Saturday, April 28, 2007

Does the SWIFT incident expose PIPEDA's loopholes?

IT Business is running an article entitled SWIFT scandal exposes PIPEDA holes, in which the Privacy Commissioner of Canada and Phillipa Lawson of the Canadian Internet Policy and Public Interest Clinic lament that PIPEDA allows the disclosure of personal information without consent in response to a foreign subpoena.

(For some background, see my previous posts on SWIFT.)

Is this a loophole or something that should be remedied? Certainly the European Union thinks that disclosing European info in this way is not OK.

I'm not sure there is really anything that can be done about this, other than to keep data out of jurisdictions with laws that you consider offensive. Certainly, we have seen that the EU and some Canadian provinces think that the USA Patriot Act is overbroad and a threat to privacy. Unlike some public sector laws in Canada, PIPEDA is completely silent with respect to the export of personal information. But once data sits in a jurisdiction with a lawful power to compel its production, the practical impact of the home country's privacy law is virtually nil. Particularly if that law is as toothless as PIPEDA.

Practically speaking, the solution is really to keep those data warehouses out of those jurisdictions. While SWIFT is a European outfit, they had a data centre in the US that was within the lawful jurisdiction of the US authorities armed with subpoenas. As an international clearing system, it would obviously have to transmit some data back and forth between HQ and the US. But there doesn't seem to be any compelling argument to suggest that all that data should have been kept there.

Canada, with its European-accepted privacy laws, would have been an ideal place to locate the SWIFT data centre. Milliseconds from New York and Brussels, but a world away from the US as far as privacy laws go. Any international company doing business with personal information in the United States really should think about this. What SWIFT did may have been completely lawful in the US, but it certainly has caused more than its fair share of headaches and has opened it up to potential liability in the EU.
