A recent ruling by Canada’s Privacy Commissioner has brought into sharp focus “gaps” in our privacy legislation.
Federal Privacy Commissioner, Jennifer Stoddart, recently ruled that an international organization acted legally when it divulged personal data of Canadians to the U.S. government.
Following the completion of an investigation, launched last August, Stoddart concluded the Society for Worldwide Interbank Financial Telecommunication (SWIFT) did not breach Canadian privacy law.
Based in La Hulpe, Belgium, SWIFT is an industry-owned co-operative through which banks process foreign transactions. Members include banks, broker-dealers and investment managers.
The organization was reportedly acting in response to legal subpoenas by the U.S. Treasury.
The subpoenas were part of an anti-terrorism campaign under which U.S. officials and the Central Intelligence Agency gathered international banking data from SWIFT.
The Privacy Commissioner’s ruling highlights flaws in current Canadian privacy legislation, according to a Canadian privacy advocate.
These flaws have led to Canadians’ personal data being divulged to foreign governments that don’t have the same sensitivity to privacy issues as we do, noted Philippa Lawson, director of the Canadian Internet Policy and Public Interest Clinic (CIPPIC).
For instance, she said, in this case, data such as customer names, account numbers, and other personal identifiers were provided to SWIFT, as the request was deemed lawful. “We are allowing foreign states to determine our privacy when our personal information is transferred to another country,” says Lawson.
Ottawa-based CIPPIC aims to ensure balance in policy and law-making processes on issues that arise as a result of new technologies.
The federal investigation into the actions of SWIFT and the Canadian banks was launched, in part, due to complaints from privacy advocates, including CIPPIC.
When Canada allows overseas bodies to make such requests this means the information will be bound by the legal system of that country, Lawson notes.
This can be a problem, she says, because “there are many countries that aren’t democratic, that do not follow and abide by the same rules of law and justice as we do in Canada.”
Besides exonerating SWIFT, the investigation also found Canadian banks that provided the personal data to SWIFT did not violate privacy laws.
The Commissioner concluded Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) permits disclosure of such data to foreign law enforcement authorities as long as the request is deemed legal.
Furthermore, she ruled that SWIFT was in compliance because it took adequate security measures when transferring the information to the U.S. government. The Canadian banks too, had required SWIFT to use necessary security precautions.
While such disclosure of information may have complied with the letter of the law, it is nevertheless unfortunate – and an indication that the law needs to be changed, says Lawson.
Beefing up Canadian privacy legislation to protect Canadians’ personal data may be the obvious solution, however, it’s not realistic given the current environment, she says.
For instance, one option is for privacy commissioners and judicial decision makers to anticipate the possibility of foreign government abuse of privacy and make provisions for this in legislation, says Lawson.
But she acknowledged that this may not be the perfect answer. “Europe has taken this approach and is running into all sorts of problems. There is a law that states European companies should not be transferring data about [citizens] to other countries unless they have the same level of privacy protection.”
However, when it comes to sharing of various types of personal data – such as passenger flight data – adhering to this practice becomes impractical. “Can Europe say we’re not going to allow planes to fly to the U.S. anymore?” she asks. “The reality is people are not going to stop traveling. They’re not going to stop the flow of information because it doesn’t meet this aspect of European law.”
Lawson acknowledges the impracticality of preventing personal data from being provided to foreign institutions. However, she suggests Canada ought to question the fact that currently there are no restrictions on information access.
Another solution, she adds, would be for Canada to take the European Union’s approach to privacy law. “They are required to make their own assessment of the fairness, legality and privacy protectiveness of the foreign regime.”
“Canada should consider that.”