Canada’s Financial Consumer Protection Framework Consultation

Submission of the Office of the Privacy Commissioner of Canada to Finance Canada

February 28, 2014

Ms. Jane Pearse
Director, Financial Institutions Division
Financial Sector Policy Branch
Department of Finance Canada
L’Esplanade Laurier
15th Floor, East Tower
140 O’Connor Street
Ottawa, ON K1A 0G5

Dear Ms. Pearse,

Re: Canada’s Financial Consumer Protection Framework Consultation

On December 3^rd 2013, Finance Canada released consultation questions to seek views on strengthening Canada’s financial consumer protection framework.^{Footnote 1}
The Office of the Privacy Commissioner of Canada (OPC) makes this submission as an interested party to the proceedings, pursuant to its legislative mandate^{Footnote 2} to protect the privacy rights of individuals and promote the privacy protections available to Canadians.^{Footnote 3}
Our comments will be limited to those issues that relate to our mandate. Our position is that principles for establishing a comprehensive framework for financial consumer protection should be developed in a manner that recognizes and supports compliance with federal private-sector privacy legislation: The Personal Information Protection and Electronic Documents Act (PIPEDA).
The federal government proposed to develop the comprehensive financial consumer code in its Economic Action Plan 2013 and noted the code’s importance in its Economic Action Plan 2014. We take the position that privacy is a key element of financial consumer protection and can enhance the overall protection of Canadians’ personal financial information.
Our submission consists of the following sections:
- An overview of PIPEDA and an analysis of the current protections under the Act;
- Establishing a comprehensive set of principles for consumer protection;
- Possible enhancements to the existing regime; and
- Continuing the conversation: engagement.

An overview of PIPEDA and an analysis of the current protections under the Act

The OPC’s mandate is to oversee compliance with the Privacy Act, which applies to the personal information management practices of federal government departments and agencies, and the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada’s federal private sector legislation. PIPEDA applies to organizations that collect, use, or disclose individuals’ personal information in the course of commercial activity. It does not apply to those organizations in provinces that are deemed to have substantially similar private sector privacy legislation which, as of the date of this submission, are British Columbia, Alberta and Quebec. Ontario, New Brunswick, and Newfoundland also have substantially similar legislation, but these are limited to the personal health information management practices of health information custodians in their respective jurisdictions.
PIPEDA, however, continues to apply to federal works, undertakings, or businesses (FWUBs) across Canada, including banks listed in Schedule I and II of the Bank Act. In relation to FWUBs, PIPEDA covers both customer and employee personal information. It also continues to apply in instances of interprovincial or international transfers of personal information in the course of commercial activities.
Schedule 1 of PIPEDA^{Footnote 4} provides the framework for collection, use, and disclosure of personal information by those organizations subject to the Act and contains 10 principles related to fair information practices. These principles are based on the Canadian Standards Association Model Code for the Protection of Personal Information (which was originally developed by a group of key stakeholders, including those in the financial sector). The principles guide how organizations subject to PIPEDA must handle personal information, and the law provides individuals with recourse to challenge an organization’s compliance with those principles.
PIPEDA is a technologically neutral law and its application covers the collection, use, or disclosure of personal information in the course of commercial activity regardless of the technology used. In addition, it does not have specific requirements for specific sectors, but rather applies to organizations across industry sectors, including financial institutions.

