The Canadian Privacy Commissioner has just released a much-anticipated finding arising from complaints over the potential disclosure of personal information to U.S. law enforcement authorities. The complaints were launched after the CIBC changed its credit card user agreement to acknowledge that customer information could be disclosed to the U.S. authorities under the USA PATRIOT Act.
The Commissioner denied the complaints against CIBC effectively admitting that she (and federal privacy legislation) is powerless to stop such disclosures. Notes the commissioner "in short, an organization with a presence in Canada that outsources the processing of personal information to a U.S. firm cannot prevent its customers’ personal information from being lawfully accessed by U.S. authorities."
In discussing the limitations of Canadian privacy law, the Commissioner concludes:
The Commissioner’s analysis is consistent with a study I completed a year ago with Milana Homsi on the current legal environment. It also illustrates why the outsourcing issue is likely to be one of the top issues as part of the PIPEDA review next year. If PIPEDA and Canadian law currently can’t stop the undisclosed disclosures of personal information (even where that information is located in Canada), then it is time to discuss changes to Canadian law that would effectively block an organization from complying with such requests.