Privacy Commissioner of Canada v. SWIFT
Report of Findings

April 2, 2007

---

Complaint

1. On June 23, 2006, an article appeared in the New York Times (and in other media outlets), alleging that the United States Treasury used administrative subpoenas to access tens of thousands of records from SWIFT SCRL (Society for Worldwide Interbank Financial Telecommunication).

2. On August 11, 2006, I initiated a complaint against SWIFT, pursuant to subsection 11(2) of the Personal Information Protection and Electronic Documents Act (the Act). It is alleged that SWIFT inappropriately disclosed personal information originating from or transferred to Canadian financial institutions to the US Department of the Treasury (UST).

Summary of Investigation

3. SWIFT is the financial industry-owned co-operative supplying secure, standardized messaging services and software to over 7,900 financial institutions in more than 200 countries. SWIFT is solely a messaging intermediary for transmitting secure and confidential financial messages on behalf of, and between, financial institutions. It is not a bank, nor does it hold accounts or assets of any customers of any financial institution.

The Governance of SWIFT

4. SWIFT has existed as a cooperative society governed by Belgian law since 1973. It is owned and controlled by financial institutions that are its members and customers, including Canadian financial institutions. It is headquartered in La Hulpe, Belgium and has established sales offices in the main financial centres of the world. There is no sales office in Canada. SWIFT has two operating centres – one in Europe and the other in the United States. Each operating centre acts as an active backup to the other. SWIFT states that the decision to select an operating centre in the United States was driven by security requirements.

5. With respect to oversight, SWIFT’s website states:

While SWIFT is neither a payment nor a settlement system and, as such, is not regulated by central banks or bank supervisors, a large number of systemically important payment systems have become dependent on SWIFT, which has thus acquired a systemic character... . Because of this, the central banks of the Group of Ten countries (G-10) agreed that SWIFT should be subject to cooperative oversight by central banks. Overseers review SWIFT’s identification and mitigation of operational risks, and may also review legal risks, transparency of arrangements and customer access policies.

6. The National Bank of Belgium is lead overseer, and has a memorandum of understanding with each of the other cooperating G-10 banks (including the Bank of Canada). Canadian banks contract with SWIFT SCRL.

7. As a cooperative society under Belgian law, SWIFT’s shareholders own and control it. There are in total fourteen Canadian financial institutions that are shareholder members. Collectively, they form a National (SWIFT) Member’s group, which meets periodically and serves an advisory role to the Board of Directors of SWIFT. The shareholders also provide some specialized payment clearance and settlement services, through SWIFT, to other Canadian banks and financial institutions. The banks are part of the SWIFT User group, which also meets periodically with SWIFT members to discuss business issues related to the use of SWIFT services. There are 63 Canadian institutional SWIFT users.

8. SWIFT members in each country have the right to nominate a certain number of Directors to the Board, based on the proportionate number of shares held by the shareholders of the country. The 14 Canadian shareholder members of SWIFT propose one Director for election.

SWIFT’s services

9. SWIFT was founded to replace the telex with a fast, secure, automated, and universal means of sending cross-border financial messages between financial institutions. The key elements of SWIFT are (i) its community of financial institutions, (ii) its standard-setting capability and (iii) its secure, reliable messaging infrastructure.

10. SWIFT’s customers are financial institutions and other organizations in the financial markets, such as brokers/dealers, fund managers, and other large corporate groups. Individuals do not have access to SWIFT services. SWIFT’s focus, as a messaging intermediary, is wholesale financial transactions. With respect to the role played by Canadian financial institutions in this matter, it is worth noting that this Office received a complaint against Canada’s six largest banks, all of which are SWIFT shareholder members.

11. According to SWIFT’s 2005 Annual Report, Canada ranked 17th out of the top 25 users of SWIFT services, with a volume of 34,330,000 messages. This represents 1.4 per cent of the total volume of messages transmitted through the SWIFT system.

