Appearance before the Standing Senate Committee on Banking, Trade and Commerce on Division 16 of Part 6 of Bill C-74, the Budget Implementation Act, 2018, No.1

May 22, 2018
Ottawa, Ontario

Opening Statement by Daniel Therrien
Privacy Commissioner of Canada

(Check against delivery)

---

Introduction

Good afternoon Honourable Senators.

Thank you for the opportunity to present my views in relation to Division 16 of Bill C-74, the Budget Implementation Act.

“FinTechs” and Privacy

The amendments proposed in Division 16 of C-74 remove current impediments in the law in order to facilitate business relationships and engagement between federally regulated financial institutions and financial technology organizations (or “FinTechs”). Currently, as I understand it, financial institutions can only deal with organizations that are engaged in primarily financial activities.

Any company that commercializes emerging financial technologies may be considered a FinTech. It is a broad category that could include payment processing services, online lenders, and possibly even large technology firms such as Amazon and Google.

FinTechs may not be regulated in the financial sector, but Canada's private sector privacy law (PIPEDA) applies to all organizations that collect, use, and disclose personal information in the course of a commercial activity. This includes FinTechs and financial institutions.

It is our understanding that the intended effect of these amendments is to offer new flexibilities for the financial sector and its customers to take advantage of emerging technologies. However, it also broadens the types of organizations who may receive personal information from financial institutions.

While advancements in new technologies and innovation is indeed desirable and could provide many benefits to Canadians, these objectives must be balanced with robust privacy protections. Innovation and privacy should be pursued concurrently. Whether Bill C-74 achieves this will depend largely on how PIPEDA is applied by organizations, and perhaps in part on the content, yet unknown, of regulations that the government has announced.

I have not been consulted by the government on the details of these amendments and therefore it is difficult for me to say whether the right balance has been reached. At this point, with the information I have, I would say the government's efforts have been directed towards innovation without ensuring that privacy is adequately considered.

Consent

Canadians are concerned about how their personal information is handled. Consent is central to personal autonomy and is at the heart of PIPEDA. Financial institutions and FinTechs are required by PIPEDA to obtain valid and meaningful consent from their customers in order to collect, use, or disclose personal information.

Under the law, consent is only valid when an individual understands the nature, purpose and consequences of what they are consenting to.

PIPEDA allows for different forms of consent, namely express or implied. Where personal information is considered sensitive, express consent is required. Financial information has been held by the Supreme Court of Canada to generally be extremely sensitive. Therefore, we would expect that financial institutions and FinTechs generally obtain express consent from their customers.

There has been a great deal of discussion about challenges to the consent model as a form of privacy protection. Privacy policies of organizations and the contracts they present to consumers for signature are notoriously long, complex and extremely difficult to understand. Over the past several years, my Office has set out to identify improvements to the current consent model. As a result of this work, we are in the process of finalizing our Guidelines for Consent, which will be released very soon and will come into effect in January 2019. These guidelines will set out practical and actionable guidance regarding what organizations should do to ensure they obtain meaningful consent. For example, organizations must put additional emphasis on the following key elements:

1. Identify what personal information is being, or may be, collected about individuals;
2. Clearly explain any disclosures of personal information to third parties, including the types of information being shared, and be as specific as possible in naming these third parties. For financial institutions, third parties would include FinTechs;
3. Make individuals aware of the purposes for collection, use or disclosure in meaningful language, and in particular, highlighting any purposes that would not be obvious to the individual and/or reasonably expected based on the context (such as, big data analytics, profiling, or any activities unrelated to the financial service the customer seeks); and,
4. Make individuals aware of meaningful risks of significant harm, or other consequences.

If the financial sector obtains express consent, informed as recommended in our guidelines, a reasonable level of privacy protection will be achieved. However, I have reason to believe that financial institutions and FinTechs may wish to proceed otherwiseand, under current law, I do not have the authority to require organizations to apply what I would argue are reasonable measures. It will take several years for concerned consumers to have their rights upheld by the courts.

I am therefore concerned about the changes in this Bill. The most direct way to rebalance this legislation would be to confer to my office the authority to order the financial sector to obtain explicit and truly informed consent.

Safeguards

Further to this, privacy law also requires organizations to implement a comprehensive, overarching security framework to prevent and protect against unauthorized breaches of personal information.

While financial institutions do a reasonable job of protecting the personal information under their control, emerging FinTechs need to pay careful attention to their obligations under PIPEDA as it pertains to safeguards, and the new breach reporting requirements to come into effect this November. All of these elements play a key role in protecting personal information held by the financial sector.

Concluding Remarks

Effective privacy protection is central to consumers’ confidence and trust in emerging technologies. Any personal information transfers that would be facilitated as a result of the amendments in Bill C‑74 need to be considered with all privacy obligations in mind, with the way in which organizations will apply them, and with any rules in upcoming regulations that may impact on privacy.

For the moment, I do not have reasonable assurance that the right balance has been reached or that Privacy by Design principles have been considered in the development of this legislation.

Thank you Chair and members of the Committee I look forward to your questions.