The Canadian Privacy Law Blog: Developments in privacy law and writings of a Canadian privacy lawyer, containing information related to the Personal Information Protection and Electronic Documents Act (aka PIPEDA) and other Canadian and international laws.
The author of this blog, David T.S. Fraser, is a Canadian privacy lawyer who practices with the firm of McInnes Cooper. He is the author of the Physicians' Privacy Manual. He has a national and international practice advising corporations and individuals on matters related to Canadian privacy laws.
Tuesday, October 03, 2006
The Office of the Belgian Privacy Commissioner has released its report into the subpoena of large quantities of transactional data from the inter-bank SWIFT system: here.
On the basis of her general investigation, the Commission is of the opinion that
- The DPL is applicable to the exchange of data via the SWIFTNet FIN service;
- SWIFT and the financial institutions bear joint responsibility in light of the DPL for the processing of personal data via the SWIFTNet FIN service;
- SWIFT is a data controller of the personal data which are processed via the SWIFTNet FIN service;
- The financial institutions are data controllers as they co-determine the objective and the means to perform payment instructions in the inter-bank traffic. The financial institutions in particular, at an inter-bank level, choose to process financial messages with regard to these payment messages via the SWIFTNet FIN service;
- As far as the normal processing of personal data in the framework of the SWIFTNet FIN service is concerned, SWIFT should have complied with its obligations under the DPL, amongst which, the duty to provide information, the notification of the processing and the obligation to provide an appropriate level of protection conform to articles 21 § 2 of the DPL;
- As far as the communication of personal data to the UST is concerned, the Commission is of the opinion that SWIFT finds itself in a conflict situation between American and European law and that SWIFT at the least committed a number of errors of judgement when dealing with the American subpoenas. It must be considered a serious error of judgement on the part of SWIFT to subject a massive quantity of personal data to surveillance in a secret and systematic manner for years without effective grounds for justification and without independent control in accordance with Belgian and European law;
- In this context SWIFT should from the beginning have been aware that, apart from the application of American law, also the fundamental principles under European law must be complied with, such as the principle of proportionality, the limited storage period, the principle of transparency, the requirement for independent control and the requirement for an appropriate level of protection. These requirements are indeed formulated in the second paragraph of article 8 of the ECHR, Treaty no. 108, the Directive 95/46/EC and the DPL and are applicable to SWIFT. The Commission also refers to the international precedent in the PNR-case. The authorities competent in data protection (the Commission, its peers and the European Commission) should have been informed from the beginning, which would have made it possible to work out a solution at European level for the communication of personal data to the UST, with respect for the above-mentioned principles which apply under European law. For this purpose, the Belgian government could have been asked for an initiative at European level.
Considering the complexity of the issue and its importance, the Commission remains available to issue further guidance.
The administrator, (sign.) Jo BARET
In the absence of the President, the Vice-President, (sign.) Willem Debeuckelaere
For some background: Canadian Privacy Law Blog: US reviews international financial database, Canadian Privacy Law Blog: Privacy Commissioner launches investigation of SWIFT disclosures.
The Canadian Privacy Law Blog is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 2.5 Canada License.