12. The core service provided by SWIFT is called “SWIFTNet FIN,” which is a store-and-forward messaging service. According to SWIFT, this is the only SWIFT service relevant to this complaint. The SWIFTNet FIN service is typically used by financial institutions and their market infrastructures to send messages to effect cross-border payments, securities clearing and settlement, treasury and trade services.

13. A SWIFT user purchases the capability of transferring sets of financial messages consistent with its business needs. A fully subscribed SWIFT user could potentially transmit approximately 230 different messages, grouped into the following ten categories of messages:

Category 1 - Customer Payments and Cheques
Category 2 – Financial Institution Transfers
Category 3 – Treasury Markets – Foreign Exchange, Money Markets and Derivatives
Category 4 – Collections and Cash Letters
Category 5 – Securities Markets
Category 6 – Precious Metals and Syndications
Category 7 – Documentary Credits & Guarantees
Category 8 – Travellers Cheques
Category 9 – Cash Management & Customer Status
Category 0 – System Messages

14. SWIFT messages are generally used to conduct corporate activity. However, a Category 1 message would be the most likely message type to contain personal information, as would Category 4. Customer Payments and Cheques messages (Category 1) include foreign exchange transfers, and they may contain the personal information of the sender and receiver of the foreign exchange. Collections and Cash Letters (Category 4) may also contain personally identifying information, where, for instance, the financial transaction involves a cheque written on a foreign bank account. The personal information in question could include the name, address, account number, amount of transfer and financial institutions involved.

15. SWIFT does not collect or hold any personal information involving paper-based Canadian payments systems (mostly cheques) and small value electronic payment systems, such as debit card or automated banking machine transactions, and pre-authorized debits and credits. SWIFT does not collect or hold any information about credit card transactions. In the case of most large value domestic transactions processed over SWIFT’s system, there is only corporate information.

16. The messages are retained for a certain period of time which, while confidential, was explained to my Office and is, in my opinion, a justified length of time considering the business process the messages are a part of. Users require tokens and passwords to retrieve and decrypt messages retained by SWIFT.

17. All SWIFT users are subject to standard contractual obligations regarding security and confidentiality which do not distinguish between “personal” and other types of information. All transactions over the SWIFT network are treated by SWIFT in the same fashion.

18. All SWIFT users are bound by the “General Terms and Conditions,” a thirteen page document that forms part of the user’s contractual obligations. Section 4.5.3 of this document sets out the user’s “Data Protection Obligations.” It states, in part (note: the “Customer” is the financial institution):

If the Customer (i.e. the SWIFT user) is the first data controller as the original collector of such personal data, the Customer must ensure that such personal data is collected and supplied in accordance with all relevant laws and regulations and without infringing any third-party rights so as to permit SWIFT to process such personal data as set out in this clause.

. . . the Customer is reminded that it must ensure that such personal data has been collected for these purposes in compliance with all applicable privacy and data protection legislation and without infringing any third party rights.

19. Section 4.5.4 states:

The Customer agrees that it must ensure that confidentiality, integrity and availability of data (such as traffic, message and configuration data) are maintained at all times on its SWIFT systems and that segment of its SWIFT connection under its responsibility. In particular, the customer must ensure that only authorized personnel have physical and logical access to their SWIFT systems and connection, must install state-of-the-art virus scanning software and must operate backup procedures and handle backup media according to security practices no less secure than those applied to their SWIFT systems and connection.

SWIFT’s Data Retrieval Policy

20. SWIFT provided the Office with a copy of its Data Retrieval Policy, which it supplies to its customers. It is an adjunct to the SWIFT General Terms and Conditions document, and forms an integral part of the contractual agreement between a customer and SWIFT.

21. Section 3.2 of the Policy deals with a “Mandatory Request.” It states:

If a court or other competent regulatory, supervisory or governmental authority requests SWIFT to retrieve, use or disclose traffic or message data, SWIFT reviews and assesses such requests as per documented procedures.

