Responsibility of Canadian financial institutions in SWIFT’s disclosure of personal information to US authorities considered

PIPEDA Case Summary #2007-365

[Principles 4.1.3, 4.3 and 4.8; subsection 5(3); paragraphs 7(3)(c) and 7(3)(c.1)]

Overview of complaint and Assistant Privacy Commissioner’s findings

In the summer of 2006, the Office of the Privacy Commissioner of Canada received a complaint against six Canadian financial institutions as a result of the disclosures by the Society for Worldwide Interbank Financial Telecommunication (SWIFT) of personal information to US authorities.

This complaint was filed subsequent to the publication in the New York Times, in June of 2006, of an article revealing that since 9/11, the United States Department of the Treasury (UST) has been regularly accessing tens of thousands of records from SWIFT. According to the article, the records in question principally involve wire transfers into and out of the United States.

The complainant was of the view the banks were responsible for the personal information that was transferred to SWIFT for processing of money orders. She maintained that the disclosures were for an inappropriate purpose since they circumvented established approved processes for transferring data. She also contended that the exceptions to consent, outlined in paragraphs 7(3)(c) and 7(3)(c.1) of the Personal Information Protection and Electronic Documents Act (the Act), did not apply.

The Assistant Commissioner did not agree and concluded that the complaints were not well-founded. She reviewed the contractual documentation that exists between SWIFT and the banks, and concluded that they are meeting their obligations under the Act, specifically, Principle 4.1.3, to ensure a comparable level of protection. She echoed, however, an earlier finding made by this Office, by noting that when an organization contracts with a firm that operates both within and outside of Canada, it cannot prevent that firm from responding to lawfully issued subpoenas. Moreover, all of the banks clearly indicated what their practices were, in keeping with guidance offered by this Office. As such, she was satisfied that the banks had discharged their responsibilities under the Act.

Summary of Investigation

SWIFT did not dispute the disclosures. In response to the publicity about the New York Times article, it posted a statement on compliance on its website. According to the statement, it “responded to compulsory subpoenas for limited sets of data from the Office of Foreign Assets Control of the United States Department of the Treasury.”

Neither SWIFT nor the US government suggested that the data disclosed to the UST is limited to American citizens or to US financial institutions. The disclosures involve bulk transfers of data, and the complainant reasonably inferred that the bulk transfers include information about Canadians or Canadian financial institutions. SWIFT confirmed to this Office that personal information originating from or transferred to Canadian financial institutions was likely included in the data handed over to the UST.

SWIFT describes itself as “the financial industry-owned co-operative supplying secure, standardised messaging services and interface software to 7,900 financial institutions in more than 200 countries.” SWIFT has identical operating centres that simultaneously collect, send, and store all SWIFT messages.

As a cooperative society under Belgian law, SWIFT’s shareholders own and control it. Each of the major domestic banks against whom a complaint has been filed is a shareholder member of SWIFT. There are in total fourteen Canadian financial institution shareholder members. Collectively, they form a National (SWIFT) Member’s group, which meets periodically and serves an advisory role to the Board of Directors of SWIFT. The shareholders also provide some specialized payment clearance and settlement services, through SWIFT, to other Canadian banks and financial institutions. The banks are part of the SWIFT User group, which also meets periodically with SWIFT members to discuss business issues related to the use of SWIFT services. There are 63 Canadian institutional SWIFT users.

A SWIFT user purchases the capability of transferring sets of financial messages consistent with its business needs. A fully subscribed SWIFT user could potentially transmit approximately 230 different messages, grouped into ten categories of messages. Only two of these categories may contain personally identifying information, such as the name, address, account number, amount of transfer and financial institutions involved.

SWIFT does not collect or hold any personal information involving paper-based Canadian payments systems (mostly cheques) and small value electronic payment systems, such as debit card or automated banking machine transactions, and pre-authorized debits and credits. SWIFT does not collect or hold any information about credit card transactions. In the case of most large value domestic transactions processed over SWIFT’s system, there is only corporate information.

There were three components to the complaint. Firstly, the complainant states that, in light of the disclosures by SWIFT, under Principle 4.1.3 of Schedule 1 of the Act, each financial institution remains responsible for personal information that has been transferred to SWIFT for processing of monetary transfers.

Secondly, she contended that the disclosure of personal banking data about Canadians to the US government, for counter-terrorism purposes, is contrary to subsection 5(3) of the Act, as it occurs outside of the approved processes for such data transfers (i.e., judicial authorization, FINTRAC, or a Mutual Legal Assistance Treaty (“MLAT”)). Since wholesale transfers of personal banking data circumvent these approved processes, they do not meet the Act’s requirement of an ‘appropriate purpose’.