Establishing a comprehensive set of principles for consumer protection

Canadians are very concerned about their personal information and research commissioned by our Office found that risks to personal financial information were Canadians’ top concern. When asked, what risks to their own privacy concerned them the most, 23% of Canadians cited financial information/bank fraud at the top of the list. An additional 10% of respondents mentioned credit card fraud.”^{Footnote 5}
The protection of Canadians’ personal information, including their personal financial information, is an important element in contemplating broad-based financial consumer protections. In addition, recognizing PIPEDA as a minimum legislative requirement that must be complied with would be necessary to demonstrate a commitment to comprehensive consumer protection.
Traditionally, the largest number of complaints our Office receives from individuals has been against the financial sector. These complaints consist of matters that directly relate to financial information protection. To this extent, our Office has played a key role in the protection of consumer financial information by issuing a number of related findings and audits on matters such as:
- The use and disclosure of personal information, such as disclosure of an individual’s personal information to family members without that individual’s consent^{Footnote 6};
- The accuracy of their personal information, for example, the accuracy of information on credit scores^{Footnote 7};
- Unauthorized access of consumer accounts by employees at financial institutions^{Footnote 8};
- Over-reporting of information by organizations to The Financial Transactions and Reports Analysis Centre of Canada^{Footnote 9}; and
- Undefined retention periods for certain records by The Financial Transactions and Reports Analysis Centre of Canada^{Footnote 10}.
The OPC recognizes the role of international trade and innovation as factors that encourage economic growth. That said, building a competitive advantage requires not only respect for the business-consumer relationship, but also respect for customers’ personal data. Meeting obligations related to information and privacy rights is a catalyst for building trust and, as a result, encourages greater consumer participation in the digital economy.
In the event that the Government adopts a set of principles to govern financial consumer protection, the OPC respectfully recommends that consideration be given to the integral importance of compliance with privacy legislation.
Canada’s economy depends on trade and the flow of information. Given the global nature of economic activity, and advances in technology, privacy issues are an increasingly important component of the broader consumer protection framework. The scope and scale of Canadians’ personal information collected by organizations are vast and the implications of “Big Data”,^{Footnote 11} online behavioural tracking, and cloud computing have led to both opportunities and challenges for organizations.
While innovation can lead to new business models that are intended to benefit consumers and organizations, the challenges that arise from complex technologies and seemingly invisible third parties involved in business transactions also raise privacy concerns (this is particularly true in the evolving payments systems ecosystem).
One method to address these challenges is for organizations to proactively demonstrate a commitment to consumers’ personal financial information by undertaking a privacy impact assessment (PIA). Undertaking a PIA at the beginning of an initiative, the start of a new program, or before implementing new technologies, can help identify potential privacy risks and outline mitigating activities to protect consumers’ personal financial information.
It is important for organizations to build privacy protections for consumers at the outset of new programs or initiatives.^{Footnote 12} Responsible innovation involves developing a robust privacy compliance program, which includes demonstrating accountability and safeguarding consumer information against the increased risks from data breaches.
To this end, the Office of the Privacy Commissioner of Canada (OPC), and the Offices of the Information and Privacy Commissioners (OIPCs) of Alberta and British Columbia have worked together to issue guidance for developing privacy management programs and measures for protecting personal information which can assist financial institutions in meeting their obligations to consumers.^{Footnote 13}
Unclear and ambiguous privacy policies can lead to confusion for individuals and impede the ability of consumers to make informed decisions with respect to their personal financial information. This is especially the case in the online and mobile environments. Both transparency of organizations’ privacy policies and meaningful consent are key privacy principles and requirements under PIPEDA.^{Footnote 14}
Given the importance of personal information in the digital economy and the sensitivity of financial information to Canadians, it is strongly recommended that any new principles for financial consumer protection explicitly reference PIPEDA obligations and the principles found in Schedule 1.

Possible enhancements to existing regime

As a law of general application, PIPEDA applies across industry sectors, is principle-based, and is technologically neutral. These are strengths of Canada’s private-sector privacy framework, and serve an important role in protecting consumer’s financial personal information, especially in the face of emerging technologies and innovation in the technology landscape.
To address today’s issues and those of tomorrow, the existing privacy regime in Canada needs to evolve in order to address the new risks from emerging technologies. As a part of enhancements to overall consumer protection, enhancing privacy rights needs to be addressed.
PIPEDA is in need of some inevitable modernization if it is to effectively protect consumers’ privacy in the context of rapid change in information technologies.
Updating Canada’s federal private-sector privacy legislation would serve to enhance trust, and therefore support innovation, and domestic and international economic activity. This, in turn, would help support improvements to the current financial consumer protection regime for Canadians.
Last year our Office recommended some changes we would like to see in order to modernize PIPEDA,^{Footnote 15} address current and future privacy challenges, and improve Canadians’ trust in the digital economy. Our recommendations included:
- Strengthening enforcement powers;
- Greater transparency and accountability measures; and
- Mandatory breach notification.
We believe such modifications, if made, could provide the necessary incentives to strengthen privacy compliance as an integral part of an enhanced financial consumer protection regime.

Continuing the conversation: engagement

Given the complexity of business models in today’s environment, including those of financial services, the OPC is of the opinion that active engagement of all relevant stakeholders is essential to develop and promote a comprehensive consumer financial protection framework.
For there to be meaningful stakeholder engagement, a successful, longstanding, sustainable code or framework would benefit from the engagement of a wide range of policy makers, as was the case with the Canadian Standards Association Model Code for the Protection of Personal Information, which PIPEDA was based upon.
In keeping with our Office’s public education and outreach mandate under PIPEDA, the OPC has undertaken engagement activities with a wide range of stakeholders in order to promote effective consumer and organizational awareness of privacy rights and obligations.
For example, our Office regularly engages with our provincial and territorial counterparts and has produced joint guidance on cloud computing^{Footnote 16} and mobile applications.^{Footnote 17} In addition, we collaborate with our international counterparts to promote discussion on emerging issues and have participated in the development of international resolutions, such as on international co-operation to strengthen data protection worldwide.^{Footnote 18} The OPC also has a Toronto office, which engages in stakeholder relationship activities with industry groups in the Greater Toronto area.
These activities, as does our Office’s participation in the Financial Consumer Agency of Canada’s (FCAC) Interdepartmental Committee on Financial Literacy, are examples of the OPC’s stakeholder engagement process to promote discourse on privacy for enhanced privacy protections for individuals and consumers.
We encourage you to consider engagement strategies that include privacy stakeholders, including our Office, as key stakeholder groups engaged as part of the overall financial consumer protection framework engagement strategy.