For the avoidance of any doubt, nothing in this policy or, more generally, SWIFT’s obligations of confidence to customers, shall be construed as preventing SWIFT from retrieving, using, or disclosing traffic or message data as reasonably necessary to comply with a bona fide subpoena or other lawful process by a court or other competent authority.

22. Section 5.1 of the Policy states:

The laws and regulations of some countries or third party rights may apply to the retrieval, use and disclosure of traffic or message data pursuant to this policy, such as, but not limited to, laws and regulations relating to privacy, data protection and banking secrecy, or other customers’ arrangements.

23. Customers requesting SWIFT to retrieve traffic or message data must confirm to SWIFT that they have the necessary capacity and authority to allow SWIFT to retrieve, use and, as the case may be, disclose traffic or message data, and that this complies with all applicable laws and regulations and third party rights.

The subpoenas

24. SWIFT confirms that it has been disclosing data to the US government in response to subpoenas issued by the US Department of the Treasury (UST) since shortly after the attacks of 9/11. It also confirms that personal information originating from or transferred to Canadian financial institutions was likely included in the data handed over to the UST. It states that it transferred certain financial message data located in its US-based operating centre in compliance with subpoenas issued by the Office of Foreign Assets Control (OFAC) of the UST. SWIFT states that, as of December 2006, a total of 65 subpoenas have been issued to SWIFT by OFAC.

25. SWIFT states that it ensured that these subpoenas were valid and that SWIFT was required to comply with them. The subpoenas directed at SWIFT are issued under the authority of the US President and the US Congress, and are lawful and compulsory under US law. US law provides for civil and criminal penalties, including fines, imprisonment, or both, for failure to comply with the subpoenas served on SWIFT.

26. OFAC is an executive agency under the US President that administers US sanctions programs with respect to terrorist financing. OFAC is authorized by US law (i.e. adopted by Congress) to issue subpoenas in order to investigate, among other things, whether an individual or organization should be designated as a terrorist or supporter of terrorism and whether a sanctions program has been violated.

27. The subpoenas in question were issued under two sanctions programs related to terrorist financing: the Global Terrorism Sanctions Regulations and the Terrorism Sanctions Regulations. Each of these regulations independently authorizes the subpoenas directed at SWIFT.

28. Both of these regulations are authorized by two statutes enacted by the US Congress: the International Emergency Economic Powers Act (IEEPA)^{Footnote 1} and section 5 of the United Nations Participation Act (UNPA)^{Footnote 2}. The IEEPA authorizes the US President to investigate, regulate and prohibit certain financial transactions during a national emergency. Section 5 of the UNPA gives the US President broad powers to implement resolutions at the United Nations Security Council.

29. According to SWIFT, it acted in full compliance with SWIFT’s statement on compliance, Data Retrieval Policy, and contractual arrangements with its users. Under section 4.3 of the Data Retrieval Policy, SWIFT undertakes to notify the authority concerned of the confidential nature of the data and to request that such authority preserve the confidentiality of the data.

30. SWIFT stresses that the subpoenas did not provide the UST with a right of access to the SWIFT system or SWIFT’s US-based operating centre. Rather, the UST subpoenas issued to SWIFT demanded only a limited set of data relevant to terrorism investigations, and the data could only be used for this exclusive purpose.

31. Senior SWIFT officials were informed of the subpoenas. Its Board of Directors was advised by external US and EU legal counsel that the subpoenas were valid and had been correctly served, and that SWIFT had three options:

1. comply with the subpoenas (without obtaining any privacy protections);
2. refuse to comply and risk that the UST would enforce the subpoenas via a court action (which would have most likely resulted in SWIFT losing any ability to obtain privacy protections); or
3. choose to negotiate with the UST to obtain the best level of privacy protection.

