May 23, 2018 by David Gambrill
Canadian privacy law as it currently stands may not be enough to protect Canadians if banks are allowed to disclose their customer data to fintechs, Canada’s privacy commissioner told the Canadian Senate Committee on Banking, Trade and Commerce Wednesday.
“Financial institutions and fintechs are required by PIPEDA [the Personal Information Protection and Electronic Documents Act] to obtain valid and meaningful consent from their customers in order to collect, use or disclose personal information,” Daniel Therrien told the committee, which is considering the government’s omnibus budget bill (Bill C-74).
“Under the current law, I do not have the authority to require organizations to apply what I would argue are reasonable measures [to obtain consent]. It will take several years for concerned consumers to have their rights upheld by the courts. I am therefore concerned about the changes in this bill, and the most direct way to rebalance this legislation, in my view, would be to confer with my office the authority to order the financial sector to obtain explicit and truly informed consent.”
The Senate committee is hearing presentations on Bill C-74, which would allow banks to engage in collecting and manipulating consumer information and transmitting or selling it to fintechs.
Therrien’s concerns about data privacy align with the position taken by the Canadian Association of Mutual Insurance Companies (CAMIC), which is concerned that Bill C-74 may allow banks to circumvent consumer protections currently in place in the Bank Act. Currently, s. 417 of the Bank Act does not allow a bank to share consumer information with an insurance company, thereby preventing banks from pressuring consumers to purchase the bank’s insurance at point of sale.
But once a bank sells its consumer information to a fintech, CAMIC has argued, the Bank Act does not apply to fintechs, which are unregulated. Fintechs would then be able to sell the data to an insurance company, thus skirting the consumer protections in the Bank Act.
In contrast to CAMIC, the Insurance Brokers Association of Canada (IBAC) believes banks will only be able to sell the information to fintechs “subject to” the provisions in the Bank Act, including the prohibition against selling information to insurers.
Therrien said the desire to support innovation in the financial services sector should always be balanced with protecting the privacy of Canadians. He said his office had “not been consulted by the government on the details of these amendments,” so it was difficult for him to say whether the right balance had been achieved.
“At this point, with the information in hand, I would say government’s efforts have been directed towards innovation without ensuring that privacy is adequately covered,” Therrien said. “Privacy by design has not been applied in this case.”
Therrien said his office is currently working on clear guidelines for obtaining meaningful consent from consumers, which should be ready in January 2019. The new guidelines have been prepared based on concerns that the current regime of obtaining consent is not strong enough to protect the privacy rights of consumers when “extremely sensitive” information such as financial data is shared with third parties.
“Whether Bill C-74 achieves [the balance between innovation and privacy], this will depend largely on how PIPEDA is applied by organizations and perhaps in part on the content, yet unknown, of the regulations that the government has announced,” Therrien said.
The Finance Minister’s office has reportedly said that it will be dealing with any policy concerns raised by Bill C-74 in the regulations.