The Canadian Privacy Law Blog: Developments in privacy law and writings of a Canadian privacy lawyer, containing information related to the Personal Information Protection and Electronic Documents Act (aka PIPEDA) and other Canadian and international laws.
The author of this blog, David T.S. Fraser, is a Canadian privacy lawyer who practices with the firm of McInnes Cooper. He is the author of the Physicians' Privacy Manual. He has a national and international practice advising corporations and individuals on matters related to Canadian privacy laws.
Monday, November 30, 2009
The New York Times is reporting on an agreement reached between European ministers and the United States for restored access to information about bank transfers processed by the Society for Worldwide Interbank Financial Telecommunications (SWIFT). See: EU Clears Bank Data Transfers to United States - NYTimes.com.
There has been some coverage of this already on blogs, particularly the Brussels Blogger (SWIFT - EU to grant USA nearly unlimited access to all EU banking data). Much of the tone has suggested that wholesale transfers of information will take place with massive datamining operations to be set up, but take a look at the actual agreement between the US and Europeans. It's available at wikileaks: EU draft council decision on sharing of banking data with the US and restructuring of SWIFT, 10 Nov 2009 - Wikileaks.
The agreement doesn't contemplate wholesale, massive data downloads of the kind one would expect if the database were in the United States. Instead, targeted requests must be made and these are directed through European authorities rather than to SWIFT directly. There are covenants on the US side that it will not be used for data mining purposes and other privacy-protective promises. And, to top it off, the term of the agreement is one year so that it can be renegotiated if it's not working out.
While all of this needs to be examined with a critical eye and it's not perfect, the cynic in me was pleasantly surprised by the details of the agreement.
Friday, October 12, 2007
It appears that SWIFT is going to move its global data centre from the United States to Switzerland, to avoid having to deal with US fishing expeditions. See:
heise online - SWIFT puts EU data beyond the immediate reach of the US
The supervisory board of SWIFT has approved the plans for the restructuring of the systems architecture of the financial messaging network the outlines of which had been known for some time. The core of the realignment is the creation of a global data processing center in Switzerland. To this will be added a command-and-control center in Hong Kong. The first step toward the realization of the project that has now been approved by the supervisory board will involve the expansion of the central news platform of SWIFT, in an attempt to aid the setting up of several processing zones.
By engaging in the restructuring effort that is scheduled to be completed by the end of 2009 the financial messaging network based in Belgium is trying to accomplish a score of targets aimed at satisfying the desires of customers. Thus by preventing immediate access by US authorities to international transfer data -- as is currently the case via the network's computing center in the United States -- data privacy concerns are to be dispelled. In addition SWIFT hopes that the new message architecture will boost the processing capacity of the system, improve reliability, lower information transfer costs and, into the bargain, open up new business opportunities in general.
The financial messaging service intends to create two message processing zones: Europe and Transatlantic. The new global computing center would as a partner of the extant European data processing center, among other things, take on the mirror function of the current US facility, the organization declared. Transfer information belonging to the European zone would be processed and, if need be, stored there. The Swiss location would also process and store data emanating from the US center, it was said. "Messages within a zone will in future remain in their region of origin," SWIFT CEO Lázaro Campos said by way of explaining the new principle, which takes account to a greater degree of concerns voiced by data privacy watchdogs and members of the European Parliament and which will define the future modus operandi for the European Economic Area at least.
According to statements made by SWIFT the choice of Switzerland as the seat of its global data processing center was the result of a comprehensive survey of possible European locations. The decisive factors determining the choice of location had been the suitability of existing infrastructure, the availability of skilled staff and the presence of an appropriate framework of data privacy legislation, SWIFT noted. Switzerland had fulfilled these criteria to an outstanding degree, the organization observed. The financial messaging network has put the costs of the approved initiative at the one-off sum of 150 million euros. In addition some 50 jobs would be created in the European and Asian branches of SWIFT, it was said.
The network has managed to secure a safe harbor agreement for the existing data center in the United States that will stay in effect until the new Swiss computing center commences operations. The company has thus volunteered to abide in the US by data protection provisions that accord with European standards, allowing it thereby to benefit from the transatlantic safe harbor concept. A breach of the data protection provisions agreed to could in theory cause the Federal Trade Commission (FTC) to intervene. However, as the United States can on its territory order data to be handed over the seizure order of the US government remains in force for the time being. SWIFT has, however, assured its customers that it has implemented "unique protective measures" and has received "security guarantees" from the US government for the remaining period of time. These fulfilled the obligation to protect the privacy of customer data and the requirements of EU and US law, the organization stated. One of the most important data access restrictions was the one according to which the US Treasury Department was only given access to data that met specific search criteria in the context of a terror investigation, SWIFT explained. There was moreover a supervision regime in place when data requested by a US authority was made available to the authority in question, the organization added.