32. Faced with these choices, SWIFT negotiated and obtained a series of privacy protections with respect to the data it transferred to the UST pursuant to the subpoenas. Under an agreement with the UST, SWIFT obtained the following privacy protections:

1. The information is to be solely related to terrorism investigations and cannot be used for any other purpose.
2. Limited sets of messages are given (such messages may be relevant to a terrorism investigation; messages may be from anywhere, not simply a particular country).
3. The data remains under SWIFT’s indirect control.
4. The data is protected and kept confidential.
5. SWIFT has a right to monitor and audit the UST compliance with the negotiated arrangement.

33. SWIFT provided my Office with access to detailed and confidential documents that formalized privacy protections obtained by SWIFT since the fall of 2001, and outlined additional protections negotiated over time.

34. SWIFT denied that it had allowed the UST to have access to its full database and stated that it has only ever transferred information pursuant to the subpoenas in accordance with the agreement between it and the UST.

35. Based on the information presented to us, I am of the opinion that SWIFT did indeed ensure that the UST abided by the protections negotiated by SWIFT.

36. According to SWIFT, it was not aware of any collaboration with Canadian government authorities with respect to the issuance of the subpoenas. SWIFT stated that it is aware that information gleaned from the searches has been shared with other authorities – with the caveat that SWIFT was never to be revealed as the source of the data.

Issues

37. There are two key issues to address in this complaint: does the Personal Information Protection and Electronic Documents Act (the Act)apply to SWIFT’s collection, use and disclosure of personal information in the course of its operations in Canada; and was the personal information collected by SWIFT from Canadian financial institutions disclosed to US authorities in accordance with the Act?

Application

38. In answering these questions, we applied paragraph 4(1)(a), Principle 4.3, paragraph 7(3)(c), and subsection 5(3). Paragraph 4(1)(a) states that (Part 1 of the Act) applies to every organization in respect of personal information that the organization collects, uses or discloses in the course of commercial activities.

39. Principle 4.3 states that the knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate. Under paragraph 7(3)(c), an organization may disclose personal information without the knowledge or consent of the individual only if the disclosure is required to comply with a subpoena or warrant issued or an order made by a court, person or body with jurisdiction to compel the production of information, or to comply with rules of court relating to the production of records. Under subsection 5(3), an organization may collect, use, or disclose personal information only for purposes that a reasonable person would consider are appropriate in the circumstances.

Findings

40. I would like to begin by noting that SWIFT’s activities have been scrutinized by other data protection commissioners around the world. From the opinions that have been released publicly, we know that some of these commissioners have concluded that SWIFT’s disclosure of personal information to the UST was in contravention of their data protection law(s). I should stress, however, that the case before me must be considered in accordance with the application of Canadian law and that we cannot automatically jump to any conclusions based on decisions made under foreign laws. That being said, it is important to note the common thread running through these foreign decisions, namely, the importance of, and need for, adhering to relevant legislation that protects personal information.^{Footnote 3}

41. The first question for me to address is that of the Act’s application. SWIFT operates in Canada. It collects personal information from and discloses it to Canadian banks as part of a commercial activity; SWIFT charges a fee to the banks for providing this service; 14 of its shareholders are Canadian; and one of its Directors is from a Canadian bank. While it is true that SWIFT’s operations in Canada make up only a small percentage of the organization’s total global business operations, the reality is that SWIFT has a significant presence in Canada. The vast majority of international transfers involving personal information flowing to or from Canadian financial institutions use the SWIFT network, which is an integral part of the Canadian financial system.

42. On this basis, I am satisfied that SWIFT is engaged in a commercial activity within Canada, as per paragraph 4(1)(a) of the Act. SWIFT’s presence in Canada is real and substantial, and it must therefore abide by Canadian laws, such as the Act, that provide rules applicable to the activities undertaken by SWIFT in Canada.

43. Having concluded that the Act applies to the operations of SWIFT in Canada, I will now turn to the question of whether SWIFT’s transfers of personal information were in compliance with the Act.

44. As part of SWIFT’s business operations, it backs up all of its data on several databases, one of which is in the United States. Generally, the Act does not prohibit an organization that operates in Canada from storing that information outside the country if it otherwise abides by the Act’s requirements. Based on the submissions and evidence provided by SWIFT, it is clear that maintaining the backup databases outside of Canada achieves legitimate business needs.

