Findings under the Personal Information Protection and Electronic Documents Act (PIPEDA)
PIPEDA Case Summary #2005-313
Bank's notification to customers triggers PATRIOT Act concerns
(Principles 4.1.3 and 4.8)
The Office of the Privacy Commissioner of Canada received a number of complaints after the Canadian Imperial Bank of Commerce (the CIBC) sent a notification to its VISA customers in the fall of 2004, amending its credit cardholder agreement. The notification referred to the use of a service provider located in the United States and the possibility that U.S. law enforcement or regulatory agencies might be able to obtain access to cardholders' personal information under U.S. law.
The allegations made by the complainants can be summarized as follows:
- That as a condition of service, CIBC was requiring VISA customers to consent to the disclosure of their personal information to U.S. regulatory authorities;
- That they were being required to share their personal information with a U.S.-based company as a condition of service;
- That they were being required to consent to overly broad collection practices;
- That the CIBC would not allow them to opt out of having their personal information sent to the third-party service provider; and
- That the bank was not properly safeguarding their personal information.
While each complainant raised slightly different issues, all complainants primarily objected to the possible scrutiny of their personal information by U.S. authorities within the context of foreign intelligence gathering.
The Privacy Commissioner of Canada has gone on record stating that the privacy implications of anti-terrorism legislation and outsourcing need to be the focus of continued public debate. The central issue to be decided in these complaints, however, was whether the bank acted in accordance with its obligations under the Personal Information Protection and Electronic Documents Act (the Act).
Summary of Investigation
In September 2004, the complainants received a Notice of Changes to their CIBC VISA cardholder agreement. The section that was of particular concern stated in part:
I acknowledge that in the event that a Service Provider is located in the United States, my information may be processed and stored in the United States and that United States governments, courts or law enforcement or regulatory agencies may be able to obtain disclosure of my information through the laws of the United States....
I acknowledge and agree that the ... paragraphs above constitute prior written notice to me of, and my consent to the collection, use and disclosure of my personal information as described above....
Outsourcing of financial services to the United States
The CIBC states that, as part of the process of updating its credit card portfolio, it decided to provide further information to customers about the processing and storing of information in the United States. Since 1994, the CIBC has maintained a business relationship with a U.S.-based data processing company. CIBC's third-party service provider has software that facilitates the authorization of payment transactions, risk assessment and fraud monitoring. All of the personal information that approved credit cardholders provide is entered into the third-party service provider's system, and is available to CIBC employees who interact with the cardholder regarding account information, disputes over charges, and any collection activity.
Subsection 245(1) of the Bank Act requires banks to maintain and process in Canada any information or data relating to the preparation and maintenance of bank records, including customer account records. Banks can be exempted from this requirement but they must apply for and receive the approval of the Office of the Superintendent of Financial Institutions (OSFI). OSFI deals with an application for approval from a bank on its merits, and without this approval, the bank cannot proceed with its outsourcing arrangement. The CIBC has received OSFI approvals for its business relationship with the third-party service provider six times — most recently in 2002.
OSFI issues guidelines to all federally regulated entities regarding their outsourcing practices. These guidelines specifically identify confidentiality and the security of information as key considerations in an outsourcing arrangement, and outline OSFI's requirement that banks undertake a due diligence process that fully assesses all risks associated with the outsourcing arrangement and ensures compliance with all applicable regulatory requirements. The guidelines state, in part:
In selecting a service provider, or renewing a contract or outsourcing arrangement, FREs (federally regulated entities) are also expected to undertake a due diligence process that fully assesses the risks associated with the outsourcing arrangement, and addresses all relevant aspects of the service provider, including qualitative (i.e., operational) and quantitative (i.e., financial) factors... when out-of-Canada outsourcing is being contemplated, the FRE should pay particular attention to the legal requirements of that jurisdiction, as well as the potential foreign political, economic and social conditions, and events that may conspire to reduce the foreign service provider's ability to provide the service, as well as any additional risk factors that may require adjustment to the risk management program.
