ECB should have stopped SWIFT breach, says EU privacy chief

The European Central Bank should have prevented a major privacy breach in which the details of millions of European financial transactions were passed to US security services, according to Europe's leading privacy chief.

The European Data Protection Supervisor says that the ECB cannot escape responsibility for the breach, and that in each of its three roles it had a duty to prevent such a breach taking place.

Last year it was revealed that payments agency SWIFT (Society for Worldwide Interbank Financial Telecommunication), which processes international financial transactions on behalf of member banks, had been passing transaction details secretly to US authorities.

US security services had issued subpoenas to SWIFT for information they said they needed in their investigations into potential terrorist attacks in the US. SWIFT allowed the agencies access to many of its transactions, unknown to the people behind the transactions.

The Data Protection Supervisor said that the ECB had three duties in relation to the SWIFT case. It was an overseer, a user and a policy maker.

As one of the central banks meant to oversee SWIFT's activities, the ECB's powers of persuasion "should be used to prevent data protection breaches that might hamper financial stability and to ensure that competent authorities are timely informed," said the Supervisor's statement.

"The ECB also bears some responsibility for the way in which its 'clients'' data are processed by SWIFT," said the statement. "Acting effectively as a joint controller means that the ECB needs to ensure full compliance with data protection rules for its clients."

Its third role was as a policy maker. "In that capacity, it needs to ensure that the architecture of systems does not allow information on all European payments [to be] transferred to third country authorities in breach of data protection law," it said.

SWIFT revealed in September that it had told the ECB and national central banks about the activity, but that they had failed to act. "SWIFT informed its overseers but the overseers didn't feel obliged to inform their governments," a SWIFT spokesman said.

ECB head Jean-Claude Trichet told a European Parliament hearing into the matter that the ECB had known, but that it had not considered privacy part of its job. "The task of protecting personal data is outside of the remit of the Group's oversight function, since it is unrelated to the functioning of market infrastructure and financial stability," Trichet told the body in October.

Data Protection Supervisor Peter Hustinx said that the ECB cannot evade responsibility for the breach of privacy. "Just as other banks, the ECB can not escape some responsibilities in the SWIFT case which has breached the trust and private lives of many millions of people," he said.

"Secret, routine and massive access of third country authorities to banking data is unacceptable. The financial community should therefore provide payment systems which do not violate European data protection laws," said Hustinx.