Findings under the Personal Information Protection and Electronic Documents Act (PIPEDA)
Privacy Commissioner of Canada v. SWIFT
April 2, 2007
On June 23, 2006, an article appeared in the New York Times (and elsewhere), alleging that the US Department of the Treasury (UST) used administrative subpoenas to access tens of thousands of records from SWIFT SCRL (Society for Worldwide Interbank Financial Telecommunication). After determining the extent to which it could get involved, the Privacy Commissioner of Canada launched an investigation. It was alleged that SWIFT inappropriately disclosed to the UST personal information originating from or transferred to Canadian financial institutions.
SWIFT supplies messaging services and software to over 7,900 financial institutions in more than 200 countries. The messages are usually used for cross-border payments, securities clearing and settlement, and treasury and trade services. Some messages contain personal information, such as name, address, account number and amount of transfer. All are stored on databases that are mirrored in both Europe and the United States.
Following September 2001, the UST began issuing subpoenas to SWIFT for certain data held in SWIFT’s US-based operating centre. SWIFT confirmed that personal information originating from or transferred to Canadian financial institutions was likely included in data handed over to the UST. SWIFT obtained a series of privacy protections for the data it transferred, which limited the purpose for the data and the amount of data transferred, and gave SWIFT the right to audit and monitor UST compliance with this arrangement. The Commissioner reviewed these protections and was satisfied that SWIFT ensured that the UST abided by them.
The Commissioner determined that SWIFT was subject to the Personal Information Protection and Electronic Documents Act. She noted that SWIFT operates in Canada; collects personal information from and discloses it to Canadian banks as part of a commercial activity; and charges a fee to the banks for providing this service. Fourteen of its shareholders are Canadian, and one of its Directors is from a Canadian bank. While acknowledging that SWIFT’s operations in Canada make up only a small percentage of the organization’s global business operations, the Commissioner noted that SWIFT has a significant presence here. The vast majority of international transfers involving personal information flowing to or from Canadian financial institutions use the SWIFT network.
As for compliance, the Commissioner determined that SWIFT had not contravened the Act when it disclosed personal information to the UST. The Act allows an organization such as SWIFT to abide by the legitimate laws of other countries in which it operates, and an organization may disclose personal information without knowledge or consent in response to a subpoena issued by a court, person or body with jurisdiction to compel the production of information. Recognizing that multi-national organizations must comply with the laws of those jurisdictions in which they operate, she reasoned that an organization that is subject to the Act and that has legitimately moved personal information outside the country for business reasons may be required at times to disclose it to the legitimate authorities of that country. The Commissioner therefore found that the exception to consent that allows for such disclosures applied.
She stressed, however, that organizations operating in and connected in a substantial way to Canada are subject to the Act. If organizations cross into Canada to collect, use or disclose personal information, they must abide by the Act. Simply because an organization might operate in two or more jurisdictions will not relieve it of its obligations to comply with Canadian law. For example, while it is permissible for SWIFT in this case to disclose data held in the US to the UST, the Act would still operate to prohibit the non-consensual disclosure of the personal information held by SWIFT in another country to a data broker or marketing firm operating in that country.
The Commissioner commented on the various avenues already available to fight terrorism, such as anti-money laundering/anti-terrorism financing legislation, information-sharing arrangements between financial intelligence agencies in Canada and the US, and evidence-sharing agreements.
She noted that if US authorities need to obtain information about financial transactions that have a Canadian component, they should be encouraged to use existing information-sharing mechanisms that have some degree of transparency and built-in privacy protections. Accordingly, the Commissioner signaled her intent to ask Canadian officials to work with their US counterparts to persuade the US to use its anti-money laundering/anti-terrorism financing regime instead of the subpoena route.
She noted that these alternate avenues would allow far greater Canadian involvement in the scrutiny of personal information, and would better respect the value we give privacy protection. Echoing her European counterparts’ comments, the Commissioner noted that democratic societies must ensure that the fundamental rights and freedoms of the individual are respected, including the right to the protection of personal information.