Follow-up letter to the Standing Senate Committee on Banking, Trade and Commerce on Bill C-74, Budget Implementation Act, 2018, N^o. 1

On May 25, 2018, the Privacy Commissioner of Canada, Daniel Therrien, sent the following letter to the Standing Senate Committee on Banking, Trade and Commerce to provide a brief follow-up to his appearance on May 22, 2018 before the Committee with respect to Bill C-74.

May 25, 2018

The Honourable Douglas Black, Q.C.
Chair, Standing Committee on Banking, Trade and Commerce
Senate of Canada
Ottawa, Ontario K1A 0A4

Dear Mr. Chair:

I am writing today as a brief follow-up to my appearance on May 22, 2018 before your committee with respect to Bill C-74, Budget Implementation Act, 2018, No. 1.

During my appearance, I undertook to provide the committee with amendments that could address the concerns I raised regarding the privacy implications of Part 6, Division 16, Subdivision A (Financial Technology Activities) of Bill C-74.

As indicated, I am concerned that Bill C-74 removes the current impediments for federally regulated financial institutions to share personal information with financial technology organizations (FinTechs), without ensuring that parallel legislative measures are also adopted to ensure adequate privacy protection.

My preferred approach to addressing these concerns would be to strengthen the federal Personal Information Protection and Electronic Documents Act (PIPEDA) to ensure that all organizations subject to the Act, not just financial institutions, obtain meaningful consent and that my Office be given adequate powers to ensure that PIPEDA rules are being followed. In this regard, you may wish to see my Office’s Report on Consent in our 2016-17 Annual Report to Parliament^{Footnote 1} as well as the recommendations of the Access to Information, Privacy and Ethics Committee (ETHI) on this issue.^{Footnote 2}

In terms of specific amendments, I would propose enhancing the provisions in PIPEDA that deal with the obligation to obtain meaningful consent and introducing provisions to allow my Office to issue binding orders to organizations that fail to comply with PIPEDA’s requirements. The first potential amendment, dealing with consent, would read:

Section 6.1 of the Personal Information Protection and Electronic Documents Act is replaced by the following:

6.1 For the purposes of clause 4.3 of Schedule 1, the consent of an individual is only valid if it is reasonable to expect that an individual to whom the organization’s activities are directed would understand:

1. the nature of the personal information being collected;
2. the persons to whom the personal information is disclosed;
3. the purposes for which personal information is collected, used or disclosed; and
4. the consequences of the collection, use or disclosure, including any meaningful risk of significant harm to the individual.

This amendment would help ensure that individuals have the necessary information in order to decide whether to consent to the collection, use or disclosure of personal information by organizations, including financial institutions. It would incorporate in the law the central aspects of the consent guidelines issued this week by my Office.^{Footnote 3} Guidelines would continue to provide additional details on our preferred interpretation of the law as it relates to the obligations of organizations regarding the collection, use and disclosure of personal information.

With respect to an order-making power, I offer an initial amendment that would likely need to be augmented by others, such as consequences for non-compliance with orders, sanctions and so forth. This initial amendment could look something like the following:

The Personal Information Protection and Electronic Documents Act is amended by adding the following after section 13:

13.1 If, after investigating a complaint that he did not initiate, the Commissioner finds that the complaint is well-founded, the Commissioner may order an organization to correct its practices in order to comply with Divisions 1 or 1.1.

13.2 (1) Not later than 30 days after being given a copy of an order of the commissioner, the organization concerned must comply with the order unless an application for judicial review of the order is made before that period ends.

(2) If an application for judicial review is made before the end of the period referred to in subsection (1), the order of the commissioner is stayed from the date the application is made until a court orders otherwise.

The idea behind such a change, as I have signalled previously, is to ensure that my Office has the necessary powers to ensure that organizations comply with the Act and that the privacy rights of individuals are respected without having to engage in costly and lengthy litigation.

Thank you once again for the opportunity to share my views and I hope these points are helpful to Committee Members as you conclude your study of Bill C-74.

Sincerely,