45. The issue then centres on what effect, if any, the Act has in relation to an organization that operates in Canada and in other countries at the same time. SWIFT maintains that it responded to a legitimate subpoena issued in a country in which SWIFT operates. If it had failed to respond, it would have been in violation of that country’s legitimate exercise of lawful authority and SWIFT would have been subject to any and all applicable penalties.  I noted the efforts undertaken by SWIFT to ensure that the subpoenas were valid and legally enforceable, and I am satisfied that SWIFT ensured that failing to comply with the subpoena was not a feasible option.

46. While I do not hesitate to conclude that the Act governs SWIFT’s actions as they pertain to what SWIFT does with the personal information it collects, uses and discloses in Canada, it is clear that the Act allows for an organization such as SWIFT to be able to abide by the legitimate laws of the other countries in which it operates. This, therefore, brings me to an interpretation of the Act that recognizes that some organizations operate in more than one jurisdiction.

47. Paragraph 7(3)(c) allows an organization to disclose personal information without knowledge or consent in response to a subpoena or warrant issued or an order made by a court, person or body with jurisdiction to compel the production of information. Must a “subpoena or warrant” as contemplated in paragraph 7(3)(c) be issued only by a body within Canada that has the requisite authority? In answering this question, it is important to bear in mind what the Supreme Court of Canada has stated, namely, that it is necessary to take a modern approach to interpreting legislation by reading the words of this section in their entire context, in their grammatical and ordinary sense harmoniously with the scheme of the Act, the object of the Act and the intention of Parliament.^{Footnote 4}

48. Multi-national organizations must comply with the laws of those jurisdictions in which they operate. Thus, while they operate in Canada, they obviously must comply with Canadian law. However, to ask the organization to ignore the legitimate laws of other jurisdictions in which they operate is unrealistic and unworkable. Moreover, it has the potential of being interpreted as an infringement by Canada on that nation’s sovereignty. It is for this reason that, in my opinion, the Act acknowledges that an organization that is subject to the Act and that has legitimately moved personal information outside the country for business reasons may be required at times to disclose it to the legitimate authorities of that country. In this case, I am of the view that paragraph 7(3)(c) operates to allow SWIFT to respond to a valid subpoena issued in the United States.

49. Such an interpretation of the Act provides as much protection over personal information as possible when it comes to organizations that operate both within and outside Canada. For example, while it is permissible for SWIFT in this case to disclose data held in the US to the UST, the Act would still operate to prohibit, for example, the non-consensual disclosure of the personal information held by SWIFT in another country to a data broker or marketing firm operating in that country.

50. Furthermore, in my opinion, SWIFT’s disclosure to the UST was appropriate in the circumstances, as per subsection 5(3). That is, a reasonable person would expect SWIFT to abide by a legitimate subpoena served on it in a jurisdiction in which it operates.

51. Moreover, I am mindful that individuals using a Canadian financial institution to perform an international transaction can easily inform themselves by reviewing the privacy policy of a bank that uses the SWIFT system that their personal information may be transferred to a third party (such as SWIFT). The privacy policy will also indicate that personal information may be located outside of Canada. As indicated in a finding issued by our Office in 2005 that centred on a financial institution’s outsourcing to a third party processor that solely operated in the United States (Case Summary 313), “?while customer personal information is in the hands of a foreign third-party service provider, it is subject to the laws of that country and no contract or contractual provision can override those laws.” I am of the view that the same is true for an organization that is operating both within and outside of Canada, such as SWIFT.

Conclusion

52. Accordingly, I conclude that SWIFT’s actions did not contravene the Personal Information Protection and Electronic Documents Act.

53. Notwithstanding my finding in this matter, I believe it is important to note a few other issues this case has raised.