Conclusion

Organizations, including financial services, are engaged in increasingly complex business models where consumers’ personal financial information is used in ways that challenge traditional privacy norms.
As such, the OPC respectfully submits that recognizing privacy and encouraging compliance with relevant obligations are an integral component of a comprehensive consumer financial protection framework.
The OPC would be pleased to discuss these views and the role of privacy in a financial consumer protection framework at the earliest convenience and opportunity.

Sincerely,

Original signed by

Chantal Bernier
Interim Privacy Commissioner of Canada

Footnote 1

Department of Finance Canada, “Canada’s Financial Consumer Protection Framework: Consultation Paper” December 3^rd, 2013.

Return to footnote 1

Footnote 2

Mandate and Mission of the OPC

Return to footnote 2

Footnote 3

Under the Privacy Act (R.S.C., 1985, c. P-21). ; and Personal Information Protection and Electronic Documents Act (S.C. 2000, c. 5).

Return to footnote 3

Footnote 4

Personal Information Protection and Electronic Documents Act (S.C. 2000, c. 5).

Return to footnote 4

Footnote 5

“Survey of Canadians on Privacy-Related Issues: January 2013” Prepared for the Office of the Privacy Commissioner of Canada by Phoenix Strategic Perspectives Inc.

Return to footnote 5

Footnote 6

The Office of the Privacy Commissioner of Canada, “PIPEDA Case Summary #2003-156: Husband's name appears on wife's credit line statement”

Return to footnote 6

Footnote 7

The Office of the Privacy Commissioner of Canada, “PIPEDA Report of Findings #2013-008: Individual objects to the real-time accuracy of credit score”

Return to footnote 7

Footnote 8

The Office of the Privacy Commissioner of Canada, “PIPEDA Case Summary #2003-212: Bank employee improperly accessed customer's account”

Return to footnote 8

Footnote 9

The Office of the Privacy Commissioner of Canada, “2013 Audit of the Financial Transactions and Reports Analysis Centre of Canada”

Return to footnote 9

Footnote 10

Ibid

Return to footnote 10

Footnote 11

“Big data” could be looked at as the collection of vast amounts of data in combination with algorithmic systems for decision making or analytic purposes. Big data has become a prominent issue in the business, technology, and privacy environment because the sophistication of systems used to make inferences from the data has increased. In turn, this has motivated the collection of more and more data, often with higher amounts of detail.

Return to footnote 11

Footnote 12

“Resolution on Privacy by Design.” Adopted at the 32^nd International Conference of Data Protection and Privacy Commissioners, October 2010.

Return to footnote 12

Footnote 13/dt>

The Office of the Privacy Commissioner of Canada (OPC), The Office of the Information and Privacy Commissioner of Alberta, and The Office of the Information and Privacy Commissioner British Columbia, “Getting Accountability Right with a Privacy Management Program”.

Return to footnote 13

Footnote 14

Please refer to the Results of the 2013 Global Privacy Enforcement Network Internet Privacy Sweep.

Return to footnote 14

Footnote 15

The Office of the Privacy Commissioner of Canada, “The Case for Reforming the Personal Information Protection and Electronic Documents Act”; and
The Office of the Privacy Commissioner of Canada (OPC), The Office of the Information and Privacy Commissioner of Alberta, and The Office of the Information and Privacy Commissioner British Columbia, “Seizing Opportunity: Good Privacy Practices for Developing Mobile Apps”.

Return to footnote 15

Footnote 16

The Office of the Privacy Commissioner of Canada (OPC), The Office of the Information and Privacy Commissioner of Alberta, and The Office of the Information and Privacy Commissioner British Columbia, “Cloud Computing for Small and Medium-sized Enterprises: Privacy Responsibilities and Considerations”.

Return to footnote 16

Footnote 17

The Office of the Privacy Commissioner of Canada (OPC), The Office of the Information and Privacy Commissioner of Alberta, and The Office of the Information and Privacy Commissioner British Columbia, “Seizing Opportunity: Good Privacy Practices for Developing Mobile Apps”.

Return to footnote 17

Footnote 18

“Resolution on privacy Enforcement and Co-ordination at the International Level.” Adopted at the 33^rd International Conference of Data Protection and Privacy Commissioners, November 2011.

Return to footnote 18

Date modified:: 2014-03-11

Language selection

Search and menus

Search