The Malta Data Protection Commission (DPC) is closely following developments on allegations that the United States government has, for the last five years, been given illegal access to bank transaction data held by the Society for Worldwide Interbank Financial Telecommunication (SWIFT).
Speaking to The Malta Independent on Sunday, Data Protection Commissioner Paul Mifsud Cremona confirmed the DPC had begun looking into the matter when the allegations first appeared last month in the US media.
More recently, London-based privacy, civil liberties and human rights group Privacy International urged the data protection authorities of Malta and 32 other countries to take over the allegations that citizens’ financial transactions had been compromised.
“While matters refers to the actions of the SWIFT centre in Belgium and falls under Belgian jurisdiction, the Data Protection Commission is co-ordinating at EU level, as well as at local level, where we have communicated with local banks, like any other country, to have a full understanding of the matter,” Mr Mifsud Cremona explained.
Mr Mifsud Cremona said that the DPC’s main preoccupation at the moment is whether Maltese banking transaction data has been handed over to the US authorities in an irregular manner.
The Belgian authorities launched an investigation last week to determine SWIFT’s legality in passing over millions of financial records to US intelligence agencies – specifically the Treasury Department and the Central Intelligence Agency – since September 2001. The Belgian authorities have requested information from several financial institutions, including Maltese banks, as part of their inquiry.
Also last week, the European Parliament called on the European Central Bank to declare exactly how much it knew about the practice before it was brought to light by the media, adding that such actions “could give rise to large scale forms of economic and industrial espionage”.
Once the inquiry is finalised, the EU will begin determining whether the EU’s 1995 data protection directive had been violated.
The DPC, Mr Mifsud Cremona explained, is following developments closely and will now await the conclusion of both investigations. The findings should provide details on exactly what happened, or did not happen, and answer the delicate question over the legality of the actions of SWIFT and the US agencies.
The matter is of concern for the DPC, which works very closely with privacy lobbies such as Privacy International given their common interest to safeguard data.
The DPC also works with local banks in instances such as when financial information is transferred to third, extra-EU countries as part of bank transfers and the processing of related information. When doing so, it is standard practice for banks to consult the DPC on the various regulations involved in such transfers to ensure security.
The issue has also been raised in parliament by MLP MP Leo Brincat, who asked Industry, Investments and IT Minister Austin Gatt for a reaction to the allegations and whether the actions of SWIFT and the US authorities could be considered a contravention of data protection law. Dr Gatt’s answer is pending.
The SWIFT disclosures are thought to have involved both the mass transfer of data to the US and direct access by US authorities data held in Belgium and other data residing in SWIFT centres worldwide.
The US refers to the practice, which had been covert until last month, as the Terrorist Finance Tracking Program. Reacting to articles run in the New York Times and the Los Angeles Times, SWIFT stated in a press release that it had “received significant protections and assurances as to the purpose, confidentiality, oversight and control of the limited sets of data produced under the subpoenas”.
The Belgian Prime Minister’s Office has confirmed that SWIFT had received “broad administrative subpoenas” for millions of records. An administrative subpoena, however, does not carry legal weight and is essentially a letter issued without judicial authority.