4 April 2007

Canadian Data Privacy Commission concludes SWIFT upheld privacy law

Canadian DPC Report issued

The Canadian Data Privacy Commission has published its conclusions regarding the complaints issued against SWIFT and against six major banks in Canada.

The Privacy Commission’s conclusions, released by Privacy Commissioner Jennifer Stoddart, are positive both for SWIFT and for the banks. They conclude that SWIFT did not contravene the Canadian Act on data privacy and that the complaints against the banks are not well founded.

The report on SWIFT concludes that:

  • maintaining a back-up database outside Canada achieves legitimate business needs
  • refusing to comply with subpoena was not a feasible option
  • an organisation can disclose personal information without the knowledge or consent of the customer in response to a subpoena. In addition, it notes that it is necessary to make a modern approach to interpreting legislation and that this exception is not restricted to a subpoena issued only by a Canadian body
  • multinational organisations must comply with the laws of those jurisdictions in which they operate. It noted that it is “unrealistic and unworkable” to ask organisations to ignore the legitimate laws of other jurisdictions in which they operate. Moreover this would have the potential of being interpreted as an infringement by Canada on that nation's sovereignty.

It concludes that SWIFT's disclosure to the United States Treasury was appropriate in the circumstances.

The report on the banks concludes that:

  • SWIFT and the banks have implemented a highly sophisticated and elaborate set of security measures to ensure integrity, confidentiality, security and reliability of messages
  • the banks have met their obligations through various oversight and auditing mechanisms, through contractual language and various security measures
  • customers are deemed to have consented to the processing of data according to the Data Retrieval Policy. When read in conjunctions with other documents, SWIFT has absolute discretion with respect to the manner in which it handles subpoenas
  • it states that the banks have very clear language in their privacy policies informing their clients that banks may sent their personal information outside of Canada, and that while such information is out of the country, it is subject to the laws of the country in which it is held.

It also concludes that the Act cannot prevent foreign authorities from lawfully accessing personal information of Canadians. Likewise, the Act cannot force Canadian companies to stop outsourcing to foreign based service providers.

The full text of the reports can be found on the Canadian Data Privacy Commission’s website.

Related links