Financial data transfer company Swift can continue to pass details of European citizens' transactions to US authorities provided the firm signs a formal get-out clause granting it immunity from European data protection laws, the European Commission has said.
The Society for Worldwide Interbank Financial Telecommunication SCRL (Swift) has been at the centre of a transatlantic dispute over data protection since being ordered to share millions of pieces of information about people and companies from around the world with US agencies after the terrorist attacks on 11 September 2001.
The information was deemed essential in tracing the financing of terrorism and Swift complied with the order. However, European data protection laws forbid transfers of European citizens' personal data outside the European Union (EU), if the country receiving the data has a weaker data protection regime than Europe's. The US is considered such a country under European laws.
In June 2006, The New York Times revealed that Swift had been sharing the data with US authorities for years, sparking investigations in Europe into how the European laws could have been breached.
In an agreement reached between the European Commission, the German government, which currently holds the EU's presidency, and the US Treasury department, Swift can continue to share the information if it signs the safe harbour agreement and as long as individuals are informed by their banks that the information will be passed over to US authorities, the Commission said.
If these conditions are met, then US authorities are free to keep the data for up to five years, said European Commission spokesman Friso Roscam Abbing.
The safe harbour agreement has been signed by many large multinationals including Microsoft. By signing it, companies agree to respect Europeans' private data once it leaves the EU.
"The EU will have now the necessary guarantees that the US Treasury processes data it receives from Swift's mirror server in US in a way which takes account of EU data protection principles," said Commission vice president Franco Frattini, the commissioner responsible for justice, freedom and security.
"I welcome the US Treasury Department's unilateral representations and the opportunity the Treasury has given the European Union to have its views and concerns duly reflected in the representations," Frattini added.
"As well as Swift joining the Safe Harbour and its compliance with the Safe Harbour privacy principles, we now look to Swift and to the financial institutions that use its services to ensure that they fully comply with their information obligations under European data protection law. We urge them to take all the necessary steps to ensure their quick compliance with European data protection law."
Swift has promised to sign the safe harbour agreement in the coming days, while banks that use Swift to transfer funds have agreed to set up systems that will alert their customers of data transfers to the US by 1 September, Roscam Abbing said. However, it remains unclear what happens if customers decide that they don't want their information shared, the Commission spokesman added.