Canadian-based company shares customer personal information with U.S. parent

PIPEDA Case Summary #2006-333

(Principles 4.1.3 and 4.8 of Schedule 1)

The Office of the Privacy Commissioner of Canada received complaints from two individuals concerning their security system provider.  The complainants felt that the company was using an inappropriate form of consent with respect to its practice of sharing customer personal information with its U.S.-based parent company.  Both complainants also expressed concern about the possibility of their personal information being accessed by U.S. law enforcement officials as a result of the passage of the USA PATRIOT Act.

The Assistant Privacy Commissioner determined that the company was not required to obtain the consent of its customers in this instance and that the type of consent used was therefore moot.  She noted, with approval, that the company had taken the appropriate step of informing its customers about its personal information practices and was satisfied that the parent company adhered to the same level of data protection as the Canadian company.  As for the trans-border issue, the Assistant Commissioner reiterated the comments made in an earlier finding about the same matter.

The following is a detailed overview of the investigation and findings.

Summary of Investigation

In October 2004, the security system company advised its Canadian customers of its intention to share customer contact information with its U.S. parent, under certain limited circumstances.  The notification indicated that the company had built a North American monitoring network that integrated customer monitoring centres (CMCs) in Canada and the United States.  The notification stated that if there is a catastrophic event such as an ice storm or power outage that overwhelms a Canadian-based customer monitoring centre, incoming alarm signals can be routed to another monitoring centre located in North America. 

According to the company, the only personal information shared with a U.S.-based monitoring centre is information needed to provide monitoring and security services, such as the customer’s home or business address, phone number and emergency contact list.  There is no sharing of financial or credit information. 

The notification indicated that customers who did not want their information shared with the U.S. company could choose to opt out of this practice by contacting their local sales and service office prior to a specified date.  It added that, “in the absence of any notification on your part in this regard we will act upon your consent and proceed accordingly.”

Out of approximately 389,000 notices sent out, 3000 Canadian customers requested that their information not be shared with the U.S. company.  In those cases, the Canadian company “partitioned” the accounts for those customers, which means that the alarm signals coming from the homes of those customers will be managed exclusively by the Canadian CMCs.

The company indicated that in recent years it has undertaken an initiative to improve the technology infrastructure of its monitoring operations.  It has built a number of CMCs in the United States and in Canada.  It chose to link the Canadian-based CMCs with their U.S. counterparts in order to increase customer service levels and to reduce recovery times during surges of alarm signal activity or during operational interruptions.  The company stated that all of the CMCs, whether in Canada or the United States, use the same technology, operating systems, processes and procedures.

The company provided examples of situations where the ability of a Canadian-based CMC to provide efficient customer service might be compromised, such as harsh winter conditions.  It stated that its ability to route alarm and emergency calls to a U.S.-based CMC enhances the customer service that it is contracted by the customer to provide.

In the company’s view, the sharing of customer personal information in these circumstances does not qualify as a “disclosure” under the Personal Information Protection and Electronic Documents Act.  It stated that it is outsourcing part of the services that it provides to its U.S.-based parent company, in a manner that is consistent with the legislation.  The company contended that consent is not required in these circumstances.  The services provided by the U.S. company are integral to the services offered by Canadian one.

While the company believed that it is not required to obtain consent, it chose to provide its Canadian customers with the option of maintaining a reduced level of service should they not want their personal information shared with its U.S. parent.  In the company’s view, the opt-out approach that it chose is appropriate.  Customers are being invited to choose between two levels of service: an enhanced level is available if their personal contact information is shared with the U.S. company; or their current level of service is maintained if they choose to restrict the sharing of their personal information to a Canadian-based CMC.  The “deemed consent” that the company sought through its notification relates to service levels and is not a new use or proposed disclosure of personal information.

The company also provided the Office with detailed information regarding the security measures in place at its U.S. parent to safeguard the personal information of customers. 

The possibility of U.S. authorities accessing Canadians’ personal information has been raised frequently since the passage of the USA PATRIOT Act.  Prior to the passage of this Act, U.S. authorities were able to access records held by U.S.-based firms relating to foreign intelligence gathering in a number of ways. 

