Good afternoon. I would like to thank the Committee for the opportunity to speak on Bill C‑27’s Consumer Privacy Protection Act, or CPPA.
My name is Lorraine Krugel, and I am the Vice President, Privacy and Data for the Canadian Bankers Association.
The CBA is the voice of more than 60 banks operating in Canada, employing more than 280,000 Canadians and helping to drive Canada’s economic growth and prosperity.
Banks have long been entrusted with significant amounts of personal information, and privacy and trust are paramount in our banks’ customer relationships.
As global data flows and technological advances have continued to increase, Canadian banks have been able to responsibly innovate to meet consumer demand for even more convenience, value and simplification.
The CPPA reflects a unique, made‑in‑Canada approach that aims to address the needs of consumers and organizations in our evolving digital world.
But we need to get this right. Some of the proposed provisions in the CPPA need to be better tailored for the Canadian context – we are concerned there is a real risk of significant adverse consequences if the scope of certain provisions are not better defined and necessary exceptions are not included.
In particular, we would like to avoid situations where organizations would be required to provide too much information in order to be transparent. For example, certain transparency provisions could end up replicating the equivalent of "consent fatigue" or "cookie banner fatigue", with no meaningful value to the consumer. Transparency obligations also require appropriate limits so they cannot be abused or leveraged by criminals to circumvent processes designed to protect against fraud, money laundering or cyber threats.
In addition, we need to take care so that any requirements that are highly complex or operationally onerous would in fact address the right underlying risks and policy intent, without negatively impacting legitimate operations, product and service delivery, or safeguarding of information.
The CBA is supportive of many of the key foundations of the CPPA. The CPPA is principles-based, scaleable, and technology neutral, and requires organizations to comply with a collection of interconnected provisions that provide a solid privacy foundation based on accountability, reasonability, and proportionality.
However, we see the need for targeted amendments in the following key areas:
- De-identification and anonymization;
- Disposal requests and retention; and
- Automated decision systems
Relating to consent, we recommend an important technical amendment, which will ensure continued alignment with provincial approaches while preserving policy intent and avoiding unintended consequences regarding consent obligations.
In addition, we recommend an amendment to the CPPA to legally allow certain organizations to share personal information to combat money laundering and terrorist financing, as part of a legislative framework that would be further defined through the Proceeds of Crime (Money Laundering) and Terrorist Financing Act. Done in the right way, such sharing could increase privacy protections for Canadians by reducing unnecessary reporting to the government on low‑risk transactions, and simultaneously increase the effectiveness of Canada’s Anti‑Money Laundering regime through targeted and more effective reporting.
Finally, we believe a minimum two‑year implementation period is necessary to accommodate the scope of change and development of regulations and guidance associated with the CPPA.
Regarding the Artificial Intelligence and Data Act, or AIDA, we are in the process of evaluating the Minister’s recent proposals, and will be submitting comments and our recommendations to the Committee when study focuses on the AI portion of the Bill.
We have provided the Committee with written comments and recommendations on the CPPA, and look forward to your questions. Thank you.