I thought this might be a good opportunity to remind people that Canada has bank secrecy laws too. Remember PIPEDA.
From the privacy commissioner
http://www.priv.gc.ca/information/02_05_d_08_e.asp
PIPEDA requires private-sector organizations to collect, use or disclose your personal information by fair and lawful means, with your consent, and only for purposes that are stated and reasonable.
They’re also obliged to protect your personal information through appropriate security measures, and to destroy it when it’s no longer needed for the original purposes.
You have the right to expect the personal information the organization holds about you to be accurate, complete and up-to-date. That means you have a right to see it, and to ask for corrections if they got it wrong.
If you think an organization covered by PIPEDA is not living up to its obligations, you should try to address your concerns directly with the organization. If that doesn’t work, you have the option of lodging a complaint with the Privacy Commissioner.
PIPEDA applies to the personal information collected, used or disclosed by organizations engaged in commercial activities, from banks and retail outlets to airlines, communications companies and law firms. It applies equally to small and big businesses, whether they operate out of an actual building or only online. The law, which has been fully in force since 2004, applies to private enterprises across Canada.
There are exceptions: Many private enterprises operating within British Columbia, Alberta and Quebec are covered not by PIPEDA but by similar provincial statutes.
But, even in those provinces, PIPEDA applies to organizations under federal jurisdiction, such as companies involved in banking, transportation, broadcasting or telecommunications. For those businesses, PIPEDA also applies to the personal information of employees.
Another law, called the Privacy Act, protects the privacy of your dealings with federal government departments, agencies and Crown corporations
I think that the key provision in PIPEDA is this one:
4.3.3 An organization shall not, as a condition of the supply of a product or service, require an individual to consent to the collection, use, or disclosure of information beyond that required to fulfil the explicitly specified, and legitimate purposes.
If your citizenship status is not “required to fufill” the transaction then they can’t collect of disclose it. I cant imagine that US regulation could satisify the “reguired” condition but I am sure that the banks will argue otherwise. It may be up to the courts to decide.
The BC “Personal Information Protection Act” has a similar regulation:
7(2) An organization must not, as a condition of supplying a product or service, require an individual to consent to the collection, use or disclosure of personal information beyond what is necessary to provide the product or service.
Other provinces may have similar rules, I have not researched those.