Back in February, the European Parliament expressed its displeasure with the fact that the Society for Worldwide Interbank Financial Telecommunications (SWIFT) system was being regularly accessed by US authorities, including the CIA, as part of investigations into terrorist financing. Legislators wondered if SWIFT (a Belgium-based company) was obeying EU data protection laws, and proposals were floated that would ask SWIFT to stop mirroring its data to the US. According to Germany's Federal Data Protection Commissioner, Peter Schaar, the situation could get a lot messier: SWIFT might soon handle domestic as well as international fund transfers, and US authorities might then have access to every bank transfer in Europe.
Schaar's comments were reported in the German paper Heise, which quoted him as saying that this would "scarcely be compatible with our notions of sovereignty." All of this is a bit speculative right now; Schaar's scenario first requires the creation of the Single Euro Payments Area, which is under discussion in Brussels but has yet to be created. It also assumes that SWIFT will continue to follow its current policies without modification, which is not at all certain.
In response to widespread criticism in Europe, SWIFT executives have already taken steps to change their practices. After a board meeting on March 15, the company announced that it was stepping up its efforts to earn "Safe Harbor" status in the US. Safe Harbor is a way for European firms that do business in the US to comply with EU data protection laws. SWIFT has already been told that it is eligible for Safe Harbor, and the necessary technical and legal preparations should be completed by the end of this year.
SWIFT has rejected the idea of moving its mirrored servers out of the US, though. Francis Vanbever of SWIFT told a European Parliament committee this week that the system was necessary to avoid any disruptions to the worldwide system, and he pointed out that the company had no choice but to turn over data to the Americans. "After September 11th," he said, "we received a compulsory order to provide information on data stored in the US… We verified the situation with external legal counsel, which confirmed the US had the authority to issue the order. If we did not comply, we would face civil and criminal penalties, including fines or imprisonment."
Even without processing domestic transactions, SWIFT is already a giant in the banking world, and it's easy to see why concerns would be raised about any disclosure of the company's database. On March 1, 2007, SWIFT set a record for the volume of financial transactions handled in a single day as 14.7 million messages passed through its network. Privacy advocates like Schaar worry about the potential for economic espionage and other kinds of abuse if US authorities keep using their subpoena power to gain access to such a transaction database, which would contain far more messages than the current version.
Combine these worries with earlier fears about a worldwide ECHELON surveillance system run by the US, the UK, and Australia (worries great enough that the European Parliament issued a lengthy report outlining everything it could discover about ECHELON [PDF]), and you have an explosive cocktail of paranoia. The Europeans worry that, without adequate safeguards, the US and others with access to the systems might use them for more than just hunting down terrorists.
This is more than idle speculation; take a look at the chart beginning on page 103 of the ECHELON report linked above. It shows noted cases of industrial espionage, including some famous incidents in 1994 in which the NSA was apparently responsible for outing Airbus bribes in order to allow Boeing to compete on a level playing field.