The European Union has come to an agreement with the US over the use of European banking data from payments agency SWIFT. SWIFT's secret permission for the US to use banking data caused outrage amongst data protection officials last year.
The US will be able to continue using data from SWIFT, according to the deal, but the European Commission said that the usage of data will now conform to European data protection principles.
"The EU will have now the necessary guarantees that US Treasury processes data it receives from Swift's mirror server in USA in a way which takes account of EU data protection principles," said Franco Frattini, EU Commissioner responsible for justice, freedom and security. "I welcome the United States' Treasury Department's unilateral representations and the opportunity the Treasury has given the European Union to have its views and concerns duly reflected in the representations."
SWIFT ran into controversy last year when the New York Times revealed that it had passed information on Europeans' transactions to US authorities on an ongoing basis since the aftermath of terrorist attacks in the US on 11th September 2001.
European, Swiss and Belgian data protection authorities all ruled that SWIFT had broken data protection laws in supplying the information without informing bank customers of the US surveillance.
SWIFT defended itself by saying that some of its servers are in the US and that it had to comply with US subpoenas for the data.
The new deal allows US authorities to keep data that is not relevant to anti-terrorism purposes for up to five years. It also allows the US Treasury to pass the information to other US authorities and even other countries, if the activity is related to counter-terrorism.
"The Representations include the following important safeguards: commitments by the US Treasury to use any data received from SWIFT exclusively for counter terrorism purposes – an obligation which applies also where such data are shared with other US agencies and with third countries," said a European Commission statement. "Any other use of SWIFT data is therefore excluded, including for example use of those data for commercial or industrial purposes."
Earlier this week European data protection officials gave Europe's banks a deadline of 1st September, after which all customers whose transactions could be tracked by US authorities had to be informed of this.
Frattini said that it was now up to bankers to ensure that privacy principles were followed. "We now look to SWIFT and to the financial institutions which use its services to ensure that they fully comply with their information obligations under European data protection law," he said."We urge them to take all the necessary steps to ensure their quick compliance with European data protection law".