N/A BONIAS
THE NETHERLANDS
Data privacy laws in the United States and European financial institutions
Financial transactions are a truly international matter. Various sorts of financial transactions are crossing borders in a matter of milliseconds and are processed, stored and executed in several countries simultaneously.
The multinational corporations and banks that form the backbone that makes such an international framework possible, have for decades encouraged the processing, execution and storage of information relating to financial transactions across national borders.
The fact that crossing national borders means that a completely different legislation might apply has been of little or no consequence. The major players in the global financial industry have traditionally been the developed European countries, the United States and Canada and some other developed countries such as Japan. These countries have traditionally been relaxed in the aspects concerning the privacy and confidentiality of financial transactions.
Requests for data and information have been sporadic and focused almost excursively on individual cases such as, for example, specific cases of money laundering and other financial crime.
Courts warrants and other judicial orders were the means that were used to obtain information on individual cases were concern was justified.
This regime that held firm for several decades changed quickly in the period that followed the terrorist attack on the United States on 11 September 2001.
The SWIFT affair
The Society for Worldwide Interbank Financial Telecommunication (SWIFT) was formed in 1973 by European banks that needed a reliable means of executing interbank payments. It legally is a co-operative organization based in Belgium and processes a very significant part of all the international payments on a global scale.
The SWIFT organization stored a complete copy of data relating to the financial transactions it facilitates in the United States. The SWIFT organization has two data processing centers: one is located in Europe and one in the United States. Data is mirrored between these two centers and is stored online for 124 days before stored offline in a backup facility.
This arrangement placed all the data held by SWIFT under the jurisdiction of US authorities.
In the weeks that followed the terrorist attack on the United States, US authorities issued a series of administrative subpoenas against SWIFT ordering to handover a large quantity of data relating to financial transactions even if they originated and were executed completely outside of the United States.
The data was placed in a black box that was created by the US Treasury and was designed to offer advanced mass search capabilities. This black box was initially not under the control or supervision of SWIFT. At least initially, SWIFT surrendered almost total control of its data to the US authorities. The co-operative was not in a position to detail how much data was placed under the control of the US authorities or how many searches -and of what nature- were executed.
The fact is that US authorities were in a position to execute mass searches not targeted at individuals but at huge groups of transactions, sorted on country of origin, residence and so on.
This affair is nothing less than of primordial importance and has severe implications for all European -and international- financial institutions storing and processing their data within or through the United States.
Perhaps the most astonishing fact is that at no time did SWIFT decide to challenge the administrative warrants that were issued by the US authorities before any judicial authority. This fact also provides an indication as to the kind of communication that was taking place between SWIFT and the US authorities and its extremely threatening nature for executives and employees of the co-operative.
This affair is clearly a debacle for SWIFT and the US authorities and will certainly have a great significance in all data privacy discussions in the decades to come.
SWIFT consequently received very strong criticism in Europe on the manner in which it handled the situation. Several Belgian and European commissions condemned SWIFT for handing data over to the US authorities in the manner that they did.
But what are its repercussions exactly for European and international financial institutions?
Stop storing transaction data in the United States
International financial institutions should consider the fact that, after the terrorist attack of 11 September 2001, data privacy laws in the United States do not have much weight in judicial or administrative decisions.
The SWIFT affair has proven that the US authorities are prepared to suffer a great loss of prestige in the international financial markets in order to be able to use their data.
The power of the precedent is great: what happened once, can happen again.
The most prominent consequence of the SWIFT affair is the fact that international financial organizations should not store any transaction data in the United States for the foreseeable future.
The protection that financial institutions, their executives and employees have enjoyed in the United States when it comes to a free operating environment, has been severely eroded.
European Union countries offer the most stable and extensive protection to executives and employees of financial institutions when it comes to the sanctions attached to non-compliance.
Respect the laws in the US and Europe but keep any options open
The United States and Europe are the most prosperous areas in our world today and, by definition, account for a very significant part of international financial transactions.
That international financial institutions will have to operate in both the United States and Europe is a matter of fact and cannot be ignored. This means that international financial institutions will have to respect the law in both the United States and Europe.
In doing so however, international financial institutions must consider carefully the implications of their decisions and should try to keep their options open.
For example, the decision of SWIFT to place a complete copy of their data both in Europe and the United States placed the co-operative in an impossible position. SWIFT had to respect conflicting laws in two different countries on the same subject: access to their transaction data.
It would be interesting to know the reasons that led SWIFT to mirror their data in the United States and not, for example, in Germany or France.
But whatever these reasons might have been, the fact is that they placed SWIFT in a compromised position where the organization could only loose.
Implications beyond the US and Europe
The balance of economic power is currently shifting and China, along with several other countries, is emerging as a new powerful player in the global financial marketplace.
The SWIFT affair could have implications far beyond the United States and Europe. Just imagine, for example, that this affair happened between an American corporation and the Chinese government.
The undertones and the essence of the matter could quickly escalate beyond a legal dispute to a much wider political dispute.
Such a precedent has therefore clearly the potential to significantly affect the way in which international corporations conduct business on a global scale. If international corporations cannot conduct their business on a global scale without fear of undue interference from authorities, the consequences that such a development could have are hard to estimate but certainly ominous.
It appears that the SWIFT affair has opened the Pandora's box of issues that will certainly be a dominant factor in the decades to come.