Canadian Privacy Commissioner Denies PATRIOT Act Complaints

The Canadian Privacy Commissioner has just released a much-anticipated finding arising from complaints over the potential disclosure of personal information to U.S. law enforcement authorities.  The complaints were launched after the CIBC changed its credit card user agreement to acknowledge that customer information could be disclosed to the U.S. authorities under the USA PATRIOT Act.

The Commissioner denied the complaints against CIBC, effectively admitting that she (and federal privacy legislation) is powerless to stop such disclosures.  The Commissioner notes that "in short, an organization with a presence in Canada that outsources the processing of personal information to a U.S. firm cannot prevent its customers’ personal information from being lawfully accessed by U.S. authorities."

In discussing the limitations of Canadian privacy law, the Commissioner concludes:

"the Act cannot prevent U.S. authorities from lawfully accessing the personal information of Canadians held by organizations in Canada or in the United States, nor can it force Canadian companies to stop outsourcing to foreign-based service providers. What the Act does demand is that organizations be transparent about their personal information handling practices and protect customer personal information in the hands of foreign-based third-party service providers to the extent possible by contractual means. This Office’s role is to ensure that organizations meet these requirements. In the case of these complaints, these requirements have been met."

The Commissioner’s analysis is consistent with a study I completed a year ago with Milana Homsi on the current legal environment.  It also illustrates why the outsourcing issue is likely to be one of the top issues as part of the PIPEDA review next year.  If PIPEDA and Canadian law currently can’t stop the undisclosed disclosures of personal information (even where that information is located in Canada), then it is time to discuss changes to Canadian law that would effectively block an organization from complying with such requests.

One Comment

  1. Gabriel Fineman says:

    Patriot Act Irrelevant
    My company’s Canadian subsidiary provides hosting in Canada for our Canadian customers and suffers from the interaction of the Patriot Act and PIPEDA. We face unending questions of what we would do if served with a court order to disclose information and not to tell the owner of the information that it was disclosed. We recently worked with a client that would be much more of a likely target of such an order than most. Their conclusion was that these laws did not matter any more because the US agencies did not bother with court orders anyway and just took what they wanted. They thought that neither our company nor their organization would ever know. Unfortunately, I have to concur that the law has become irrelevant.