Business

Panel: Privacy rules broken

01:00 AM EST on Friday, November 24, 2006

By John Rega and Jones Hayden

Bloomberg News

European Union privacy regulators concluded yesterday that SWIFT, the global bank transfer service, broke European privacy rules by giving records to U.S. counterterrorism investigators, highlighting a transatlantic rift over security issues.

An advisory panel of privacy officials from EU countries cited “violations to the directive on data protection,” said Pia Ahrenkilde Hansen, a spokeswoman for the European Commission, the EU executive agency, at a regularly scheduled briefing in Brussels.

The report instructs the Belgian-based Society for Worldwide Interbank Financial Telecommunication, along with financial institutions and EU authorities, “to take the necessary steps immediately to remedy” the infringement.

A Belgian commission, which was tasked by the Belgian government and the EU panel to investigate SWIFT’s secret deal with the U.S. Treasury Department, earlier came to the same conclusion.

The European Commission, which could launch a legal case against Belgium for failing to uphold EU data protection rules, has said it would await the final report of the EU data protection officers before deciding what action to take.

SWIFT routes about 11 million financial transactions daily between 7,800 banks and other financial institutions in 200 countries, recording customer names, account numbers and other identifying information.

SWIFT officials have argued that the cooperative had no choice but to abide by U.S. subpoenas for bank data, saying that if it had refused to hand over the information, it would have faced fines and possible criminal penalties such as jail time.

Belgian political leaders have called on the European Union to negotiate with the United States on fixing the apparent legal limbo SWIFT finds itself in.

The panel, which doesn’t have power to impose penalties, adds to a legal dilemma for SWIFT, which has so far avoided sanction from its national regulator in Belgium.

“SWIFT strongly objects to the opinion” it broke the law, the cooperative said in a statement. “Only dialogue between the EU and U.S. will provide the legal certainty which internationally active companies require,” chief executive officer Leonard Schrank said.

Officials including Belgian Prime Minister Guy Verhofstadt have called for the European Union and United States, or some international body, to forge an agreement on data privacy and reconcile conflicts between laws of different countries.

The cooperative, formally named the Society for Worldwide Interbank Financial Telecommunication, relays money-transfer orders among almost 8,000 member banks in more than 200 countries via its self-named Swift code.

As one of the main conduits for the global financial system, SWIFT drew the attention of the U.S. terrorist hunters after the Sept. 11, 2001, attacks. Wielding administrative subpoenas, the U.S. Treasury Department and Central Intelligence Agency have called up millions of records from SWIFT’s U.S. databank. The New York Times reported on the classified program in June, drawing condemnation from President Bush and members of Congress.

Schrank, CEO since 1992, also has criticized the disclosure of the subpoenas, which he credits with breaking up terrorist plots and saving thousands of lives. Last week, he blasted European data-privacy regulators, as well, for ignoring security concerns and fixating on the technicalities of an 11-year-old privacy law not intended for such circumstances.

Schrank also said last Friday that SWIFT should be commended, rather than criticized, for insisting on privacy safeguards in the handling of the data. The United States agreed to limit subpoenas to targets of specific investigations, to let SWIFT officials supervise the transfer of information on site and to have an outside auditor verify the controls.

SWIFT criticized the panel issuing yesterday’s report for ignoring requests to meet and give its side of the argument. The committee is known as the Article 29 Working Party, after the section of the privacy law creating the group.

SWIFT did provide information to the Belgian Data Privacy Commission, the primary supervisor on the case. That authority concluded Sept. 28 that the transfers ran afoul of the law, while stopping short of recommending legal sanctions because SWIFT was caught in a conflict with U.S. law. Verhofstadt said the organization wasn’t being asked to stop cooperating with the United States.

SWIFT last week outlined a detailed objection to the Belgian decision. The legal defenses include that the cooperative doesn’t control the data within the meaning of EU law, likening its role to a postal service that doesn’t open letters.

Providing records to U.S. authorities doesn’t constitute a transfer of information outside the European Union, SWIFT also said, as the group keeps duplicate transaction records on both continents.

With Associated Press reports
