PI estimates over 4 million UK financial records sent each year to U.S.
Following a series of formal complaints to regulators, the privacy watchdog organisation Privacy International has released its estimate of the volume of confidential UK financial data covertly transmitted to the US government.
Last week PI filed simultaneous complaints with Data Protection and Privacy regulators in 32 countries concerning recent revelations of secret disclosures of records from the banking giant SWIFT to US intelligence agencies (1).
This disclosure of data has been undertaken on the grounds of counter-terrorism though once in US territory, authorities would be at liberty to use the information in whatever way they see fit. The disclosures involve the mass transfer of data from the SWIFT centre in Belgium to the United States, and possibly direct access by US authorities both to data held within Belgium and data residing in SWIFT centres worldwide, including the UK.
The complaints allege that the activity was undertaken without regard to legal process under Data Protection law, and that the disclosures were made without any legal basis or authority whatever. The scale of the operation, involving millions of records, places this disclosure in the realm of a fishing exercise rather than legally authorised investigation.
SWIFT's annual reports show that in 2004/2005 more than 460 million financial transactions originating from the UK were sent through the SWIFT network. Sources close to and within SWIFT have acknowledged that approximately one percent of SWIFT's traffic is relevant to the agreement, resulting in most or all of this data being diverted to the US. While the PI estimate is only indicative, we now believe that it is reasonable to assume that around 4.6 million records in that year were secretly transferred. A comparable figure can be derived for each of the four years that the programme has been in operation.
The secret arrangement was first brought to light on Friday June 23rd 2006, when the New York Times and the Los Angeles Times published details of the private arrangement between SWIFT and the United States Government that involved the covert disclosure to the US of customer financial data (2). The office of the Belgium Prime Minister broadly agreed with PI's estimate, confirming that: "the cooperative (SWIFT) had received broad administrative subpoenas for millions of records" (3).
The PI complaints have expressed concern that this data could be used by US authorities for a range of unrelated activities, including espionage. The Home Office has acknowledged that it was made aware of the programme in 2002.
The Canadian Federal Privacy Commissioner has already commenced an inquiry. Privacy regulators in Europe are deciding whether the matter should be dealt with cooperatively or at a national level.
The complaints call for action to suspend SWIFT's disclosure programme:
We are concerned that the practice substantially violates Data Protection law and we request that your office institutes an investigation without delay. We also ask that you intervene to seek the immediate suspension of the disclosure programme pending legal review.
"The disclosures have taken place on the grounds of counter-terrorism. This complaint does not seek to challenge the existence of provisions to disclose personal information on legitimate grounds of national security or counter-terrorism. Such disclosures must be subject to established legal procedures. The relevant procedures appear not to have been engaged either by SWIFT or by the United States government. In our view, therefore, the disclosures are unlawful and should be brought to a halt."
Privacy International's Director, Simon Davies, said:
"This unlawful activity shows yet again how the US wilfully disregards the privacy rights not only of its own citizens, but also the rights of foreign nationals. The scale of the operation is breathtaking, and the extent of privacy violation is almost without parallel. We will work to bring the programme to a halt pending further investigation."
(1) See original coverage at http://www.iht.com/articles/2006/06/27/news/secure.php and the text of the complaints at http://www.privacyinternational.org/article.shtml?cmd=x-347-538985
(2) See coverage at http://www.usatoday.com/money/industries/banking/2006-06-22-bank-records_x.htm
Notes to editors
Privacy International (PI) is one of the world's oldest privacy organisations, and has been instrumental in establishing the modern international privacy movement. The London-based organisation was formed in 1990 as a privacy, human rights and civil liberties watchdog. PI has organised campaigns and initiatives in more than fifty countries. www.privacyinternational.org
SWIFT is the financial industry-owned co-operative that supplies secure, standardised messaging services and interface software to 7,800 financial institutions in more than 200 countries. SWIFT's worldwide partnership includes banks, broker/dealers and investment managers, as well as their market infrastructures in payments, securities, treasury and trade. The organization generates authorizations concerning almost two billion transactions per year amounting to around 2000 trillion US dollars.