The Office reviewed CIBC's contract with the U.S.-based third-party service provider. It sets out detailed requirements regarding the safeguarding, confidentiality and security of customer account information. The contract affirms that CIBC owns the data that is processed by the service provider, that the service provider is to maintain safeguards to protect that data, and that the CIBC retains a right of access and audit. The third-party provider's security policy includes administrative, technical and physical protections to safeguard against, inter alia, unauthorized usage, modification, copying, accessing or other unauthorized processing of CIBC data. The policy is designed with the objectives of ensuring the security and confidentiality of all records and data, protecting against anticipated threats or hazards to the security or integrity of information, and protecting against unauthorized access to or use of information. The policy incorporates various guidelines, including the European Union Data Directive, VISA Association guidelines, and others.
CIBC controls the destruction of the data and manages all aspects of its relationship with its customers. All information and data transmitted between CIBC and the service provider is encrypted and transmitted through a dedicated transmission line. OSFI has a right to audit, inspect, and monitor the provision of services. There are also contractual controls with respect to the subcontracting of services and audits.
Access of U.S. authorities to personal information of Canadian residents
The possibility of U.S. authorities accessing Canadians' personal information has been raised frequently since the passage of the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act, 2001 (USA PATRIOT Act). Prior to the passage of this Act, U.S. authorities were able to access records held by U.S.-based firms relating to foreign intelligence gathering in a number of ways.
What has changed with the passage of USA PATRIOT Act is that certain U.S. intelligence and police surveillance and information collection tools have been expanded, and procedural hurdles for U.S. law enforcement agencies have been minimized. Under section 215 of the USA PATRIOT Act, the Federal Bureau of Investigation (FBI) can access records held in the United States by applying for an order of the Foreign Intelligence Surveillance Act Court. A company subject to a section 215 order cannot reveal that the FBI has sought or obtained information from it.
The risk of personal information being disclosed to government authorities is not a risk unique to U.S. organizations. In the national security and anti-terrorism context, Canadian organizations are subject to similar types of orders to disclose personal information held in Canada to Canadian authorities. Despite the objections of the Office of the Privacy Commissioner, the Personal Information Protection and Electronic Documents Act has been amended since the events of September 11th, 2001, so as to permit organizations to collect and use personal information without consent for the purpose of disclosing this information to government institutions, if the information relates to national security, the defence of Canada or the conduct of international affairs.
In addition to these measures, there are longstanding formal bilateral agreements between the U.S. and Canadian government agencies that provide for mutual cooperation and for the exchange of relevant information. These mechanisms are still available.
Issue of consent
With respect to the Notice, the bank's view was that it was prudent to confirm cardholder consent to the sharing of information with a U.S.-based service provider since the bank was unsure whether any of the exceptions to consent set out in the Act would apply, in the event that customer information held by the bank's third-party processor was accessed by U.S. authorities.
Based on the language of the Notice ("I acknowledge and agree that the ... paragraphs above constitute prior written notice to me of, and my consent to the collection, use and disclosure of my personal information as described above..."), some of the complainants concluded that they had the right to opt out of this use of their personal information.
In the section of the Notice entitled "Privacy Issues," two paragraphs deal with privacy issues. One describes the information that CIBC collects, and a second states, in part:
My information may be used and disclosed in accordance with CIBC's privacy policies, as set out in its brochure "Your Privacy is Protected"...
We examined the privacy brochure in question. It includes a section that outlines CIBC's practices with regard to the sharing of information with third parties. It states, in part:
We don't share information about you within the CIBC group, or release it to anyone outside of the CIBC group, without your consent. For example, we give information to a credit bureau only with your consent.
There are some exceptions to the above rules. For example, we may collect, use or disclose information without your consent if we:
Use an outside company to process information.
At times we may use the expertise of an outside company to do work for us involving some of your information — for example, the printing of cheque books. When we do, we select the company carefully and confirm that it uses security standards comparable to those of CIBC.
The language of the privacy brochure would appear to advise customers that they do not have the right to opt out where CIBC uses an outside company to process personal information. CIBC has confirmed that there is no right to opt out in this situation.
Issued October 19, 2005
Application: Principle 4.1.3 of Schedule 1 states that an organization is responsible for personal information in its possession or custody, including information that has been transferred to a third party for processing. The organization shall use contractual or other means to provide a comparable level of protection while the information is being processed by a third party. Principle 4.8 provides that an organization shall make readily available to individuals specific information about its policies and practices relating to the management of personal information.
The Assistant Privacy Commissioner recognized that many Canadians are concerned about the flow of their personal information outside of our country's borders and its accessibility by foreign governments. In order to determine whether these complaints are founded or not, however, it is the obligations imposed by the Act on Canadian-based organizations, and how well CIBC met them, that are the primary considerations.
