Europe's data protection commissioners have said that Belgium-based bank transfer organisation SWIFT broke privacy rules by allowing US authorities access to details of transactions.
SWIFT (Society for Worldwide Interbank Financial Telecommunication) processes 11 million European financial transactions. It emerged earlier this year that since 2001 it has allowed US security agencies access to many of those transactions.
The Article 29 Data Protection Working Party, the independent EU advisory body on data protection and privacy, has said that SWIFT's actions broke both European and Belgian law in allowing the data to be transferred.
"The Article 29 Working Party emphasizes that even in the fight against terrorism and crime fundamental rights must remain guaranteed," said a statement from the group. "The Article 29 Working Party insists therefore on the respect of global data protection principles."
The group said that SWIFT and the financial institutions whose transactions it processed bore joint responsibility for the transfers.
"As far as the communication of personal data to the US Treasury is concerned, the Working Party is of the opinion that the hidden, systematic, massive and long-term transfer of personal data by SWIFT to the US Treasury in a confidential, non-transparent and systematic manner for years without effective legal grounds and without the possibility of independent control by public data protection supervisory authorities constitutes a violation of the fundamental European principles as regards data protection and is not in accordance with Belgian and European law," said the group.
"The existing international framework is already available with regard to the fight against terrorism. The possibilities already offered should be exploited while ensuring the required level of protection of fundamental rights," it said.
Belgium's own Privacy Commission had already found that SWIFT broke Belgian law, and the Swiss Federal Data Protection Commissioner said that Swiss banks had broken the law by allowing their data to be transferred.
The EU data protection group will now seek talks with SWIFT to outline its concerns and try to change the situation.
"They have to change their system," Peter Schaar, head of the Working Party, told Reuters news agency. "We hope we find ways to find a situation of compliance with EU law."
It has also emerged that the Federal Prosecutor of Brussels is investigating whether or not there are grounds for a prosecution involving SWIFT.
The information was requested by the US to help its intelligence gathering in the aftermath of the terrorist attacks in the US on 11th September 2001. SWIFT has previously told OUT-LAW that it believed that it had to comply with subpoenas issued in the US because some of the data was stored in the US.
European data laws say that personal information must not be transferred out of Europe to countries with weaker data protection laws than Europe. The US has weaker data protection laws than Europe.
SWIFT is a money transfer organisation with 7,500 customer organisations, including most of Europe's big names in banking.