Canadian bank privacy fears
p2p news / p2pnet: "I acknowledge that in the event that a Service Provider is located in the United States, my information may be processed and stored in the United States and that United States governments, courts or law enforcement or regulatory agencies may be able to obtain disclosure of my information through the laws of the United States….
"I acknowledge and agree that the … paragraphs above constitute prior written notice to me of, and my consent to the collection, use and disclosure of my personal information as described above…."
Last fall, CIBC (Canadian Imperial Bank of Commerce) VISA users were told the above conditions applied to them, and Canadian privacy commissioner Jennifer Stoddart says her office has since been receiving complaints from customers worried that their personal information could be open to US authorities “within the context of foreign intelligence gathering”.
Bank customers claimed:
As a condition of service, CIBC was requiring VISA customers to consent to the disclosure of their personal information to U.S. regulatory authorities;
They were being required to share their personal information with a U.S.-based company as a condition of service;
They were being required to consent to overly broad collection practices;
That the CIBC would not allow them to opt-out of having their personal information sent to the third-party service provider; and
The bank was not properly safeguarding their personal information.
Privacy threats, “seem to be multiplying like a bad virus, threatening to overwhelm us,” Stoddart said in her annual report to parliament.
“If there is one central message we want to convey this year, it is that we are not going to allow that to happen. We mean business, and we are counting on the support of all institutions to help us grapple with these issues and preserve and maintain the privacy of the individuals in this country.”
However, Canadian privacy legislation can’t stop US authorities from “lawfully accessing the personal information of Canadians,” she states. And Canadian companies can’t be prevented from outsourcing to foreign firms.
The possibility of US authorities accessing Canadians’ personal information has often been raised since the passage of the USA PATRIOT Act, under which US intelligence and "police surveillance and information collection tools" were expanded, and "procedural hurdles" for US law enforcement agencies minimized, says Stoddart’s official web site.
Over objections from her office, Canada’s Personal Information Protection and Electronic Documents Act has been amended since September 11 to allow organizations to collect and use personal information without consent for the purpose of disclosing this information to government institutions, "if the information relates to national security, the defence of Canada or the conduct of international affairs," she says.
“In addition to these measures, there are longstanding formal bilateral agreements between the U.S. and Canadian government agencies that provide for mutual cooperation and for the exchange of relevant information. These mechanisms are still available.”
But an assistant privacy commissioner concludes customer complaints about the CIBC, "were not well-founded".
"The bank took the appropriate step of being transparent about its practices of using a U.S.-based third-party service provider for processing and about the possible risk that customer personal information might be lawfully accessed by U.S. authorities," but, "She nevertheless encouraged CIBC to review the language of its cardholder agreements to ensure that its customers clearly understand that they do not have the right to opt out of having their personal information processed by a third-party service provider."
See:-
annual report – Surveillance assault in Canada, October 7, 2005
web site – Bank’s notification to customers triggers PATRIOT Act concerns, October, 2005





