The Latest Developments in Privacy Compliance: PIPEDA Review and the USA PATRIOT Act


11th Annual Meeting on Regulatory Compliance for Financial Institutions

November 18, 2005
Toronto, Ontario

Address by Heather Black
Assistant Privacy Commissioner of Canada


In this post-September 11 world, financial institutions are increasingly caught in the tug-of-war between privacy and security.  Pulling in one direction are privacy laws such as the Personal Information Protection and Electronic Documents Act – PIPEDA – and the need to respond to their clients’ fears about the potential mishandling of personal information.  Pulling in the opposite direction are obligations imposed on financial institutions to respect the strengthened money laundering and terrorism laws that have become the hallmark of the last several years, and that will likely impose ever greater surveillance duties in future.  Financial institutions are being drawn into the surveillance apparatus of the state as never before.

Protecting privacy in this environment is even more challenging because of economic pressures to process personal information outside Canada.  How do we provide adequate protection of privacy in an era of ubiquitous outsourcing?  In particular, how do we respond to legislation such as the USA PATRIOT Act, which greatly facilitates access by the Federal Bureau of Investigation (FBI) to the personal information of Canadians held in the United States?  And how do we respond when that same legislation attempts to reach databases, not only in the United States, but in Canada?

Access by foreign governments to personal information about Canadians is not an insignificant issue, as the Maher Arar case makes abundantly clear.  US officials detained Mr. Arar in September 2002 in New York as he was returning to Canada from a vacation in Tunisia.  Claiming that he had links to al-Qaeda, the United States deported him to Syria, his land of birth, even though he was now a Canadian citizen carrying a Canadian passport.  At issue is what role Canadian government agencies may have played in providing information about Mr. Arar to US agencies, and whether this led to his deportation to a country known to practice torture.

Other Canadians are also worried about the sharing of personal information across borders, whether by governments or the private sector.  In March of this year, my Office commissioned a national survey about emerging privacy issues.  The survey found that the level of concern with transborder flows of personal information is extremely high.  Concern is somewhat lower if the transfer of personal information relates to national security, but remains high for any activity – regardless of the purpose or rationale.

These survey results have profound implications for the outsourcing of data processing, and the sharing of personal information with foreign governments.  Canadians want to retain control of their personal information.  They do not want the protections afforded their personal information in Canada to disappear as soon as that information crosses the border. And they want to be informed about transborder data flows. 

The strength of the concern of Canadians about transborder data flows also became clear during an ambitious project undertaken in 2004 by David Loukidelis, the Information and Privacy Commissioner of British Columbia. In response to complaints about outsourcing of the running of BC’s public health insurance plan, Mr. Loukidelis prepared an extensive report about the potential for sensitive personal information about Canadians to be made available secretly to US authorities under the USA PATRIOT Act.  As he notes in his introduction to the report, the debate about this issue was often intense and passionate.

He received hundreds of briefs and responses from Canadians – a degree of public participation in policy development that is virtually unheard of in Canada, and clear evidence of how worried Canadians are about this issue.

What also emerged from his project was an awareness of the limited protection of personal information about Canadians in the hands of foreign governments, especially the United States.

The US Congress enacted the USA PATRIOT Act just weeks after the September 11, 2001, attacks in the United States. The Act enhances access by the FBI to records held by companies in the United States. It permits the Director of the FBI to apply to a court in the United States for an order to disclose records, papers, documents and other items for an investigation to protect against international terrorism or clandestine intelligence activities.

If a judge grants an order – very likely, since the threshold for granting an order is very low – a company subject to the order is compelled to provide the information, which could include any personal information about Canadians that it holds.

Furthermore, the company would be prohibited from disclosing to those whose information it provides to the FBI that the FBI has sought or obtained this information. In other words, the companies cannot tell the individuals that their personal information has been sought or obtained under the order.

Court decisions in the United States clearly suggest that legislation such as the USA PATRIOT Act can have extraterritorial effect.  In other words, provisions of the Act can reach into Canada – at least according to US law. 

Canada, of course, would not accept this intrusion into our sovereignty.  Corporations operating in Canada are subject to Canadian law, and Canadian courts would not accept the reach of American law into Canada.