Thirdly, the complainant stated that the exceptions to the requirement for consent, set out in subsections 7(3)(c) and/or 7(3)(c.1), do not apply in these circumstances. She was of the view that if the disclosures occurred in the United States, the subpoenas were overly broad and invalid (for the purpose of the exception set out in paragraph 7(3)(c) of the Act). She also maintained that a ‘government institution’ referenced in subsection 7(3)(c.1) means a federal or provincial Canadian government institution, and does not include foreign government institutions.

1. The banks’ responsibility for personal information

In determining the question of the banks’ responsibility for the personal information they transferred to SWIFT, the Office reviewed the contractual agreement between SWIFT and the banks and oversight mechanisms in place.

Contractual agreement between SWIFT and the banks

The Office was provided with documentation that constitutes the contractual agreement between the banks and SWIFT. All of the documents contain at least some information relevant to the banks’ obligations under Principle 4.1.3 of Schedule 1 of the Act.

Three of the documents provide comprehensive information about the measures that SWIFT has implemented to ensure the security, reliability, and resilience of its messaging systems, and the confidentiality and integrity of its data. The measures include proprietary hardware and software applications and security procedures.

One policy document sets out the obligations of SWIFT users that engage a third party provider (i.e., a service bureau) to host or operate SWIFT connectivity components, or provide services such as logging in, or managing sessions of security for SWIFT users. Service bureaus must meet the requirements set out in the Service Bureau Rules and Guidelines.

Another document provides detailed information about SWIFT’s security practices and the requirements that users must have in place to access SWIFT’s secure IP network.

We reviewed documentation outlining the audit mechanisms in place, as well as the company’s security governance structure and its data handling, storage and retrieval policies and practices. We also reviewed information regarding SWIFT’s measures to ensure the confidentiality of its data, as well as details on the oversight, security and control measures that SWIFT has implemented.

The banks’ contractual relationship with SWIFT is primarily set out in one document, which describes the mutual covenants of the parties, with respect to confidentiality of data, and compliance with all applicable laws and regulations, including privacy laws (section 4.5.6).

One section of this document, entitled Data Protection Obligations indicates that:

By subscribing to the relevant SWIFT Services and Products, the Customer shall then be deemed to have consented to any such processing of personal data by SWIFT in accordance with the SWIFT Data Retrieval Policy and other relevant Service Documentation.

The Data Retrieval Policy sets out SWIFT’s policy on the retrieval, use and disclosure of SWIFT data. Section 3.2 of the policy deals with ‘Mandatory Requests’. It states:

If a court or other competent regulatory, supervisory or governmental authority requests SWIFT to retrieve, use or disclose traffic or message data, SWIFT reviews and assesses such requests as per documented procedures.

For the avoidance of any doubt, nothing in this policy or, more generally, SWIFT’s obligations of confidence to customers, shall be construed as preventing SWIFT from retrieving, using, or disclosing traffic or message data as reasonably necessary to comply with a bona fide subpoena or other lawful process by a court or other competent authority.

SWIFT members in each country have the right to nominate a certain number of Directors to the Board, based on the proportionate number of shares held by the shareholders of the country. The 14 Canadian shareholder members of SWIFT propose one Director for election.

According to SWIFT’s corporate rule #3.4 (found on the company’s web site),

The NMG (i.e. National Member Group) is independent from SWIFT and does not form part of the SWIFT legal structure. It can legally organize itself as it thinks appropriate…. The NMGhas an important role in the proposal of Directors…. (It serves in an) advisory role to the Board….[Subject to the SWIFT confidentiality protocols], the NMG is consulted in an advisory function at a national level on policy issues affecting shareholders which are due to be discussed in the Board. … The Board of Directors may from time to time ask the NMG for specific advice and support.

There is also a National User Group that comprises all SWIFT users within a country. SWIFT users operate through contacts with national members.

With respect to oversight, SWIFT’s website states:

While SWIFT is neither a payment nor a settlement system and, as such, is not regulated by central banks or bank supervisors, a large number of systemically important payment systems have become dependent on SWIFT, which has thus acquired a systemic character. . . Because of this, the central banks of the Group of Ten countries (G-10) agreed that SWIFT should be subject to cooperative oversight by central banks. Overseers review SWIFT’s identification and mitigation of operational risks, andmay also review legal risks, transparency of arrangements and customer access policies.

The National Bank of Belgium (NBB) is lead overseer, and has a memorandum of understanding (MOU) with each of the other cooperating G-10 banks, including the Bank of Canada.

