The ability of the United States government to gain access to Canadians'
personal information that is in the hands of U.S. service providers has been
an issue for some time.
The Canadian privacy commissioner addressed this issue in a recent ruling.
The commissioner received complaints after the Canadian Imperial Bank of Commerce
sent notice to its Visa customers in the fall of 2004, amending its cardholder
agreement.
The notice referred to the use of a service provider located in the U.S. and
the possibility that U.S. agencies might be able to obtain access to Canadian
cardholders' personal information under U.S. law.
The commissioner found CIBC met its privacy obligations under the Personal
Information Protection and Electronic Documents Act (PIPEDA), both for the way
it did the outsourcing and the way it notified its customers.
Since the passage of the Patriot Act by the United States, the possibility
of U.S. authorities accessing Canadians' personal information has been at issue.
Some argue this concern is overblown.
In any event, the ability of the U.S. or any other government to access information
on Canadians, especially without a warrant or without advising the individual,
is understandably of concern.
The risk of personal information being disclosed to government authorities
is not unique to the U.S. Since Sept. 11, 2001, PIPEDA has been amended, despite
objections from the privacy commissioner.
Amendments to PIPEDA permit organizations to collect and use personal information
without consent for the purpose of disclosing this information to government
institutions, if the information relates to national security, the defence of
Canada or the conduct of international affairs.
The privacy commissioner stated in the finding that PIPEDA "cannot prevent
U.S. authorities from lawfully accessing the personal information of Canadians
held by organizations in Canada or in the United States, nor can it force Canadian
companies to stop outsourcing to foreign-based service providers.
"What the act does demand is that organizations be transparent about their
personal information handling practices and protect customer personal information
in the hands of foreign-based third-party service providers to the extent possible
by contractual means."
If a U.S.-based service provider is faced with choosing between contractual
provisions that say it can't disclose and a U.S. government demand to disclose
-- it will choose disclosure.
While it is not an explicit requirement of PIPEDA, the commissioner said Canadian
companies must notify clients if their personal information will be processed
in the U.S., along with a statement that U.S. law enforcement may be able to
access it.
That is a troubling concept for business.
Many businesses will feel giving such a notice changes nothing and overstates
the issue to customers.
This is a complex issue from many perspectives and it will be debated during
the 2006 PIPEDA review.