Customers allege that sale of personal information by one bank to another occurred without knowledge and consent

PIPEDA Case Summary #2006-350

Please note that this case summary has been combined with Case Summary #2005-307 because of the similarity of the complaints.

[Principles 4.3.2, 4.3.3, 4.8 of Schedule 1]

Two individuals contacted the Office of the Privacy Commissioner when they learned that their banks had sold their credit card information to another bank.  They felt that they should have been forewarned of the sale and allowed to cancel their cards before the transfer of their personal information to the other bank took place. 

One of the complainants also believed that his bank did not make its policies and practices regarding the management of his personal information readily available.  He also felt that the bank was asking him to provide more personal information than necessary to obtain a new credit card.

The complaints were against two different banks.  The Privacy Commissioner determined that, in one of the complaints (Complaint A), the allegations were not well-founded.  The bank in this case had changed its cardholder agreement some years earlier to include a consent clause to cover the sale of a credit card portfolio to another bank.  She also disagreed with the complainant’s other allegations, and found that the bank had made its privacy policies and practices known, and was not asking for too much information from the complainant.

In the other case (Complaint B), the Commissioner determined that there was no consent to the sale of the complainant’s information.  She recommended that the bank change its cardholder agreement.  The bank agreed to do so, and the Commissioner considered the complaint well-founded and resolved.

The following is a detailed overview of each complaint and its respective findings.

Summary of Investigation – Complaint A (formerly Case Summary #2006-307)

The complainant had held a credit card account with the bank for many years.  In 2000, the account was converted to another type of credit card account, and at that time, he received a cardholder agreement.  This agreement did not contain an “assignment” clause.

The bank had documentary evidence showing that it mailed all of its cardholders a revised agreement in October 2001.  The billing notice alerted customers that a revised agreement had been inserted with the bill.  This agreement contained an assignment clause, which indicated that the bank may transfer, by way of assignment, sale or otherwise, any or all of its rights under the agreement.  The bank reserved the right to give information about the cardholder’s account to anyone it transferred its rights to, but indicated that it would ensure that whoever it transferred the information to would respect the cardholder’s privacy rights. 

Both the original and the revised cardholder agreements contain information about the bank’s privacy practices.  The earlier version also referred the cardholder to more detailed information, available in the bank’s privacy brochure.

Although the complainant eventually located the revised agreement in his records, he maintained that the bank acted contrary to the provisions of the Personal Information Protection and Electronic Documents Act.

In 2003, the complainant received a notice in his credit card bill informing him that his account and the card program were being transferred to another bank, effective the first day of the month, 2003.  According to the bank, a similar notice was included in the previous bill statement sent to customers.  The bank stated that the sale of the program and the transfer of the accounts occurred shortly before that.  At that time, the purchasing bank was given the names and addresses of account holders.  All other financial information remained with the bank selling the accounts until the conversion was complete, in early 2004. 

The complainant attempted to withdraw his consent, by contacting the selling bank, to the transfer of his personal information on two occasions in 2003.  As the transfer had already taken place, the bank stated that he could not have chosen to withdraw his consent to the transfer.  Rather, he could have chosen to cancel his account with the bank that now held his account.  His right to do so was set out in both the original and revised versions of the cardholder agreement.

When the complainant asked the original bank to open a new credit card account in his name, the bank indicated that he would need to submit a new application, and agree to a credit check.  The complainant believed that the bank should be able to rely on the information that it already had on file about him.  The bank, however, stated that it did not in fact have information about him on file since his personal information was transferred to the other bank when the credit card program was sold.

Dissatisfied with the bank’s position, the complainant continued to believe that it should have had his express consent for the sale of his personal information to the other bank. 

The Office reviewed the confidentiality agreement which both banks signed prior to the sale.  It guaranteed the confidentiality and security of customer information, and specifically referred to the Act.