SWIFT processes international bank transfers with a volume of about 4.8 trillion euros every day. About 8,100 banks from 208 countries and regions are connected to the network. On its busiest day to date 13,663,975 bank transfer messages shot through SWIFT's data lines. Last year it emerged that US security authorities have access to SWIFT servers and are in a position to analyze the information that is being collected. Following the safe harbor assurances given by SWIFT the European Commission has given its blessing to the current financial-data access regime in the United States. In the US two customers of US banks have filed lawsuits alleging that bank transfer data of theirs was illegally passed on to security authorities by the network; the government for its part is trying to block these lawsuits. (Stefan Krempl)
For previous posts on this topic, see SWIFT.
Saturday, April 28, 2007
IT Business is running an article entitled SWIFT scandal exposes PIPEDA holes, in which the Privacy Commissioner of Canada and Philippa Lawson of the Canadian Internet Policy and Public Interest Clinic lament that PIPEDA allows the disclosure of personal information without consent in response to a foreign subpoena.
(For some background, see my previous posts on SWIFT.)
Is this a loophole or something that should be remedied? Certainly the European Union thinks that disclosing European info in this way is not OK.
I'm not sure there is really anything that can be done about this, other than to keep data out of jurisdictions with laws that you consider offensive. Certainly, we have seen that the EU and some Canadian provinces think that the USA Patriot Act is overbroad and a threat to privacy. Unlike some public sector laws in Canada, PIPEDA is completely silent with respect to the export of personal information. But if data is in a jurisdiction with a lawful power to compel the production of that information, the practical impact of a foreign law is virtually nil, particularly if the foreign law is as toothless as PIPEDA.
Practically speaking, the solution is really to keep those data warehouses out of those jurisdictions. While SWIFT is a European outfit, they had a data centre in the US that was within the lawful jurisdiction of the US authorities armed with subpoenas. As an international clearing system, it would obviously have to transmit some data back and forth between HQ and the US. But there doesn't seem to be any compelling argument to suggest that all that data should have been kept there.
Canada, with its European-accepted privacy laws, would have been an ideal place to locate the SWIFT data centre. Milliseconds from New York and Brussels, but a world away from the US as far as privacy laws go. Any international company doing business with personal information in the United States really should think about this. What SWIFT did may have been completely lawful in the US, but it certainly has caused more than its fair share of headaches and has opened it up to potential liability in the EU.
Monday, April 02, 2007
Canada's Privacy Commissioner has wrapped up her investigation of the SWIFT information sharing fuss and has concluded that SWIFT is subject to PIPEDA but did not violate the law when it handed over Canadian information in response to US subpoenas.
From the Commissioner:
News Release: Privacy Commissioner concludes investigation of SWIFT (April 2, 2007)
Privacy Commissioner concludes investigation of SWIFT
Ottawa, April 2, 2007 — The Privacy Commissioner of Canada, Jennifer Stoddart, today announced the conclusion of her Office’s investigation of the Society for Worldwide Interbank Financial Telecommunication (SWIFT), a European-based financial cooperative, that supplies messaging services and interface software to a large number of financial institutions in more than 200 countries, including Canada.
In her Report of Findings, made public today, the Commissioner confirmed that SWIFT is subject to the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada’s private sector privacy law, and that the organization did not contravene the Act when it complied with lawful subpoenas served outside the country and disclosed personal information about Canadians to foreign authorities. However, she emphasized that making use of existing information-sharing regimes, with built-in privacy protections, would allow for greater transparency for citizens.
Since her appointment, Ms. Stoddart has raised concerns about the personal information of Canadians flowing across borders. In her Report, the Commissioner stressed that organizations operating and connected in a substantial way to Canada are subject to PIPEDA and they must abide by the Act. “Simply because companies might operate in two or more jurisdictions does not relieve them of their obligations to comply with Canadian law,” said Ms. Stoddart.
It was alleged that SWIFT inappropriately disclosed to the US Department of Treasury (UST) personal information originating from or transferred to Canadian financial institutions. Ms. Stoddart launched a commissioner-initiated investigation into the matter to determine if there was a breach of PIPEDA, the federal law which covers the collection, use and disclosure of personal information in the course of commercial activities.
Following September 2001, the UST began issuing subpoenas to SWIFT for certain data held in SWIFT’s US-based operating centre. SWIFT obtained a series of privacy protections for the data it transferred to the UST.