We reviewed the MOU. Among other things, it sets out that there will be a two-tier structure of cooperation between the NBB and the Bank of Canada. At the senior level, there will be a SWIFT Co-operative Oversight Group, with an executive committee that communicates with SWIFT’s Board and management on oversight findings, policy, on SWIFT’s governance, and on its strategy. At the technical level, there is a technical Oversight Group, with a more proactive and interactive approach in its work with SWIFT.

2. The purpose of the disclosures

The complainant was of the view that the wholesale transfers of personal banking data by SWIFT circumvent the approved processes for data transfers (established to counter terrorism – such as MLATs, FINTRAC). She contended that they do not, therefore, meet the Act’s requirement of an ‘appropriate purpose’.

In setting out her argument, she relied in part upon the June 23rd “statement on compliance” that SWIFT posted on its website subsequent to the publication of the NewYork Times article. In its statement, SWIFT indicated that:

SWIFT takes its role as a key infrastructure of the international financial system very seriously and cooperates with authorities to prevent illegal uses of the international financial system. Where required, SWIFT has to comply with valid subpoenas. . .

In the aftermath of the September 11th attacks, SWIFT responded to compulsory subpoenas for limited sets of data from the Office of Foreign Assets Control of the United States Department of the Treasury. . .

Statement on compliance

Cooperating in the global fight against abuse of the financial system for illegal activities
. . .
Given its importance in the financial community, SWIFT takes its role in the global fight against money laundering and other illegal activities extremely seriously.

The banks, however, set out a narrow and singular purpose for the disclosures: to comply with a valid US-issued subpoena. The Office received representations from SWIFT (in response to the Commissioner-initiated complaint) that set out SWIFT’s position that the subpoenas were valid under US law. The Commissioner’s findings on this matter are set out in the Report of Findings.

The banks stated that they did not become aware of the SWIFT disclosures to the UST until the practice was disclosed through the New York Times article. SWIFT has confirmed that it did not inform its members of the subpoenas or of its compliance with them.

3.The exceptions to the requirement of consent

As noted above, the banks indicated that they can rely upon the provisions of paragraph 7(3)(c) with respect to SWIFT’s compliance with the UST subpoenas. Paragraph 7(3)(c) indicates that an organization may disclose personal information without the knowledge or consent of an individual for the purposes of complying with a subpoena or warrant issued or an order made by a court, person or body with jurisdiction to compel the production of information, or to comply with rules of court relating to the production of records.

The banks’ notification to customers about its practices with respect to outsourcing or processing information outside of Canada was also considered. All of the banks’ privacy policies (both in electronic and paper format) contained notification to customers that they use third-party processors, some of which may be located outside of Canada. The language of the banks’ notification (while differing slightly from bank to bank) basically indicates that while customer information is outside of the country, it is subject to the laws of that country.

Findings

Issued April 2, 2007

Application: Principle 4.1.3 states that an organization is responsible for personal information in its possession or custody, including information that has been transferred to a third party for processing. The organization shall use contractual or other means to provide a comparable level of protection while the information is being processed by a third party. Principle 4.8 states that an organization shall make readily available to individuals specific information about its policies and practices relating to the management of personal information. Subsection 5(3) notes that an organization may collect, use or disclose personal information only for purposes that a reasonable person would consider are appropriate in the circumstances. Principle 4.3 stipulates that the knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate.

Paragraph 7(3)(c) explains that an organization may disclose personal information without the knowledge or consent of the individual only if the disclosure is required to comply with a subpoena or warrant issued or an order made by a court, person or body with jurisdiction to compel the production of information, or to comply with rules of court relating to the production of records.

Paragraph 7(3)(c.1) adds that an organization may disclose personal information without the knowledge or consent of the individual only if the disclosure is made to a government institution or part of a government institution that has made a request for the information, identified its lawful authority to obtain the information and indicated that (i) it suspects that the information relates to national security, the defence of Canada or the conduct of international affairs, (ii) the disclosure is requested for the purpose of enforcing any law of Canada, a province or a foreign jurisdiction, carrying out an investigation relating to the enforcement of any such law or gathering intelligence for the purpose of enforcing any such law, or (iii) the disclosure is requested for the purpose of administering any law of Canada or a province.

In making her determinations, the Assistant Privacy Commissioner deliberated as follows:

• She began by noting that the Office of the Privacy Commissioner of Canada recognizes and shares the concerns of Canadians with respect to the flow of their personal information outside of our borders.
• In the context of the complaint before the Office, she noted that we must consider what the Act states and what obligations it imposes on organizations operating in Canada. While the Act does not prohibit outsourcing or using service providers who transfer information outside our borders, it does oblige organizations to have provisions in place to ensure a comparable level of protection.