But here is the problem.  Under the USA PATRIOT Act, a company in the United States that is subject to an order to provide information to the FBI cannot disclose the fact of the order.  The order might require it to obtain information from its affiliates in Canada. If the US-based company had access to personal information held in Canada, the US law will prohibit it from telling its Canadian affiliate that it had obtained the data from Canada and given it to the FBI.  The Canadian affiliate might never know that its US-based counterpart had taken personal information from a database held in Canada.  The Canadians whose personal information has been burgled this way would never know.

This sort of surreptitious plundering of the personal information held in Canada about Canadians offends the very foundation of our privacy laws.  Canadians do not want the hard-won protections offered by PIPEDA, the Privacy Act or other laws to be undermined by an action taken in secret under a law enacted in a foreign jurisdiction and over which they have no means of democratic control.

The Legal Duty to Protect Personal Information

How should and must Canadian institutions respond when bodies such as the FBI come calling?  If the institution has an operation in the United States, that operation must of course comply with US law.

However, when the institution is located in Canada, there is much it can and must do, not only ethically, but as a matter of law.  A Canadian institution operating in Canada must comply with Canadian law, not the law of a foreign jurisdiction.  Even if under American law the USA PATRIOT Act provides authority to acquire information from an institution situated in Canada, it is Canadian law that governs.

Principle 7 of PIPEDA requires organizations in Canada to provide security safeguards appropriate to the sensitivity of the information they hold. 

These safeguards, physical, organizational or technological, must protect the information against unauthorized access – such as when a foreign affiliate attempts secretly to acquire personal information from a database in Canada to comply with a USA PATRIOT Act order.

Given the potential reach of the USA PATRIOT Act into Canada, it is clearly necessary for Canadian companies subject to PIPEDA to adopt security measures to prevent their US-based affiliates from surreptitiously taking personal information from databases held in Canada.  And given the reach of the USA PATRIOT Act into databases held within the United States, Canadian institutions may well want to reconsider sending personal information about Canadians south of the border for processing. 

At the very least, they should inform their clients about the possible risk to their personal information when it is transferred out of Canada.

What else, apart from technical security measures and restrictions on exporting personal data, can institutions in Canada do to protect the personal information of Canadians from information-hungry foreign governments? The 2005 BC Supreme Court decision in BC Government and Services Employees’ Union v. British Columbia (Minister of Health Services) relating to the USA PATRIOT Act provides a useful guide for protecting the personal information of Canadians.  In that case, Justice Melvin identified several measures that reduce the risk of disclosure under that Act, among them the following:

  • Restrictions on use and control of electronic equipment and devices by employees;
  • Substantial financial penalties if there is a breach of confidentiality;
  • Protection for whistle blowers; and
  • Employee training in respect of their legal duties.

One way to protect information is contractual provisions to provide equivalent protection of personal information that has been transferred outside Canada. The real dilemma we face when we transfer personal data outside Canada is the duty to obey the laws of the jurisdiction where the data are held. 

PIPEDA is powerless to protect personal data that have been transferred outside Canada.  Principle 1 of PIPEDA – the principle of accountability – does make an organization in Canada responsible for personal information in its possession or custody, including information that has been transferred to a third party for processing. The organization must use contractual or other means to provide a comparable level of protection while the information is being processed by a third party. However, these contractual provisions simply wither in the face of a legislative requirement in a foreign country to disclose that information to government.

In other words, PIPEDA requires Canadian organizations to promote, through contractual or other means, protection of personal information equivalent to that provided under PIPEDA.  But these contractual or other provisions cannot stop foreign governments from getting access to that information.

A recent case involving the processing of CIBC Visa customer data in the United States highlights the unequal relationship between contractual guarantees and national security legislation.  My Office received several complaints after the CIBC sent a notification to its VISA customers in the autumn of 2004 amending its credit cardholder agreement.

The notification referred to the use of a service provider located in the United States and the possibility that US law enforcement or regulatory agencies might be able to obtain access to cardholders’ personal information under US law.  The amended agreement also made it clear that those who operated under its terms were to be taken as consenting to such access by US government agencies.

My Office reviewed CIBC’s contract with the US-based third-party service provider. The agreement sets out detailed requirements regarding the safeguarding, confidentiality and security of customer accounts.