In her Report, the Commissioner explained that PIPEDA allows an organization such as SWIFT to abide by the laws of other countries in which it operates. An organization that is subject to PIPEDA and that has moved personal information outside the country for business reasons may be required at times to disclose it to the legitimate authorities of that country. It is clear that in response to a valid subpoena issued by a court, person or body with jurisdiction to compel the production of information, an organization must disclose personal information and PIPEDA makes it permissible to comply with this obligation. The Commissioner stressed that multi-national organizations must comply with the laws of those jurisdictions in which they operate.
The Commissioner noted, however, that if US authorities need to obtain information about financial transactions that have a Canadian component, they should be encouraged to use existing information mechanisms that have some degree of transparency and built-in privacy protections. Accordingly, she signaled her intent to ask Canadian officials to work with their US counterparts to persuade them to use Canadian anti-money laundering and anti-terrorism financing mechanisms instead of the subpoena route.
“These alternate avenues would allow far greater Canadian involvement in the scrutiny of personal information and would better respect the value we give privacy protection,” said Ms. Stoddart. “Democratic societies must ensure that the fundamental rights and freedoms of the individual are respected to the extent possible, including the right to the protection of personal information.”
In addition to its investigation of SWIFT, the Privacy Commissioner’s Office also received complaints against six Canadian financial institutions and conducted an investigation into their involvement in the matter.
The Office reviewed the contractual documentation that exists between SWIFT and the banks, and concluded that the banks are meeting their obligations under PIPEDA, noting that when an organization contracts with a firm that operates both within and outside of Canada, it must respond to lawfully issued subpoenas in other jurisdictions as well as in Canada, and PIPEDA permits this.
Moreover, she found that each of the banks has very clear language in their privacy policies. These policies inform customers that the banks may send their personal information out of the country for certain purposes and that while such information is out of the country, it is subject to the laws of the country in which it is held.
The Privacy Commissioner of Canada is mandated by Parliament to act as an ombudsman, advocate and guardian of the privacy and protection of personal information rights of Canadians.
Tuesday, January 30, 2007
In the wake of the SWIFT privacy scandal, the European parliament will be debating the scandal, European data protection laws and broader issues of access to personal data. Should be interesting to watch:
theparliament.com - EU parliament debates personal data rules
MEPs are this week expected to intensify pressure on the European commission to act over the controversial Swift case.
In November, an independent panel found that the Belgian-based money transfer company Swift had breached EU privacy laws by secretly giving personal financial data to the US authorities.
Swift denied breaking the law, saying it was subpoenaed to give limited data for use in the fight against terrorism.
On 31 January, in the first Brussels parliamentary plenary of the year, deputies will debate the issue of current personal data legislation and table a series of questions to the commission on the Swift case.
Included in the list of questions is a demand to know whether the commission is aware of any other requests to private companies to make their data available to the US.
MEPs also want to know what action the commission intends to take given that access to data handled by Swift makes it possible to get information on the economic activities of individuals and businesses.
The ongoing row involving Swift, which handles 11 million transactions a day, could further exacerbate tensions between the EU and the US over the use of personal flight data in the fight against terrorism.
The EU and US recently resolved a long-running dispute over the issue and are confident of reaching an agreement on passenger name records (PNR).
US negotiator Michael Chertoff and his EU counterpart Wolfgang Schauble said at the weekend that despite continued differences of opinion on the use of the personal data they were confident of reaching a deal by July.
Some MEPs, however, are currently raising concerns which they would like the commission to take on board when the executive alone negotiates a new agreement with the US.
The plenary, though, will be urged by British Conservative MEP Timothy Kirkhope to back the deal brokered by the EU and US.
"Some of these concerns are warranted but the most important thing to adopt are appropriate air safety and anti-terrorism measures and provide certainty for the airlines, while also ensuring that data protection norms are respected," Kirkhope said.
Thursday, November 23, 2006
According to the Associated Press, a panel of EU privacy regulators has found that SWIFT violated European privacy laws by handing over SWIFT data to the US. See: EU panel: SWIFT broke data privacy laws.
Friday, October 13, 2006
Swiss Data Protection authorities have found that Swiss banks, usually known for their emphasis on privacy, broke that country's data protection laws for not telling clients that their information could be obtained by third parties via the banks' use of SWIFT. See: Official: Swiss Banks Broke Privacy Law: Financial News - Yahoo! Finance.
Tuesday, October 03, 2006
The Office of the Belgian Privacy Commissioner has released its report into the subpoena of large quantities of transactional data from the inter-bank SWIFT system: here.
