- Created: 13 April 2010
The European Parliament in February caused a "serious setback" to security cooperation between the European Union and the United States, writes Stephen Gardner. It vetoed an agreement between Brussels and Washington that would have allowed EU financial data to be transferred across the Atlantic.
The vote was the latest twist in the so-called SWIFT saga. SWIFT, or the Society for Worldwide Interbank Financial Telecommunication, is the Belgium-based main provider of a global messaging service that underpins financial transactions. In the aftermath of the 9/11 attacks, as part of work to identify terrorist finance networks, US federal investigators obliged SWIFT to open its databases.
This became public in 2006, prompting a Belgian government investigation, which concluded that SWIFT had "secretly and systematically transferred massive amounts of personal data for surveillance without [an] effective and clear legal basis and independent controls."
Since then, arguments have rumbled on. Washington and Brussels want to formalise the data transfer, but the case has become a focus for the debate about the right balance between security and privacy. The European Parliament's scuppering of the deal suggests that the balance has yet to be found.
The Parliament's worry was that data collected for one purpose was being used for an entirely different one, potentially posing threats to Europeans. Nathalie Vandelle from the office of the European Data Protection Supervisor says "we are not aware of other existing cases like SWIFT," but that such transfers are "likely to expand" and "systematic cooperation between private companies and law enforcement" needs to be developed.
The bigger issue
But there is a bigger question behind the SWIFT issue. Digital technologies have transformed personal and business relationships. Never before has it been so easy for corporations and governments to amass, exchange and exploit data, for good or ill.
Serge Ravet of the Internet of Subjects Foundation, which campaigns for data-privacy enforcement, says the situation is dangerous. There is "fragmentation of personal data and global lack of control." Individuals have been "digitally quartered," exposing them to a range of threats, from unauthorised access to personal messages or bank accounts, to identity theft or even the risk of being mistaken for a terrorist.
The problem is that the headlong rush online, and the establishment of services based on personal data, such as social networks, have been accomplished piecemeal. Only now are fundamental questions being asked more widely: what is the meaning of identity in the digital age, and how can individuals benefit from their online existences without suffering the downsides?
Serge Ravet says there should be "total separation" between the hosting and control of personal data, and its use by companies and governments. Individuals should have "personal organisational data stores" (PODS), or digital repositories of their personal information, and would choose to whom they grant access. Ravet argues this would render obsolete the holding of personal data by companies or governments.
Such a vision may seem unlikely to be realised soon, but cases such as SWIFT mean the bigger questions of digital identity must be tackled. For now the EU and US authorities must go back to the drawing board and find, in one case at least, an acceptable balance between privacy and security.
A version of this article was originally published in Ethical Corporation magazine.