INTERNATIONAL AFFAIRS - LOOKING GLASS NEWS | |
U.S. access to data a concern |
|
by David Canton The London Free Press Entered into the database on Saturday, November 26th, 2005 @ 18:55:13 MST |
|
The ability of the United States government to gain access to Canadians'
personal information that is in the hands of U.S. service providers has been
an issue for some time. The Canadian privacy commissioner addressed this issue in a recent ruling.
The commissioner received complaints after the Canadian Imperial Bank of Commerce
sent notice to its Visa customers in the fall of 2004, amending its cardholder
agreement. The notice referred to the use of a service provider located in the U.S. and
the possibility that U.S. agencies might be able to obtain access to Canadian
cardholders' personal information under U.S. law. The commissioner found CIBC met its privacy obligations under the Personal
Information Protection and Electronic Documents Act (PIPEDA), both for the way
it did the outsourcing and the way it notified its customers. Since the passage of the Patriot Act by the United States, the possibility
of U.S. authorities accessing Canadians' personal information has been at issue.
Some argue this concern is overblown. In any event, the ability of the U.S. or any other government to access information
on Canadians, especially without a warrant or without advising the individual,
is understandably of concern. The risk of personal information being disclosed to government authorities
is not unique to the U.S. Since Sept. 11, 2001, PIPEDA has been amended, despite
objections from the privacy commissioner. Amendments to PIPEDA permit organizations to collect and use personal information
without consent for the purpose of disclosing this information to government
institutions, if the information relates to national security, the defence of
Canada or the conduct of international affairs. The privacy commissioner stated in the finding that PIPEDA "cannot prevent
U.S. authorities from lawfully accessing the personal information of Canadians
held by organizations in Canada or in the United States, nor can it force Canadian
companies to stop outsourcing to foreign-based service providers. "What the act does demand is that organizations be transparent about their
personal information handling practices and protect customer personal information
in the hands of foreign-based third-party service providers to the extent possible
by contractual means." If a U.S.-based service provider is faced with choosing between contractual
provisions that say it can't disclose and a U.S. government demand to disclose
-- it will choose disclosure. While it is not an explicit requirement of PIPEDA, the commissioner ssaid Canadian
companies must notify clients if their personal information will be processed
in the U.S., along with a statement that U.S. law enforcement may be able to
access it. That is a troubling concept for business. Many businesses will feel giving such a notice changes nothing and overstates
the issue to customers. This is a complex issue from many perspectives and it will be debated during
the 2006 PIPEDA review. |