Canada’s Financial Consumer Protection Framework Consultation
Submission of the Office of the Privacy Commissioner of Canada to Finance Canada
February 28, 2014
Ms. Jane Pearse
Director, Financial Institutions Division
Financial Sector Policy Branch
Department of Finance Canada
15th Floor, East Tower
140 O’Connor Street
Ottawa, ON K1A 0G5
Dear Ms. Pearse,
Re: Canada’s Financial Consumer Protection Framework Consultation
- On December 3rd 2013, Finance Canada released consultation questions to seek views on strengthening Canada’s financial consumer protection framework. [Footnote 1]
- The Office of the Privacy Commissioner of Canada (OPC) makes this submission as an interested party to the proceedings, pursuant to its legislative mandate [Footnote 2] to protect the privacy rights of individuals and promote the privacy protections available to Canadians. [Footnote 3]
- Our comments will be limited to those issues that relate to our mandate. Our position is that principles for establishing a comprehensive framework for financial consumer protection should be developed in a manner that recognizes and supports compliance with federal private-sector privacy legislation: The Personal Information Protection and Electronic Documents Act (PIPEDA).
- The federal government proposed to develop the comprehensive financial consumer code in its Economic Action Plan 2013 and noted the code’s importance in its Economic Action Plan 2014. We take the position that privacy is a key element of financial consumer protection and can enhance the overall protection of Canadians’ personal financial information.
- Our submission consists of the following sections:
- An overview of PIPEDA and an analysis of the current protections under the Act;
- Establishing a comprehensive set of principles for consumer protection;
- Possible enhancements to the existing regime; and
- Continuing the conversation: engagement.
An overview of PIPEDA and an analysis of the current protections under the Act
- The OPC’s mandate is to oversee compliance with the Privacy Act, which applies to the personal information management practices of federal government departments and agencies, and the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada’s federal private sector legislation. PIPEDA applies to organizations that collect, use, or disclose individuals’ personal information in the course of commercial activity. It does not apply to those organizations in provinces that are deemed to have substantially similar private sector privacy legislation which, as of the date of this submission, are British Columbia, Alberta and Quebec. Ontario, New Brunswick, and Newfoundland also have substantially similar legislation, but these are limited to the personal health information management practices of health information custodians in their respective jurisdictions.
- PIPEDA, however, continues to apply to federal works, undertakings, or businesses (FWUBs) across Canada, including banks listed in Schedule I and II of the Bank Act. In relation to FWUBs, PIPEDA covers both customer and employee personal information. It also continues to apply in instances of interprovincial or international transfers of personal information in the course of commercial activities.
- Schedule 1 of PIPEDA [Footnote 4] provides the framework for collection, use, and disclosure of personal information by those organizations subject to the Act and contains 10 principles related to fair information practices. These principles are based on the Canadian Standards Association Model Code for the Protection of Personal Information (which was originally developed by a group of key stakeholders, including those in the financial sector). The principles guide how organizations subject to PIPEDA must handle personal information, and the law provides individuals with recourse to challenge an organization’s compliance with those principles.
- PIPEDA is a technologically neutral law and its application covers the collection, use, or disclosure of personal information in the course of commercial activity regardless of the technology used. In addition, it does not have specific requirements for specific sectors, but rather applies to organizations across industry sectors, including financial institutions.
Establishing a comprehensive set of principles for consumer protection
- Canadians are very concerned about their personal information and research commissioned by our Office found that risks to personal financial information were Canadians’ top concern. When asked what risks to their own privacy concerned them the most, 23% of Canadians cited financial information/bank fraud at the top of the list. An additional 10% of respondents mentioned credit card fraud. [Footnote 5]
- The protection of Canadians’ personal information, including their personal financial information, is an important element in contemplating broad-based financial consumer protections. In addition, recognizing PIPEDA as a minimum legislative requirement that must be complied with would be necessary to demonstrate a commitment to comprehensive consumer protection.
- Traditionally, the largest number of complaints our Office receives from individuals has been against the financial sector. These complaints consist of matters that directly relate to financial information protection. To this extent, our Office has played a key role in the protection of consumer financial information by issuing a number of related findings and audits on matters such as:
- The use and disclosure of personal information, such as disclosure of an individual’s personal information to family members without that individual’s consent [Footnote 6];
- The accuracy of their personal information, for example, the accuracy of information on credit scores [Footnote 7];
- Unauthorized access of consumer accounts by employees at financial institutions [Footnote 8];
- Over-reporting of information by organizations to The Financial Transactions and Reports Analysis Centre of Canada [Footnote 9]; and
- Undefined retention periods for certain records by The Financial Transactions and Reports Analysis Centre of Canada [Footnote 10].
- The OPC recognizes the role of international trade and innovation as factors that encourage economic growth. That said, building a competitive advantage requires not only respect for the business-consumer relationship, but also respect for customers’ personal data. Meeting obligations related to information and privacy rights is a catalyst for building trust and, as a result, encourages greater consumer participation in the digital economy.
- In the event that the Government adopts a set of principles to govern financial consumer protection, the OPC respectfully recommends that consideration be given to the integral importance of compliance with privacy legislation.
