See the Executive Summary - Report of Findings (April 2, 2007) of the Privacy Commissioner of Canada. Finally there is one data protection authority with a clear view and judgement, stating that data provision by SWIFT to US authorities is not a problem and occured within applicable frameworks:
As for compliance, the Commissioner determined that SWIFT had not contravened the Act when it disclosed personal information to the UST. The Act allows for an organization such as SWIFT to be able to abide by the legitimate laws of other countries in which it operates, and an organization may disclose personal information without knowledge or consent in response to a subpoena issued by a court, person or body with jurisdiction to compel the production of information. Recognizing that multi-national organizations must comply with the laws of those jurisdictions in which they operate, she reasoned that an organization that is subject to the Act and that has legitimately moved personal information outside the country for business reasons may be required at times to disclose it to the legitimate authorities of that country. The Commissioner therefore found that the exception to consent that allows for such disclosures applied.
Meanwhile SWIFT have published some further Board decisions describing their follow up:
- achieve Safe Harbour Status,
- increase contract transparancy,
- adapt the global infrastructure, so that EU data protection concerns will be met.