Canada's Privacy Commissioner has wrapped up her investigation of the SWIFT information sharing fuss and has concluded that SWIFT is subject to PIPEDA but did not violate the law when it handed over Canadian information in response to US subpoenas.
From the Commissioner:
News Release: Privacy Commissioner concludes investigation of SWIFT (April 2, 2007)
Privacy Commissioner concludes investigation of SWIFT
Ottawa, April 2, 2007 —The Privacy Commissioner of Canada, Jennifer Stoddart, today announced the conclusion of her Office’s investigation of the Society for Worldwide Interbank Financial Telecommunication (SWIFT), a European-based financial cooperative, that supplies messaging services and interface software to a large number of financial institutions in more than 200 countries, including Canada.
In her Report of Findings, made public today, the Commissioner confirmed that SWIFT is subject to the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada’s private sector privacy law, and that the organization did not contravene the Act when it complied with lawful subpoenas served outside the country and disclosed personal information about Canadians to foreign authorities. However, she emphasized that making use of existing information-sharing regimes, with built-in privacy protections, would allow for greater transparency for citizens.
Since her appointment, Ms. Stoddart has raised concerns about the personal information of Canadians flowing across borders. In her Report, the Commissioner stressed that organizations operating and connected in a substantial way to Canada are subject to PIPEDA and they must abide by the Act. “Simply because companies might operate in two or more jurisdictions does not relieve them of their obligations to comply with Canadian law,” said Ms. Stoddart.
It was alleged that SWIFT inappropriately disclosed to the US Department of Treasury (UST) personal information originating from or transferred to Canadian financial institutions. Ms. Stoddart launched a commissioner-initiated investigation into the matter to determine if there was a breach of PIPEDA, the federal law which covers the collection, use and disclosure of personal information in the course of commercial activities.
Following September 2001, the UST began issuing subpoenas to SWIFT for certain data held in SWIFT’s US-based operating centre. SWIFT obtained a series of privacy protections for the data it transferred to the UST.
In her Report, the Commissioner explained that PIPEDA allows an organization such as SWIFT to abide by the laws of other countries in which it operates. An organization that is subject to PIPEDA and that has moved personal information outside the country for business reasons may be required at times to disclose it to the legitimate authorities of that country. It is clear that in response to a valid subpoena issued by a court, person or body with jurisdiction to compel the production of information, an organization must disclose personal information and PIPEDA makes it permissible to comply with this obligation. The Commissioner stressed that multi-national organizations must comply with the laws of those jurisdictions in which they operate.
The Commissioner noted, however, that if US authorities need to obtain information about financial transactions that have a Canadian component, they should be encouraged to use existing information mechanisms that have some degree of transparency and built-in privacy protections. Accordingly, she signaled her intent to ask Canadian officials to work with their US counterparts to persuade them to use Canadian anti-money laundering and anti-terrorism financing mechanisms instead of the subpoena route.
“These alternate avenues would allow far greater Canadian involvement in the scrutiny of personal information and would better respect the value we give privacy protection,” said Ms. Stoddart. “Democratic societies must ensure that the fundamental rights and freedoms of the individual are respected to the extent possible, including the right to the protection of personal information.”
In addition to its investigation of SWIFT, the Privacy Commissioner’s Office also received complaints against six Canadian financial institutions and conducted an investigation into their involvement in the matter.
The Office reviewed the contractual documentation that exists between SWIFT and the banks, and concluded that the banks are meeting their obligations under the PIPEDA, noting that when an organization that contracts with a firm that operates both within and outside of Canada, it must respond to lawfully issued subpoenas in other jurisdictions as well as in Canada, and PIPEDA permits this.
Moreover, she found that each of the banks has very clear language in their privacy policies. These policies inform customers that the banks may send their personal information out of the country for certain purposes and that while such information is out of the country, it is subject to the laws of the country in which it is held.
The Privacy Commissioner of Canada is mandated by Parliament to act as an ombudsman, advocate and guardian of the privacy and protection of personal information rights of Canadians.
View the Executive Summary.
View the Commissioner’s full Report of Findings.