A need for SWIFT change: the struggle between the European Union's desire for privacy in international financial transactions and the united states' need for security from terrorists as evidenced by the SWIFT scandal

Journal of High Technology Law, The, Jan, 2008 by Courtney Shea

In recent history, the struggle between the desire for privacy and the need for security has been affected by worldwide events. This struggle is clearly seen in the transfer of information from the European Union (EU) to the United States. In the last century, Europeans suffered from violent actions, from those such as the Third Reich, which was partly facilitated by privacy violations. Abuses like these have increased the EU's desire to enact strong data protection laws which protect the safety and identity of its citizens. With the invention of the Internet, there was a similar call for stricter privacy laws in the U.S. to protect individuals' information. However, this American trend came to an abrupt halt with the attacks of September 11, 2001. This tragic event changed American life, creating a new cry from U.S. citizens for stronger security measures. As a result, a conflict of ideals was created between the EU and U.S. where Europeans wish to protect information to avoid the follies of the past, while the American government is continually seeking information to learn of possible terrorist activities or plans of future attacks.

This struggle between privacy and security has affected the transfer of important data from the EU to the U.S. A strict European Union Data Protection Directive [hereinafter The Directive] has made it difficult for the U.S. to gather information in the post 9/11 era without violating EU law. In particular, the United States' secret collection of data from messaging services relating to international financial transactions has been found by the EU to violate the Directive. This tracking program was highlighted by the extensive use of the Belgium based bank messaging service, The Society for Worldwide Interbank Financial Telecommunication (SWIFT). Although the EU and the U.S. seem to have temporarily solved this conflict as it relates to SWIFT, a more permanent solution has yet to be negotiated. Thus, it is this author's argument that the U.S. must take immediate action to modify its Safe Harbor Provision with the EU, which provides a safe haven from some of the strict mandates of the Directive, and that the U.S. and EU should work together to create a uniform method of protecting data.

This note discusses: the development of U.S. and EU privacy law; the creation and development of the Directive; how recent actions of the U.S., namely the tracking of international financial data, violates the objectives of the Directive; and how this creates a need for action from the U.S. in order to continue the free flow of data from EU member nations to the U.S. Section I discusses the history of privacy law in the U.S. and in the EU, which led to the EU enactment of the Directive and the subsequent negotiation with the U.S. to create a Safe Harbor Provision. Section II illustrates the recent tracking of international financial transactions in collaboration with the Brussels based banking consortium, SWIFT, and how the EU has reacted. Section III analyzes this issue from both the perspective of the U.S. and the EU. This Section also discusses the solutions to the problem relating to SWIFT. Section IV is a summary of the issues discussed in the note and sets forth the author's perspective on how the overarching problem can be resolved while still respecting the United States' desire of security from terrorists and the EU desire for protection of its citizen's privacy.

I. The Development of Privacy Laws and Data Protection

A. Privacy of Personal Data in the United States

While the EU has historically enacted broad legislative protection of personal data, the U.S. has promoted the self-regulation of industries through the use of broad reaching legislation. (1) As a result of the 9/11 attacks on American soil, Americans have subsequently lived in fear of terrorism. Perhaps it is this desire for security that has made Americans more willing to forgo sweeping privacy laws as seen in the EU, and in turn, made them more willing to sacrifice the protection of their data. (2) Although the U. S. has taken this sectoral approach to data protection laws, the United States Constitution and interpreting case law does provide some protection of an individual's privacy. (3) Cases like Whalen v. Roe (4) and Nixon v. Administrator of General Services (5) have extended the protection of an individual's privacy, however, this is a general protection and courts have not yet interpreted the Constitution broadly enough to include a protection of information privacy from government misuse. (6) Despite this lack of overarching protection, there are some statutes that limit the use of data, using the aforementioned sectoral approach. (7) Examples of sectoral regulations enacted include: the Fair Credit Reporting Act of 1970, (8) The Privacy Act of 1974, (9), and the Drivers Privacy Protection Act of 1994. (10)

B. Privacy Protection in the European Union

Throughout the past two centuries Europeans have suffered from abuses of invasive data collection, making the issues of privacy and the protection of personal data ongoing concerns. (11) As a result the EU has taken an aggressive position when dealing with the adequate protection of data. (12) While prior to the 1980's there was no international directive governing data privacy in the EU, there were several instruments and measures created to protect the privacy of European citizens in a general way. (13)