Banks and other financial institutions around the world have frequent access to SWIFT (the Society for Worldwide Interbank Financial Telecommunication) to facilitate inter-bank transfers of funds, particularly international transfers. To do so, the initiating bank needs to collect and communicate information about the customer making those transfers. That information can potentially include the "personal information" that is covered by privacy legislation. In the summer of 2006, the New York Times and other media reported on the use of administrative subpoenas by the U.S. Department of Treasury (UST) to access allegedly tens of thousands of records from SWIFT. In Canada, the Office of the Privacy Commissioner of Canada launched an investigation against six of Canada’s largest financial institutions as a result of that alleged disclosure. Its findings were released on April 2, 2007.
SWIFT is the financial industry-owned cooperative that supplies secure standardized messaging services and interface software to close to 8,000 financial institutions in more than 200 countries. It is the means of processing international money transfers among financial institutions.
There was no dispute that the alleged disclosures of personal information had in fact been made, pursuant to subpoenas, to the UST. The commissioner found that it was likely that some personal information of Canadians originating from the Canadian financial institutions had been disclosed.
The first element of the complaint and investigation was directed at a principle of the federal privacy statute, the Personal Information Protection and Electronic Documents Act (PIPEDA), to the effect that each financial institution remains responsible for personal information that has been transferred to third parties, such as to SWIFT for processing of money transfers.
The privacy commissioner reviewed the terms of the contractual arrangement that the banks had with SWIFT. That document provided each bank’s consent to SWIFT’s processing of personal information. It also provided that SWIFT would not be prevented, when faced with legitimate subpoenas or other legal requirements to disclose information, from disclosing personal information. (This is in line with the provisions in PIPEDA.)
She also looked at the fact that the banks had notified their customers with very clear language in their privacy policies about their practice on outsourcing or processing of personal information and that such outsourcing or processing might take place outside of Canada where the information would become subject to the local laws.
The commissioner’s office also found that the banks had taken sufficient steps to notify their customers that the information would be processed in another country.
On that basis, she found that the banks had not breached their privacy obligations to the customers under PIPEDA.
McCarthy Tétrault Notes:
The commissioner’s office appears to have taken a very pragmatic view in this matter. It noted that Canada has an obligation to respect the legal frameworks of other countries and that PIPEDA cannot operate to prevent foreign authorities from lawfully accessing the personal information of Canadians held by organizations within the foreign country.
The office also recognized that PIPEDA cannot stop Canadian companies from outsourcing the processing of the personal information that they hold to foreign-based service providers. The important factor is that PIPEDA requires organizations to be transparent about the personal information handling practices and that such organizations take all reasonable steps to protect the personal information of their customers when it is in the hands of third party service providers.
Although the commissioner held that the complaints were not well-founded in this case, she signalled her intent to request the Canadian government to initiate talks with the U.S. government to encourage the use of existing information-sharing mechanisms under the anti-money laundering/anti-terrorism financing regime instead of the subpoena route used by the UST to obtain information from SWIFT in this case. In the commissioner’s view, this alternative would allow greater transparency and better respect the value Canadians place on privacy protection.