EU Privacy Czar Claims Right to Prohibit US Access to EU Financial Records

By Jonathan Winer

In a sweeping assertion of his institutional power to decide whether or not the U.S. has the right to see EU financial data, Europe's Data Protection Supervisor, Peter Hustinx announced today that he and Europe's other privacy czars had the authority to exercise "independent scrutiny" of the SWIFT system and all other aspects of the EU's payments system to decide whether privacy laws are being violated.

The opinion was taken with the goal of stopping forever the ability of the U.S. Treasury to trace terrorist transactions through the SWIFT payment system based in Belgium. The breathtaking EU opinion takes the position that Europe's privacy czars have the legal obligation to ensure that information in the payments system is used only to make payments, not as leads in terrorism or other law enforcement cases. It also says that those holding the data have the obligation immediately to provide the data subjects with information concerning everyone who has received the data, such as any law enforcement or intelligence agency that obtains access to particular records.

The opinion by the EU's privacy czar included a warning that a foreign government like the U.S. cannot be trusted with EU financial data, because it might be a cover for broader spying. In the words of the opinion, "lack of compliance with data protection rules would not only breach EU citizens' fundamental right to protection of personal data, but could also expose European companies to risks of use for economic espionage of data relating to their commercial transactions."

In proposing next steps, the EU privacy czar was careful not to overstep his immediate power, even as he turned the screws on the EU's financial regulators. He called on the European Central Bank and other financial institutions in the EU to immediately prepare "at the latest by April 2007" a report about what it would do to implement the privacy requirements demanded by the opinion. He concluded with a tough warning: "it would not be acceptable that the architecture of the European payment systems would continue to allow and facilitate that personal data relating to any euro payment between Member States are transferred to third countries in breach of the data protection legislation and made available -- routinely, massively, and without appropriate guarantees -- to third countries authorities."

In response, the European Central Bank immediately punted the issue back to the EU's politicians, saying it was not up to it to decide on the balance between privacy and fighting terrorism. Accordingly, it is not certain what will happen next.

But the messages from the EU's privacy czars could not have been more clear, They are mad as hell at the United States, and they are not going to take it any more. They are more upset with the U.S. then they are worried about terrorist attacks. They will do our best to discourage our governments from agreeing to anything else to combat terrorism, if it means that any EU person, including any terrorist or criminal, is at risk of having their financial activities be less than completely secret from the U.S. unless an EU judge has ordered otherwise.

Needless to say, Europe's privacy czars have no competence, institutional or substantive, to combat terrorism. Moreover, national security is a fundamental exception to the privacy laws cited in the opinion, a legal reality that the opinion simply ignores. (The basic position of the EU data protection authorities is that yes, national security is a defense against a violation of the privacy laws, but only if the national security is that of an EU country, not a foreign country like the U.S.)

The position of the EU's politicians on the issue -- privacy or combating terrorism -- has yet to crystalize. That the U.S. is now facing a fundamental challenge to its ability to combat terrorist finance as a result of the privacy czar's pressure and its latest decision is undeniable. The attitude towards the U.S. in Europe at this time is remarkably ugly, as was evident in the tone of the privacy czar's opinion, and the political leadership in important countries like the UK, France, and Italy, is weak. One easy solution, and likely one palatable to the EU privacy czars, would be to limit U.S. access to cases in which the U.S. has gone through traditional mutual legal assistance processes with judicial approval, which are time-consuming, inefficient, adversarial, and wholly unsuited to terrorism investigations. Something broader and quicker is needed, but to forestall that the privacy czars have warned in the Hustinx opinion that they oppose the negotiation of any new agreements by the EU with other countries on crime and terrorism issues.

In the UK, intelligence agencies continue to uncover serious terrorist plots, and issue warnings about more terrorist attacks to come. In Brussels, the warnings that are issued continue to focus on the risks of cooperation with the U.S. Someday soon, something's got to give.

TrackBack