54. First, I must stress that organizations operating in and connected in a substantial way to Canada are subject to the Act. While organizations can obviously also operate outside the country, if they cross into Canada to collect, use or disclose personal information, they must abide by the Act. Simply because an organization might operate in two or more jurisdictions will not alleviate it of its obligations to comply with Canadian law.

55. Second, this case has given me the opportunity to review how Canada fights terrorism financing, and to explore how the regime in Canada differs from the surveillance techniques chosen by the United States in this particular case. In Canada, there is a specific legislated scheme [the Proceeds of Crime (Money Laundering) and Terrorist Financing Act]that sets out how the government can address the problem of terrorism financing. That legislation is perhaps not without its own problems vis-à-vis privacy protection, but there is at least some notion of transparency, and it specifically requires FINTRAC^{Footnote 5} to ensure the protection of personal information. It works because all large monetary transactions and those of a suspicious nature are reported to FINTRAC, which is an independent agency at arm’s length from law enforcement.

56. FINTRAC has memoranda of understanding (MOUs) with its counterparts in 45 countries, including the Financial Crimes Enforcement Network (FinCEN, the US counterpart). FINTRAC deals exclusively with financial intelligence agencies in foreign jurisdictions, not with police or other legal authorities. Furthermore, FINTRAC and its counterparts exchange only information relating to financial transactions, the information can only be used for agreed upon purposes, and each agency must expressly consent to its information being provided to any third party.

57. I would note also that, as a result of the most recent Parliamentary review of this legislation, my Office has been tasked with reviewing, every two years, the measures FINTRAC has in place to protect information under its control. As a result of what I have learned through this investigation, I am going to ask that the appropriate Canadian officials work with their US counterparts in order to encourage the US government to use its anti-money laundering/anti-terrorism financing regime instead of the subpoena route used in the present case.  If US authorities feel that they need to obtain information about financial transactions that have a Canadian component, they should be encouraged to use existing information-sharing mechanisms that have some degree of transparency and built-in privacy protections. I will be writing to the Minister of Finance to recommend that the Canadian government initiate talks with its US counterparts as soon as possible to discuss making use of, and improving, if necessary, the system currently in place.

58. US authorities can also acquire evidence held in Canada through the use of procedures under the Mutual Legal Assistance Treaties, letters of request, and informal requests for assistance through the Office of International Affairs of the US Department of Justice. There is also cooperation between the US Department of Justice and the Canadian Department of Justice under the US Canada Treaty on Mutual Assistance in Criminal Matters.

59. Finally, I understand that SWIFT has been asked by European officials to consider a better way of achieving its business needs to provide enhanced protection over the personal information held by SWIFT. In this regard, I have learned that SWIFT is actively exploring a range of feasible solutions. For example, I am encouraged by recent news that SWIFT and the United States are working at trying to have SWIFT certified under the European Union-United States Safe Harbour Agreement, which will establish a framework of privacy principles applicable to SWIFT. Moreover, I am told that SWIFT is also working with its member banks worldwide to enhance transparency, where necessary, so that individuals who are making international banking transactions better understand that their personal information may be accessed by foreign governments using valid legal mechanisms to obtain the information. In this regard, I would highlight that in the parallel investigations into the Canadian banks, we have found that they already have adequate notification statements in their privacy policies.

60. While I do not underestimate the obvious and global problem of terrorist financing, we must at the same time be cognizant of exactly what it is we are protecting when we fight terrorists and their financial backers. We are protecting our freedoms and rights – and surely the right to privacy and the reasonable protection of personal information is one of the rights we do not want to diminish in the name of fighting terrorism.

61. The alternate avenues which I have suggested would allow far greater Canadian involvement in the scrutiny of personal information, and would better respect the value we give this fundamental right in our democracy. To echo the comments made by the Article 29 Working Party in its opinion on the SWIFT matter^{Footnote 6}, we must ensure that the fundamental rights and freedoms of the individual are respected, and the right to protection of personal information is one of these fundamental rights and freedoms.

Jennifer Stoddart
Privacy Commissioner of Canada

Footnotes