OTTAWA, April 2 /CNW Telbec/ - The Privacy Commissioner of Canada,
Jennifer Stoddart, today announced the conclusion of her Office's
investigation of the Society for Worldwide Interbank Financial
Telecommunication (SWIFT), a European-based financial cooperative, that
supplies messaging services and interface software to a large number of
financial institutions in more than 200 countries, including Canada.
In her Report of Findings, made public today, the Commissioner confirmed
that SWIFT is subject to the Personal Information Protection and Electronic
Documents Act (PIPEDA), Canada's private sector privacy law, and that the
organization did not contravene the Act when it complied with lawful subpoenas
served outside the country and disclosed personal information about Canadians
to foreign authorities. However, she emphasized that making use of existing
information-sharing regimes, with built-in privacy protections, would allow
for greater transparency for citizens.
Since her appointment, Ms. Stoddart has raised concerns about the
personal information of Canadians flowing across borders. In her Report, the
Commissioner stressed that organizations operating and connected in a
substantial way to Canada are subject to PIPEDA and they must abide by the
Act. "Simply because companies might operate in two or more jurisdictions does
not relieve them of their obligations to comply with Canadian law," said Ms.
It was alleged that SWIFT inappropriately disclosed to the US Department
of Treasury (UST) personal information originating from or transferred to
Canadian financial institutions. Ms. Stoddart launched a
commissioner-initiated investigation into the matter to determine if there was
a breach of PIPEDA, the federal law which covers the collection, use and
disclosure of personal information in the course of commercial activities.
Following September 2001, the UST began issuing subpoenas to SWIFT for
certain data held in SWIFT's US-based operating centre. SWIFT obtained a
series of privacy protections for the data it transferred to the UST.
In her Report, the Commissioner explained that PIPEDA allows an
organization such as SWIFT to abide by the laws of other countries in which it
operates. An organization that is subject to PIPEDA and that has moved
personal information outside the country for business reasons may be required
at times to disclose it to the legitimate authorities of that country. It is
clear that in response to a valid subpoena issued by a court, person or body
with jurisdiction to compel the production of information, an organization
must disclose personal information and PIPEDA makes it permissible to comply
with this obligation. The Commissioner stressed that multi-national
organizations must comply with the laws of those jurisdictions in which they
The Commissioner noted, however, that if US authorities need to obtain
information about financial transactions that have a Canadian component, they
should be encouraged to use existing information mechanisms that have some
degree of transparency and built-in privacy protections. Accordingly, she
signaled her intent to ask Canadian officials to work with their US
counterparts to persuade them to use Canadian anti-money laundering and
anti-terrorism financing mechanisms instead of the subpoena route.
"These alternate avenues would allow far greater Canadian involvement in
the scrutiny of personal information and would better respect the value we
give privacy protection," said Ms. Stoddart. "Democratic societies must ensure
that the fundamental rights and freedoms of the individual are respected to
the extent possible, including the right to the protection of personal
In addition to its investigation of SWIFT, the Privacy Commissioner's
Office also received complaints against six Canadian financial institutions
and conducted an investigation into their involvement in the matter.
The Office reviewed the contractual documentation that exists between
SWIFT and the banks, and concluded that the banks are meeting their
obligations under the PIPEDA, noting that when an organization that contracts
with a firm that operates both within and outside of Canada, it must respond
to lawfully issued subpoenas in other jurisdictions as well as in Canada.
Moreover, she found that each of the banks has very clear language in
their privacy policies. These policies inform customers that the banks may
send their personal information out of the country for certain purposes and
that while such information is out of the country, it is subject to the laws
of the country in which it is held.
The Privacy Commissioner of Canada is mandated by Parliament to act as an
ombudsman, advocate and guardian of the privacy and protection of personal
information rights of Canadians.
View the Executive Summary.
View the Commissioner's full Report of Findings.
View the PIPEDA case summary relating to the investigations of the banks
View the Commissioner's June 2006 news release and August 2006 news
release on this issue.
For further information:
For further information: Anne-Marie Hayden, Office of the Privacy
Commissioner of Canada, (613) 995-0103, firstname.lastname@example.org