The Privacy Commissioner of Canada (Commissioner) has found that six Canadian banks did not contravene federal privacy law by disclosing their customers' personal information to the Society for Worldwide Interbank Financial Telecommunication (SWIFT), a financial industry-owned messaging and transaction-handling cooperative based in Belgium. The ruling contrasts with the findings of some EU data protection commissioners who have concluded that SWIFT breached their respective data protection laws.

The Commissioner had received a complaint against the banks as a result of the disclosures by SWIFT of Canadian customers' personal financial information to US authorities under subpoenas issued by the US Treasury Department. The complaint specifically alleged that: (i) Canadian banks remained responsible under the Personal Information Protection and Electronic Documents Act (PIPEDA) for the personal information subsequently disclosed to US authorities; (ii) these disclosures occurred outside approved processes and were not reasonably appropriate; and (iii) the exceptions for disclosure without consent did not apply, as the subpoenas were overly broad and made by a foreign authority, which did not constitute a "government institution" under PIPEDA.

The Commissioner found that the banks had adopted "highly-sophisticated and elaborate" contractual and other security measures to ensure that personal information disclosed to or through SWIFT was subject to a level of protection comparable to that afforded in Canada, and that the banks could not prevent organizations with whom they contract from responding to lawfully-issued foreign subpoenas. She concluded that the complaint was not well-founded.

The Commissioner addressed the purpose of the disclosures and the lack of consent, both raised in the above complaint, in a separate Report of Findings in response to a Commissioner-initiated complaint against SWIFT. She found that SWIFT's disclosure to the US Treasury Department was appropriate in the circumstances, and that a reasonable person would expect SWIFT to abide by a legitimate subpoena served on it in a jurisdiction in which it operates. She concluded that multi-national organizations must comply with the laws of those jurisdictions in which they operate and that SWIFT was allowed to respond to a valid subpoena issued in the United States and to disclose the personal information without consent under s. 7(3)(c) of PIPEDA.

For PIPEDA Case Summary #365, visit: http://www.privcom.gc.ca/cf-dc/2007/365_20070402_e.asp

For the extensive text of the Commissioner's Report of Findings, visit: http://www.privcom.gc.ca/cf-dc/2007/swift_rep_070402_e.asp

Summary by: Jason Young

E-TIPS® ISSUE

07 04 11

Disclaimer: This Newsletter is intended to provide readers with general information on legal developments in the areas of e-commerce, information technology and intellectual property. It is not intended to be a complete statement of the law, nor is it intended to provide legal advice. No person should act or rely upon the information contained in this newsletter without seeking legal advice.

E-TIPS is a registered trade-mark of Deeth Williams Wall LLP.