Thank you, Mr. Chair. Good afternoon.
My name is Linda Routledge and I am the Director, Consumer Affairs with the Canadian Bankers Association. With me is Charles Docherty, Senior Counsel with the CBA. We are pleased to be here today to discuss the Personal Information Protection and Electronic Documents Act (PIPEDA).
The CBA works on behalf of 62 domestic banks, foreign bank subsidiaries, and foreign bank branches operating in Canada and their 280,000 employees.
Privacy and protection of clients’ personal information is, and always has been, a cornerstone of banking. Given the nature of the services that banks provide to millions of Canadians, banks are trusted custodians of significant amounts of personal information. Banks take very seriously their responsibility to protect customers’ information, and are committed to meeting not only the requirements of privacy laws but also the expectations of our customers. A former Assistant Privacy Commissioner once acknowledged that, “Privacy is in the banks’ DNA.”
The banks were among the first group of organizations subject to PIPEDA in 2001. We believe that PIPEDA has worked well to date to balance the protection of individuals’ personal information with the legitimate use of personal information by organizations. PIPEDA is principles-based and technologically neutral, providing the necessary framework for innovation as well as new technologies and business models. It is generally well positioned to continue that mandate going forward.
The banks would, however, like to suggest a few changes that we believe would enhance and clarify PIPEDA to make it more effective. These suggestions are related to three broad subject areas: meaningful consent, financial crimes, and access rights.
Banks collect the personal information that is necessary to provide clients with the products and services they want. This information is collected according to the requirements of PIPEDA and banks take steps to ensure that their clients understand the nature of the consent being provided. All banks have privacy policies in place and privacy officers who oversee compliance with those policies. Banks have a strong incentive to enhance their customers’ ability to provide meaningful consent because building their customers’ trust is, and has always been, a top priority.
The Committee heard from several other witnesses who questioned whether the consent individuals provide is meaningful, given the complexity of the terms and conditions when signing up for any product or service. We suggest that one way to address this concern may be to streamline privacy notices so that consent is not required for uses that the individual would expect and consider reasonable.
In particular, we support the concept that express consent should not be required for legitimate business purposes. Some examples of such purposes might include:
- The purposes for which the personal information was collected;
- Fulfilling a service;
- Understanding or delivering products or services to customers to meet their needs; and
- Customer service training.
Removing the requirement for express consent for legitimate business purposes would simplify privacy notices, thereby facilitating a more informed consent process where consumers can focus on information that is most important to them and on which they can take action.
Second, the banking industry suggests that the current narrow definition of “publicly available information” is out of date. The current regulations reference the dominant technologies of the early 2000s when the regulations were promulgated. We suggest that the Committee should look at updating the definition with a view to modernizing it.
Protecting the security and safety of their employees, customers, and the Canadian financial system is a priority for Canada’s banks. Banks are constantly upgrading their security systems and work hard to prevent billions of dollars of financial crime each year. Banks work closely with law enforcement agencies and authorities across the country to help them with their investigations and the prosecution of suspected criminals.
We believe that the ability of banks to help protect against financial crime would be enhanced if PIPEDA were amended to allow financial institutions to share information amongst themselves to detect and prevent other types of serious criminal activity beyond fraud. Currently, provisions in PIPEDA only allow the sharing of information between organizations where it is “reasonable for the purposes of detecting or suppressing fraud or of preventing fraud”. This does not include other types of criminal activity, such as:
- Theft of data / personal information;
- Money laundering;
- Terrorist financing;
- Cyber-crime; and
- Bank robberies.
To enhance the banking industry’s ability to prevent this broader criminal activity, we recommend that the provisions in PIPEDA relating to disclosures without consent should use the term “financial crime” instead of “fraud” to capture the broader range of criminal activities that Canada’s financial institutions deal with on a daily basis. Further, we suggest that “financial crime” be defined to include:
- Criminal activity and any predicate offence related to money laundering and the financing of terrorism;
- Other criminal offences committed against financial institutions, their customers and their employees; and
- Contraventions of laws of foreign jurisdictions, including relating to money laundering and terrorist financing.
Financial crime negatively affects banks, consumers, and the economic integrity of the financial system. Banks understand the important role they have to play and have highly sophisticated security systems and teams of experts in place to protect Canadians from financial crime. We believe this amendment to PIPEDA would give banks greater ability to perform their role in this important endeavor.
Our final suggestion relates to access rights. There are times when organizations create documents containing personal information related to anticipated litigation. Consistent with guidance issued by the Privacy Commissioner and provisions in both Alberta and Quebec privacy laws, this information should not have to be provided in response to an access request. We would ask that PIPEDA be amended to provide a specific exemption for these types of documents based on litigation privilege.
In conclusion, PIPEDA has served Canadians well over the last seventeen years, encouraging organizations to protect the personal information that they have about individuals and also encouraging individuals to be more aware of their rights and responsibilities to protect their own personal information. Nevertheless, as with any legislation operating in an environment that is continually evolving, there are some areas where slight adjustments and improvements would be desirable. We hope that our commentary assists the Committee with its review of the Act.
We look forward to your questions. Thank you.