The contract affirms that CIBC owns the data that is processed by the service provider, that the service provider is to maintain safeguards to protect that data, and that the CIBC retains a right of access and audit. The third party provider’s security policy includes administrative, technical and physical protections to safeguard against events such as unauthorized usage, modification, copying, accessing or other unauthorized processing of CIBC data. The policy is designed with the objectives of ensuring the security and confidentiality of all records and data, protecting against anticipated threats or hazards to the security or integrity of information, and protecting against unauthorized access to or use of information.

The policy incorporates various guidelines, including the European Union Data Protection Directive, VISA Association guidelines, and others.

After investigating these complaints, I concluded that CIBC was in compliance with Principle 4.1.3 – the provision requiring an organization in Canada to use contractual or other means to provide a comparable level of protection while the information is being processed by a third party. 

However, these contractual safeguards could not prevent disclosure of the personal information to US government authorities if required by US law.  In this situation, the appropriate response was to notify customers that the information may be available to the US government or its agencies under a lawful order made in that country. This is what the CIBC did.

By informing its cardholders about the possible access to their data by US government agencies, the CIBC had complied with Principle 4.8 of PIPEDA, which requires organizations to make readily available to individuals specific information about policies and practices relating to the management of personal information.

It is also important to remember that the concern about data flows to the United States also applies to data flows to other countries.  And let’s not forget that Canadian government agencies can also obtain access to personal information held by financial institutions.  The difference is that in Canada we have some democratic control over the actions of our governments.  We have no democratic control over the actions of other governments.

In one instance, my Office handled a complaint from an individual who had arranged a wire transfer through a Canadian affiliate of an American wire transfer company.  He was upset to find that his name had been run through a terrorist watch list when the transfer was processed in the United States. 

However, my Office pointed out to him that Canada also has regulations that require the screening of certain transfers and that, had the transfer occurred through a Canadian transfer company, his name would have been run against a watch list here – likely a very similar watch list to that used in the United States.

Identifying Transborder Data Flows

Another important element of protecting the personal information of Canadians in a globalized environment is to “know oneself.”  Financial institutions cannot protect personal information unless they fully understand the transborder flows of such information. 

How much information crosses borders, to whom does it go, what safeguards are in place to protect it, and when must it be disclosed to a foreign government? 

Yet how many organizations subject to PIPEDA can answer these questions?  This is of course not only an issue for the private sector.  The Government of Canada and provincial and territorial governments outsource the processing of personal information to companies abroad, or to companies in Canada that have affiliates in other countries. The Government of Canada needs to pull up its socks too. 

That is one reason why our Office notified the President of the Canada Border Services Agency in July 2004 that it intended to audit the Agency’s management of the transborder flows of personal information under its control.

PIPEDA review 2006

As part of the process of finding ways to protect the personal information of Canadians in this era of outsourcing, my Office will be examining current and possible future provisions in PIPEDA that may have an impact on this.  Parliament is scheduled to review PIPEDA in 2006, and we will welcome your suggestions for better protecting the information about Canadians when it moves abroad.


We live in a much more fearful world than we did five years ago.  The fear of terrorism has created enormous pressures to diminish the right of privacy – too often, as my Office has found, without sound justification. The Canadian corporate world must not ignore the concerns of Canadians about their privacy, particularly their fears about sharing personal information across borders.  Financial institutions have an obligation to respect our privacy laws, just as they have an obligation to respect other regulatory requirements. 

But the issue goes beyond that.  Stepping outside your roles as representatives of various financial institutions, you are almost certainly individuals who want to ensure respect for the fundamental human rights that we consider elemental in a democracy.  We all need to be vigilant, not only about threats to our security, but about threats to our rights.  The right of privacy, once diminished, will be difficult to revive.  So we must be doubly careful with privacy.  Letting privacy become the whipping boy in our quest for security is not going to make us more secure.  However, it will make us less free. 

If you want to protect privacy, and earn the respect of the citizens you serve, you must go beyond compliance to look at ways to enhance privacy – whether the law is pushing you to do so or not.  I hope you will have the courage to go beyond the task of corporate compliance and challenge the excessive or unnecessary intrusions that are certain to be the hallmark of coming years.
