Positioning Canada’s Financial Sector for the Future

Submission to the Department of Finance Canada

September 29, 2017

Financial Institutions Division
Financial Sector Policy Branch
Department of Finance Canada
James Michael Flaherty Building
90 Elgin Street
Ottawa ON K1A 0G5

Dear Sir/Madam:

Re: Positioning Canada’s Financial Sector for the Future

1. The Office of the Privacy Commissioner of Canada (OPC) appreciates the opportunity to provide comments to the Department of Finance Canada (Finance Canada) in the context of its consultation on potential policy measures aimed at supporting a strong and growing economy.^{Footnote 1}
2. By way of background, the mandate of the Office of the Privacy Commissioner of Canada (OPC) is to oversee compliance with both the Privacy Act, which covers the personal information-handling practices of federal government departments and agencies, and the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada's private-sector privacy law, along with some aspects of Canada's anti-spam law (CASL). The OPC's mission is to protect and promote privacy rights of individuals. As such, our comments will be limited to those issues that relate to our mandate.
3. As our Office understands, this consultation is further to a 2016 call for comments that focused on positioning the federal financial sector framework with respect to the three (3) policy objectives for Canada’s financial sector: i) stability; ii) efficiency; and iii) utility.
4. As the current consultation notes, there are a number of emerging issues/sectors and consumer protection concerns that are important to grow the economy and support the three (3) policy objectives for Canada’s financial sector. Further to this, the consultation notes that stakeholders have called for the framework to provide a high level of consumer protection.
5. The OPC notes that the digital economy has seen privacy issues and consumer protection issues increasingly intersecting — and given the high sensitivity of the information involved, a robust security safeguard infrastructure will be material to consumers’ confidence, adoption levels, their decision to avail themselves of financial technology innovations, and the overall soundness of the financial sector. Privacy is not just a peripheral consideration, it is integral to the adoption and sustainability of the financial sector and financial technological innovation.
6. To this end, the OPC recommends that:
   • The financial policy framework in Canada should take into consideration the existing legislative privacy framework in Canada, recognizing the role of federal private-sector privacy legislation, and substantially similar provincial legislation.
   • The financial policy framework explicitly recognize that PIPEDA applies to organizations engaged in commercial activity regardless of whether they are regulated by Canada’s financial regulators. This includes new and emerging business models, including those in the financial technology (FinTech) sector.
   • Privacy compliance be explicitly recognized as a foundational element to support trust and participation in the digital economy — which contributes and directly supports the three (3) policy objectives for Canada’s financial sector.

Supporting a Competitive and Innovative Sector

Trust in the Digital Economy

7. There are a number of issues in which both the OPC and Finance Canada have a shared interest, for example: i) the way Canadians interact with new business models; ii) consumer protection; iii) the influence of technology; and iv) cyber and national security. These are also areas of importance that fit within the OPC’s strategic privacy priorities.^{Footnote 2}
8. Having identified the Economics of Personal Information as one of the OPC’s strategic priorities, our Office aims to enhance the privacy protection and trust of individuals so that they may confidently participate in the digital economy. Equally important is the notion of individual control over their personal information.
9. While innovation can support positive change, it has also resulted in the push to collect and process unprecedented amounts of personal information, which poses challenges to existing privacy frameworks and norms.
10. Emerging business models that employ technologies and information sharing (often opaque to individuals) has greatly increased the amount and sensitivity of personal information being collected and used. Being in control of one’s information is particularly challenging in a world of Big Data where an unprecedented amount of personal information is being collected, and where powerful algorithms can detect behavioural patterns for a variety of purposes ranging from marketing to national security.
11. The OPC recommends that Finance Canada explicitly recognize the role of privacy as integral to promote trust, innovation and competition. In particular, that privacy protection can play an important role in addressing the integrity of the financial ecosystem and building the necessary trust for individuals to participate therein. This would help enable and promote innovation.