1. The banks’ responsibility for personal information:

• We reviewed the contract in place between SWIFT and the banks, as well as the other means available to the banks to ensure that SWIFT is providing a comparable level of protection.
• SWIFT and its members have collaboratively developed and implemented a highly sophisticated and elaborate set of security measures to ensure the integrity, confidentiality, security and reliability of the financial messages that SWIFT delivers.
• SWIFT reports back to its committees and boards through its Annual Report and through the security audit report (it should be noted that these reports encompass far more than personal information handling practices).
• Although some of the contractual language appears to place SWIFT in control of how its system is used and, by extension, how personal information in its possession is handled, it is nevertheless also obliged to maintain confidentiality of information.
• Furthermore, the Assistant Commissioner noted that there are other means by which the banks, as members and users of the SWIFT system, can ensure that a comparable level of protection is in place, particularly with respect to the cooperative oversight and technical oversight groups. Through these various oversight and auditing mechanisms, and through the contractual language and various security measures in place, she was satisfied that the banks are meeting their obligations under Principle 4.1.3.
• Under the contract between SWIFT and the banks, the question of mandatory requests is contemplated. Under section 3.2 of SWIFT’s Data Retrieval Policy, the customer (i.e. a member bank) is deemed to have consented to SWIFT’s processing of personal data in accordance with the Data Retrieval Policy. Read in conjunction with another document, SWIFT has absolute discretion with respect to the manner in which it handles subpoenas “or other lawful process(es) by a court or other competent authority.”
• On the surface, it would appear that the banks have surrendered the control of the personal information that they handle to SWIFT in these circumstances. However, it can be argued that they have no more “surrendered” control than any other organization that transfers personal information to organizations outside of the country.
• In Case summary 313, we noted the following in the findings:

• (the bank) has in place a contract with its third-party service provider that provides guarantees of confidentiality and security of personal information. The contract allows for oversight, monitoring, and an audit of the services being provided. (the bank) maintains custody and control of the information that is processed by the third-party service provider. However, while customer personal information is in the hands of a foreign third-party service provider, it is subject to the laws of that country and no contract or contractual provision can override those laws. In short, an organization with a presence in Canada that outsources the processing of personal information to a USfirm cannot prevent its customers’ personal information from being lawfully accessed by US authorities.

• In this case, the banks are meeting their obligations under Principle 4.1.3. When an organization contracts with a firm that operates both within and outside of Canada, it cannot prevent that firm from responding to lawfully issued subpoenas.
• The Assistant Commissioner commented that, in keeping with this Office’s publicly stated position, namely, that, at the very least, a company in Canada that outsources information processing to a company that operates in another country should notify its customers that the information may be available to the government of that country or its agencies under a lawful order made in that country. She found that each of the banks has very clear language in their privacy policies. These policies inform customers that the banks may send their personal information outside of the country for certain purposes and that, while such information is out of the country, it is subject to the laws of the country in which it is held.
• The Assistant Commissioner was therefore satisfied that each bank has conformed to the requirements of Principle 4.8.

2. and 3. The purpose for the disclosures and lack of consent:

• The complainant had raised concerns about the purpose of the disclosures. She had also argued that the exceptions to consent under the Act that allow organizations to respond to subpoenas without knowledge or consent did not apply in this case. The banks, she contended, were therefore responsible for the disclosures.
• The Assistant Commissioner noted, however, that the banks did not disclose the information, SWIFT did. The contractual language between the banks and SWIFT clearly places responsibility for responding to such subpoenas in the hands of SWIFT; the banks notify their customers of the possibility of such disclosures by way of their respective privacy policies.
• Given that SWIFT was responsible for the disclosures, not the banks, the issues of the purpose for the disclosures and the lack of consent are dealt with in the Commissioner-initiated complaint against SWIFT in the Report of Findings.

Accordingly, she concluded that the complaints were not well-founded.

The Assistant Commissioner concluded her remarks by noting that Canada must respect the legal frameworks of other countries. The Act cannot prevent foreign authorities from lawfully accessing the personal information of Canadians held by organizations within their jurisdiction. Likewise, the Actcannot force Canadian companies to stop outsourcing to foreign-based service providers (or service providers that operate in several jurisdictions). What the Act does demand is that organizations be transparent about their personal information handling practices and protect customer personal information in the hands of third-party service providers to the extent possible by contractual or other means. In these cases, such requirements have been met.