Findings

Issued July 14, 2005

Application: Principle 4.3.2 states that organizations shall make a reasonable effort to ensure that the individual is advised of the purposes for which the information shall be used; Principle 4.3.3 stipulates that an organization shall not, as a condition of the supply of a product or service, require an individual to consent to the collection, use or disclosure of information beyond that required to fulfil the explicitly specified, and legitimate purposes; and Principle 4.8 requires an organization to make readily available to individuals specific information about its policies and practices relating to the management of personal information.

In making her determinations, the Assistant Privacy Commissioner deliberated as follows:

• The investigation confirmed that all cardholders were sent an amended cardholder agreement form in 2001 that set out, as a condition of the agreement, the bank’s right to sell its card program, and to transfer personal information as part of the agreement of sale. 
• The complainant acknowledged that he received a copy of the agreement form.  In the Assistant Commissioner’s view, such notification met the reasonable expectations of customers, as per Principle 4.3.2, and in light of such notification, she was satisfied that the bank did not disclose the complainant’s personal information without his knowledge and consent.

• As for the bank making its privacy policies known, the Assistant Commissioner was satisfied that the original and revised cardholder agreements contained information about the bank’s privacy policies and practices, consistent with the requirements of Principle 4.8.
• Finally, the Assistant Commissioner considered the bank’s request that the complainant provide up-to-date information for the purpose of obtaining a new credit card to be appropriate.  Since the bank had transferred his personal information to another bank as part of its sale of the credit card portfolio, the original bank no longer had any personal information about him.  In order to proceed with his credit card application, it would require appropriate information from him.  She was therefore satisfied that the bank did not contravene Principle 4.3.3.

The Assistant Commissioner concluded that the complaint was not well-founded.

Further Considerations

Notwithstanding the finding, the Assistant Commissioner recommended that the bank amend its cardholder agreement to notify customers that, if its assets are sold to another financial institution, that institution will be obligated to retain customer information for a period of five years, in accordance with the Proceeds of Crime (Money-Laundering) Regulations.  The Assistant Commissioner noted that the cardholder can request confirmation from the organization that it purged his or her personal information after five years.  If the information has not been destroyed, the cardholder may challenge the organization’s compliance with the retention requirements under the Personal Information Protection and Electronic Documents Act. 

The bank did not agree to implement this recommendation.  It noted that there are various applicable retention periods in addition to those set out in the anti-money-laundering regulations, and that inclusion of them all would make cardholder agreements considerably longer than they are.

Summary of Investigation – Complaint B

The complainant had a credit card account with a particular bank.  In 2004, he was informed in writing that his bank had sold its credit card portfolio for Western Canada and Ontario to another bank.  The letter indicated that these customers would be issued credit cards by the other bank.  The document the complainant received outlined the new services to be provided by the other bank and the dates on which credit card holders would be receiving new cards and account statements.  The document did not inform customers of any right to cancel their cards should they not want to be customers of the other bank.

The complainant stated that he initially contacted a customer service representative of his bank to indicate that he did not want a credit card from the other bank and that he wanted to remain a cardholder of his bank.  He was told that this was not possible since his bank would no longer be offering credit cards to customers in Western Canada and Ontario.  He objected to receiving the other bank’s credit card and to having his personal information transferred to the other bank.  His bank suggested that he destroy the new credit card upon receipt, which he did.  The complainant also cancelled his original credit card account with his bank shortly after learning about the sale and paid off the balance.  He indicated to the Office that he wanted his personal information held by the other bank returned to him since he did not want that bank to retain his personal information.

The respondent bank stated that it sold its Ontario and Western credit card portfolio to the other bank prior to informing customers of the sale.  Approximately two weeks after the closing date of the sale, it transferred the portfolio information to the other bank.  Thus, any accounts closed prior to this date were not transferred.  Since the complainant’s account was active after this date, his personal information was transferred to the other bank. 

