Canadian privacy implications of outsourcing to the US

Last fall, the Office of the Privacy Commissioner (Canada) issued a decision regarding a customer complaint against CIBC in respect of its outsourcing of credit card processing services to the United States. The concern was that moving the data to the US would make it accessible to US authorities under the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act, 2001 (USA PATRIOT Act). In the findings portion of the decision, the OPC expressly states that, at the very least, a company in Canada that outsources information processing to the United States should notify its customers that the information may be available to the U.S. government or its agencies under a lawful order made in that country. Consequently, it is submitted that Canadian companies that outsource the processing of personal information to US subcontractors should prominently disclose this fact to their customers and potential customers. Unfortunately, this is not always occurring.