By Stephen Gardner
May 8 -- There are “no indications” that financial transaction data held by the Belgium-based Society for Worldwide Interbank Financial Telecommunication (SWIFT) have been accessed by government intelligence agencies outside established legal channels, the Belgian and Dutch data protection authorities said May 8.
SWIFT provides a financial transaction messaging service used by more than 10,000 financial institutions internationally.
Belgium's Commission for the Protection of Privacy (CPVP) and the Dutch Data Protection Authority (CBP) said in a joint statement that they had concluded an investigation that started in November 2013 into the security of SWIFT's computer networks and “did not find any violations of legal security requirements.”
In addition, there was no evidence that “third parties have had or could have had unlawful access to financial messaging data related to European citizens,” the DPAs said.
The CPVP and the CBP started a joint investigation into SWIFT in response to reports originating from former U.S. National Security Agency contractor Edward Snowden that intelligence agencies had unlawfully accessed SWIFT financial transaction data.
The DPAs wouldn't disclose further information about their investigation. CPVP spokeswoman Eva Wiertz told Bloomberg BNA May 8 that “we are bound by professional secrecy and cannot disclose any more details,” and that no report on the investigation would be published.
A European Parliament official, who asked not to be named, told Bloomberg BNA May 8 that the lack of detailed information about the CPVP/CBP investigation meant it was unclear to what extent the SWIFT systems had been tested for evidence of surveillance breaches.
It is unclear whether the investigation “really solves the problem,” the official said.
The U.S. can access data held by SWIFT via the Terrorist Finance Tracking Program (TFTP), an EU-U.S. agreement in force since Aug. 1, 2010, under which U.S. authorities can carry out targeted searches of SWIFT data to identify financial transaction information related to suspected terrorist activity.
In a September 2013 letter to the European Commission, the EU's executive arm, U.S. Treasury Under Secretary for Terrorism and Financial Intelligence David S. Cohen answered European Union concerns about surveillance of SWIFT data, saying that the U.S. only obtained SWIFT data through the TFTP, or as part of information provided by financial institutions in response to subpoenas.
But in a nonbinding resolution adopted in October 2013, the European Parliament called for suspension of TFTP on the basis that it didn't adequately protect the data of EU citizens transferred outside the EU.
In March 7 prepared testimony to the European Parliament's Committee on Civil Liberties, Justice and Home Affairs (LIBE), Snowden repeated the allegation that government surveillance agencies had targeted SWIFT for surveillance.
The call for suspension was reiterated in March in the final report of a European Parliament inquiry into the mass electronic surveillance of European Union citizens.
Claude Moraes, a British center-left member of the European Parliament who drew up the final report of the mass surveillance inquiry, told Bloomberg BNA May 8 that the conclusion of the Belgian/Dutch investigation into SWIFT was “an important development, and any follow-up to our inquiry would certainly take on board these findings.”
The European Parliament inquiry wasn't a “forensic” inquiry, and was unable to prove the allegations that SWIFT data were being illegally accessed by intelligence agencies, Moraes said.
SWIFT said in a May 8 statement that it was “pleased to confirm that the authorities have concluded there are no indications that third parties have had, or could have had, unlawful access to financial messaging data.”
SWIFT added that “the authorities have also verified that there have been no violations of the security obligations under EU data protection law.”
To contact the reporter on this story: Stephen Gardner in Brussels at email@example.com
To contact the editor responsible for this story: Donald G. Aplin at firstname.lastname@example.org