- Canada’s economy depends on trade and the flow of information. Given the global nature of economic activity, and advances in technology, privacy issues are an increasingly important component of the broader consumer protection framework. The scope and scale of Canadians’ personal information collected by organizations are vast and the implications of “Big Data”, [Footnote 11] online behavioural tracking, and cloud computing have led to both opportunities and challenges for organizations.
- While innovation can lead to new business models that are intended to benefit consumers and organizations, the challenges that arise from complex technologies and seemingly invisible third parties involved in business transactions also raise privacy concerns (this is particularly true in the evolving payments systems ecosystem).
- One method to address these challenges is for organizations to proactively demonstrate a commitment to consumers’ personal financial information by undertaking a privacy impact assessment (PIA). Undertaking a PIA at the beginning of an initiative, the start of a new program, or before implementing new technologies, can help identify potential privacy risks and outline mitigating activities to protect consumers’ personal financial information.
- It is important for organizations to build privacy protections for consumers at the outset of new programs or initiatives. [Footnote 12] Responsible innovation involves developing a robust privacy compliance program, which includes demonstrating accountability and safeguarding consumer information against the increased risks from data breaches.
- To this end, the Office of the Privacy Commissioner of Canada (OPC), and the Offices of the Information and Privacy Commissioners (OIPCs) of Alberta and British Columbia have worked together to issue guidance for developing privacy management programs and measures for protecting personal information which can assist financial institutions in meeting their obligations to consumers. [Footnote 13]
- Unclear and ambiguous privacy policies can lead to confusion for individuals and impede the ability of consumers to make informed decisions with respect to their personal financial information. This is especially the case in the online and mobile environments. Both transparency of organizations’ privacy policies and meaningful consent are key privacy principles and requirements under PIPEDA. [Footnote 14]
- Given the importance of personal information in the digital economy and the sensitivity of financial information to Canadians, it is strongly recommended that any new principles for financial consumer protection explicitly reference PIPEDA obligations and the principles found in Schedule 1.
Possible enhancements to existing regime
- As a law of general application, PIPEDA applies across industry sectors, is principle-based, and is technologically neutral. These are strengths of Canada’s private-sector privacy framework, and serve an important role in protecting consumers’ personal financial information, especially in the face of emerging technologies and innovation in the technology landscape.
- To address today’s issues and those of tomorrow, the existing privacy regime in Canada needs to evolve in order to address the new risks from emerging technologies. As a part of enhancements to overall consumer protection, enhancing privacy rights needs to be addressed.
- PIPEDA is in need of some inevitable modernization if it is to effectively protect consumers’ privacy in the context of rapid change in information technologies.
- Updating Canada’s federal private-sector privacy legislation would serve to enhance trust, and therefore support innovation, and domestic and international economic activity. This, in turn, would help support improvements to the current financial consumer protection regime for Canadians.
- Last year our Office recommended some changes we would like to see in order to modernize PIPEDA, [Footnote 15] address current and future privacy challenges, and improve Canadians’ trust in the digital economy. Our recommendations included:
- Strengthening enforcement powers;
- Greater transparency and accountability measures; and
- Mandatory breach notification.
- We believe such modifications, if made, could provide the necessary incentives to strengthen privacy compliance as an integral part of an enhanced financial consumer protection regime.
Continuing the conversation: engagement
- Given the complexity of business models in today’s environment, including those of financial services, the OPC is of the opinion that active engagement of all relevant stakeholders is essential to develop and promote a comprehensive consumer financial protection framework.
- For there to be meaningful stakeholder engagement, a successful, longstanding, sustainable code or framework would benefit from the engagement of a wide range of policy makers, as was the case with the Canadian Standards Association Model Code for the Protection of Personal Information, which PIPEDA was based upon.
- In keeping with our Office’s public education and outreach mandate under PIPEDA, the OPC has undertaken engagement activities with a wide range of stakeholders in order to promote effective consumer and organizational awareness of privacy rights and obligations.
- For example, our Office regularly engages with our provincial and territorial counterparts and has produced joint guidance on cloud computing [Footnote 16] and mobile applications. [Footnote 17] In addition, we collaborate with our international counterparts to promote discussion on emerging issues and have participated in the development of international resolutions, such as on international co-operation to strengthen data protection worldwide. [Footnote 18] The OPC also has a Toronto office, which engages in stakeholder relationship activities with industry groups in the Greater Toronto area.
- These activities, as does our Office’s participation in the Financial Consumer Agency of Canada’s (FCAC) Interdepartmental Committee on Financial Literacy, are examples of the OPC’s stakeholder engagement process to promote discourse on privacy for enhanced privacy protections for individuals and consumers.
- We encourage you to consider engagement strategies that include privacy stakeholders, including our Office, as key stakeholder groups engaged as part of the overall financial consumer protection framework engagement strategy.
- Organizations, including financial services, are engaged in increasingly complex business models where consumers’ personal financial information is used in ways that challenge traditional privacy norms.
- As such, the OPC respectfully submits that recognizing privacy and encouraging compliance with relevant obligations are an integral component of a comprehensive consumer financial protection framework.
- The OPC would be pleased to discuss these views and the role of privacy in a financial consumer protection framework at the earliest convenience and opportunity.
Original signed by
Interim Privacy Commissioner of Canada