Shortly after the terrorist attacks of September 11, 2001, the Belgium-based Society for Worldwide Interbank Financial Telecommunications, or SWIFT, reached an agreement with the United States Treasury Department, pursuant to U.S. subpoenas, to transfer information regarding financial transactions to the U.S. subject to certain limitations in order to protect the privacy of individuals. This made it easier for U.S. counterterrorism efforts to monitor the flow of money through terrorist networks without the knowledge of the suspected terrorists. This week the program was declared to be in violation of Belgian and European Union laws on privacy by the government-sponsored Commission for the Protection of Privacy. The Commission did not demand that the program end all activities immediately, but did demand that its operations be amended in order to be consistent with the Commission’s interpretation of the law (full text of 28-page decision in French, unofficial translation of three-page summary in English [PDF]).
Belgian Prime Minister Guy Verhofstadt was quoted by AP Brussels as saying that the EU would pursue “negotiations as quickly as possible over the question,” because the program would have to be changed. The existence of the program was secret until this past June when classified information about it was leaked to the New York Times. As reported in the Washington Post on Friday:
The decision, announced by Prime Minister Guy Verhofstadt, came as the country’s Data Privacy Commission released a 20-page [sic] report finding that the Belgium-based Society for Worldwide Interbank Financial Telecommunication, or SWIFT, had improperly turned over data from millions of global financial transactions to U.S. anti-terrorism investigators. “It has to be seen as a gross miscalculation by SWIFT that it has, for years, secretly and systematically transferred massive amounts of personal data for surveillance without effective and clear legal basis and independent controls in line with Belgian and European law,” the report says.
Leonard H. Schrank, SWIFT’s chief executive, said in a telephone interview that the cooperative “believes we complied with everything and respected to the fullest extent possible the privacy law in Belgium. But the trouble is data privacy laws in Europe are quite difficult to follow. They’re not drafted for national security issues.” SWIFT said in a statement that it had relinquished data to the U.S. Treasury Department only after it had been “subject to valid and compulsory subpoenas” from U.S. authorities…
The Post goes on to say that “Europeans tend to support strong efforts against terrorist groups… but many Europeans believe that U.S. policies go too far…” The initial premise of this statement is not accurate; as Lorenzo Vidino notes in Al-Qaeda in Europe, most European countries do not seriously punish or in some cases even prohibit acts which constitute logistical support for terrorism, only the terrorist acts themselves (p. 110).
According to the Belgian newspaper La Libre (“Vous etes en faute, surtout continuez”), Prime Minister Verhofstadt emphasized that “the commission did not ask us to stop the program.” A member of the parliament, Didier Reynders, added, “the commission did not want to go that far, simply because it lacked the power” to shut down the system. The Commission report is quoted as requiring “supplementary guarantees.” One of the problems emphasized is that neither the Belgian government nor the European Union was notified of the existence of the program, although the Belgian National Bank was so notified.
La Libre also interviewed SWIFT CEO Leonard Schrank for a separate article (“Schrank: Plusieurs attentats ont pu etre evites”). This is an excerpt (ThreatsWatch translation):
…The guarantees that we put in place in order to ensure that the information requested by Washington would not be used except for the fight against terrorism were extremely severe… this data would not be used to track financial fraud or for economic espionage… although the risk [of privacy violation] is close to zero, zero risk does not exist. One must minimize the risk without being able to eliminate it completely.
Bear in mind that this system has allowed us to save thousands of lives and perhaps more… It has been established that terrorist attacks, from both sides of the Atlantic, to the United States, to Canada and in Indonesia have been avoided thanks to the information provided by SWIFT…
What is left unclear now is whether the changes demanded by the Commission will undermine the program’s effectiveness. An examination of the brief summary of the decision and the full document suggests that changes to the program could well hinder its effectiveness in monitoring terrorists’ financial networks, or else Belgian and EU law will need to be changed. For example, section E.1.2 of the Commission’s opinion concerns the “Obligation to Inform” under a directive on privacy passed by the European Parliament. The Commission interpreted the directive to require notice to all individuals who are customers of SWIFT-affiliated financial institutions, which would tip off terrorists to the need to evade detection. Although publication of the existence of the program has already done some damage in this regard, enforcement of this rule could cause further damage because financial institutions do not have to process their transactions through SWIFT; despite the company’s centrality to this aspect of the world financial system, there are other means. If alternatives to SWIFT are within the EU, they would be subject to the same regulations.
That there does not appear to be significant political opposition to the SWIFT program may mean that any impeding regulation could be modified; nevertheless, this decision introduces an element of uncertainty into the continued effectiveness of global efforts to monitor terrorist monetary transfers. Whether or not there are practical impediments to counterterrorist efforts will thus depend upon the nature of any modifications made to the monitoring system.