The Privacy Commissioner says her investigation into the SWIFT cross-border data flow debacle has revealed a loophole that has some privacy advocates — and the Commissioner herself — flustered.
A New York Times article last June revealed that, according to Privacy Commissioner Jennifer Stoddart’s Report of Findings, “the United States Treasury used administrative subpoenas to access tens of thousands of records from (financial messaging services and interface software vendor Society for Worldwide Interbank Financial Telecommunication)” for anti-terrorism purposes.
Stoddart found that SWIFT had a substantial connection to Canada through its dealings with Canadian financial institutions. Last August she launched her first investigation into an organization outside of Canada, according to Kris Klein, litigation counsel for the Privacy Commissioner’s office. “This was groundbreaking in that we were dealing with a multinational company,” he said.
The American government obtained the information via a subpoena. Under PIPEDA, this made it acceptable, according to the Report of Findings. “Our Act has a provision that we respect subpoenas. We determined that these subpoenas were indeed valid and legal subpoenas,” said Klein. “PIPEDA provides for exceptions. It’s not as if SWIFT is selling the information.”
Canadian Internet Policy and Public Interest Clinic executive director Philippa Lawson commended Stoddart’s work. “The finding that SWIFT is subject to Canadian privacy law is a real step forward, and the fact that (Stoddart) did such a thorough investigation is commendable,” said Lawson.
The Office of the Privacy Commissioner has at times come under fire for being ineffectual, but Terry McQuay, president of the Toronto-based privacy risk management firm Nymity, said that these findings indicate that the Privacy Commissioner can do a thorough investigation. “She is tough but fair, with a balanced approach to business and consumers,” he said.
Klein said that the Privacy Commissioner herself, however, is still “very troubled” by the fact that Canadian information was distributed to the United States Treasury using this method. The Privacy Commissioner would prefer to make use of the more privacy-protective guidelines of existing regimes like the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) to prevent countries from using subpoenas and other legal methods to get around PIPEDA breaches, he said.
Lawson feels that the Privacy Commissioner “hasn’t really acknowledged the enormity of the loophole in the law. This interpretation of Canadian law allows for foreign governments to do an end-run around Canadian privacy law. If the abuse comes from foreign governments, we’re out of luck, as long as the foreign government requires it. There’s nothing we can do about it, even if it violates PIPEDA. It’s a big loophole,” she said.
McQuay, however, said that there is no loophole in PIPEDA. “(The Act’s) fine. There isn’t a loophole — it reflects how (subpoena) laws work around the world.”
Lawson also said that she was unhappy with the lack of thoroughness in inspecting the actual subpoenas from the United States Treasury. She said, “They needed to inquire in a meaningful way whether, in fact, they were lawful. They left it up to the Americans to challenge that.”
Threats can come from the homefront, too, Lawson said, as Canadian companies can outsource to countries whose questionable data protection laws could compromise Canadians’ information. “We can be very vulnerable. The law does a reasonably good job protecting us from foreign non-state privacy invasions, but not from foreign states,” said Lawson.
The Privacy Commissioner plans on writing a letter to the Minister of Finance to advocate using FINTRAC-type regimes in dealing with these types of situations, and, in turn, encourage the United States government to abide by them as well. Said Klein: “Our ultimate goal is to encourage America to use the existing (FINTRAC) framework.”
He admits that such a change is a hard one to effect. Klein said, “There is no overnight mechanism. FINTRAC isn’t perfect either. But we need better built-in privacy mechanisms than the private sector (provides).”
While Lawson commends the Privacy Commissioner’s office for its commitment to putting pressure on the Minister of Finance to effect change, she is leery of the outcome. “I don’t think the United States is going to care,” she said, although she thinks that encouraging public discourse about the matter, including public forums and research done by academics and public interest groups, could raise awareness about the issue and perhaps help effect change.
The tide of data breaches seems to be rising; Klein admits that there are “more and more” problems with trans-border data flow. He said that the Privacy Commissioner is making a real effort to work with other Privacy Commissioners to try and keep on top of these types of situations, but that, for now, “we’ll have to do our best in the existing regime.”