The Canadian Privacy Commissioner has just released a much-anticipated finding arising from complaints over the potential disclosure of personal information to U.S. law enforcement authorities. The complaints were launched after the CIBC changed its credit card user agreement to acknowledge that customer information could be disclosed to the U.S. authorities under the USA PATRIOT Act.
The Commissioner denied the complaints against CIBC, effectively admitting that she (and federal privacy legislation) is powerless to stop such disclosures. The Commissioner notes that "in short, an organization with a presence in Canada that outsources the processing of personal information to a U.S. firm cannot prevent its customers’ personal information from being lawfully accessed by U.S. authorities."
In discussing the limitations of Canadian privacy law, the Commissioner concludes:
The Commissioner’s analysis is consistent with a study I completed a year ago with Milana Homsi on the current legal environment. It also illustrates why the outsourcing issue is likely to be one of the top issues as part of the PIPEDA review next year. If PIPEDA and Canadian law currently can’t stop the undisclosed disclosures of personal information (even where that information is located in Canada), then it is time to discuss changes to Canadian law that would effectively block an organization from complying with such requests.
Patriot Act Irrelevant
My company’s Canadian subsidiary provides hosting in Canada for our Canadian customers and suffers from the interaction of the Patriot Act and PIPEDA. We face unending questions of what we would do if served with a court order to disclose information and not to tell the owner of the information that it was disclosed. We recently worked with a client that would be much more of a likely target of such an order than most. Their conclusion was that these laws did not matter any more because the US agencies did not bother with court orders anyway and just took what they wanted. They thought that neither our company nor their organization would ever know. Unfortunately, I have to concur that the law has become irrelevant.