A report by an EU panel released Thursday said the bank data transfer agency SWIFT broke European privacy laws by handing over personal data to U.S. authorities for use in anti-terror investigations.
The Belgian-based company, the Society for Worldwide Interbank Financial Telecommunication, "committed violations of data protection laws" by secretly transferring data to the United States, without properly informing Belgian authorities, the EU's data protection panel said.
The panel's report calls on SWIFT, financial institutions and EU authorities to "take the necessary measures" to end the transfer, which it said contradicts Belgian and EU data protection rules. SWIFT is still transferring data under U.S. subpoenas.
EU spokeswoman Pia Ahrenkilde Hansen said the report was adopted unanimously by the 25-member panel which also chided the role of the European Central Bank in the affair. It demanded clarification from the ECB over its role in the affair. ECB President Jean-Claude Trichet has acknowledged his bank knew of the transfers but could not prevent them.
"SWIFT is expected as well as financial institutions to take the necessary steps immediately to remedy the present illegal infringement," Ahrenkilde Hansen said, adding the group will monitor the implementation of the recommendation by SWIFT and the ECB and other national banks which sit on SWIFT's oversight board.
The data protection officers have been drafting their report since September and their conclusions come as no surprise following a similar finding by a Belgian commission, which was tasked by the Belgian government and the EU panel to investigate SWIFT's secret deal with the U.S. Treasury.
The European Commission, which could eventually launch a legal case against Belgium for failing to uphold EU data protection rules, has said it would await the final report of the EU data protection officers before deciding what action to take.
Ahrenkilde Hansen said the Commission would "ensure correct implementation" of EU data protection rules.
Belgian political leaders have already called on the EU to negotiate with the United States on fixing the apparent legal limbo SWIFT finds itself in.
The EU panel report echoes the Belgian report which said that while the company did all it could to live up to Belgian, EU and U.S. regulations to hand over the requested information, it finds itself in a legal black hole.
The company routes about 11 million financial transactions daily between 7,800 banks and other financial institutions in 200 countries, recording customer names, account numbers and other identifying information.
SWIFT and top European bankers told a European Parliament committee last month it had no power to prevent the transfer of personal data to U.S. authorities.
The company and Trichet called for the EU to sit down with Washington and draft a new global deal to fix the legal quagmire which now exists over the transfer deal.
The transfer deal between the U.S. Treasury and SWIFT was launched by Washington after the Sept. 11 attacks.
The SWIFT case compounds legal and political clashes between Europe and the United States over anti-terror measures and highlights divisions over what lengths governments should go to in order to prevent attacks.
SWIFT officials have argued that it had no choice but to abide by U.S. subpoenas for bank data, saying that if it refused to hand over the information, it would have faced fines and possible criminal penalties like jail time.
"It is disturbing that none of the involved parties is willing to take responsibility for the failure to protect the rights of EU citizens," said Kathalijne Buitenweg, a Dutch Green member of the European Parliament. She called for a clarification of ECB and national bank rules in ensuring they report all violations of EU privacy laws.