On the basis of her general investigation, the Commission is of the opinion that
- The DPL is applicable to the exchange of data via the SWIFTNet FIN service;
- SWIFT and the financial institutions bear joint responsibility in light of the DPL for the processing of personal data via the SWIFTNet FIN service;
- SWIFT is a data controller of the personal data which are processed via the SWIFTNet FIN service;
- The financial institutions are data controllers as they co-determine the objective and the means to perform payment instructions in the inter-bank traffic. The financial institutions in particular, at an inter-bank level, choose to process financial messages with regard to these payment messages via the SWIFTNet Fin service;
- As far as the normal processing of personal data in the framework of the SWIFTNet FIN service is concerned, SWIFT should have complied with its obligations under the DPL, amongst which, the duty to provide information, the notification of the processing and the obligation to provide an appropriate level of protection conform to articles 21 § 2 of the DPL;
- As far as the communication of personal data to the UST is concerned, the Commission is of the opinion that SWIFT finds itself in a conflict situation between American and European law and that SWIFT at the least committed a number of errors of judgement when dealing with the American subpoenas. It must be considered a serious error of judgement on the part of SWIFT to subject a massive quantity of personal data to surveillance in a secret and systematic manner for years without effective grounds for justification and without independent control in accordance with Belgian and European law;
- In this context SWIFT should from the beginning have been aware that, apart from the application of American law, also the fundamental principles under European law must be complied with, such as the principle of proportionality, the limited storage period, the principle of transparency, the requirement for independent control and the requirement for an appropriate level of protection. These requirements are indeed formulated in the second paragraph of article 8 of the ECHR, Treaty no. 108, the Directive 95/46/EC and the DPL and are applicable to SWIFT. The Commission also refers to the international precedent in the PNR-case. The authorities competent in data protection (the Commission, its peers and the European Commission) should have been informed from the beginning, which would have made it possible to work out a solution at European level for the communication of personal data to the UST, with respect for the above-mentioned principles which apply under European law. For this purpose, the Belgian government could have been asked for an initiative at European level.
Considering the complexity of the issue and its importance, the Commission remains available to issue further guidance.
(signed) Jo BARET, the Vice-President, in the absence of the President
Friday, July 28, 2006
The Canadian Internet Policy and Public Interest Clinic has filed a complaint with the Privacy Commissioner against the Big Six Canadian banks over the disclosure of information by the international, inter-bank clearinghouse SWIFT. (Via Michael Geist.)
According to previous reports, the Commissioner is already on the case (Canadian Privacy Law Blog: Canadian Commissioner investigates whether Canadian banking records were reviewed by the CIA).
Monday, July 24, 2006
According to Open and Shut, the Australian Privacy Foundation is pressing that country's Privacy Commissioner to investigate US review of SWIFT interbank transfer information, as the Canadian Commissioner is currently doing. See: Open and Shut: Australian Privacy Foundation calls for inquiry into US SWIFT monitoring.
Wednesday, June 28, 2006
The Privacy Commissioner of Canada is investigating whether banking records of Canadians were reviewed by US authorities as part of their sweep of the SWIFT database (for some background: Canadian Privacy Law Blog: US reviews international financial database):
CTV.ca | CIA may have accessed Cdn. banking records:
Canada's privacy commissioner is investigating whether United States officials have improperly received the banking records of Canadians.
The Toronto Star reports the investigation is also trying to determine if the Central Intelligence Agency was given unauthorized access to the confidential files.
"This is something we're looking into," Anne-Marie Hayden, spokesperson for the privacy commissioner's office, told the newspaper.
"Any time personal information of Canadians is obtained by a foreign government in circumstances that may not provide the same privacy protections that exist in Canada, we have concerns."
On Tuesday, a human rights group filed formal complaints in 32 countries, including Canada, against a Brussels-based banking consortium for providing the U.S. with confidential information about international money transfers, the International Herald Tribune reported.
The London-based Privacy International alleges the Society for Worldwide Interbank Financial Telecommunication, or SWIFT, has violated rules in numerous jurisdictions by handing over the data....
Monday, June 26, 2006
The New York Times reported on Friday that in the days following the September 11, 2006 attacks, the United States subpoenaed the entire database of SWIFT, the international inter-bank transfer settlement organization. This database would contain the records of a vast quantity of international money movements, most of them legitimate. What started as an urgent and temporary measure has since become institutionalized without any congressional approval or oversight. Searches of the database are said to be targeted with justification required, but it is but a short hop to fishing expeditions. What is also troubling is that a large quantity of these transactions have no connection whatever to the United States, but the US government is able to compel their production from a Belgian cooperative. See: Bank Data Is Sifted by U.S. in Secret to Block Terror - New York Times.
The Canadian Privacy Law Blog is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 2.5 Canada License.