “Business” goes to the
Society for Worldwide Interbank Financial Telecommunication (SWIFT)
represented by the German members of the SWIFT supervisory board1,
Roland Böff (Senior Vice President, Bayerische Hypo- und Vereinsbank) and
Wolfgang Gaertner (CIO, Deutsche Bank AG)
for breach of confidence regarding customer privacy by imparting to US authorities details of financial transactions made through SWIFT.
As was only recently made public by reports in US newspapers on June 23 of this year, the Central Intelligence Agency (CIA) uses a special bank surveillance programme to internationally gather and analyse information on banking transactions. Since the end of the year 2001, the CIA has obtained these data mainly from the Belgian “Society for Worldwide Interbank Financial Telecommunications” (SWIFT). Their reason for this vast data delve is to investigate the source and flow of terrorist money. Of course, the SWIFT data are not retrieved by the CIA themselves: they are subpoenaed by the US Treasury Department for this purpose.
Once again, the “war against terrorism” is taken as an excuse for massive breaches of privacy. For almost five years now, the US American “Operation Center” of SWIFT (SWIFT USA) has granted US authorities access to data of wire transfers and other transactions. SWIFT justify themselves by pointing to US law and an executive order signed by President Bush that has made it possible for the Treasury Department to examine financial records. This executive order was used as one of the many weapons in the “war against international terrorism”.
However, not only details of transfers to or from US American accounts are being monitored. For backup reasons, all data of inner-European transfers are also mirrored from SWIFT Europe to the servers of SWIFT USA. And thus, US authorities gain access to each and every transaction involving SWIFT, which means nearly every international bank transaction. That an abuse of these data by US authorities cannot be ruled out is even acknowledged by SWIFT in their own statement of 25 Aug 2006: “SWIFT is aware of the potential for misuse which exists in every system.”2 Still, SWIFT contend to be in “factual control”, through internal and external auditors, of the data transmitted to US authorities.
We venture to doubt their claim: The directors of SWIFT cannot seriously believe they could control the US Department of the Treasury, or the CIA!
It is almost grotesque to think of SWIFT transmitting European data to the USA for backup — they would be much better taken care of on a server in Europe. There is no legal foundation whatsoever for such a transfer of data. SWIFT could only point to the subpoenas from the Treasury Department when transactions to or from accounts in the US are concerned, as SWIFT USA is subject to US American law.
All other data concerning financial transactions, especially those restricted to Europe, should never have been made available to SWIFT USA. After all, it is inadmissible under both German and European data protection legislation to pass on personal data without legal basis. It was only possible to subpoena data for European credit transfers because they were accessible in the USA.
At the very latest, SWIFT should have changed their backup system immediately to protect the confidentiality of all data unrelated to US credit transfers when they started negotiating with US authorities about access to bank transaction data.
On the other hand, we must also ask German banks why they neglected their data protection responsibilities in their choice of a service provider for as sensitive an area as credit transfer. § 11 of the German Law on Data Protection quite clearly states these responsibilities. Every single data protection officer of even a middle-sized company whose computer is being accessed by an external IT service provider for maintenance has to know these requirements. A contract has to be drawn up for each case, stating explicitly and in detail which data the service provider may access, to whom they may pass on the data and to which end, and which technical and organisational measures are to be taken to ensure data protection and backup.
It would have been the responsibility of all German banks and savings associations to prevent data of European credit transfers from ending up in the USA. Though SWIFT members have received no information about the monitoring activities, Deutsche Bank and the Bayerische Hypo- und Vereinsbank knew and know full well that the data were being accessed by US authorities, as leading members of either bank are also members of the SWIFT supervisory board. However, neither of these banks has taken any action in the matter.
On August 23, 2006, the Independent Centre for Data Protection for the federal state of Schleswig-Holstein voiced their criticism in the following statement: “The surrender of financial data of European citizens to US authorities by the Society for Worldwide Interbank Financial Telecommunications (short SWIFT), based in Belgium, is in contravention of German and European Data Protection Law.”3 Two days later, SWIFT brazenly claimed to have complied with all applicable laws. Obviously, SWIFT can only come to this erroneous conclusion by restricting their judgement to the legal relations between SWIFT USA and the US authorities. The question whether any transfer of data from Belgium to the USA was permissible at all is being blissfully ignored. Perhaps this rather one-sided view is due to the fact that SWIFT are quite aware that the answer to this question would have to lead to a change of their data backup concept.
Both the supervisory board and the national central banks have been informed about the executive order and the subpoenas in the USA No information, however, has been given to the 7,800 member institutions. Neither the Bundesbank nor the representatives of the German financial institutions on the supervisory board of SWIFT, the gentlemen Roland Böff and Wolfgang Gaertner, deemed it necessary to speak up against SWIFT’s course of action, which is so obviously against data protection law. Neither did they see any need to inform the persons affected.
It is for this reason that they of all people deserve the Big Brother Award in the business category.
Congratulations to the members of the supervisory board of SWIFT, Roland Böff and Wolfgang Gaertner.