What has changed with the passage of the USA PATRIOT Act is that certain U.S. intelligence and police surveillance and information collection tools have been expanded, and procedural hurdles for U.S. law enforcement agencies have been minimized.  Under section 215 of the USA PATRIOT Act, the Federal Bureau of Investigation (FBI) can access records held in the United States by applying for an order of the Foreign Intelligence Surveillance Act Court.  A company subject to a section 215 order cannot reveal that the FBI has sought or obtained information from it. 

The risk of personal information being disclosed to government authorities is not a risk unique to U.S. organizations.  Indeed, in the national security and anti-terrorism context, Canadian organizations are subject to similar types of orders to disclose personal information held in Canada to Canadian authorities. 

In addition to these measures, there are formal bilateral agreements between the U.S. and Canadian government agencies that provide for mutual cooperation and for the exchange of relevant information.  These mechanisms are still available.

Findings

Issued May 11, 2006

Application: Principle 4.1.3 states that an organization is responsible for personal information in its possession or custody, including information that has been transferred to a third party for processing.  The organization shall use contractual or other means to provide a comparable level of protection while the information is being processed by a third party.  Principle 4.8 provides that an organization shall make readily available to individuals specific information about its policies and practices relating to the management of personal information.

In making her determinations, the Assistant Privacy Commissioner deliberated as follows:

• With respect to the issue of the appropriateness of the type of consent the Canadian company was using, the Assistant Commissioner was of the view that the company was not required to obtain the consent of its customers in this instance. 
• When they signed up for service, customers consented to providing personal information to the Canadian company for its services.  The company is now transferring this information to its parent to ensure service in case of interruption. 
• The Assistant Commissioner noted that the information is therefore still being used for the same purpose, the difference being that another organization may provide part of that service if there is an interruption in the service provided by Canadian CMCs.  The Canadian company is not proposing to use this information for a purpose that is different from the one the customer already consented to.  Thus, the Assistant Commissioner was of the view that asking for the customer’s consent again was not required, and the question about the type of consent used by the Canadian company was moot. 
• She noted that the Canadian company nevertheless offered customers the option of a reduced service if they did not want the enhanced level of service that is available when their personal information is transferred to the U.S company. 
• Given that the company sent out a notification explaining what it was doing with customers’ personal information, the Assistant Commissioner was satisfied that the company met its obligations under Principle 4.8 to make readily available to individuals specific information about its policies and practices relating to the management of personal information.  
• Although the Assistant Commissioner was satisfied that the Canadian company was not disclosing customer personal information or using it for a new purpose, she nevertheless noted that the Canadian company still had obligations with respect to the protection of customer personal information.  She referred to Principle 4.1.3, under which an organization is required to use contractual or other (her emphasis) means to provide a comparable level of protection when information is transferred to a third party for processing. 
• As this was an example of information-sharing between a parent company and an affiliate, a separate contract between the two parties was not necessary.  What was required, the Assistant Commissioner noted, was that both companies adhere to the same levels of data protection. 
• After reviewing its representations, it was clear to the Assistant Commissioner that the U.S. company had in place a closed private network and a comprehensive strategy and techniques to safeguard the personal information of its customers. 
• The Assistant Commissioner therefore determined that the Canadian company’s practices met the obligations outlined in Principle 4.1.3, in that it used “other means” to provide a comparable level of protection of customer personal information.

Accordingly, she concluded that the complaints were not well-founded.

Further Considerations

Echoing the comments made in an earlier summary regarding the implications of cross-border dissemination of personal information, the Assistant Commissioner noted that while customer personal information is in the hands of a foreign third-party service provider, it is subject to the laws of that country and no contract or contractual provision can override those laws.  In short, an organization with a presence in Canada that shares customer personal information with its U.S. parent cannot protect its customers’ personal information from being lawfully accessed by U.S. authorities. 

Furthermore, she stated that even if one were to consider the issue of “comparable protection” from the perspective of U.S. versus Canadian anti-terrorism legislation, it is clear that there is a comparable legal risk that the personal information of Canadians held by any organization and its service provider – be it Canadian or American – can be obtained by government agencies, whether through the provisions of U.S. law or Canadian law. 

The Assistant Commissioner concluded by stating that the Act cannot prevent a Canadian company from sharing customer personal information with a foreign-based parent.  What the Act does is require organizations to be transparent about their personal information handling practices and to protect customer personal information in the hands of foreign-based service providers to the extent possible by contractual means.  This Office’s role is to ensure that organizations meet these requirements.  In the case of these complaints, these requirements have been met.