In making her determinations, she deliberated as follows:
- While the Act does not prohibit the use of foreign-based third-party service providers, it does oblige Canadian-based organizations to have provisions in place, when using third-party service providers, to ensure a comparable level of protection.
- In keeping with its obligations under Principle 4.1.3 of the Act and in accordance with OSFI's guidelines (which are also consistent with this Principle), CIBC has in place a contract with its third-party service provider that provides guarantees of confidentiality and security of personal information.
- The contract allows for oversight, monitoring, and an audit of the services being provided. CIBC maintains custody and control of the information that is processed by the third-party service provider.
- The Assistant Commissioner noted, however, that while customer personal information is in the hands of a foreign third-party service provider, it is subject to the laws of that country and no contract or contractual provision can override those laws.
- In short, an organization with a presence in Canada that outsources the processing of personal information to a U.S. firm cannot prevent its customers' personal information from being lawfully accessed by U.S. authorities.
- Furthermore, even if one were to consider the issue of "comparable protection" from the perspective of U.S. versus Canadian anti-terrorism legislation, it was clear to the Assistant Commissioner that there is a comparable legal risk that the personal information of Canadians held by any organization and its service provider — be it Canadian or American — can be obtained by government agencies, whether through the provisions of U.S. law or Canadian law.
- The Assistant Commissioner therefore determined that CIBC was in compliance with Principle 4.1.3.
- She went on to reaffirm this Office's publicly stated position: that, at the very least, a company in Canada that outsources information processing to the United States should notify its customers that the information may be available to the U.S. government or its agencies under a lawful order made in that country.
- In keeping with this direction, CIBC notified its customers of the risk that their personal information might be accessed under the provisions of the USA PATRIOT Act whilst in the hands of a U.S.-based third-party service provider.
- Thus, by providing such information, the bank was informing its customers about its policies and practices related to the management of their personal information, in accordance with Principle 4.8.
- In the Assistant Commissioner's view, the real concern underlying these complaints is the prospect of a foreign government accessing Canadians' personal information.
- She concluded, however, that the Act cannot prevent U.S. authorities from lawfully accessing the personal information of Canadians held by organizations in Canada or in the United States, nor can it force Canadian companies to stop outsourcing to foreign-based service providers. What the Act does demand is that organizations be transparent about their personal information handling practices and protect customer personal information in the hands of foreign-based third-party service providers to the extent possible by contractual means. This Office's role is to ensure that organizations meet these requirements. In the case of these complaints, these requirements have been met.
The Assistant Commissioner therefore concluded that these complaints were not well-founded.
The bank's notice of amendment of the cardholder agreement triggered complaints to the Office, many of which centred on the complainants' views that they could opt out of having their information sent to the U.S. or that they were being required to consent to the sharing of their personal information with the U.S. government.
CIBC's third-party service provider is offering services (data processing to maintain an account) that are directly related to the primary purposes for which customers provided their personal information (to obtain a credit card). This Office has taken the position that companies are not required to provide customers with the choice of opting out where the third-party service provider is offering services directly related to the primary purposes for which the personal information was collected. A customer provides consent to the primary uses of personal information when he or she initially signs the application form or when he or she continues to use the service after being advised of substantive changes to the service agreement.
Principle 4.3 requires organizations to obtain the meaningful consent of an individual to its actual and proposed collection, use and disclosure practices. CIBC was not, however, proposing to release customer information to U.S. regulatory authorities, nor was it proposing that its U.S.-based data processor do so. Similarly, CIBC was not notifying customers that it was collecting, using or disclosing more personal information than before, nor was it requiring customers to consent to the collection of their personal information by U.S. authorities as a condition of service. It was clear to the Assistant Commissioner that it was notifying customers of the risk that their personal information could be lawfully accessed by U.S. authorities because of where it is processed. In short, CIBC was making information available to its customers about its policies and practices related to the management of personal information.
The Assistant Commissioner was of the view that CIBC's notification did not offend any provisions of the Act. The bank took the appropriate step of being transparent about its practices of using a U.S.-based third-party service provider for processing and about the possible risk that customer personal information might be lawfully accessed by U.S. authorities.
She nevertheless encouraged CIBC to review the language of its cardholder agreements to ensure that its customers clearly understand that they do not have the right to opt out of having their personal information processed by a third-party service provider.