Bank’s notification to customers triggers PATRIOT Act concerns

The Office of the Privacy Commissioner of Canada has released a case summary regarding a number of complaints it had received after CIBC notified its VISA cardholders that it utilizes a service provider located in the United States and that there is therefore the possibility that U.S. law enforcement or regulatory agencies might be able to obtain access to Canadian cardholders’ personal information under U.S. law.

While the Privacy Commissioner of Canada has gone on record stating that the privacy implications of anti-terrorism legislation and outsourcing need to be the focus of continued public debate, the Assistant Privacy Commissioner stated that the central issue of these complaints was whether the bank acted in accordance with its obligations under the Personal Information Protection and Electronic Documents Act (the Act) – the finding of the Assistant Privacy Commissioner was that CIBC was in fact meeting its obligations under PIPEDA.