Appearance before the Standing Senate Committee on Banking, Trade and Commerce to examine and report on the potential benefits and challenges of open banking for Canadian financial services consumers, with specific focus on the federal government’s regulatory role
February 21, 2019
Opening Statement by Gregory Smolynec
Deputy Commissioner, Policy and Promotion
(Check against delivery)
Good afternoon Chair. Thank you for the invitation.
I am joined today by Arun Bauri, the OPC’s lead analyst on Open Banking.
Advocates note that there are many benefits to Open Banking for consumers and businesses. These include access to new products and services, and increased competition and entry to the market for small businesses such as we see in the financial technology (FinTech) sector.
As Commissioner Therrien stated before this Committee last May in the context of Division 16 of Bill C-74, while advancements in new technologies and innovation are indeed desirable and can provide many benefits to Canadians, these objectives must be pursued concurrently with robust protections for human rights, including privacy.
In his submission to ISED on its National Digital and Data Consultations, Commissioner Therrien highlighted how recent events have shed light on the manner in which personal information can be manipulated and used in unintended ways. These events should serve as a cautionary tale on the need to have strong regulatory frameworks in place prior to operationalizing “disruptive” ways of leveraging data.
The OPC recommends that Open Banking in Canada be built upon a foundation that includes respect for privacy and other fundamental rights at its core.
There are examples of frameworks for Open Banking, such as in Europe where the Second Payment Services Directive, or PSD2, and the General Data Protection Regulation (GDPR) govern the manner in which Open Banking operates. Consent is a fundamental component of the GDPR and we recommend that meaningful, express consent form part of any Canadian framework governing Open Banking.
PIPEDA allows for different forms of consent, namely express or implied. Where personal information is considered sensitive, express consent is required. Financial information has been held by the Supreme Court of Canada to generally be extremely sensitive. Therefore, we would expect that financial institutions and FinTechs generally obtain express consent from their customers.
The OPC released guidelines for consent, which took effect this past January. These guidelines include key elements that should be emphasized by organizations in order for individuals to meaningfully understand what they are consenting to. These include:
- the nature of the personal information being collected;
- the parties to whom personal information is being disclosed;
- the purposes for which personal information is collected, used or disclosed; and
- the risk of harm and other consequences for the individual.
To ensure consistent ground rules for Open Banking, we recommend the development of standards, including technical and privacy standards. We have seen this in Australia, where a data standards body has been established with necessary experience and expertise.
Our office would be pleased to provide privacy expertise to support the development of Canadian standards, which would be consistent with the role of our Australian counterpart.
We have seen a variety of approaches to Open Banking in other jurisdictions. For example, in most jurisdictions new players require prior authorization to participate in the Open Banking ecosystem. Approved firms must be registered and carry professional insurance.
We support such a model, and recommend that, should Open Banking be implemented in Canada, companies be accredited or licensed before being authorized to participate.
Accountability for Privacy
To ensure privacy risks associated with the collection, use and disclosure of sensitive financial information in the Open Banking context are appropriately managed, we recommend that financial institutions and FinTechs be required to document an analysis of privacy risks associated with their activities and the manner in which these risks will be mitigated. There needs to be an auditable record of such a risk assessment so that a regulator, such as the OPC, would be able to access that record.
The requirement to conduct a Privacy Impact Assessment already exists for federal government institutions, and under the GDPR for situations, particularly those involving new technologies, which are likely to result in a high risk to rights and freedoms.
We believe that modernized privacy laws are a necessary pre-condition to a concept like Open Banking. For the digital economy to flourish, Canadians must trust in businesses and government to innovate with their personal data. To build this trust there needs to be an appropriate legal framework in place.
In this context, the OPC needs stronger enforcement powers under amended privacy law, including the power to make orders, impose fines for non-compliance with the law, as well as the right to independently verify compliance, without grounds, to ensure organizations are truly accountable for protecting personal information.
Changes in financial policy and legislation require concurrent updating of Canada’s privacy legislation to ensure that consumers and their data are not just viewed as a commodity or raw material from which data can be extracted.
While there is merit in privacy laws continuing to be principles-based and technologically neutral, they should also incorporate enforceable rights for individuals. Privacy is a necessary precondition for the protection of fundamental rights and values in Canada, including those pertaining to liberty, equality, dignity and human rights, and our laws should reflect this.
We need to reform our privacy legislation to make it fit for purpose to ensure that the privacy of Canadians is protected as technologies and the economy change.
Thank you and I look forward to your questions.