Under the federal Bank Act, the selling of assets is allowed, as stated in section 232(1):

A bank may sell all or substantially all of its assets to a financial institution incorporated by or under an Act of Parliament or to an authorized foreign bank in respect of its business in Canada if the purchasing financial institution or authorized foreign bank assumes all or substantially all of the liabilities of the bank.

In addition, the respondent bank indicated that under provincial law, it has the right to sell or transfer its assets.  When debts are sold – in this case the bank considers the transfer of credit card accounts a sale of a debt to another bank – the identity of the client is transmitted to the party who buys the assets.  The client is then responsible for paying the debt (the credit card purchases) to the other bank.  The respondent bank was of the view that client consent in the case of this portfolio sale is not practical and would impede its ability to conduct business.  Instead, it relied on the language of its cardholder agreement.

We reviewed a copy of the complainant’s original credit card agreement.  With respect to the use and disclosure of personal information, it stated that the customer authorized the bank to disclose information it has about the cardholder to any person authorized by law, any personal information agent, any financial institution, any mortgage insurer, or, with the cardholder’s consent, any person so requesting.  It also indicated that the bank could use customer personal information to send the customer any documents, advertising material or information the bank considered appropriate.

Our Office spoke to three other banks and learned that they had an assignment clause in their cardholder agreements, which stipulated that the bank could transfer any or all of its rights by way of assignment, sale or otherwise.  The respondent bank in this complaint did not have such a clause in its agreement. 

We contacted the bank that bought the credit card portfolio to confirm whether it held the complainant’s personal information and, if so, how long it would retain it.  The bank had the complainant’s name, date of birth, address, and some transactional details required to service its customers.  The information is held in dormant files and is not accessed since the account is listed as inactive.  It must be retained for five years after the date of the account was closed, as required by the Proceeds of Crime (Money-Laundering) Regulations.

Findings

Issued June 9, 2006

Application: Principle 4.3, which states that the knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate; and Principle 4.3.2, which stipulates that organizations shall make a reasonable effort to ensure that the individual is advised of the purposes for which the information will be used.  To make consent meaningful, the purposes must be stated in such a manner that the individual can reasonably understand how the information will be used or disclosed.

In making her determinations, the Commissioner deliberated as follows:

• The respondent was relying on the provisions contained in its cardholder agreement to support its position that the complainant had consented to the transfer of his personal information to the other bank.  The Commissioner, however, was of the view that the wording of this provision was too broad to be considered to have met the knowledge requirements under the Act. 
• The consent clause covering the use and disclosure of information in the cardholder agreement says nothing about a permanent transfer of the credit card portfolio to another bank, and it is insufficient as consent for such a transfer.  In such a situation, the bank – the organization to which the individual provided information, from which the individual sought services, and which provides services to the individual – ceases to be a party to the relationship.  A consumer would not reasonably expect the language of the consent, as written, to extend this far.
• Principle 4.3.2 demands that the purposes for the use or disclosure of personal information be clearly stated.  The cardholder agreement did not inform clients in a reasonably understandable manner that their personal information could be shared as a result of sales to third parties.
• Therefore, by failing to meet the requirements of Principle 4.3.2, the Commissioner determined that the bank had not obtained the complainant’s meaningful consent, as per Principle 4.3. 
• She therefore found the bank in contravention of the Act.

In order to bring the bank into compliance with Principle 4.3.2 and 4.3, the Commissioner recommended that the bank amend its cardholder agreement to include an assignment clause.  She also recommended that the bank notify customers that, if its assets are sold to another financial institution, that institution may be required by law to retain the information for a period of time. 

The bank responded positively, indicating that it would amend its agreement to include an assignment clause that will also inform clients that the assignee may be required by law to retain clients’ personal information for a period of time.  These measures appear to address our concerns in a satisfactory manner.

Satisfied that the measures addressed the Commissioner’s concerns, she concluded that the complaint was well-founded and resolved.