Federal Privacy Commissioner Says 'YES' to Outsourcing

The federal Privacy Commissioner has found that a Canadian bank that outsourced the processing of credit card transactions to a US-based service provider complied with the requirement to provide a "comparable level of protection" under the Personal Information Protection and Electronic Documents Act (PIPEDA). A number of customers of the Canadian Imperial Bank of Commerce had filed complaints with the Commissioner in response to the bank's outsourcing of their personal information to the United States, where they feared it would be subject to scrutiny by US authorities under the USA PATRIOT Act. The Commissioner acknowledged that the privacy implications of anti-terrorism legislation and outsourcing must continue to be the focus of public debate. Nevertheless, she found that regardless of the contractual measures an international outsourcer took, it could not prevent its customers' personal information from being lawfully accessed under a foreign jurisdiction's domestic laws. Further, she found that there was a "comparable legal risk" under Canadian and US law that Canadians' personal information could be obtained by government agencies through provisions of either nation's laws. For PIPEDA Case Summary #313, visit: http://pco313.notlong.com For the text of PIPEDA, see: http://laws.justice.gc.ca/en/P-8.6/ Summary by: Jason Young