A need for SWIFT change: the struggle between the European Union's desire for privacy in international financial transactions and the United States' need for security from terrorists as evidenced by the SWIFT scandal.

Author: Shea, Courtney
Position: Society for Worldwide Interbank Financial Telecommunication

In recent history, the struggle between the desire for privacy and the need for security has been affected by worldwide events. This struggle is clearly seen in the transfer of information from the European Union (EU) to the United States. In the last century, Europeans suffered from violent actions by regimes such as the Third Reich, which were partly facilitated by privacy violations. Abuses like these have increased the EU's desire to enact strong data protection laws which protect the safety and identity of its citizens. With the invention of the Internet, there was a similar call for stricter privacy laws in the U.S. to protect individuals' information. However, this American trend came to an abrupt halt with the attacks of September 11, 2001. This tragic event changed American life, creating a new cry from U.S. citizens for stronger security measures. As a result, a conflict of ideals was created between the EU and the U.S., in which Europeans wish to protect information to avoid the follies of the past, while the American government is continually seeking information to learn of possible terrorist activities or plans of future attacks.

This struggle between privacy and security has affected the transfer of important data from the EU to the U.S. A strict European Union Data Protection Directive [hereinafter The Directive] has made it difficult for the U.S. to gather information in the post-9/11 era without violating EU law. In particular, the United States' secret collection of data from messaging services relating to international financial transactions has been found by the EU to violate the Directive. This tracking program was highlighted by the extensive use of the Belgium-based bank messaging service, The Society for Worldwide Interbank Financial Telecommunication (SWIFT). Although the EU and the U.S. seem to have temporarily solved this conflict as it relates to SWIFT, a more permanent solution has yet to be negotiated. Thus, it is this author's argument that the U.S. must take immediate action to modify its Safe Harbor Provision with the EU, which provides a safe haven from some of the strict mandates of the Directive, and that the U.S. and EU should work together to create a uniform method of protecting data.

This note discusses: the development of U.S. and EU privacy law; the creation and development of the Directive; how recent actions of the U.S., namely the tracking of international financial data, violate the objectives of the Directive; and how this creates a need for action from the U.S. in order to continue the free flow of data from EU member nations to the U.S. Section I discusses the history of privacy law in the U.S. and in the EU, which led to the EU enactment of the Directive and the subsequent negotiation with the U.S. to create a Safe Harbor Provision. Section II illustrates the recent tracking of international financial transactions in collaboration with the Brussels-based banking consortium, SWIFT, and how the EU has reacted. Section III analyzes this issue from both the perspective of the U.S. and the EU. This Section also discusses the solutions to the problem relating to SWIFT. Section IV is a summary of the issues discussed in the note and sets forth the author's perspective on how the overarching problem can be resolved while still respecting the United States' desire for security from terrorists and the EU desire for protection of its citizens' privacy.

  1. The Development of Privacy Laws and Data Protection

    A. Privacy of Personal Data in the United States

    While the EU has historically enacted broad legislative protection of personal data, the U.S. has promoted the self-regulation of industries through the use of broad reaching legislation. (1) As a result of the 9/11 attacks on American soil, Americans have subsequently lived in fear of terrorism. Perhaps it is this desire for security that has made Americans more willing to forgo sweeping privacy laws as seen in the EU, and in turn, made them more willing to sacrifice the protection of their data. (2) Although the U.S. has taken this sectoral approach to data protection laws, the United States Constitution and interpreting case law do provide some protection of an individual's privacy. (3) Cases like Whalen v. Roe (4) and Nixon v. Administrator of General Services (5) have extended the protection of an individual's privacy; however, this is a general protection and courts have not yet interpreted the Constitution broadly enough to include a protection of information privacy from government misuse. (6) Despite this lack of overarching protection, there are some statutes that limit the use of data, using the aforementioned sectoral approach. (7) Examples of sectoral regulations enacted include: the Fair Credit Reporting Act of 1970, (8) The Privacy Act of 1974, (9) and the Drivers Privacy Protection Act of 1994. (10)

    B. Privacy Protection in the European Union

    Throughout the past two centuries, Europeans have suffered from abuses of invasive data collection, making the issues of privacy and the protection of personal data ongoing concerns. (11) As a result, the EU has taken an aggressive position when dealing with the adequate protection of data. (12) While prior to the 1980s there was no international directive governing data privacy in the EU, there were several instruments and measures created to protect the privacy of European citizens in a general way. (13)

    The United Nations (U.N.) started the international movement for privacy protection in 1948 when the U.N. General Assembly implemented the Declaration on Human Rights (UDHR). (14) This was a non-binding document, which recognized privacy as a fundamental right in need of protection. (15) Over 100 nations reaffirmed their commitment to the principles of this international declaration at the 1993 U.N. World Conference on Human Rights. (16) In 1973, Sweden paved the way for other European nations and passed groundbreaking data protection legislation. (17) In the 1970s, the U.N. strengthened its policies with the United Nations International Covenant on Civil and Political Rights (ICCPR), which "gives all individuals the right to protection of the law against ... arbitrary interference with their privacy, family home or correspondence." (18) Subsequently, in 1978, the Organization for Economic Co-operation and Development (OECD) developed guidelines governing the flow of data among its member countries. (19) When the European Union was formed in 1993, this new legislative body began work to create a uniform piece of legislation to set a standard for the protection of personal data for member nations. (20)

    C. The Data Protection Directive

    In response to the desire for privacy from its citizens and member countries, the Declaration of Human Rights, and the OECD guidelines, the newly formed European Union created the Data Protection Directive in 1995 in order to protect the freedom and fundamental rights of individuals, while ensuring the continued free movement of data and information. (21) The Directive came into effect on October 25, 1998 and required EU countries to create legislation implementing the provisions of the Directive and regulating how personal data could be used. (22) In addition to the requirement of enacting appropriate legislation in member countries, the European Parliament and European Council established the European Data Protection Supervisors (EDPS), which is an independent supervisory authority that regulates the processing of data. (23)

    The Directive applies to situations where the data of an identifiable person is processed. (24) According to the Directive, individuals must be informed that their data will be processed, who will receive it, and the purpose of collection. (25) The data must be processed in a manner that is specific, explicit and has a legitimate purpose. (26) Under the Directive, the transfer and processing of data that relates to "racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of data concerning health or sex life" is prohibited. (27) The data for which processing is allowable must be accurate, up to date and stored only for the time needed for the given purpose. (28) Data that is processed only for scientific research or for creating statistics falls outside of the Directive. In addition, EU nations can lower the level of protection of data to "protect national security, defense, public security, investigations of criminal offenses, economic or financial interest, and the rights of others." (29) The penalties for noncompliance vary among EU nations, but they tend to be harsh. (30)

    The Directive requires non-EU nations, such as the U.S., to have adequate data protection measures in order for data transfers to that non-EU nation to be permitted. (31) Article 25 of the Directive states, "Member States shall provide that the transfer to a third country of personal data which are undergoing processing or are intended for processing after transfer may take place only if, without prejudice to compliance with national provisions adopted pursuant to the other provisions of the Directive, the third country in question ensures an adequate level of protection." (32) To determine if a nation has adequate protection, EU states will examine: "the nature of the data, the purpose and duration of the proposed processing operations, the country of origin and country of final destination, the rules of law, both general and sectoral, in force in the third country in question and the professional rules and security measures which are complied with in that country." (33) Under Article 25 of the Directive, if a non-EU country does not have such suitable protection, EU member countries must block the transfer of data to the nation and the European Commission will enter into negotiations with that nation to attempt to resolve the problem. (34) These restrictions on...
