Banks unleash paper tigers over terror data probe
'We've written some letters'
British banks have responded to European privacy watchdogs, who claim they broke the law by letting US anti-terror investigators have access to the details of their customers' international financial transactions.
The banks have written letters to their customers, and claim this should be enough to put them in the clear.
British Banking Association retail director Stewart Dickey said banks wrote to their customers to warn them that the details of their international transactions might be accessed by US investigators.
He said this responds to the demands of the Article 29 Working Party (A29), which has co-ordinated the action of data protection authorities across Europe to ensure the banks' co-operation with US agents does not violate individual liberties.
The A29 group, though it has no actual power to enforce its demands, said in November that Europe's financial institutions, all of which conduct their international business through the Society for Worldwide Interbank Financial Telecommunication (Swift), must get this "illegal state of affairs" corrected "immediately".
That order, Dickey said, had been complied with.
"We have to watch carefully what happens in Brussels (where transatlantic agreement is being fleshed out) but, given that Swift are working on this, for the moment that is all we need to do - to make sure the information given to customers is correct.
"We are working very closely with the ICO and he's very much aware - and the Working Party - of what we are doing.
"He is content with the actions the banks are taking with regard to improving the information they give to customers."
The UK Information Commissioner's Office (ICO) has been pressing British banks and financial institutions in accord with its European counterparts.
A spokesman for the Information Commissioner said it had written to "various representative bodies", though wouldn't divulge who these were - despite Europe's privacy watchdogs' recent commitment to transparency.
Following bold European statements to correct the "illegal state of affairs" immediately, the UK's own requests to its financial institutions seemed a little limp.
"We asked them to look at what steps, if any, are needed to make sure UK financial institutions comply with data protection legislation," the spokesman said.
"We explained that, at this stage, we are not expecting to take enforcement action against any UK financial institutions, however, this may need to be considered if the current situation remains unchanged," he added.
What the UK ICO is not outwardly saying is that it might have little more recourse than polite entreaty.
As reported before, Swift operates an effective monopoly on international financial operations. Eighty-eight British financial institutions hold shares in Swift, while a total of 457 UK institutions are connected to its network. They can't be ordered to stop using Swift without bringing the world's markets to a halt. The US won't stop its terrorist finance investigation and shows no sign of welcoming European privacy watchdogs into its little coterie.
So the banks appear to be in the clear until the Europeans flesh out the transatlantic agreement for which they opened negotiations with the US last week.
"The banks are waiting to see if they can be saved by the international agreement," a source in Brussels said.
Dickey said as far as Swift was concerned it had struck its own deal with the US to protect the privacy of its data.
"Swift will tell you that the information given to the Americans was very strictly controlled. The point is that the data transferred complies with data protection laws," he said.
The data protection authorities say otherwise, but they can't really do much about it for now. Dickey, as if to rub salt in the wound, says the same stands for him until there's a transatlantic agreement.
That's just what the authorities fear - that a transatlantic agreement between Swift and the US becomes a precedent for other agreements which subvert the broader legal principles the data protection wonks are fighting to protect. ®
Here's Citibank's new "you have no privacy" terms
Read it and weep, Citibank customers: here's Citibank UK's new terms, which mean they can hand your account information to anyone for any reason, and specifically to the USA for business or other purposes.
43. Transfer of Data abroad
43.1 Data may be transferred to, and stored and processed in, other countries including countries WHICH DO NOT offer “adequate protection” for the purposes of Directive 95/46/EC of the European Union for any purpose related to the operation of Your account.
43.2 Such purposes include but are not limited to processing of instructions and generation of confirmations, advices and statements; maintenance of accurate “know your customer” information; the operation of control systems; the operation of management information systems and allowing Citigroup’s Organisation staff who share responsibility for managing Your relationship from other offices to view information about You.
43.3 Data may also become subject to the legal disclosure requirements of other countries.
Section 30.1. The bank may disclose:
30.1.6. To countries or territories outside the European Economic Area including the United States of America and India for account management and other business purposes. You understand that this information may then become subject to disclosure under the laws of other countries.
No it's illegal, + Citibank new terms
"the handing over of the data was not illegal"
No, it was illegal. SWIFT are trying to retroactively get the data declared as covered by 'Safe harbor'. The EU Safe Harbor treaty with the US lets companies keep data in the US as long as it's protected to the same extent as in the EU. It doesn't let them hand stuff over without warrants or even auditing or control, which is what they did.
It won't even be legal in the USA, since SWIFT handed over US citizens' data to the NSA too, which is also illegal (FISA exception excluded).
"How many other companies are doing this"
I read that Citibank UK are changing their account terms and buried in those new terms is a clause 'you consent to have your data sent abroad where it may be subject to disclosure to foreign governments'. It looks like this problem is all the way through the EU banking system, and they're retroactively covering their ass.
If China demanded details from HSBC, would they comply and not tell anyone? I don't see the difference; if the banks are able to do this with the USA, then a legal precedent has been set that works for China, Russia, and anyone else who wants EU data.
If you don't prosecute the first infringement, prosecuting the second, third, fourth becomes damn near impossible.
Illegal in the first place
Surely the handing over of the data was not illegal (as it was data held in the US), but moving data from the EU to the US in the first place was. Under Data pro law you cannot transfer data to a country that does not have equivalent protection. How many other companies are doing this because it is easier than setting up a new Data center in the UK?
Makes me worry about all the call centers in Asia. Does India have comparable data pro laws?