On April 2, 2007, the Assistant Commissioner of the Office of the Privacy Commissioner of Canada (OPCC) issued his decision (Case Summary #365) in the case involving the Society for Worldwide Interbank Financial Telecommunication (SWIFT). The Assistant Commissioner found that the complaint that Canadian financial institutions (the “Banks”) did not meet their obligations under PIPEDA in respect of their contractual relationship with SWIFT was not well-founded. In a parallel Report of Findings also dated April 2, 2007, on a Commissioner-initiated complaint against SWIFT, the Commissioner found that SWIFT was bound by PIPEDA, but had fulfilled its obligations under PIPEDA in disclosing personal information of Canadians to the United States Department of the Treasury (UST) under administrative subpoenas which circumvented the established international protocols for the disclosure of this type of information to government. The decisions are important because the OPCC concluded that PIPEDA cannot be used to prevent foreign authorities from lawfully accessing personal information held within their jurisdiction, and that entities, like SWIFT, which operate in multiple jurisdictions, are subject to PIPEDA.
The facts are fairly straightforward. A June 23, 2006 article in the New York Times reported that SWIFT disclosed tens of thousands of records to the UST pursuant to administrative subpoenas. In response to the article, a complaint was filed against six Banks alleging that they were responsible for the disclosures by SWIFT to the UST, and that (i) the Banks failed to ensure a comparable level of protection in relation to personal information disclosed by SWIFT (Principle 4.1.3 of Schedule 1 to PIPEDA), (ii) the disclosures by SWIFT, for which the Banks are responsible, were for an inappropriate purpose since an approved process for such transfers already exists (PIPEDA, s. 5(3)) and (iii) the exceptions to consent for disclosure under subpoenas and to government (PIPEDA, paras. 7(3)(c) and 7(3)(c.1)) do not apply to overly broad subpoenas or foreign governments. The Commissioner initiated an investigation of SWIFT on items (ii) and (iii).
The OPCC found all elements of the complaint not well-founded. (i) The Banks met their obligations to require contractual protections for personal information in their agreements with SWIFT notwithstanding that the Banks had delegated all control over the information to SWIFT. The contractual security measures and oversight in place were sufficient. Also, the privacy policies informing customers that the Banks may send information outside of Canada for certain purposes, and that while such information is out of the country it is subject to the laws of the country in which it is held, comply with Principle 4.8 of Schedule 1 of PIPEDA. Issues (ii) and (iii) were not well-founded as they were in relation to disclosures by SWIFT, and were addressed in the Commissioner’s Report of Findings.
The Report of Findings found (i) that PIPEDA applies to entities, such as SWIFT, that operate in more than one jurisdiction and choose to collect, use or disclose personal information in Canada, (ii) that SWIFT took reasonable steps in the preservation of confidentiality of the information, and (iii) that it was appropriate for SWIFT to disclose on the basis of the administrative subpoenas, which it had determined to be lawful and valid, notwithstanding the existence of FINTRAC and the MLATs which are currently in place for the intergovernmental disclosure of just this type of information. As an aside, the Commissioner implied in her Report of Findings (linked below) that she will encourage Parliament to use diplomatic channels with the U.S. to lend transparency to the disclosure of Canadian personal information to U.S. authorities and to urge a return to the treaty channels of disclosure circumvented by the UST’s administrative subpoena.
In response to similar privacy concerns in other jurisdictions, the US Treasury Department has made unilateral representations to the European Union to take into account EU data protection concerns when accessing EU personal data received from SWIFT pursuant to administrative subpoenas. As part of that process SWIFT will be joining the Safe Harbour and the US commitments will be subject to annual oversight by an EU representative.