Monday, April 02, 2007

Banks Using Swift 'Meeting Their Obligations' Under Privacy Law

Bloomberg, Greg Quinn, 2 April 2007

Canada's privacy commissioner said the country's six biggest banks and a Belgium-based industry cooperative didn't break privacy law by complying with U.S. subpoenas for customer records.

The cooperative, known as Swift, ``did not contravene the Act when it complied with lawful subpoenas served outside the country and disclosed personal information about Canadians to foreign authorities,'' Privacy Commissioner Jennifer Stoddart said today in a statement from Ottawa. Canadian banks are ``meeting their obligations'' under privacy law, she said.

The findings wrap up a 7-1/2-month investigation Stoddart announced Aug. 14, after the New York Times said the U.S. studied millions of international banking records to track terrorist finances using Swift, or the Society for Worldwide Interbank Financial Telecommunication. Canada should ask U.S. officials to seek future records through money-laundering or terrorist financing laws instead of subpoenas, Stoddart said.

Those laws ``have some degree of transparency and built-in privacy protections,'' according to a report by Stoddart that accompanied today's announcement.

The investigation began after a complaint against Swift and Royal Bank of Canada, Toronto-Dominion Bank, Bank of Nova Scotia, Canadian Imperial Bank of Commerce, Bank of Montreal and National Bank of Canada.

Swift handles about $6 trillion daily between banks, brokerages, exchanges and other institutions.

Canada's Privacy Commissioner reports to Parliament and has authority to take cases to court and force companies to change their practices or award damages.
Investment Executive, 2 April 2007

Canada’s privacy commissioner, Jennifer Stoddart, released her office’s investigation on Monday of the Society for Worldwide Interbank Financial Telecommunication, a European-based financial co-operative, that supplies messaging services and interface software to a large number of financial institutions in more than 200 countries, including Canada.

In her report of findings, the commissioner confirmed that SWIFT is subject to the Personal Information Protection and Electronic Documents Act, Canada’s private sector privacy law, and that the organization did not contravene the Act when it complied with lawful subpoenas served outside the country and disclosed personal information about Canadians to foreign authorities. However, she emphasized that making use of existing information-sharing regimes, with built-in privacy protections, would allow for greater transparency for citizens.

Since her appointment, Stoddart has raised concerns about the personal information of Canadians flowing across borders. In her report, she stressed that organizations operating and connected in a substantial way to Canada are subject to PIPEDA and they must abide by the Act. “Simply because companies might operate in two or more jurisdictions does not relieve them of their obligations to comply with Canadian law,” said Ms. Stoddart.

It was alleged that SWIFT inappropriately disclosed to the U.S. Department of Treasury personal information originating from or transferred to Canadian financial institutions. Stoddart launched a commissioner-initiated investigation into the matter to determine if there was a breach of PIPEDA, the federal law that covers the collection, use and disclosure of personal information in the course of commercial activities.

Following September 2001, the UST began issuing subpoenas to SWIFT for certain data held in SWIFT’s U.S.-based operating centre. SWIFT obtained a series of privacy protections for the data it transferred to the UST.

In her report, the commissioner explained that PIPEDA allows an organization such as SWIFT to abide by the laws of other countries in which it operates. An organization that is subject to PIPEDA and that has moved personal information outside the country for business reasons may be required at times to disclose it to the legitimate authorities of that country. It is clear that in response to a valid subpoena issued by a court, person or body with jurisdiction to compel the production of information, an organization must disclose personal information and PIPEDA makes it permissible to comply with this obligation. The commissioner stressed that multi-national organizations must comply with the laws of those jurisdictions in which they operate.

Stoddart noted, however, that if U,S, authorities need to obtain information about financial transactions that have a Canadian component, they should be encouraged to use existing information mechanisms that have some degree of transparency and built-in privacy protections. Accordingly, she signalled her intent to ask Canadian officials to work with their U.S. counterparts to persuade them to use Canadian anti-money laundering and anti-terrorism financing mechanisms instead of the subpoena route.

“These alternate avenues would allow far greater Canadian involvement in the scrutiny of personal information and would better respect the value we give privacy protection,” said Stoddart. “Democratic societies must ensure that the fundamental rights and freedoms of the individual are respected to the extent possible, including the right to the protection of personal information.”

In addition to its investigation of SWIFT, the privacy commissioner’s office also received complaints against six Canadian financial institutions and conducted an investigation into their involvement in the matter.

The office reviewed the contractual documentation that exists between SWIFT and the banks, and concluded that the banks are meeting their obligations under the PIPEDA, noting that when an organization that contracts with a firm that operates both within and outside of Canada, it must respond to lawfully issued subpoenas in other jurisdictions as well as in Canada.

Moreover, she found that each of the banks has very clear language in their privacy policies. These policies inform customers that the banks may send their personal information out of the country for certain purposes and that while such information is out of the country, it is subject to the laws of the country in which it is held.