The US Treasury's Terrorist Finance Tracking programme had violated the privacy of up to 7,800 international financial institutions in its secret trawl through financial records held by the Belgian firm SWIFT.
The Belgian data protection registrar declared today that the Society for Worldwide Interbank Financial Telecommunication (SWIFT), which handles financial transactions on behalf of banks and other financial institutions in G10 countries, had violated Belgian data protection law by complying with the US Treasury's secret investigation.
"SWIFT should have complied with its obligations under Belgian data protection law," said the opinion of the Belgian Commission de la Protection de la Vie Privee today.
The firm should have informed the Belgian authorities that it was handing its clients records over the the US, and it should have complied with rules regarding the transfer of its data to a foreign country, said the opinion.
It recognised the efforts SWIFT took to comply with the US subpoenas on its data. Pressured by the US to keep the violation secret, SWIFT took its own steps to protect the privacy of its clients' data as much as it could.
But this was not enough: "SWIFT made some substantial errors of judgement in complying with the American subpoenas," said the opinion.
"From the beginning, SWIFT should have been aware that the fundamental principles of European law were to be observed, apart from the enforcement of American law," it continued.
The US Treasury had demanded to examine SWIFT's records in a hunt for terrorist financiers after 9/11.
It had unlimited access to this data for an unspecified time. The opinion said that in order to protect the privacy of its client's data, SWIFT should have ensured that the US snooping of its records was proportionate, that they were only retained for a limited examination, that the investigation was transparent to the European authorities and so on.
Yet a spokeswoman for the Belgian data protection registrar said the office would not prosecute SWIFT. She could not say why, but the opinion gave a clue.
"SWIFT finds itself in a conflict situation between American and European law," it said.
SWIFT jumped on this concession. A statement attributed to the firm's CEO, Leonard Schrank, said: "The review has raised important issues about the balance between data privacy for consumer protection purposes and use of financial data for security and counter-terrorism purposes."
He called for the US and EU authorities to formulate an agreement that "reconciled data privacy protections with today's pressing security concerns."
The Belgian opinion was going to be adopted by the European Commission's Data Protection Supervisor and form the basis of opinions formed by the registrars of all 33 countries where campaigners Privacy International filed complaints about SWIFT's co-operation with the US programme.
The Belgian registrar said it was not in the remit of today's opinion to consider whether Belgium's financial institutions had also offended its data privacy laws. Some of them at least would have been aware of the US snooping through their membership of SWIFT's co-operative board. Central banks in all G10 countries were also privy to the investigation without telling the authorities. The European Parliament is considering on Wednesday whether the ECB should be implicated. The Register found this week that it was.®