Key Considerations for Emerging Issues/Sectors

12. While the financial technology (FinTech) sector has been identified as a driver for innovation and economic growth, there are various discussions on the applicability – and degree to which – the current financial regulatory oversight is applicable to the FinTech sector and other emerging business models.
13. As Finance Canada considers issues related to the legislative and policy framework for these emerging models, the OPC suggests that future action from Finance Canada explicitly make reference to the application of PIPEDA to organizations that engage in commercial activity, and the role that privacy legislation plays as part of financial regulatory oversight.
14. This would help emerging businesses appreciate the full extent of their compliance obligations.
15. Furthermore, the OPC supports Finance Canada’s position to increase regulatory transparency and oversight, and is open to future discussions to assist with how to best coordinate and share information.
16. With respect to the issue of Open Banking, our Office strongly urges that future discussions include privacy-related obligations and risk mitigation measures as part of the overall calculus.
17. While we understand that the new European payments directive^{Footnote 3} (expected to come into force in 2018) introduces Open Banking, it does also reference the need to comply with privacy laws, and specifically underpins the importance of obtaining consent. The private sector has also noted the importance of meeting obligations in privacy law for the payments directive and Open Banking.^{Footnote 4}
18. As we understand it, potential benefits associated with Open Banking include: i) increased consumer choice; ii) marketplace competition; and iii) economic opportunities for small and medium-sized enterprises (SMEs).
19. To contemplate how such an initiative could maximize these benefits and support the policy objectives for the Canadian financial sector, it would be essential to consider the following:
    • Making sure emerging and existing stakeholders understand the existing privacy legislative framework in Canada;
    • Recognize that the temptation to be “first to market” with new innovation products should not come at the expense of the privacy, security, trust and confidence of Canadians. Especially considering that privacy is not just a peripheral consideration, it is integral to the adoption and sustainability for financial innovations.
    • Recognizing that personal information can be more than traditional data points (such as name and account number);^{Footnote 5}
    • Assessing the sensitivity of information and information flows;
    • Obtaining meaningful and valid consent;
    • Safeguarding information and information flows;
    • Limiting the purposes; and
    • Implementing an accountability framework, including putting in place a privacy management program and risk assessment protocols.

Improving Consumer Protection

20. The consultation paper identifies a number of regulatory bodies for the financial sector, and the OPC suggests that given the importance of privacy with respect to consumer financial information, these references should be expanded to include privacy regulators.
21. On the issue of consumer protection and privacy, obtaining meaningful consent — which is central to PIPEDA — is one of the challenges with respect to privacy protection. To address this challenge, the OPC has recently launched its policy position on the necessary conditions for making consent more meaningful. The importance of consent in the digital economy, and key principles that organizations should consider in obtaining valid and meaningful consent, are highlighted in our recent Annual Report to Parliament.^{Footnote 6}
22. Further to this, our Office notes that improving consumer privacy requires that organizations pay careful attention to their internal operations as it pertains to accountability,^{Footnote 7} safeguarding data,^{Footnote 8} breach reporting,^{Footnote 9} and authentication practices^{Footnote 10} — all of which play a key role in protecting personal information held by the financial sector.
23. The need to ensure that personal information is protected and handled appropriately by the financial sector is becoming even more vital as the financial sector continues to include new stakeholders, expand on business models, and innovate in the digital economy.

Cyber Risk

24. The OPC supports the position that addressing cyber security threats requires a focus on privacy considerations.
25. The consultation paper also notes that a goal for Finance Canada is the creation of a cyber security strategy that is forward looking and that it is: i) working with Public Safety Canada to assess legislative and regulatory changes; and ii) engaging in international co-operation through the G7 and G20.
26. Our Office recognizes the risks associated with cyber intrusions, and the potential privacy risks associated for individuals. In an environment where cyber attacks are a daily occurrence, one cannot overstate the importance of a comprehensive, overarching security framework to protect against unauthorized breaches of personal information.
27. To this end, upcoming mandatory breach notification in PIPEDA will help organizations enhance security as their recordkeeping and reports will be an important tool to help identify and address systemic issues.
28. Strengthening consumer confidence in the digital economy necessitates a strong cyber security strategy. Consumer confidence can be broken if privacy protection measures are not meaningfully developed as part of such strategy.
29. The OPC would, however, like to reiterate comments made in Commissioner Therrien’s submission to Public Safety Canada; consultation on cyber security, particularly that:^{Footnote 11}
    • Cybersecurity has two sides — organizations must stay abreast of the latest cyber threats in order to protect their information technology systems, and privacy officers must adequately safeguard the personal information entrusted to them by their clients, customers and employees;
    • Cybercrime law enforcement needs to be mindful of the implications of their activities on Canadians’ privacy;
    • Cyber security involves not only assessing technical security risks (such as firewalls), but also risks to personal information holdings, which would be identified and mitigated by undertaking a privacy impact assessment (PIA); and
    • Privacy rights and freedoms protected by the Charter in our daily offline lives, should carry over online.

Conclusion

30. In conclusion, the OPC believes that actions taken to strengthen the financial framework in Canada should also take into consideration the integral importance of compliance with the existing privacy legislation framework in Canada.
31. We appreciate the opportunity to share our views and would be pleased to further discuss the comments made in our submission, as well as other related matters.

Yours truly,